Nmap Development mailing list archives

Re: pcap-tcp Proof of Concept hack
From: Jay Fink <jay.fink () gmail com>
Date: Mon, 29 Jun 2009 10:09:01 -0400

So I monkeyed with this a little more today and found an inherent problem.
I was able to pass a filter to it (by port) which was easy enough,
but, because the steps in ncat are sequential, the only way I can get
it to capture the current session is to figure out how to run the pcap
dispatch or loop in parallel. In other words, this patch is pretty
much useless as is.
I'm still trying to figure out how to get it to run while nsock_loop
is running.

thx,
  j

On Sun, Jun 28, 2009 at 2:10 PM, Jay Fink<jay.fink () gmail com> wrote:
> All,
>
> Per fyodor's suggestion I am attaching a patch and file for ncat to
> invoke a pcap reader. Note that this is proof of concept and right now
> literally just fires up a looper. I would eventually want it to
> automatically filter for the port, set the device and have the option
> to pass additional filter arguments and have a timed and/or polls
> count. Fyodor posed a few questions which I went ahead and answered.
>
>> Thanks Jay.  I'm not sure if this feature should be added to Ncat or
>> not, but it is definitely worth sending to nmap-dev so folks can try
>> it out and let you know what they think.
>
> sending to nmap-dev in this email; all see my replies below.
>
>> I assume you added this feature because you personally find a need for
>> it?
>
> as per the norm, pure laziness. I've had the need recently to use ncat
> to troubleshoot a problem. So I had to fire up tcpdump in another
> window while watching output. So basically having it as an option in
> ncat (or whatever) saves me the time. I'm also thinking that ncat
> could set up a few things ahead of time like automatically assign a
> filter (for the port), set the device and so forth - once again
> saving me time (albeit not much) plus a few things I mentioned above.
>
>> In what situations do you find that a pcap save is more useful
>> than the session output format Ncat already has?
>
> when I want pcap specific data (which I might load up into wireshark
> for a replay later).
>
>> Why is it only TCP?  Couldn't you do the same thing when Ncat is in
>> UDP mode?
>
> yes - it certainly could, since this is POC stuff I didn't want to
> take it too far.
>
> thanks,
>   j


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
