Ok - so this is a little off topic but I just thought I'd throw it out
there. It's an old discussion we've had before regarding using dsniff on
saved pcap files...
<snip>
Well, it was much easier than I thought. Sometimes it is useful
to be able to apply the lovely methods available in dsniff to
a saved pcap file.
Since dsniff uses libnids for all its sniffing needs, and libnids
uses libpcap, building dsniff with a slightly altered libnids will
allow dsniff to specify a file instead of an interface.
The diff in libnids is simply:
src/libnids.c:
< if ((desc = pcap_open_live(device, 16384, nids_params.promisc!=0, 1024,
nids_errbuf)) == NULL)
---
> if ((desc = pcap_open_offline(device, nids_errbuf)) == NULL)
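Review bot: the swap to pcap_open_offline in src/libnids.c is unconditional, so a libnids built with it can no longer open an interface, and every program relinked against it will treat device as a file name. Select the call at run time instead, keeping the original pcap_open_live(device, 16384, nids_params.promisc!=0, 1024, nids_errbuf) as the path for interfaces, so that one build serves both live capture and saved files.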
Then relink dsniff to this modified libnids. There are cooler ways
to solve this including having libnids check for whether device
is a filename or interface which I will do shortly.
So now, the -i argument is treated as a file.
As an example, here from a log box:
dsniff.file -n -i /log1/log010403.1013
dsniff.file: listening on /log1/log010403.1013
04/03/01 10:59:53 udp 192.168.0.1.49156 -> x.x.x.x.161 (snmp)
[version 1]
(obscured)
04/03/01 11:00:22 tcp 192.168.0.1.1280 -> x.x.x.x.80 (http)
GET /foo/ HTTP/1.0
Host: foo.bar.net
(obscured)
Makes a real nice harvesting program should you have pcap files
lying around.
<snip - eol>
Received on Jul 10 2001
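The post mentions having libnids check whether device is a filename or an interface. One way to make that decision, as an added example that is not code from the post, libnids or dsniff: the helper name classify_device and its return values are hypothetical, and it assumes classic libpcap savefiles, recognised by the 4-byte magic at the start of the file.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/stat.h>

enum capture_source { SRC_INTERFACE, SRC_SAVEFILE, SRC_NOT_PCAP };

/* Hypothetical helper: decide how the "device" string should be opened.
 * Anything that is not an existing regular file is left to pcap_open_live;
 * a regular file is accepted only if it starts with a pcap savefile magic. */
enum capture_source classify_device(const char *device)
{
    /* 0xa1b2c3d4 (microsecond) and 0xa1b23c4d (nanosecond), both byte orders */
    static const uint8_t magics[4][4] = {
        {0xa1, 0xb2, 0xc3, 0xd4}, {0xd4, 0xc3, 0xb2, 0xa1},
        {0xa1, 0xb2, 0x3c, 0x4d}, {0x4d, 0x3c, 0xb2, 0xa1},
    };
    struct stat st;
    uint8_t head[4];
    FILE *fp;
    size_t n, i;

    if (stat(device, &st) != 0 || !S_ISREG(st.st_mode))
        return SRC_INTERFACE;          /* e.g. "eth0": not a file on disk */
    fp = fopen(device, "rb");
    if (fp == NULL)
        return SRC_NOT_PCAP;           /* exists but unreadable: do not guess */
    n = fread(head, 1, sizeof head, fp);
    fclose(fp);
    if (n != sizeof head)
        return SRC_NOT_PCAP;           /* too short to hold a savefile header */
    for (i = 0; i < 4; i++)
        if (memcmp(head, magics[i], sizeof head) == 0)
            return SRC_SAVEFILE;       /* hand this one to pcap_open_offline */
    return SRC_NOT_PCAP;
}

int main(int argc, char **argv)
{
    static const char *action[] = {
        "interface, use pcap_open_live",
        "savefile, use pcap_open_offline",
        "regular file without pcap magic, refuse",
    };
    int i;
    for (i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], action[classify_device(argv[i])]);
    return 0;
}
```

Refusing a regular file that lacks the magic avoids passing an arbitrary file name to pcap_open_live, where it would fail with a confusing "no such device" error.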