[Snort-users] OT-ish: libpcap apps on x86_64

Subject: [Snort-users] OT-ish: libpcap apps on x86_64
Date: Tue, 26 Jul 2005 12:11:50 +0100
Hi -

I'm having some problems with Phil Wood's libpcap on CentOS 4.1/x86_64 (a Free RHEL 4U1 clone for those not in the loop!). I've built i386 and x86_64 RPMs of libpcap, and installed them:

# rpm -qil libpcap.i386 libpcap.x86_64
Name : libpcap Relocations: /usr
Version : 1.0.20050129 Vendor: (none)
Release : 9.RHEL4.uobnids1 Build Date: Mon 25 Jul 2005 16:49:46 BST
Install Date: Tue 26 Jul 2005 11:06:11 BST Build Host: xxx.bristol.ac.uk
Group : Development/Libraries Source RPM: tcpdump-3.8.2-9.RHEL4.uobnids1.src.rpm
Size : 424623 License: BSD
Signature : DSA/SHA1, Mon 25 Jul 2005 16:49:46 BST, Key ID 2a598db7552ee4e4
URL : http://www.tcpdump.org
Summary : A system-independent interface for user-level packet capture.
Description :
Libpcap provides a portable framework for low-level network
monitoring. Libpcap can provide network statistics collection,
security monitoring and network debugging. Since almost every system
vendor provides a different interface for packet capture, the libpcap
authors created this system-independent API to ease in porting and to
alleviate the need for several system-dependent packet capture modules
in each application.


Install libpcap if you need to do low-level network traffic monitoring
on your network.
/usr/include/net
/usr/include/pcap-bpf.h
/usr/include/pcap-namedb.h
/usr/include/pcap.h
/usr/lib/libpcap-0.8.3.so
/usr/lib/libpcap.a
/usr/lib/libpcap.so
/usr/lib/libpcap.so.0
/usr/lib/libpcap.so.0.7
/usr/lib/libpcap.so.0.8
/usr/lib/libpcap.so.0.8.3
/usr/share/doc/libpcap-1.0.20050129
/usr/share/doc/libpcap-1.0.20050129/CHANGES
/usr/share/doc/libpcap-1.0.20050129/LICENSE
/usr/share/doc/libpcap-1.0.20050129/README
/usr/share/man/man3/pcap.3.gz
Name : libpcap Relocations: /usr
Version : 1.0.20050129 Vendor: (none)
Release : 9.RHEL4.uobnids1 Build Date: Mon 25 Jul 2005 16:50:53 BST
Install Date: Tue 26 Jul 2005 11:06:12 BST Build Host: xxx.bristol.ac.uk
Group : Development/Libraries Source RPM: tcpdump-3.8.2-9.RHEL4.uobnids1.src.rpm
Size : 520887 License: BSD
Signature : DSA/SHA1, Mon 25 Jul 2005 16:50:54 BST, Key ID 2a598db7552ee4e4
URL : http://www.tcpdump.org
Summary : A system-independent interface for user-level packet capture.
Description :
Libpcap provides a portable framework for low-level network
monitoring. Libpcap can provide network statistics collection,
security monitoring and network debugging. Since almost every system
vendor provides a different interface for packet capture, the libpcap
authors created this system-independent API to ease in porting and to
alleviate the need for several system-dependent packet capture modules
in each application.


Install libpcap if you need to do low-level network traffic monitoring
on your network.
/usr/include/net
/usr/include/pcap-bpf.h
/usr/include/pcap-namedb.h
/usr/include/pcap.h
/usr/lib64/libpcap-0.8.3.so
/usr/lib64/libpcap.a
/usr/lib64/libpcap.so
/usr/lib64/libpcap.so.0
/usr/lib64/libpcap.so.0.7
/usr/lib64/libpcap.so.0.8
/usr/lib64/libpcap.so.0.8.3
/usr/share/doc/libpcap-1.0.20050129
/usr/share/doc/libpcap-1.0.20050129/CHANGES
/usr/share/doc/libpcap-1.0.20050129/LICENSE
/usr/share/doc/libpcap-1.0.20050129/README
/usr/share/man/man3/pcap.3.gz

Applications appear to be linking OK:

# ldd /usr/sbin/tcpdump
libc.so.6 => /lib64/tls/libc.so.6 (0x00000037d7600000)
/lib64/ld-linux-x86-64.so.2 (0x00000037d7200000)
# ldd /usr/sbin/tethereal
libwiretap.so.0 => /usr/lib64/libwiretap.so.0 (0x0000002a95583000)
libethereal.so.0 => /usr/lib64/libethereal.so.0 (0x0000002a956a9000)
libnetsnmp.so.5 => /usr/lib64/libnetsnmp.so.5 (0x00000037dad00000)
libelf.so.1 => /usr/lib64/libelf.so.1 (0x00000037d9b00000)
libcrypto.so.4 => /lib64/libcrypto.so.4 (0x00000037daf00000)
libgmodule-2.0.so.0 => /usr/lib64/libgmodule-2.0.so.0 (0x00000037da300000)
libdl.so.2 => /lib64/libdl.so.2 (0x00000037d7400000)
libglib-2.0.so.0 => /usr/lib64/libglib-2.0.so.0 (0x00000037d9900000)
libm.so.6 => /lib64/tls/libm.so.6 (0x00000037d7900000)
libpcap-0.8.3.so => /usr/lib64/libpcap-0.8.3.so (0x0000002a96692000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00000037da900000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00000037da700000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00000037da500000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00000037d8700000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00000037d7b00000)
libpthread.so.0 => /lib64/tls/libpthread.so.0 (0x00000037d8100000)
libc.so.6 => /lib64/tls/libc.so.6 (0x00000037d7600000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00000037dab00000)
/lib64/ld-linux-x86-64.so.2 (0x00000037d7200000)


(that's a version of tethereal that's been rebuilt against the new libpcap, but subsequent behaviour is identical even if I use the CentOS-supplied tethereal).

But when I try to use it:

# tcpdump -s 1514 -w foo.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes

11 packets captured
11 packets received by filter
0 packets dropped by kernel
# tcpdump -r foo.pcap
reading from file foo.pcap, link-type EN10MB (Ethernet)
11:58:02.000182 [|ether]
11:58:02.000060 [|ether]
11:58:02.000060 [|ether]
11:58:02.000060 [|ether]
11:58:03.000062 [|ether]
11:58:03.000134 [|ether]
11:58:03.000102 [|ether]
11:58:03.000134 [|ether]
11:58:03.000102 [|ether]
11:58:03.000060 [|ether]
11:58:03.000134 [|ether]
# tethereal -r foo.pcap
tethereal: "foo.pcap" appears to be damaged or corrupt.
(pcap: File has 262152-byte packet, bigger than maximum of 65535)

If I uninstall my local packages and revert to CentOS' own:

# rpm -e --nodeps arpwatch tcpdump.i386 tcpdump.x86_64 libpcap.i386 libpcap.x86_64 ethereal ethereal-gnome
[root@vauxhallx ~]# yum install arpwatch tcpdump libpcap ethereal-gnome


[...]

Dependencies Resolved
Transaction Listing:
 Install: arpwatch.x86_64 14:2.1a13-10.RHEL4 - update
 Install: ethereal-gnome.x86_64 0:0.10.11-1.EL4.1 - base
 Install: libpcap.i386 14:0.8.3-9.RHEL4 - base
 Install: libpcap.x86_64 14:0.8.3-10.RHEL4 - update
 Install: tcpdump.i386 14:3.8.2-10.RHEL4 - update
 Install: tcpdump.x86_64 14:3.8.2-10.RHEL4 - update

Performing the following to resolve dependencies:
 Install: ethereal.x86_64 0:0.10.11-1.EL4.1 - base
Total download size: 7.6 M
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: libpcap 100 % done 1/7
Installing: ethereal 100 % done 2/7
Installing: libpcap 100 % done 3/7
Installing: tcpdump 100 % done 4/7
Installing: arpwatch 100 % done 5/7
Installing: ethereal-gnome 100 % done 6/7
Installing: tcpdump 100 % done 7/7

Installed: arpwatch.x86_64 14:2.1a13-10.RHEL4 ethereal-gnome.x86_64 0:0.10.11-1.EL4.1 libpcap.i386 14:0.8.3-9.RHEL4 libpcap.x86_64 14:0.8.3-10.RHEL4 tcpdump.i386 14:3.8.2-10.RHEL4 tcpdump.x86_64 14:3.8.2-10.RHEL4
Dependency Installed: ethereal.x86_64 0:0.10.11-1.EL4.1
Complete!
[root@vauxhallx ~]# tcpdump -s 1514 -w foo.pcap
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes


10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@vauxhallx ~]# tcpdump -r foo.pcap
reading from file foo.pcap, link-type EN10MB (Ethernet)
12:03:12.069506 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 438264354:438264402(48) ack 562433326 win 13056
12:03:12.069938 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 48 win 16608
12:03:12.069965 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 48:160(112) ack 1 win 13056
12:03:12.088801 IP zzz.bris.ac.uk.hsrp > ALL-ROUTERS.MCAST.NET.hsrp: HSRPv0-hello 20: state=active group=0 addr=zzz.bris.ac.uk
12:03:12.188619 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 160 win 16496
12:03:13.076233 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: P 1:81(80) ack 160 win 16496
12:03:13.076328 IP xxx.xxx.xxx.aaa.ssh > yyy.bris.ac.uk.3241: P 160:208(48) ack 81 win 13056
12:03:13.194539 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: . ack 208 win 16448
12:03:13.337582 802.1d config 800a.00:14:69:ZZ:ZZ:ZZ.8004 root 600a.00:12:01:XX:XX:XX pathcost 4 age 1 max 14 hello 2 fdelay 10
12:03:13.564950 IP yyy.bris.ac.uk.3241 > xxx.xxx.xxx.aaa.ssh: P 81:161(80) ack 208 win 16448
[root@vauxhallx ~]# tethereal -r foo.pcap
1 0.000000 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=48
2 0.000432 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=0 Ack=48 Win=16608 Len=0
3 0.000459 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=112
4 0.019295 xxx.xxx.xxx.251 -> 224.0.0.2 HSRP Hello (state Active)
5 0.119113 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=0 Ack=160 Win=16496 Len=0
6 1.006727 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa SSH Encrypted request packet len=80
7 1.006822 xxx.xxx.xxx.aaa -> xxx.xxx.xxx.bbb SSH Encrypted response packet len=48
8 1.125033 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa TCP 3241 > ssh [ACK] Seq=80 Ack=208 Win=16448 Len=0
9 1.268076 00:14:69:YY:YY:YY -> Spanning-tree-(for-bridges)_00 STP Conf. Root = 24586/00:12:01:XX:XX:XX Cost = 4 Port = 0x8004
10 1.495444 xxx.xxx.xxx.bbb -> xxx.xxx.xxx.aaa SSH Encrypted request packet len=80


Anyone got any tips or patches?

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
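The symptom in the post (tethereal rejecting foo.pcap because a record header claims a 262152-byte packet) is something a defender can reproduce independently of any capture tool by walking the savefile's record headers and checking each one against the snaplen in the global header. The checker below is an added example, not code from the original post or from libpcap; the two pcap images it inspects are constructed in memory, and the corrupt one reuses the length value quoted in the error message.

```python
import struct

PCAP_MAX = 65535  # the per-packet ceiling tethereal enforced in the error above


def build_pcap(records, snaplen=1514):
    """Assemble a little-endian pcap savefile in memory (constructed sample data)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for ts_sec, ts_usec, incl_len, payload in records:
        # incl_len is taken verbatim so a caller can forge an inconsistent header
        out += struct.pack("<IIII", ts_sec, ts_usec, incl_len, len(payload)) + payload
    return bytes(out)


def check_pcap(data):
    """Validate every record header; return (records_ok, list_of_problems)."""
    if len(data) < 24:
        return 0, ["file shorter than the 24-byte global header"]
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        end = ">"          # file written big-endian
    else:
        return 0, ["unrecognised magic 0x%08x" % magic]
    snaplen = struct.unpack(end + "I", data[16:20])[0]
    limit = min(snaplen, PCAP_MAX)
    ok, off, problems = 0, 24, []
    while off < len(data):
        if len(data) - off < 16:
            problems.append("offset %d: truncated record header" % off)
            break
        _, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        if incl_len > limit:
            problems.append("offset %d: File has %d-byte packet, bigger than maximum of %d"
                            % (off, incl_len, limit))
            break  # every later offset depends on this length, so stop here
        if incl_len > orig_len or ts_usec > 999999:
            problems.append("offset %d: inconsistent header fields" % off)
        if off + 16 + incl_len > len(data):
            problems.append("offset %d: record runs past end of file" % off)
            break
        ok += 1
        off += 16 + incl_len
    return ok, problems


FRAME = bytes(60)  # constructed 60-byte Ethernet frame stand-in
GOOD = build_pcap([(1122375482, 182, 60, FRAME), (1122375483, 62, 60, FRAME)])
BAD = build_pcap([(1122375482, 182, 60, FRAME), (1122375482, 60, 262152, FRAME)])
```

Running `check_pcap` over a capture from the suspect libpcap build and over one from the distribution build shows at which record the file first stops making sense, which narrows the fault to the writer rather than the reader.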