Security Basics mailing list archives
Re: covert channel
From: "Deian Stefan" <deianstefan () gmail com>
Date: Tue, 2 Jan 2007 22:27:02 -0500
Try adding -x or -X to actually print the packet.

On 1/2/07, urandom character special device <urandomdev () gmail com> wrote:

Hi

With "ping" I send the HEX value "FFE". When I run tcpdump I don't see the HEX value (snap-length is the whole packet).

# ping -c 1 -p FFE 192.168.111.111
PATTERN: 0xff0e
PING 192.168.111.111 (192.168.111.111) 56(84) bytes of data.
64 bytes from 192.168.111.111: icmp_seq=1 ttl=64 time=0.646 ms

--- 192.168.111.111 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.646/0.646/0.646/0.000 ms

# tcpdump -s0 -i eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:21:11.448937 IP 192.168.111.115 > 192.168.111.111: ICMP echo request, id 12826, seq 1, length 64
20:21:11.449555 IP 192.168.111.111 > 192.168.111.115: ICMP echo reply, id 12826, seq 1, length 64
--
Deian Stefan
PGP public key: http://www.ee.cooper.edu/~stefan/gmail_pub.key
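Added example, not part of the original thread: once tcpdump is run with -x, the hex rows can be read back to recover the ICMP data area and report a repeating pad such as the ff0e pattern in the quoted ping. The function names, the 8-byte timestamp length ahead of the pad, and the sample dump (built in code, not a real capture) are assumptions.

```python
import re
import struct

def sample_dump():
    """Constructed `tcpdump -x`-style dump of one echo request (not a real capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 84, 0, 0x4000, 64, 1, 0,
                     bytes([192, 168, 111, 115]), bytes([192, 168, 111, 111]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 12826, 1)   # type 8 = echo request
    # Made-up 8-byte timestamp followed by the pad bytes; checksums left at 0.
    data = b"\x47\x1a\x9b\x45\xa9\xd9\x06\x00" + b"\xff\x0e" * 24
    pkt = ip + icmp + data
    lines = ["20:21:11.448937 IP 192.168.111.115 > 192.168.111.111: "
             "ICMP echo request, id 12826, seq 1, length 64"]
    for off in range(0, len(pkt), 16):
        row = pkt[off:off + 16].hex()
        groups = " ".join(row[i:i + 4] for i in range(0, len(row), 4))
        lines.append(f"\t0x{off:04x}:  {groups}")
    return "\n".join(lines)

HEX_ROW = re.compile(r"^\s*0x[0-9a-f]{4}:\s+(.*)$")

def parse_hex_dump(text):
    """Collect packet bytes from the hex rows, ignoring an ASCII column (-X)."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_ROW.match(line)
        if m:
            out += bytes.fromhex(m.group(1).split("  ")[0].replace(" ", ""))
    return bytes(out)

def icmp_echo_data(pkt):
    """Return the data area of an IPv4 ICMP echo request/reply, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 1 or pkt[ihl] not in (0, 8):
        return None
    return pkt[ihl + 8:]

def fill_pattern(data, ts_len=8, max_period=16):
    """Shortest repeating pad (up to 16 bytes) after the timestamp, or None."""
    body = data[ts_len:]
    for period in range(1, max_period + 1):
        if len(body) >= 2 * period and all(
                body[i] == body[i % period] for i in range(len(body))):
            return body[:period]
    return None

if __name__ == "__main__":
    data = icmp_echo_data(parse_hex_dump(sample_dump()))
    print(fill_pattern(data).hex())
```

A payload of incrementing bytes has no short repeating period, so fill_pattern returns None for it; a non-None result is what distinguishes a user-supplied pad.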