Re: pcap-tcp Proof of Concept hack

[Jay Fink <jay.fink () gmail com>]

All,

Per fyodor's suggestion I am attaching a patch and file for ncat to
invoke a pcap reader. Note that this is proof of concept and right now
literally just fires up a looper. I would eventually want it to
automatically filter for the port, set the device and have the option
to pass additional filter arguments and have a timed and/or polls
count. Fyodor posed a few questions which I went ahead and answered.

> Thanks Jay.  I'm not sure if this feature should be added to Ncat or
> not, but it is definitely worth sending to nmap-dev so folks can try
> it out and let you know what they think.

sending to nmap-dev in this email; all see my replies below.
> I assume you added this feature because you personally find a need for
> it?

as per the norm, pure laziness. I've had the need recently to use ncat
to troubleshoot a problem. So I had to fireup tcpdump in another
window while watching output. So basically having it as an option in
ncat (or whatever) saves me the time. I'm also thinking that ncat
could set up a few things ahead of time like automatically assign a
filter (for the port),  set the device and so forth - once again
saving me time (albeit not much) plus a few things I mentioned above.

>  In what situations do you find that a pcap save is more useful
> than the session output format Ncat already has?

when I want pcap specific data (which I might  load up into wireshark
for a replay later).
> Why is it only TCP?  Couldn't you do the same thing when Ncat is in
> UDP mode?

yes - it certainly could, since this is POC stuff I didn't want to
take it too far.

thanks,
   j

Attachment: ncat_tcp_poc.patch
Description:

Attachment: ncat_pcap_tcp.c
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org