Bugtraq mailing list archives

Re: Analysis of "stacheldraht"


From: dittrich () CAC WASHINGTON EDU (Dave Dittrich)
Date: Fri, 31 Dec 1999 15:37:24 -0800


On Fri, 31 Dec 1999, Jordan Ritter wrote:

# Programs like "ngrep" do not process ICMP packets, so you will not as
# easily (at this point in time) be able to watch for strings in the data
# portion of the ICMP packets (except using the patches to tcpshow from
# Appendix C and patches to sniffit provided in the analysis of TFN).

The latest version of ngrep (1.35) does in fact match ICMP, and has been out
for some time now.

Jordan,

Sweet!  I updated the analysis to use ngrep in preference to
tcpdump/tcpshow for most stuff:

        http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

ngrep is *way* more convenient to use, but I had to note that it
doesn't run on as many systems as tcpdump/tcpshow (e.g., Digital Unix
4.x) and it doesn't seem to read tcpdump files, so if you want to
capture the raw packets for later analysis (timing, flags, etc.) you
need to stick to tcpdump/tcpshow.  If only I'd sent the analysis out
*before* Christmas... ;)

--
Dave Dittrich                 Client Services
dittrich () cac washington edu   Computing & Communications
                              University of Washington

<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich () cac washington edu [PGP Key]</a>

PGP 6.5.1 key fingerprint:
FE 97 0C 57 08 43 F3 EB  49 A1 0C D0 8E 0C D0 BE  C8 38 CC B5
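The thread above is about watching for strings in the data portion of ICMP packets, which ngrep 1.35 can now do directly. As an added illustration (not code from the analysis or from ngrep), the following shows the same check done by hand on raw IPv4 datagrams: parse the IP and ICMP headers, take the ICMP data portion, and search it for a pattern. The packet builder, addresses and the marker string are constructed sample input, not the real agent strings.

```python
import re
import struct

# Constructed marker for the demo; the actual agent strings live in the
# linked analysis, not on this page.
MARKER = re.compile(rb"sample-agent-marker")


def build_icmp_echo(payload: bytes, icmp_type: int = 8) -> bytes:
    """Build a raw IPv4+ICMP datagram as constructed test input (checksums left zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def icmp_payload(packet: bytes):
    """Return (src, dst, icmp_type, data) for an IPv4 ICMP datagram, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes (options included)
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1 or len(packet) < ihl + 8:   # protocol 1 == ICMP, 8-byte ICMP header
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    icmp = packet[ihl:total_len]
    return src, dst, icmp[0], icmp[8:]      # data portion follows the ICMP header


def grep_icmp(packets, pattern=MARKER):
    """Return (src, dst, type, matched_bytes) for every ICMP datagram whose data matches."""
    hits = []
    for pkt in packets:
        parsed = icmp_payload(pkt)
        if parsed is None:                  # not IPv4 ICMP: skip, as an ICMP-only filter would
            continue
        src, dst, icmp_type, data = parsed
        match = pattern.search(data)
        if match:
            hits.append((src, dst, icmp_type, match.group(0)))
    return hits


if __name__ == "__main__":
    sample = [build_icmp_echo(b"plain ping"), build_icmp_echo(b"xx sample-agent-marker yy", 0)]
    for hit in grep_icmp(sample):
        print(hit)
```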


