Penetration Testing mailing list archives

RE: Dsniff'ng wireless networks


From: "Matthew Jach" <jach () berbee com>
Date: Tue, 10 Jul 2001 11:50:25 -0500

Ok - so this is a little off topic but I just thought I'd throw it out
there.  It's an old discussion we've had before regarding using dsniff on
saved pcap files...

<snip>
Well, it was much easier than I thought. Sometimes it is useful
to be able to apply the lovely methods available in dsniff to
a saved pcap file.

Since dsniff uses libnids for all its sniffing needs, and libnids
uses libpcap, building dsniff with a slightly altered libnids will
allow dsniff to specify a file instead of an interface.

The diff in libnids is simply:

src/libnids.c:

<   if ((desc = pcap_open_live(device, 16384, nids_params.promisc!=0, 1024,
nids_errbuf)) == NULL)
---
  if ((desc = pcap_open_offline(device, nids_errbuf)) == NULL)
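
Review bot: the swap of pcap_open_live for pcap_open_offline in src/libnids.c is unconditional, so a dsniff linked against this libnids can only read saved files, and the nids_params.promisc setting passed on the removed line no longer has any effect. Choose between the two calls explicitly, for example from a separate filename parameter rather than by reinterpreting device, and keep pcap_open_live as the default path. As posted, the replacement line also lacks the ">" marker and the hunk has no line-number header, so it will not apply with patch and has to be made by hand.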

Then relink dsniff to this modified libnids. There are cooler ways
to solve this including having libnids check for whether device
is a filename or interface which I will do shortly.

So now, the -i argument is treated as a file.

As an example, here from a log box:

dsniff.file -n -i /log1/log010403.1013
dsniff.file: listening on /log1/log010403.1013
04/03/01 10:59:53 udp 192.168.0.1.49156 -> x.x.x.x.161 (snmp)
[version 1]
(obscured)

04/03/01 11:00:22 tcp 192.168.0.1.1280 -> x.x.x.x.80 (http)
GET /foo/ HTTP/1.0
Host: foo.bar.net
(obscured)

Makes a real nice harvesting program should you have pcap files
lying around.
<snip - eol>

