Wireshark-dev: Re: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release and requestfor feedb
From: "Tamazov, Artem" <artem.tamazov@xxxxxxxxxxx>
Date: Mon, 27 Apr 2009 13:15:39 -0500
Hello Sebastien,
 
If you consider there is a bug in wireshark, please create relevant bug in BugZilla.
Please see [http://wiki.wireshark.org/ReportingBugs] for instructions.
I believe every WS developer will appreciate that.
 
thanks,
artem//


From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Sebastien Tandel
Sent: Monday, April 27, 2009 8:29 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release and requestfor feedback (forw)

   SniffJoke has a nice/interesting characteristic : It is *only* used by the sender *not* by the receiver. 

   SniffJoke, thanks to some tricks - which *does not* have impact on the receiver's TCP/IP stack (for all OSes?) -, is able fool sniffers and some others network tools.

   I would expect wireshark seeing the traffic as the OS is able to see it ... IOW, if receiver's OS is able to re-assemble correctly the traffic, wireshark should be able to do so too. Therefore, I would consider this as a bug in wireshark since OSes (all?) would be able to reassemble the traffic without any problem. (Although the next question would be : who will spend time to analyze SniffJoke tricks and fixes the TCP dissector?)

   Also, I'm not convinced people will think that wireshark would consider it as a cracking tool since the receiver's OS is considering this SniffJoke's traffic as valid ...


Regards,
Sebastien

On Mon, Apr 27, 2009 at 11:45, Sake Blok <sake@xxxxxxxxxx> wrote:
As the purpose of Wireshark is to display network traffic to analyse
problems, I see no use in competing in a race to cloak and uncloak traffic
with Sniffjoke. That would put Wireshark in the list of cracking tools which
might have a negative effect on the places where it is allowed to be used.
So I would not consider this a bug and I would *not* consider being able to
reassemble Sniffloke traffic a feature to implement.

Just my $0.02


Sake

----- Original Message -----
From: "Joerg Mayer" <jmayer@xxxxxxxxx>
To: <wireshark-dev@xxxxxxxxxxxxx>
Sent: Monday, April 27, 2009 3:53 PM
Subject: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release and
requestfor feedback (forw)


> Should it be considered a bug if WS can be fooled by a tool like Sniffjoke
> to incorrectly reassemble a TCP stream?
> The webpage has two sample traces that seem to be handeled incorrectly by
> HEAD indeed.
>
> Ciao
>   Joerg
> ----- Forwarded message from vecna <vecna@xxxxxxxxxx> -----
>
> Delivered-To: jmayer@xxxxxxxxxxxxxxxxxxxxxxxxx
> Delivered-To: full-disclosure@xxxxxxxxxxxxxxxxx
> Date: Wed, 15 Apr 2009 09:27:39 +0200
> From: vecna <vecna@xxxxxxxxxx>
> Organization: SALVIA & MENTA, azione TOTALE, aiuta a prevenire placca,
> carie
> e disturbi gengivali.
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] SniffJoke 0.3 release and request for feedback
> Errors-To: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>
> Some days ago I've relased this:
>
> SniffJoke is a "connection scrambler" for Linux with the purpose of
> preventing packet sniffers from reassemble network sessions of the user.
> The "sniffer evasion" technology is well known since almost 10 years.
> SniffJoke implements the most efficents techniques. Using a local fake
> tunnel it is able to manage outgoing and ingoing packets without
> disturbing the kernel. With the local web interface the user can easily
> start/stop and configure SniffJoke. At the moment, Wireshark, the most
> famous packet analyzer, is unable to correctly reconstruct TCP flow
> mangled by SniffJoke. I would like to update the list of victim
> sniffers, so please send me a report if you test SniffJoke with other
> network protocol analyzers.
>
> http://www.delirandom.net/20090402/sniffjoke-03/
> http://www.delirandom.net/sniffjoke/
>
>
> Any comments appreciate
>
> Regards,
> vecna
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> ----- End forwarded message -----
>
> --
> Joerg Mayer                                           <jmayer@xxxxxxxxx>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


============================================================
The information contained in this message may be privileged
and confidential and protected from disclosure. If the reader
of this message is not the intended recipient, or an employee
or agent responsible for delivering this message to the
intended recipient, you are hereby notified that any reproduction,
dissemination or distribution of this communication is strictly
prohibited. If you have received this communication in error,
please notify us immediately by replying to the message and
deleting it from your computer. Thank you. Tellabs
============================================================