I tested Iris about two months ago. At the end of my testing I forwarded the following comments to the eEye representative. He concurred that the observations are reasonable as applied to the current release.

My first impression of Iris is that it has some very useful features, but I would not give it an unconditional recommendation. These are my first thoughts as compared to Etherpeek.

Pros:
- Easy to read display of captured packets.
- Does session reconstruction - doesn't show full web pages, but does show the components that make up the web pages.
- Packet editor - allows construction of hand-crafted packets that can be transmitted.
- Good graphical summary of hosts visited by each machine seen.

Cons:
- Does not have as many display options/charts.
- Does not have the detailed byte/packet/frame summary counts.
- Output format ".cap" cannot be read by EtherPeek.
- Doesn't seem to allow pause of the display while continuing to capture data.

At this point, my thought is that the two programs would complement each other but, if forced to choose, I would choose Etherpeek.

Tim
(reply-to address is bogus. Use timharat_private)

-----Original Message-----
From: Ali [mailto:amesdaqat_private]
Sent: Thursday, December 19, 2002 10:20 PM
To: forensicsat_private
Subject: RE: TCP/UDP Data Streams - Packet Reassembly

A product that I have used and can vouch for is Iris by eEye. That product has the BEST user interface I have seen on any sniffer. It also has a decode feature, so you can capture packets and decode them and view upper-layer information. For example, for HTTP you can view the HTML or XML that was transported, and it will even show you step by step what was sent back and forth. You can also edit the packet and reinject it into the network. Check out the free trial.
-----Original Message-----
From: Susan Chan Lee [mailto:susan.leeat_private]
Sent: Wednesday, December 18, 2002 8:08 AM
To: pen-testat_private; forensicsat_private; tcpdump-workersat_private
Subject: TCP/UDP Data Streams - Packet Reassembly

Anyone know where to obtain information on re-assembling TCP/UDP data streams? I mean, I have captured data using Tcpdump (i.e. raw data); how do I recombine the data into the original Word attachment (or the like)? Cannot seem to find any information anywhere on the techniques involved in this.

Thanks
Susan Chan Lee
Security Associates - Singapore

*************************************************************
Advanced Hands-On Security in the Arabic Gulf
DefensiveHacking and DefensiveForensics, Qatar January 2003
www.securityassoc.com/DefensiveCourse.pdf
*************************************************************

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
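The question Susan raises (turning raw tcpdump output back into the file that crossed the wire) is, mechanically, TCP stream reassembly: group segments by 5-tuple, order them by sequence number, discard retransmitted duplicates, and stop at any hole so that unrelated bytes are never glued together. The following is an added example written for this archive; it is not code from any poster or from eEye or WildPackets. It constructs a small libpcap-format capture inline (the addresses, ports and the HTTP response are sample values made up for the demonstration), parses Ethernet/IPv4/TCP headers with the standard library only, and rebuilds each unidirectional stream. The same logic applied to a real capture file (read its bytes instead of calling sample_capture) yields the payload that a forensic analyst would then carve for the attachment.

```python
"""Minimal TCP stream reassembly over a libpcap-format capture (added example)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1

# Constructed sample payload for the demonstration; not from any real capture.
SAMPLE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello world"


def build_packet(src, sport, dst, dport, seq, payload, flags=0x18):
    """Construct an Ethernet/IPv4/TCP frame (checksums left zero; sample data only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap raw frames in a libpcap global header plus per-record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield raw frames from pcap bytes, honouring the byte order the magic implies."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled in this example")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_tcp(frame):
    """Return (flow key, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip = frame[14:14 + total_len]            # drop any Ethernet trailer/padding
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[doff:]


def reassemble_streams(pcap_bytes):
    """Rebuild each unidirectional TCP stream by ordering segments on sequence number.

    Out-of-order and retransmitted segments are tolerated; a gap (segment missing
    from the capture) ends the stream at the hole rather than inventing bytes.
    """
    segments = defaultdict(dict)
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segments[key].setdefault(seq, payload)   # first copy wins on retransmit
    streams = {}
    for key, segs in segments.items():
        expected = min(segs)
        buf = bytearray()
        for seq in sorted(segs):
            if seq > expected:
                break                                 # hole in the capture
            chunk = segs[seq][expected - seq:]        # trim overlap with placed data
            buf += chunk
            expected += len(chunk)
        streams[key] = bytes(buf)
    return streams


def sample_capture():
    """Constructed capture: one request, and a response split into three segments
    written out of order with the first segment retransmitted."""
    req = build_packet("10.0.0.2", 40000, "10.0.0.1", 80, 5000,
                       b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")
    parts = [SAMPLE_RESPONSE[:20], SAMPLE_RESPONSE[20:35], SAMPLE_RESPONSE[35:]]
    seqs = [1000, 1020, 1035]
    resp = [build_packet("10.0.0.1", 80, "10.0.0.2", 40000, s, p) for s, p in zip(seqs, parts)]
    return build_pcap([req, resp[2], resp[0], resp[1], resp[0]])


if __name__ == "__main__":
    for flow, data in reassemble_streams(sample_capture()).items():
        print("%s:%d -> %s:%d (%d bytes)" % (flow[0], flow[1], flow[2], flow[3], len(data)))
        print(data.decode("latin-1"))
```

Only the server-to-client direction carries the attachment in the mail scenario, so the per-direction keying is deliberate: the reassembled bytes of that one stream are what a carving step (for MIME/base64 bodies or a raw HTTP response body) would then operate on. The hole-stops-stream rule matters for forensics because a capture with a dropped segment should produce a truncated file, not a silently corrupted one.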
This archive was generated by hypermail 2b30 : Sun Dec 29 2002 - 10:47:08 PST