Ok - so this is a little off topic but I just thought I'd throw it out there. It's an old discussion we've had before regarding using dsniff on saved pcap files...

<snip>

Well, it was much easier than I thought. Sometimes it is useful to be able to apply the lovely methods available in dsniff to a saved pcap file. Since dsniff uses libnids for all its sniffing needs, and libnids uses libpcap, building dsniff with a slightly altered libnids will allow dsniff to specify a file instead of an interface.

The diff in libnids is simply:

src/libnids.c:
< if ((desc = pcap_open_live(device, 16384, nids_params.promisc!=0, 1024, nids_errbuf)) == NULL)
---
> if ((desc = pcap_open_offline(device, nids_errbuf)) == NULL)

Then relink dsniff to this modified libnids. There are cooler ways to solve this, including having libnids check for whether device is a filename or interface, which I will do shortly.

So now, the -i argument is treated as a file. As an example, here from a log box:

    dsniff.file -n -i /log1/log010403.1013
    dsniff.file: listening on /log1/log010403.1013
    04/03/01 10:59:53 udp 192.168.0.1.49156 -> x.x.x.x.161 (snmp)
    [version 1]
    (obscured)

    04/03/01 11:00:22 tcp 192.168.0.1.1280 -> x.x.x.x.80 (http)
    GET /foo/ HTTP/1.0
    Host: foo.bar.net
    (obscured)

Makes a real nice harvesting program should you have pcap files lying around.

<snip - eol>

--------------------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service, which automatically alerts you to the latest security vulnerabilities, please see: https://alerts.securityfocus.com/
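Review bot: the changed condition in src/libnids.c hard-codes pcap_open_offline, so a libnids built this way can no longer open a live interface, and the snaplen (16384), nids_params.promisc and timeout (1024) arguments are silently dropped for every program linked against it. Keep the pcap_open_live call and select pcap_open_offline only when the caller asks for a file, through a separate parameter or a check on device, and document that device may then be a path.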
This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 09:58:21 PDT
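The post mentions having libnids check whether device is a filename or an interface. One way such a check could look, as an added example that is not from the post or from libnids: classify_source and write_sample are hypothetical names, and treating anything that is not a regular file as an interface name is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>

enum capture_source { SRC_INTERFACE, SRC_PCAP_FILE, SRC_OTHER_FILE };

/* Hypothetical helper: returns SRC_PCAP_FILE only for a regular file that
 * starts with a pcap magic number. Anything that is not a regular file is
 * assumed to be an interface name (so a file named like an interface in
 * the current directory would be taken for a file). */
enum capture_source classify_source(const char *device)
{
    struct stat st;
    uint32_t magic = 0;
    FILE *fp;
    size_t n;

    if (stat(device, &st) != 0 || !S_ISREG(st.st_mode))
        return SRC_INTERFACE;
    if ((fp = fopen(device, "rb")) == NULL)
        return SRC_OTHER_FILE;
    n = fread(&magic, 1, sizeof magic, fp);
    fclose(fp);
    if (n != sizeof magic)
        return SRC_OTHER_FILE;            /* too short to hold a file header */
    switch (magic) {
    case 0xa1b2c3d4u: case 0xd4c3b2a1u:   /* microsecond pcap, either byte order */
    case 0xa1b23c4du: case 0x4d3cb2a1u:   /* nanosecond pcap, either byte order */
        return SRC_PCAP_FILE;
    default:
        return SRC_OTHER_FILE;            /* a file, but not a capture: refuse it */
    }
}

/* Writes a constructed sample file so the classifier can be tried offline. */
int write_sample(const char *path, const void *buf, size_t len)
{
    FILE *fp = fopen(path, "wb");
    if (fp == NULL)
        return -1;
    size_t n = fwrite(buf, 1, len, fp);
    return (fclose(fp) == 0 && n == len) ? 0 : -1;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "interface", "pcap file", "not a capture" };
    if (argc > 1)
        printf("%s: %s\n", argv[1], names[classify_source(argv[1])]);
    return 0;
}
```

A caller would use pcap_open_offline for SRC_PCAP_FILE, pcap_open_live for SRC_INTERFACE, and report an error for SRC_OTHER_FILE instead of handing an arbitrary file to the parser.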