Ethereal-users: RE: [Ethereal-users] Portable version of Ethereal?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin" <martin.visser@xxxxxx>
Date: Mon, 14 Feb 2005 11:53:11 +1100
Just to put my two cents worth in... I think if you suspect your server
is compromised then maybe the last thing you want to do is run Ethereal on
it. If you want to do "forensics" then you either want to:

1. Capture traffic in and out of the box without touching the server at
all. That is, you would maybe want to do mirroring/monitoring from the
switch port that the server is on to a standalone packet sniffer.

2. If you want to forensically capture what is on the server at the time
you need to bring the server down as quickly as possible and perform an
image copy of any disks. (I have even heard of installing software so
you can do an immediate memory dump - much like laptop hibernation)

If the server is truly compromised and owned by an undesirable then it
is quite possible running things like ethereal will trigger evasive
actions by the cracker and not leave you with the evidence you desire.

Also I guess if you do believe that packet analysis will help you detect
anomalies (and hence compromises) then you are better off installing a
network IDS as part of your standard build. For instance, "snort" can
analyse against a rule set or heuristics in real time, and produce
appropriate alerts, logs and packet captures that are sent to a secure
server.

Martin

Martin Visser, CISSP
Network and Security Consultant 
Consulting & Integration
Technology Solutions Group - HP Services

3 Richardson Place 
North Ryde, Sydney NSW 2113, Australia 

Phone: +61-2-9022-1670    
Mobile: +61-411-254-513
Fax: +61-2-9022-1800     
E-mail: martin.visserAThp.com

This email (including any attachments) is intended only for the use of
the individual or entity named above and may contain information that is
confidential, proprietary or privileged. If you are not the intended
recipient, please notify HP immediately by return email and then delete
the email, destroy any printed copy and do not disclose or use the
information in it.



> -----Original Message-----
> From: ethereal-users-bounces@xxxxxxxxxxxx 
> [mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Jesse Millan
> Sent: Saturday, 12 February 2005 9:23 AM
> To: Ethereal user support
> Subject: Re: [Ethereal-users] Portable version of Ethereal?
> 
> 
> Thanks for the responses and sorry for the lack of info.
> 
> The CD I am creating is part of a 'suspected compromised 
> server toolkit' for Windows 2000/2003 servers. And rebooting 
> is really not an option.
> 
> The goal is to do some data collection without tampering with 
> the state of the server too much. That's why I would love a 
> way to run Ethereal from a CD and not have to install 
> software on a machine that may be compromised.
> 
> And I really was hoping to find out a way for the winpcap 
> stuff to be loaded from this CD as well.
> 
> Thanks guys.
> 
> On Feb 11, 2005, at 1:12 PM, Andrew Hood wrote:
> 
> > Jesse Millan wrote:
> >> Can anyone give me some pointers to building a completely portable 
> >> version of Ethereal? My goal is to have a CDROM that has all the 
> >> files i.e. ethereal, winpcap, etc. that is necessary to 
> run Ethereal.
> >> We do not have to install any files on the server itself.
> >> Thanks for any info.
> >
> > Is your objective to be able to run this on most hardware platforms?
> > Is rebooting the server acceptable?
> >
> > IIRC winpcap has to be installed, and depending on circumstances 
> > (phase of the moon, how much money M$ made last week, ...), needs a 
> > reboot.
> >
> > You would probably find you will need to compile for each *nix 
> > platform pointing the target at wherever the CDROM will be 
> mounted to 
> > get the shared libs to work. e.g.
> >
> > ./configure --prefix=/cdrom/linux-x86
> >
> > ./configure --prefix=/cdrom/aix-power
> >
> > --
> > There's no point in being grown up if you can't be childish 
> sometimes.
> >                 -- Dr. Who
> >
> > _______________________________________________
> > Ethereal-users mailing list
> > Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
> >
> ---
> Jesse Millan
> CNS Server Team
> Portland State University
> Phone: (503) 725-3285
> Fax: (503) 725-6487
> Mobile: (503) 453-0748
> GPG key: www.system-calls.com/gpg.php
> 
> It's not a matter of whether the war is not real, or if it 
> is, Victory is not possible. The war is not meant to be won, 
> it is meant to be continuous.
> Hierarchical society is only possible on the basis of poverty 
> and ignorance. This new version is the past and no different 
> past can ever have existed. In principle the war effort is 
> always planned to keep society on the brink of starvation. 
> The war is waged by the ruling group against its own subjects 
> and its object is not the victory over either Eurasia or East 
> Asia but to keep the very structure of society intact.
> 
> -George Orwell from his book 1984
> 
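As an added example that is not part of the thread (and not Martin's, Jesse's or the Ethereal project's code): the standalone-sniffer side of Martin's point 1 and the hash-and-verify discipline implied by his point 2, written as a POSIX shell script. It assumes a Linux or BSD sniffer host with tcpdump, dd and sha256sum (or shasum); the interface name is a placeholder, and the 1 MiB "disk" that demo_run acquires is a constructed file standing in for a real block device.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Sniffer-side capture (point 1) and hash-verified imaging (point 2).
# Assumes tcpdump, dd and sha256sum or shasum; 'eth1' is a placeholder.
set -e

# SHA-256 of one file, using coreutils sha256sum or BSD/Perl shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Append "<sha256>  <path>" to a manifest (the layout sha256sum -c reads).
record_hash() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$1" >> "$2"
}

# Point 1: run this on the standalone sniffer plugged into the switch's
# mirror/SPAN port, never on the suspect server. -n avoids DNS lookups that
# would themselves generate traffic, -s 0 keeps whole packets, -G rotates
# into a new timestamped file every hour. Not exercised by the test.
start_capture() {
    iface="$1"    # placeholder, e.g. eth1
    outdir="$2"
    mkdir -p "$outdir"
    tcpdump -i "$iface" -n -s 0 -G 3600 \
        -w "$outdir/mirror-%Y%m%d-%H%M%S.pcap"
}

# Point 2: bit-for-bit copy of a block device (or, here, any file) with dd,
# hashing source and image into the manifest. conv=noerror,sync keeps going
# past read errors but zero-pads short blocks, so source and image hashes
# only agree when the source is an exact multiple of bs. Returns non-zero
# when they differ so the operator notices.
image_disk() {
    src="$1"; img="$2"; manifest="$3"
    dd if="$src" of="$img" bs=64k conv=noerror,sync 2>/dev/null
    record_hash "$src" "$manifest"
    record_hash "$img" "$manifest"
    [ "$(sha256_of "$src")" = "$(sha256_of "$img")" ]
}

# Re-hash each manifest entry; fail on the first mismatch. Paths are
# assumed to contain no whitespace.
verify_manifest() {
    while read -r expected path; do
        [ "$(sha256_of "$path")" = "$expected" ] || {
            echo "MISMATCH: $path" >&2
            return 1
        }
    done < "$1"
}

# Stand-alone demonstration on a constructed 1 MiB "disk": image it, verify
# the manifest, then tamper with the image and confirm verification fails.
demo_run() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/disk.img" bs=4096 count=256 2>/dev/null
    image_disk "$tmp/disk.img" "$tmp/copy.img" "$tmp/manifest.txt" || return 1
    verify_manifest "$tmp/manifest.txt" || return 1
    printf 'x' >> "$tmp/copy.img"          # simulate post-acquisition tampering
    if verify_manifest "$tmp/manifest.txt" 2>/dev/null; then
        rm -rf "$tmp"; return 1            # tampering went unnoticed: bad
    fi
    rm -rf "$tmp"
}
```

On the sniffer, start_capture is the only thing that runs against the mirror port; the suspect server is never touched, which is the whole point of Martin's first option. The manifest can later be re-checked independently with `sha256sum -c manifest.txt`, and the padding caveat on conv=sync is why the source hash is recorded before the image hash rather than the image being trusted on its own.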