Wireshark-dev: Re: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release and requestfor feedb

From: Sébastien Tandel <sebastien@xxxxxxxxx>
Date: Mon, 27 Apr 2009 14:28:54 -0300
   SniffJoke has a nice/interesting characteristic : It is *only* used by the sender *not* by the receiver. 

   SniffJoke, thanks to some tricks - which *does not* have impact on the receiver's TCP/IP stack (for all OSes?) -, is able fool sniffers and some others network tools.

   I would expect wireshark seeing the traffic as the OS is able to see it ... IOW, if receiver's OS is able to re-assemble correctly the traffic, wireshark should be able to do so too. Therefore, I would consider this as a bug in wireshark since OSes (all?) would be able to reassemble the traffic without any problem. (Although the next question would be : who will spend time to analyze SniffJoke tricks and fixes the TCP dissector?)

   Also, I'm not convinced people will think that wireshark would consider it as a cracking tool since the receiver's OS is considering this SniffJoke's traffic as valid ...


Regards,
Sebastien

On Mon, Apr 27, 2009 at 11:45, Sake Blok <sake@xxxxxxxxxx> wrote:
As the purpose of Wireshark is to display network traffic to analyse
problems, I see no use in competing in a race to cloak and uncloak traffic
with Sniffjoke. That would put Wireshark in the list of cracking tools which
might have a negative effect on the places where it is allowed to be used.
So I would not consider this a bug and I would *not* consider being able to
reassemble Sniffloke traffic a feature to implement.

Just my $0.02


Sake

----- Original Message -----
From: "Joerg Mayer" <jmayer@xxxxxxxxx>
To: <wireshark-dev@xxxxxxxxxxxxx>
Sent: Monday, April 27, 2009 3:53 PM
Subject: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release and
requestfor feedback (forw)


> Should it be considered a bug if WS can be fooled by a tool like Sniffjoke
> to incorrectly reassemble a TCP stream?
> The webpage has two sample traces that seem to be handeled incorrectly by
> HEAD indeed.
>
> Ciao
>   Joerg
> ----- Forwarded message from vecna <vecna@xxxxxxxxxx> -----
>
> Delivered-To: jmayer@xxxxxxxxxxxxxxxxxxxxxxxxx
> Delivered-To: full-disclosure@xxxxxxxxxxxxxxxxx
> Date: Wed, 15 Apr 2009 09:27:39 +0200
> From: vecna <vecna@xxxxxxxxxx>
> Organization: SALVIA & MENTA, azione TOTALE, aiuta a prevenire placca,
> carie
> e disturbi gengivali.
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [Full-disclosure] SniffJoke 0.3 release and request for feedback
> Errors-To: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>
> Some days ago I've relased this:
>
> SniffJoke is a "connection scrambler" for Linux with the purpose of
> preventing packet sniffers from reassemble network sessions of the user.
> The "sniffer evasion" technology is well known since almost 10 years.
> SniffJoke implements the most efficents techniques. Using a local fake
> tunnel it is able to manage outgoing and ingoing packets without
> disturbing the kernel. With the local web interface the user can easily
> start/stop and configure SniffJoke. At the moment, Wireshark, the most
> famous packet analyzer, is unable to correctly reconstruct TCP flow
> mangled by SniffJoke. I would like to update the list of victim
> sniffers, so please send me a report if you test SniffJoke with other
> network protocol analyzers.
>
> http://www.delirandom.net/20090402/sniffjoke-03/
> http://www.delirandom.net/sniffjoke/
>
>
> Any comments appreciate
>
> Regards,
> vecna
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> ----- End forwarded message -----
>
> --
> Joerg Mayer                                           <jmayer@xxxxxxxxx>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe