Coding using libnids library
in order to have something better, I will try to modify Mailsnarf and MSGsnarf .
I will use libpcap and libnids, but there is juste two website on how to use libnids. so if you have ever user libnids, or if you have some website, I will take them
Ok somes news!!
My mailsnarf problem seems to be tcp.c libnids function problem.
So in libnids, my computer IP and the Ip of the Pcap might be compared. If they didn't match : bye bye, and mailsnarf does nothing.
So, I will need some help to find where the IP's are compared in the function process_tcp() of libnids.
This could be intersting for all of us, because at the end, we could make a tutorail to explain the goal of libnet functions.
So will you help me please?
Some news :
- I have tryed to extract mails from an old Pcap on the pc I have used for the capture : doesn't work
- mailsnarf -pp pcap file on a recent capture (less than 5 minutes) on the computer I have made the capture : OK
This same capture on an other computer at the same time : failed
- msgsnarf : same results.
Libnids, and libnet : OK no problem on the code.
Any ideas please?
For thoose who moght be interested in mailsnarf.
The problem is a SYNCH problem I think.
Do you know if their is any patch for that? thx
I would purely out of curiosity like to know in what way you are trying to modify msgsnarf and mailsnarf? I have used both programs successfully and feel like they do fulfil their purpose already.
The only issues I have noticed using them occurs when replaying a cap file at a too high rate, which makes it hard for them to pick up any info from the file. And used together with Ettercap they support live extraction of messages quite solidly aswell.
Did you try to use them with a pcap file that you have record on an other comptuer?
I tyred, nad it doesn't work for me. I tryed to replay at the normal speed, I tryed all but nothing make it worked.
Do you use BT2 or 3?
Could you copy here all the commande you have write to make the mailsnarf capture and the version of packages you used please.
I think I have tryed all the possibilities without any luck, so if you made it worked, I am interesting in your way to make it work.
Thanks
No I have never tried it with a file captured on another computer, nor do I think I ever will. However that should not matter in any way as long as the file is properly captured and has not become corrupt. Are you absolutely sure that there is any relevant info in the file for mailsnarf and msgsnarf to filter out for you?
The following commands work perfectly for me using a file captured with:Which is naturally done while properly connected to the network I am capturing on. In case you use a file sniffed with airodump-ng over wireless you will have to run it through airdecap-ng first to be able to replay it using:Code:tcpdump -i eth1 -s 0 -w /tmp/testfile
And finally I have both mailsnarf and msgsnarf running using:Code:tcpreplay /tmp/testfile -i lo -r 2
And I am currently using BT3b.Code:msgsnarf -i lo mailsnarf -i lo
Ok, I will test that as, soon as possible. But could try with a pcap file you have taken on an other PC, if it is possible for you. I really don't know if you can have the same problem or not. If you don't have this problem, it will means that I have a problem on my Hardware.
Thanks for your help Tron!
Update : I have tryed again following your example, and it doen't work. Did you install libnids on your BT?
If my memory serves me right I have successfully used a cap (virtually the same as a pcap file just with different extension) together with msgsnarf. This is naturally after running it trough airdecap-ng first to strip the headers (and decode WEP packets in case WEP-encryption is used on the network). I do not believe that I have installed libnids.
Could you state your problem a bit more clearly? Is it a problem with replaying the file, getting mail-/msgsnarf to run without errors or does mail-/msgsnarf simply not pick up any information?
Did you try it on a file captured using the tcpdump command I posted aswell? This could help you to narrow down the problem to either mail-/msgsnarf or the actual capture process.
Ok, so mailsnarf and msgsnarf don't pick up any thing. I have tryed with a wireshark capture, but not with a tcpdump capture. The most strange thing is that urlsanrf pick up every url in the cap file. I really don't understand why
Posting Permissions
