Wireless Hacks. 1917 Industrial-Strength Tips and Tools [Electronic resources] - text version


Rob Flickenger











Hack 35 EtherPEG and DriftNet


Get a compelling visual representation of what
people are looking at on your network.

While tools like tcpdump [Hack #37], Ethereal [Hack #38], and ngrep
[Hack #41] give you detailed
information about what people are doing on your network, the
information they provide just isn't interesting to
most people. They might understand that their wireless data is
vulnerable to eavesdroppers, but somehow they still have an attitude
of "it's hard to do, so it
won't happen to me."

For some reason, this attitude is quickly cured when people are shown
the following tools. While they are really simple utilities, I think
of them as being as revolutionary to network monitoring as the Mosaic browser
was to the Internet. Rather than make logs for later analysis, they
simply show you what people are looking at online, in real time.


EtherPEG



EtherPEG (http://www.etherpeg.org/) is
a very clever hack for OS X that combines all of the modern
conveniences of a packet sniffer with the good old-fashioned
friendliness of a graphics-rendering library. It watches the local
network for traffic, reassembles out-of-order TCP streams, and scans
the results for data that looks like a GIF or JPEG. It then simply
displays that data in a random fashion in a large window. As you can
see in Figure 3-33, it's sort of a
real-time meta-browser that dynamically builds a view of other
people's browsers, built up as other people look
around online.


Figure 3-33. EtherPEG in action.



EtherPEG is decidedly not a commercial app designed for extensive
eavesdropping. It is a simple but effective hack that
indiscriminately shows all image data that it can assemble. It makes
no attempt to display where the images have been downloaded from, or
who requested them. It doesn't even save a local
copy for later perusal; once you quit the app, all collected data is
lost.

The source code is freely available, and compiles easily with a
simple make from the Terminal window. If you are looking for a
similar (and even more functional) application that will run on an OS
other than OS X, read on.


DriftNet


Inspired by EtherPEG, DriftNet
(http://www.ex-parrot.com/~chris/driftnet/) is
an image grabber for X11. In addition to decoding image files from
sniffed network data, it has a couple of other nifty features. It can
save all decoded images for later processing (say, by a screensaver
app), and has experimental support for decoding an MPEG audio stream.

As you can see in Figure 3-34,
DriftNet's interface is just as simple as EtherPEG's.
You can click on individual images to save them to disk, or if you
want to save all grabbed images, start up
driftnet with the -a switch.
This starts DriftNet in adjunct mode, which
doesn't open a window, but simply saves all image
data to a temporary directory (which can also be specified with the
-d switch). Other applications can then use this
ever-growing collection of images as a data source for their own ends.


Figure 3-34. DriftNet decoding image data.



DriftNet has received a surprising amount of bad press as being the
worst sort of "spyware" utility,
and is sometimes billed as usable only for invading other
people's privacy. On the contrary, I think that
tools like this are tremendously useful. Not only can a systems
administrator use such a tool to discourage inappropriate use of a
corporate network (by simply leaving it running on a monitor in a
public place), it can provide an amazing insight into the mood of a
crowd of wireless users. What better way to find out what is going on
in the minds of wireless users than to see what they are looking at
on their screens? (For the results of one of my experiments in
sampling the group subconscious, see my original weblog on the
subject at http://www.oreillynet.com/pub/wlg/1414.) If
nothing else, tools such as DriftNet and EtherPEG help to remind
people of the importance of good wireless security practices, and of
the use of discretion when using wireless networks in general.

This sort of
eavesdropping is only possible because people use insecure protocols
and unknowingly broadcast their network traffic in the clear for all
to hear. If you are using strong application layer encryption
(as described extensively in Chapter 7), this sort
of tool is completely useless. If you are concerned about privacy,
you should encourage your friends to use freely available encryption
tools to protect yourself from wireless voyeurs.
I've found that few things encourage them so
effectively as running DriftNet or EtherPEG to show them what they
themselves are looking at.
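
The signature scan described under EtherPEG, and the point above that encryption defeats it, can be checked against streams reassembled from your own capture. This is an added example, not code from the book or from EtherPEG or DriftNet; the function names, flow labels, and sample byte strings are constructed for illustration.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker followed by the next marker's 0xFF
JPEG_EOI = b"\xff\xd9"       # end-of-image marker
GIF_MAGIC = (b"GIF87a", b"GIF89a")

def looks_like_tls(stream):
    """True if the bytes begin with a TLS record header: content type, then version 3.x."""
    return len(stream) >= 5 and stream[0] in (20, 21, 22, 23) and stream[1] == 3

def find_images(stream):
    """Return (kind, offset, detail) for every image signature readable in the stream."""
    hits = []
    pos = stream.find(JPEG_SOI)
    while pos != -1:
        end = stream.find(JPEG_EOI, pos + 3)
        if end == -1:
            break                                   # truncated: no complete image
        hits.append(("jpeg", pos, f"{end + 2 - pos} bytes"))
        pos = stream.find(JPEG_SOI, end + 2)
    for magic in GIF_MAGIC:
        pos = stream.find(magic)
        while pos != -1 and pos + 10 <= len(stream):
            # Logical screen descriptor: little-endian width and height after the magic.
            width, height = struct.unpack_from("<HH", stream, pos + 6)
            hits.append(("gif", pos, f"{width}x{height}"))
            pos = stream.find(magic, pos + 6)
    return sorted(hits, key=lambda h: h[1])

def audit(flows):
    """Map each flow name to a verdict the network owner can act on."""
    report = {}
    for name, stream in flows.items():
        images = find_images(stream)
        if images:
            report[name] = ("exposed", images)
        elif looks_like_tls(stream):
            report[name] = ("encrypted", [])
        else:
            report[name] = ("no images seen", [])
    return report

# Constructed sample streams (not real captures): two cleartext HTTP responses, one TLS record.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 20 + b"\xff\xd9"
FAKE_GIF = b"GIF89a" + struct.pack("<HH", 120, 60) + b"\x00" * 8 + b"\x3b"
SAMPLE_FLOWS = {
    "10.0.0.5:80 http": b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n" + FAKE_JPEG,
    "10.0.0.6:80 http": b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n" + FAKE_GIF,
    "10.0.0.7:443 tls": b"\x17\x03\x03\x00\x20" + bytes(range(32)),
}
```

The SOI/EOI pairing is a heuristic (an embedded thumbnail ends the match early), which is enough to decide whether a flow leaks image content at all.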

