Wireshark, a tool recognized universally as being one of the best network analyzers available, has long been used by legitimate network professionals as well as a shadier crowd (and everywhere in between). While useful for analyzing both wired and Wi-Fi traffic, monitoring 802.15.4 protocols (such as Zigbee) have not been a common use in the past. [Akiba] of FreakLabs has brought us a solution which works around the normal limitations of Wireshark’s libpcap base, which does not accept simple serial input from most homebrew setups that use FTDI or Arduinos to connect to Zigbee devices. Using named pipes and a few custom scripts, [Akiba] has been able to coax Wireshark into accepting input from one of FreakLabs Freakduino boards.

While there are certainly professional wireless analyzing tools out there that connect directly into Wireshark, we at Hackaday love showing off anyone who takes the difficult, cheap, out of the way method of doing things over the neat, expensive, commercial method any day.

Everyone’s favorite packet sniffer has a new stable release. Wireshark 1.2.0 has a slew of new features. They’ve included a 64-bit Windows installer and improved their OSX support. A number of new protocols are recognized and filter selection autocompletes. One of the more interesting additions is the combined GeoIP and OpenStreetMap lookups. We’re excited about this new release as Wireshark has proven an indispensable tool in the past for figure out exactly what was going on on our network.

[via Lifehacker]

Our own [Anthony Lineberry] has written up his experience participating in the 2008 Malware Challenge as part of his work for Flexilis. The contest involved taking a piece of provided malware, doing a thorough analysis of its behavior, and reporting the results. This wasn’t just to test the chops of the researchers, but also to demonstrate to network/system administrators how they could get into malware analysis themselves.

[Anthony] gives a good overview of how he created his entry (a more detailed PDF is here). First, he unpacked the malware using Ollydbg. Packers are used to obfuscate the actual malware code so that it’s harder for antivirus to pick it up. After taking a good look at the assembly, he executed the code. He used Wireshark to monitor the network traffic and determine what URL the malware was trying to reach. He changed the hostname to point at an IRC server he controlled. Eventually he would be able to issue botnet control commands directly to the malware. We look forward to seeing what next year’s contest will bring.

Making a passive network tap can be an easy and inexpensive undertaking as shown in this Instructable. Passive monitoring or port mirroring is needed because most networks use switches which isolate the network traffic and this does not allow for the entire network to be monitored.  This example uses a single tap, using multiple taps will provide access to the full-duplex data separately. By using two taps you are able to monitor inbound data that is passed through one tap, and outbound data that is passed through the other tap.  Separate taps are desired because most sniffer software handles half-duplex traffic only and requires two network cards for full-duplex.

It is easy to insert a passive Ethernet tap inline, as shown in the picture above from a different multitap project,  simply plug the incoming line into a host port and a patch cable from the other host port to the outgoing port, then verify your connection status. Now connect the Ethernet port of your sniffer computer into either of the tap connectors on the passive Ethernet tap. This tap works by using sniffer applications that put your Ethernet card into promiscuous mode.  This allows you to monitor all traffic on the network not just the traffic directed to your network adapter. After you install your favorite sniffer program, such as Wireshark, Snort, TCPDump, WinDump, or Ettercap to name a few,  you are then able to monitor all traffic any way you see fit, like looking for passwords in the video below.

[photo: nrkbeta]