Coding using libnids library
danathane
05-06-2008, 05:36 AM
In order to have something better, I will try to modify Mailsnarf and MSGsnarf.
I will use libpcap and libnids, but there are just two websites on how to use libnids. So if you have ever used libnids, or if you know some websites, I will take them :D
danathane
05-16-2008, 09:15 AM
Ok, some news!!
My mailsnarf problem seems to be a problem in a libnids function in tcp.c.
So in libnids, my computer's IP and the IP in the pcap might be compared. If they don't match: bye bye, and mailsnarf does nothing.
So I will need some help to find where the IPs are compared in the function process_tcp() of libnids.
This could be interesting for all of us, because at the end we could make a tutorial to explain the goal of the libnet functions.
So will you help me please?
danathane
05-22-2008, 08:14 AM
Some news:
- I have tried to extract mails from an old pcap on the PC I used for the capture: doesn't work
- mailsnarf -pp pcap file on a recent capture (less than 5 minutes) on the computer I made the capture on: OK
This same capture on another computer at the same time: failed
- msgsnarf: same results.
Libnids and libnet: OK, no problem in the code.
Any ideas please?
danathane
05-26-2008, 04:35 AM
For those who might be interested in mailsnarf.
The problem is a SYNC problem I think.
Do you know if there is any patch for that? Thanks
=Tron=
05-26-2008, 07:06 AM
I would, purely out of curiosity, like to know in what way you are trying to modify msgsnarf and mailsnarf? I have used both programs successfully and feel like they already fulfil their purpose.
The only issues I have noticed using them occur when replaying a cap file at too high a rate, which makes it hard for them to pick up any info from the file. And used together with Ettercap they support live extraction of messages quite solidly as well.
danathane
05-26-2008, 09:01 AM
Did you try to use them with a pcap file that you recorded on another computer?
I tried, and it doesn't work for me. I tried to replay at normal speed, I tried everything, but nothing made it work.
Do you use BT2 or 3?
Could you copy here all the commands you wrote to make the mailsnarf capture and the versions of the packages you used, please.
I think I have tried all the possibilities without any luck, so if you made it work, I am interested in your way of making it work.
Thanks
=Tron=
05-26-2008, 11:45 AM
No I have never tried it with a file captured on another computer, nor do I think I ever will. However that should not matter in any way as long as the file is properly captured and has not become corrupt. Are you absolutely sure that there is any relevant info in the file for mailsnarf and msgsnarf to filter out for you?
The following commands work perfectly for me using a file captured with: tcpdump -i eth1 -s 0 -w /tmp/testfile
Which is naturally done while properly connected to the network I am capturing on. In case you use a file sniffed with airodump-ng over wireless you will have to run it through airdecap-ng first to be able to replay it using:
tcpreplay /tmp/testfile -i lo -r 2
And finally I have both mailsnarf and msgsnarf running using:
msgsnarf -i lo
mailsnarf -i lo
And I am currently using BT3b.
danathane
05-27-2008, 04:34 AM
Ok, I will test that as soon as possible. But could you try with a pcap file you have taken on another PC, if it is possible for you. I really don't know if you can have the same problem or not. If you don't have this problem, it will mean that I have a problem with my hardware.
Thanks for your help Tron!
Update: I have tried again following your example, and it doesn't work. Did you install libnids on your BT?
=Tron=
05-27-2008, 07:16 AM
If my memory serves me right I have successfully used a cap (virtually the same as a pcap file, just with a different extension) together with msgsnarf. This is naturally after running it through airdecap-ng first to strip the headers (and decode WEP packets in case WEP encryption is used on the network). I do not believe that I have installed libnids.
Could you state your problem a bit more clearly? Is it a problem with replaying the file, getting mail-/msgsnarf to run without errors, or does mail-/msgsnarf simply not pick up any information?
Did you try it on a file captured using the tcpdump command I posted as well? This could help you narrow down the problem to either mail-/msgsnarf or the actual capture process.
danathane
05-27-2008, 08:26 AM
Ok, so mailsnarf and msgsnarf don't pick up anything. I have tried with a Wireshark capture, but not with a tcpdump capture. The strangest thing is that urlsnarf picks up every URL in the cap file. I really don't understand why :confused:
=Tron=
06-06-2008, 08:16 AM
But could you try with a pcap file you have taken on another PC, if it is possible for you.
Well, a short update to this old thread. You might want to read up on big- vs little-endian, as this might be the reason why your pcap file captured on another computer does not work on your own. This thread might be helpful: http://forum.remote-exploit.org/showthread.php?t=14426
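As an added example (not code from this thread), a shell function that reads the 4-byte magic at the start of a capture and reports which byte order the writing host used. One caveat worth knowing: libpcap recognises both magics and byte-swaps the record headers itself when reading, so a byte-order difference alone does not normally stop a tool from reading the file.

```shell
# Added example, not code from the thread. Report the byte order of a libpcap
# capture from its magic number (the first 4 bytes of the file):
#   a1 b2 c3 d4              written by a big-endian host (microsecond timestamps)
#   d4 c3 b2 a1              written by a little-endian host
#   a1 b2 3c 4d / 4d 3c b2 a1  the same pair, with nanosecond timestamps
#   0a 0d 0d 0a              pcap-ng, which carries its own byte-order mark per section
pcap_byte_order() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable"; return 1; }
    # od prints the bytes as hex pairs; tr strips the spacing and newline
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|a1b23c4d) echo "big-endian" ;;
        d4c3b2a1|4d3cb2a1) echo "little-endian" ;;
        0a0d0d0a)          echo "pcapng" ;;
        *)                 echo "not-a-pcap"; return 1 ;;
    esac
}

# Usage on a real capture (path assumed): pcap_byte_order /tmp/testfile
```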
danathane
06-06-2008, 10:28 AM
That might be true!!!!!!
If it is...You just saved my butt :D
I'll have a look at that doc.
danathane
06-09-2008, 02:17 AM
Hey buddies!!!
Do not know if I should create a new thread but....
Do you know if it is possible to make a pcap filter with a MAC address??? I have searched, but I only found IP address filters. So if you have heard anything on it, please share with me. Thanks!!
danathane
06-09-2008, 08:04 AM
The filter type to use seems to be:
ether host xx:xx:xx:xx:xx:xx
and for the IP address:
ip host xxx.xxx.xxx.xxx
danathane
06-11-2008, 08:38 AM
Okay, I have tried msgsnarf with a filter, but it doesn't work as well as I hoped.
I have this error:
glibc double free or corruption (out): 0xb7ebc878
I have put some printfs in the code, and the problem seems to come from the nids run and some things after that.
Do you have any idea?
=Tron=
06-11-2008, 08:47 AM
Okay, I have tried a msgsnarf with a filter, but it doesn't work as well as I hoped.
Does msgsnarf output any information regarding the IP and/or MAC addresses? I can't really remember, but if it does you could simply filter out the hosts you want using the grep command. Personally I use this information to filter the output from urlsnarf, as it otherwise can be quite overwhelming.
danathane
06-11-2008, 10:01 AM
A grep?
I really can't see how you do that.
Sure it is simple, but my brain doesn't like simple things lol.
Could you post an example please?
=Tron=
06-11-2008, 10:38 AM
Let's say that you want urlsnarf to output the URLs for a specific IP, 192.168.1.2:
urlsnarf -i wlan0 | grep 192.168.1.2
If, on the other hand, you want every address visited except for a particular host, you would only need to add a -v switch to the grep command.
danathane
06-11-2008, 10:46 AM
Ok
I'm gonna try that, but not sure that it works with the -p option
Seems it doesn't work :(
Thanks for the help. I will see if I can apply a filter before using the software...
=Tron=
06-11-2008, 11:51 AM
I haven't ever used the -p option, but isn't it for reading from a pre-captured .cap file? If so you can always try to get around the problem by using tcpreplay to replay the .cap file on your lo interface instead.
But as I said earlier, I am not sure that you can use the grep command to filter out a specific host for msgsnarf. It will depend on whether msgsnarf normally outputs which host the messages are originating from.
danathane
06-12-2008, 09:02 AM
Yep, the grep option doesn't work with pcap files!
But there is always another way:
just make a new filtered pcap, which will be used by the tools :D
The -p option isn't installed by default; you have to download the sources, patch them, and reinstall the software.
It is faster for extracting data from big pcap files.
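The "ether host" / "ip host" filters posted earlier and the idea of writing a pre-filtered pcap for the *snarf tools, as one added shell example that is not code from the thread. It validates the host string before it is placed in the filter expression, so a malformed value cannot change the BPF program that tcpdump compiles; the tcpdump -r/-w usage is standard, while the msgsnarf -p option is the patched-in one the poster describes.

```shell
# Added example, not code from the thread. Return a BPF host filter for either
# a MAC address (layer 2, "ether host") or an IPv4 address (layer 3, "ip host").
# Anything that does not look like one of the two is rejected, so only a
# well-formed address ever reaches the filter expression.
bpf_host_filter() {
    host="$1"
    if printf '%s' "$host" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'; then
        echo "ether host $host"
    elif printf '%s' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "ip host $host"            # shape check only; octet range is not validated
    else
        echo "invalid host: $host" >&2
        return 1
    fi
}

# Read an existing capture and write only that host's packets to a new pcap,
# which the *snarf tools can then read instead of the full file.
filter_pcap() {
    in="$1"; out="$2"; host="$3"
    filt=$(bpf_host_filter "$host") || return 1
    tcpdump -r "$in" -w "$out" "$filt"
}

# Usage (paths and address are assumed):
#   filter_pcap big.pcap host-only.pcap 00:11:22:33:44:55
#   msgsnarf -p host-only.pcap
```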
=Tron=
06-12-2008, 09:38 AM
The -p option isn't installed by default; you have to download the sources, patch them, and reinstall the software.
I see, however I am quite happy with using tcpreplay instead as you easily can run all the dsniff/msgsnarf/urlsnarf/mailsnarf/etc tools at once on -i lo while broadcasting the pcap file.
danathane
06-12-2008, 11:31 AM
Yes, some tools need to be used combined with tcpreplay, like Driftnet and dsniff, and I will be forced to do so.
But in order to be as efficient and fast as possible, I prefer to use the -p option.
For example, I can filter a 120 MB file and extract *snarf information in 15 seconds.
The major problem with tcpreplay is that you can't run your pcap at top speed, because sometimes the *snarf tools don't keep up with the speed and you lose some information.
=Tron=
06-12-2008, 11:46 AM
The major problem with tcpreplay is that you can't run your pcap at top speed, because sometimes the *snarf tools don't keep up with the speed and you lose some information.
That is true, it takes some trial and error to lock down the maximal feasible speed.
danathane
06-13-2008, 09:45 AM
Even if it is not related to libnids development, I will ask my question here.
I am writing a little script in order to find the name of the file created by airdecap for my main program.
So here is where I am:
file_1="/root/file/pcap_capture.pcap"
path_file= pwd $file_1
decap_file= basename $file_1 .pcap
extension="-dec.pcap"
decap_file= "$path/$decap_file$extension"
echo $decap_file
The problem is that the result is:
/root/file/
pcap_capture
-dec.pcap
instead of /root/file/pcap_capture-dec.pcap
Do you have any idea? I have tried using echo -n but it doesn't initialise my vars... so???
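As an added example (not the poster's script), a shell function that builds the airdecap-ng output name the poster is after: the directory and stem are kept and "-dec" is inserted in front of the extension, so /root/file/pcap_capture.pcap becomes /root/file/pcap_capture-dec.pcap. It assumes airdecap-ng applies that same rule to any extension and appends "-dec" when there is none; the key point for the script above is that a command's output is stored with $(...), while "var= cmd" only runs cmd with var set to an empty string.

```shell
# Added example, not code from the thread. Compute the name airdecap-ng gives
# its decrypted output for a given input capture.
decap_name() {
    src="$1"
    dir=$(dirname "$src")          # "." when the path has no directory part
    base=$(basename "$src")
    case "$base" in
        *.*) ext="${base##*.}"; stem="${base%.*}" ;;   # split at the last dot
        *)   ext="";            stem="$base" ;;        # no extension at all
    esac
    if [ -n "$ext" ]; then
        printf '%s/%s-dec.%s\n' "$dir" "$stem" "$ext"
    else
        printf '%s/%s-dec\n' "$dir" "$stem"
    fi
}

# Usage in the poster's situation (paths assumed):
#   file_1=/root/file/pcap_capture.pcap
#   decap_file=$(decap_name "$file_1")      # /root/file/pcap_capture-dec.pcap
#   airdecap-ng "$file_1" && [ -f "$decap_file" ] && main_program "$decap_file"
```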