Friday, August 03, 2007

Packet Sniffing

I mentioned in my previous post that I've been collecting data for a couple of our vendors to help fix some bugs discovered by our field. One of the problems concerns FTP PASV mode, so the vendor wanted packet traces of the failed and successful connections.

I used Wireshark on my MacBook Pro to get the traces. Unfortunately for my purposes today, traces from one of the FTP servers I was connecting to contained a password that I did not want to disclose (FTP sends passwords in plain text, which is why SFTP or SCP are better options when available).

So, to sanitize the TCPDUMP file before shipping it off to $VENDOR, I used the command line tool editcap to delete the packet containing my password from it. Unfortunately, the binary version of Wireshark I installed on my Mac didn't include editcap.

Parallels to the rescue. I fired up my CentOS 5 virtual machine, installed the complete Wireshark package via "yum install wireshark," and was then able to run:

# editcap foo.pcap sanitized.pcap 10

This took the capture file called foo.pcap, stripped out the 10th packet (which contained my password) and then created a new file called sanitized.pcap.
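An added example, not from the original post: a small Python script that does the same job as editcap here, but can also pick the packet by content rather than by number, so an FTP PASS command is dropped wherever it sits in the capture. It assumes a classic little-endian pcap (not pcapng) with Ethernet/IPv4/TCP frames; the sample capture is constructed inline.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # classic little-endian libpcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def tcp_payload(frame):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                      # not IPv4, or IP protocol is not TCP (6)
    tcp = 14 + (frame[14] & 0x0F) * 4    # Ethernet header + IPv4 header (IHL in 32-bit words)
    if len(frame) < tcp + 20:
        return None
    return frame[tcp + (frame[tcp + 12] >> 4) * 4:]   # skip TCP header (data offset in words)

def is_ftp_password(n, frame):
    """True when packet n carries an FTP PASS command, i.e. the client's cleartext password."""
    payload = tcp_payload(frame)
    return payload is not None and payload[:5].upper() == b"PASS "

def sanitize_pcap(data, drop=is_ftp_password):
    """Copy a pcap, omitting every packet for which drop(n, frame) is true; returns (bytes, removed)."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap files are handled here")
    out, pos, n, dropped = bytearray(data[:GLOBAL_HDR.size]), GLOBAL_HDR.size, 0, 0
    while pos + PKT_HDR.size <= len(data):
        _, _, incl_len, _ = PKT_HDR.unpack_from(data, pos)
        end, n = pos + PKT_HDR.size + incl_len, n + 1   # n is the 1-based packet number
        if drop(n, data[pos + PKT_HDR.size:end]):
            dropped += 1
        else:
            out += data[pos:end]         # record header and frame copied unchanged
        pos = end
    return bytes(out), dropped

# Constructed sample capture: a minimal FTP control-channel exchange (dummy MACs, no checksums).
def make_frame(payload, sport=40000, dport=21):
    ip = (bytes([0x45, 0]) + struct.pack(">H", 40 + len(payload)) + b"\x00" * 4
          + bytes([64, 6]) + b"\x00\x00" + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def make_pcap(frames):
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += PKT_HDR.pack(1186150000 + i, 0, len(f), len(f)) + f
    return bytes(out)

SAMPLE_PCAP = make_pcap([make_frame(b"USER alice\r\n"), make_frame(b"PASS hunter2\r\n"),
                         make_frame(b"PASV\r\n"), make_frame(b"227 Entering Passive Mode\r\n", 21, 40000)])
```

To reproduce the editcap command above on a real file, call `sanitize_pcap(open("foo.pcap", "rb").read(), drop=lambda n, frame: n == 10)` and write the returned bytes to sanitized.pcap; the default predicate instead removes every PASS command.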

I could then safely send off the capture file.
