pdump - dumps, greps, monitors, creates, and modifies traffic on a network

#pdump on SUIDnet (irc.LucidX.com [along with other servers on http://suidnet.org]) for help and other information on pdump and other perl/packet related questions/comments/etc.

Read the 'FUTURE' file for things that I want to have done in the future, and also why certain things are currently happening to pdump, such as moving modules to libs.

0.8: [12/26/00]
- Working on a set of modules called 'Packet', with David Hulton, to be used with pdump in the future for packet sniffing and creation.
- Added advancements to the ICMP library.
- Recoded a great deal of pdump. Now only one BPF is used and also only one process is used for all protocols. pdump should be at least 3 times faster now!
- Recently got the domain pdump.org.
- Added many bug fixes to the UDP and ICMP libraries.
- Added more protocols such as ARP, RARP, OSPF, RIP, RIP-2, BOOTP, Ethernet, and IGMP. Still have to implement a few directly into pdump.
- Added perl protocol parsing libraries, all ending in -decode.pl in the lib directory, to easily add new protocols.
- Added a few more variables to the 'strings' hash. See the 'strings' section in the README for more information.
- Web page (http://pdump.org) updated, and finally has some content, and even tables :)
- Removed
- Added about 500 more fingerprints for Windows, Linux, and *BSD.
- About 100 more Windows fingerprints added; thanks to Jean-Marc V. Liotier for them.
- More additions to the password sniffing library for the web sniffing, also rewritten for more efficient and quicker results.
- pdump is untraceable to programs which find remote machines in promiscuous mode, such as sentinel and antisniff.
- Fixed up both the hex and ASCII dumping a bit.
- Fixed up the password sniffing library and also fixed some bugs that were causing it to get an 'Out of memory!' error on some systems.
- Added advancements to the `install` script.
- A few changes to the install script; thanks to _insane_ for suggesting to allow the user to decide where pdump.pl gets installed.
- Changed the passive OS fingerprinting, making it a bit faster by sniffing only necessary packets.
- Fixed a bug when using -e and -g together.

0.79: [11/21/00]
- Added more fingerprints for the -a option to do better estimates on remote OS detection.
- Added hex dumping with the -x option, similar to tcpdump's -x option.
- Added ASCII/hex dumping with the -X option, similar to tcpdump's -X option. A few bugs should be fixed in it first until it's fully working correctly.
- Added napster password sniffing.
- Added some more advancements to the strings function (-e), including using -g in conjunction with the option, and, when you only want the data printed, not printing packets whose data is either whitespace or nothing at all [although it will always print a newline, so it would be creating unwanted new lines].
- The password sniffing lib is fully functional now. IRC and telnet password sniffing has been added. Hopefully that library will grow.
- Added the extras/ directory with a perl/Tk front-end to TCP packet injection with pdump::Sniff.
- Changed -x (network mapping) to -a.
- Removed -X (non-existent option, but it was in the README for some reason).
- Fixed a bug in the 'lowjack' library. This enables you to send packets with data into a live connection without disrupting it.
- Fixed a memory leak in pdump::Sniff.
- Fixed up the passwords library a bit.
- Fixed some bugs in the file swiping lib.
- Big version change... now using 2 digit decimal numbers, since a lot of the big stuff which I wanted accomplished in the beginning is finished. Hopefully there will be contributors to pdump soon, and a mailing list will be set up shortly.

0.782-2: [10/20/00]
- Big bug in the Makefile.PL was found and patched by Conrad H. Big thanks to him!

0.782: [10/19/00]
- pdump doesn't come with libpcap anymore, but the INSTALL file has a link to the current stable version.
- #pdump on SUIDnet [encrypted IRC network] is now up. You can come on encrypted or on an unencrypted connection on irc.LucidX.com. See www.suidnet.org for more information on the IRC servers.
- Hopefully code will start coming in quickly again. There was a sort of code freeze for the past month or so.
- More advanced -e option, with many examples in the README files. Also allows \n and \t support.
- Added file swiping/snarfing support, which is able to detect files going through FTP, SMB, Samba, and DCCs through IRC and is able to save them to the local machine.
- Added the -A option, which is able to send packets into an open TCP connection without disrupting that connection.
- The -x option, which does passive operating system fingerprinting/detection, is now fully functional and bugless (it requires a better table for the detection, and hopefully that will continuously be updated :) This option does the same thing as what siphon does.

0.781: [09/17/00]
- Added experimental passive operating system detection/fingerprinting.
- Added support for recognition of df (don't fragment) and tos, just as tcpdump does. It will display them just as tcpdump would.
- -J is functional now. -J is the clone of dsniff's tcpkill. It is able to 'kill' any TCP connections (all, if not specified) on the network going out or in.
- Removed -Z and made a more advanced -W.
- -p is now active/working.
- Added -x for passive network mapping.
- This version has a new option, -e. It allows the user to display the output of pdump in a format so it will display packets any way the user wants them to look. This is good if you wish to make front-ends for pdump and only want certain information from packets. Read the README for more details in the 'STRINGS' section.
- Using pdump::Sniff instead of Net::RawIP now.

0.780: [09/13/00]
- This version has a lot of bug fixes and is so far the most stable of all versions... such things as the 'Out of memory!' and perl dumping core bugs are out [not pdump's fault]!
- Added Escape.pl, my replacement of the module URI::Escape. Also removed URI::Escape from this package.
- This should have removed the MIME::Base64 dependency...
- Updated Net::RawIP 0.09b to version 0.09c. (This should have fixed the 'Out of memory!' error on some [well, all I assume] systems :)
- Renamed All.pl to Filter.pl (used with the -E option).
- Fixed some bugs in the sniffing libraries.
- Displays TCP sequence numbers with TCP packets.
- Fixed the missing window size bug when the window size of a packet is set to 0.
- Fixed the negative sequence numbers bug.
- Fixed the differences in display when using TCP.pl compared to Filter.pl.
- Removed some useless subroutines which just set variables, and now getting ready for the pdump modules (already in development). See the FUTURE file for more information.

0.779-2: [09/06/00]
- Vital updates were added which are required for some, but few, systems.
- Include TCP sequence numbers when displaying TCP packets, just as tcpdump would do.
- Modified the -g option to not display empty packets and to remove the two spaces displayed at the beginning of all packets when using the option.

0.779: [09/01/00]
- Added Color.pl, my replacement of the module Term::ANSIColor. Also removed Term::ANSIColor from this package.
- Fixed a bug in the Passwords library which was screwing up the AIM decryption when using -W.
- Added the -l option to allow you to specify the pdump directory where the library (lib/) directory resides.
- Fixed the missing ACK bit when pdump uses color.
- Now using libpcap 0.5.2 instead of 0.4.

0.778: [08/20/00]
- Fixed a few minor bugs with -c and -g.
- Added 'Omnivore', a plug-in almost identical to dsniff's mailsnarf (identical pretty much, just in different languages :), or is it *cough* Carnivore *cough*. This will sniff all email going in and out of the network you're on.
- Also changed -h a little bit.
- Added AIM password decryption and sniffing. Thanks to David Hulton for the original code and paper he did on AIM decryption.

-Samy Kamkar [CommPort5@LucidX.com]