Sep 22

Strange, quite strange: the latest release carries a smaller version number than the previous one.

As everybody knows, the last version of Sniffer Pro was 4.9; however, the newest version is 3.0.

Maybe after the acquisition the mentality of the product management people changed too. Anyway, the new software version still has many highlights that catch the eye.

Many new decoders are added in Sniffer Portable Professional 3.0:

  • VoIP – UNISTIM, Megaco-binary, updates to Cisco SCCP for version 6.0
  • Wireless – 802.11n, 802.11h, 802.11e
  • Financial – Russell Index 1000, IBM LLM, LMSD, OPRA Fast, NASDAQ UQDF, NASDAQ UTDF, NASDAQ OMDF, ARCA equity, FIX 4.0 and NSX FAST
  • Mobile – Gb over IP Stack, Blackberry RIM and Radius A12
  • Fiber Channel decodes – FCoE, FC
  • Other – 802.1ah, 802.1ad, X.25 over Ethernet
In this version a new sniffer mode is introduced:
Local/Sniffer Modes. The Sniffer Portable Analyzer family supports both Sniffer and Local mode for all topologies to accelerate troubleshooting.
  • Sniffer Mode – promiscuously monitors all traffic.
  • Local Mode – monitors only traffic to/from the local host.
New Supported Operating Systems. In addition to the previously supported Windows XP, the Sniffer Portable Analyzer family now supports:
  • Windows Server 2003 SP1 (32- or 64-bit)
  • Windows Server 2008 (32- or 64-bit)
  • Microsoft Windows Vista (32- or 64-bit)
It is very good to see these changes from the protocol analysis giant, and I noticed that the company is now investing many resources in Far East markets such as the emerging China market, launching a localized website at http://www.sniffer.net.cn
Good luck, Sniffer!
Jun 26

The crazy vendor PacketBone has released the second major version of their software.

Why call them crazy?

PacketBone is the only vendor that provides integration to embed a packet analyzer into Microsoft Windows and Office. Now, in this second release, they have extended the integration to Wireshark. Wireshark's rich set of dissectors can be used to parse packets and export the decoded information into BoneLight XLView. It is quite useful.

Another interesting point is that BoneLight 2.0 provides an IP Deduplicate feature. From experience, many multi-port captures produce duplicated packets, and some earlier SPAN settings can lead to duplication too. With those confusing duplicated packets, the analysis features in mainstream analyzers such as Sniffer, OmniPeek, Observer and Wireshark perform very poorly and identify everything as a retransmission.
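To show what such a deduplication step has to get right, here is an added example (my own code, not PacketBone's) over a constructed five-packet capture: two datagrams mirrored twice by separate SPAN ports, plus one genuine TCP retransmission that must not be dropped.

```python
import hashlib

# Constructed sample capture (not from the post): the same two datagrams were
# mirrored by two SPAN ports, so each shows up twice a few microseconds apart.
# The last packet is a genuine TCP retransmission: same segment, new IP ID,
# and it arrives 300 ms later, so it must survive deduplication.
SAMPLE_PACKETS = [
    {"ts": 1.000000, "src": "172.16.0.102", "dst": "172.16.0.106", "ip_id": 0x1A2B,
     "proto": 6, "sport": 51000, "dport": 3689, "seq": 1000, "payload": b"GET /server-info HTTP/1.1\r\n"},
    {"ts": 1.000012, "src": "172.16.0.102", "dst": "172.16.0.106", "ip_id": 0x1A2B,
     "proto": 6, "sport": 51000, "dport": 3689, "seq": 1000, "payload": b"GET /server-info HTTP/1.1\r\n"},
    {"ts": 1.004000, "src": "172.16.0.106", "dst": "172.16.0.102", "ip_id": 0x7F01,
     "proto": 6, "sport": 3689, "dport": 51000, "seq": 5000, "payload": b"HTTP/1.1 200 OK\r\n"},
    {"ts": 1.004009, "src": "172.16.0.106", "dst": "172.16.0.102", "ip_id": 0x7F01,
     "proto": 6, "sport": 3689, "dport": 51000, "seq": 5000, "payload": b"HTTP/1.1 200 OK\r\n"},
    {"ts": 1.300000, "src": "172.16.0.102", "dst": "172.16.0.106", "ip_id": 0x1A2C,
     "proto": 6, "sport": 51000, "dport": 3689, "seq": 1000, "payload": b"GET /server-info HTTP/1.1\r\n"},
]

KEY_FIELDS = ("src", "dst", "ip_id", "proto", "sport", "dport", "seq")

def packet_key(pkt):
    """Digest of the fields that identify one datagram regardless of which
    mirror port delivered it.  TTL and MAC addresses are deliberately left out:
    a packet seen before and after a router is still the same packet."""
    h = hashlib.sha256()
    for field in KEY_FIELDS:
        h.update(str(pkt[field]).encode())
        h.update(b"|")
    h.update(pkt["payload"])
    return h.digest()

def deduplicate(packets, window=0.001):
    """Drop a packet when an identical one was seen within `window` seconds.

    The IP ID already separates a mirror duplicate from a retransmission on
    most stacks; the time window is the second guard for stacks that send
    IP ID 0 with DF set, where only the gap between copies tells them apart.
    Returns (kept, dropped), both in timestamp order.
    """
    kept, dropped, last_seen = [], [], {}
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        key = packet_key(pkt)
        if key in last_seen and pkt["ts"] - last_seen[key] <= window:
            dropped.append(pkt)          # mirror copy: identical and near-simultaneous
            continue
        last_seen[key] = pkt["ts"]
        kept.append(pkt)
    return kept, dropped
```

Feeding the kept list to an analyzer removes the false retransmissions described above while the real one at 1.3 s is still reported.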

Every packet fan should give it a try; go to http://www.packetbone.com

Jul 28

If you have an iPhone, you may already have played with iTunes Remote, a tool released by Apple to remotely control Apple TV and iTunes directly from the iPhone/iPod Touch. If you haven't tried it, I suggest you go to the App Store and download it; it is free and very easy to use.

The remote control has no limit on distance; in theory, even at the office you can remotely control your home iTunes in real time. How is it implemented? Is it magic? Let's look into the actual packets.

My iPhone got the LAN address 172.16.0.102 and the iTunes PC got 172.16.0.106. When the iPhone Remote starts, it sends a Multicast DNS packet to 224.0.0.251. This is a multicast address, which means the devices and computers in the same group will hear this packet.

A computer with iTunes installed replies when it receives the multicast packet. The reply is a Multicast DNS response too, which provides information about the iTunes version and capabilities.

One of the replies indicates the service port of iTunes; by default it uses TCP port 3689. Then the iPhone happily connects to iTunes, talking a protocol similar to the Digital Audio Access Protocol. More information about the Digital Audio Access Protocol can be found at http://en.wikipedia.org/wiki/Digital_Audio_Access_Protocol

The iPhone also sends some discardable broadcast packets in the meantime, which do not seem to serve any purpose.


Here we are not going to dig into the protocol specification, but just by going through the packet payloads roughly we can see that the protocol is actually encapsulated in HTTP.

The login sequence is as below:

iPhone -> iTunes : GET /server-info HTTP/1.1
iTunes -> iPhone : HTTP/1.1 200 OK
iPhone -> iTunes : GET /login?pairing-guid=* HTTP/1.1
iTunes -> iPhone : HTTP/1.1 200 OK

After the login, iTunes and the iPhone exchange some library information. If you play a song remotely on iTunes, many calls to /ctrl-int are involved.
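The whole sequence above (mDNS discovery, port announcement, /server-info, /login with a pairing-guid, then /ctrl-int calls) can be rebuilt from a capture with a small per-pair state machine. This is an added example of my own, not Apple's code; the records are constructed to mirror the trace described here, and the /ctrl-int paths and the pairing-guid value are made up for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed capture records modelled on the post's trace (not real packets):
# (timestamp, src, dst, transport, dst_port, request line or summary)
SAMPLE_RECORDS = [
    (0.000, "172.16.0.102", "224.0.0.251", "udp", 5353, "mDNS query"),
    (0.015, "172.16.0.106", "224.0.0.251", "udp", 5353, "mDNS response SRV port=3689"),
    (0.120, "172.16.0.102", "172.16.0.106", "tcp", 3689, "GET /server-info HTTP/1.1"),
    (0.135, "172.16.0.106", "172.16.0.102", "tcp", 51000, "HTTP/1.1 200 OK"),
    (0.200, "172.16.0.102", "172.16.0.106", "tcp", 3689, "GET /login?pairing-guid=0x1122334455667788 HTTP/1.1"),
    (0.215, "172.16.0.106", "172.16.0.102", "tcp", 51000, "HTTP/1.1 200 OK"),
    (0.900, "172.16.0.102", "172.16.0.106", "tcp", 3689, "GET /ctrl-int/1/playpause?session-id=42 HTTP/1.1"),
    (1.400, "172.16.0.102", "172.16.0.106", "tcp", 3689, "GET /ctrl-int/1/nowplayingartwork?session-id=42 HTTP/1.1"),
]

MDNS_GROUP, MDNS_PORT, DAAP_PORT = "224.0.0.251", 5353, 3689
REQ_RE = re.compile(r"^GET (\S+) HTTP/1\.[01]$")
SRV_RE = re.compile(r"SRV port=(\d+)")

def reconstruct_sessions(records):
    """Rebuild iPhone -> iTunes remote sessions; returns {(client, server): state}."""
    queried, advertised = set(), {}        # mDNS state, tracked per host
    sessions = defaultdict(lambda: {       # HTTP stages, tracked per client/server pair
        "discovered": False, "advertised_port": None, "server_info": False,
        "pairing_guid": None, "ctrl_int": 0})
    for _ts, src, dst, transport, dport, text in sorted(records):
        if transport == "udp" and dst == MDNS_GROUP and dport == MDNS_PORT:
            m = SRV_RE.search(text)
            if m:
                advertised[src] = int(m.group(1))   # iTunes host announcing its service port
            else:
                queried.add(src)                    # remote asking who is on the link
            continue
        m = REQ_RE.match(text)
        if transport != "tcp" or dport != DAAP_PORT or not m:
            continue                                # replies and unrelated traffic
        s = sessions[(src, dst)]
        s["discovered"] = src in queried            # did the client do mDNS discovery first?
        s["advertised_port"] = advertised.get(dst)
        url = urlsplit(m.group(1))
        if url.path == "/server-info":
            s["server_info"] = True
        elif url.path == "/login":
            s["pairing_guid"] = parse_qs(url.query).get("pairing-guid", [None])[0]
        elif url.path.startswith("/ctrl-int/"):
            s["ctrl_int"] += 1
    return dict(sessions)
```

The resulting table answers the inventory question a network owner cares about: which host is remote-controlling which iTunes library, under which pairing-guid, and how many control calls it has issued.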

The implementation is compact and efficient. The multicast implementation is quite good and adapts even to a complex routed network.

Jul 25

The iPhone 2.0 firmware came out around 2 weeks ago. It was good news for all Apple fans. Well, after the Dev Team released the unlock tool for the iPhone, it became good news for packet fans too.

After applying the PwnageTool, you can obtain many applications that can never be seen in the Apple iTunes Store. The applications include:
  • tcpdump - a famous packet capture tool
  • ngrep - a packet payload search tool
  • nmap - an excellent network scanning tool
  • and many more

The iPhone hacker team also ships libpcap, the de facto packet capture library, on the iPhone. This is really amazing: it simply turns the iPhone into a network packet processor over the Wi-Fi interface.

So you must realize that the young guy with an iPhone standing beside you might be a hacker equipped with a handheld sniffer and scanner. Hackers anywhere :)

Jul 23


As you may know, Snort, the most famous open source IDS (Intrusion Detection System), is now promoting Snort 3.0. The new release is still in beta. However, judging from the design and the description posted, the open source giant intends to become a complete platform for all packet-based software.

Snort 3.0 emphasizes lower-level native support for IPv6, MPLS and GRE. This gives carrier users a chance to put Snort into the newest wired and wireless data networks. To be a platform, this is necessary.

Inline Snort was previously an independent project; now the inline feature is integrated into Snort 3.0 as a standard offering. The multi-threaded and subsystem architecture shows the ambition to let plugins or components from third parties be ported easily.

So Snort 3.0 is actually called SnortSP 3.0, which means Snort Security Platform.

As Linux unified the core of many operating system distributions, can SnortSP 3.0 unify the core of security systems?

Keep walking…

Jul 23


From some historical data, I found the Network General revenue reports. We can see that over 5 years (1992~1997), Network General revenue increased from 64M to 240M. Now SolarWinds is filing its IPO request, which mentions that its revenue has reached more than 60 million. Will SolarWinds be another NGC with a rocket boost?


Jul 02

The network management and application performance management vendor PacketBone releases a new style of network analysis product.

July 1, 2008 — The network management and application performance management vendor PacketBone today releases a new product called BoneLight.

PacketBone claims the product is the start of a revolution in the network analysis area. BoneLight does not rely on a traditional independent GUI to analyze traffic; instead, BoneLight integrates deeply into Microsoft Windows and Office to provide seamless analysis features inside the operating system.

BoneLight provides trace file conversion among libpcap/WinPcap, Cisco IDS traces, Sniffer Pro cap, WildPackets pkt and Observer bfr. Wireshark and Endace DAG ERF are supported as well. BoneLight can convert trace files into an Excel xlsx/xls result, which provides a brand new experience for network analysis people.

BoneLight is not only a trace file tool but also brings benefits to communication and collaboration for network guys troubleshooting problems. The integrated Outlook preview handler gives people using Email and Exchange a chance to directly see and comment on traffic inside Office software.