UGN Security
Posted By: Something Alternative to Iris - 07/12/03 01:21 AM
Hi,

What is a free alternative to Iris from eeye.com that will allow me to "sniff and record network traffic, then completely reconstruct the data into its original format" (from eeye.com)?

Thanks
Posted By: unreal Re: Alternative to Iris - 07/12/03 01:38 AM
Moved to Newbie Questions.
Posted By: sinetific Re: Alternative to Iris - 07/12/03 10:27 PM
Iris is just a fancy packet sniffer with some nice features for people who are too lazy to figure out what to do with raw packet data. From the demo of it that I watched, it seems like an ordinary packet sniffer that takes the port information and associates that with a certain program, for instance Outlook on 25. Since email is sent in text anyway (unless it's HTML email) you could see that anyway in most sniffers, since they usually display packet data in hex and ASCII.

I would use something like ethereal or snort that do the same things.

http://www.ethereal.com/
http://www.snort.org/

The UI isn't as fancy and they don't have the built-in features, but with a little bit of brain power you can do the same things. The only things Iris can reconstruct are SMTP, POP3 and HTTP. You can also 'view' IMs and FTP data as long as it's not encrypted. You can do the same thing with the programs I provided links for, but it will just be in ASCII format and won't be pretty.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

07/12-17:30:56.380419 0:4:5A:5D:2D:D9 -> 0:3:6D:13:64:44 type:0x800
len:0x82
192.168.0.4:6667 -> 192.168.0.50:39155 TCP TTL:64 TOS:0x0 ID:8707 IpLen:20
DgmLen:116 DF

***AP*** Seq: 0x12E51FBD Ack: 0x79D065 Win: 0x16A0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 25126189 717089932

0x0000: 00 03 6D 13 64 44 00 04 5A 5D 2D D9 08 00 45 00 ..m.dD..Z]-...E.
0x0010: 00 74 22 03 40 00 40 06 96 FA C0 A8 00 04 C0 A8 .t".@.@.........
0x0020: 00 32 1A 0B 98 F3 12 E5 1F BD 00 79 D0 65 80 18 .2.........y.e..
0x0030: 16 A0 60 3A 00 00 01 01 08 0A 01 7F 65 2D 2A BD ..`:........e-*.
0x0040: EC 8C 3A 73 69 6E 21 31 30 30 30 40 31 39 32 2E ..:sin!1000@192.
0x0050: 31 36 38 2E 30 2E 68 69 64 65 2D 32 36 31 30 30 168.0.hide-26100
0x0060: 20 50 52 49 56 4D 53 47 20 23 75 6E 64 65 72 67 PRIVMSG #underg
0x0070: 72 6F 75 6E 64 6E 65 77 73 20 3A 68 65 6C 6C 6F roundnews :hello
0x0080: 0D 0A ..


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

In this packet you can see a computer at 192.168.0.4 sent a packet from port 6667, which is the IRC port if you didn't know, to port 39155 on machine 192.168.0.50. The data included in the packet is displayed in hex on the left and ASCII on the right. As you can see, sin!1000@192.168.0.hide-26100 sent a PRIVMSG to channel #undergroundnews consisting of the text 'hello'. If all you want to do is see the data sent, that's all you need; the rest is just lower-level TCP data. So that's how you do it if you want to do it for free.
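As an added example (not from the original post, and not Ethereal's or Snort's own code), here is a small Python dissector that does by hand what sinetific reads off the dump above: it walks the Ethernet, IPv4 and TCP headers of that exact frame, strips them away, and splits the remaining IRC line into who sent it, the command, the channel and the text. The frame bytes are transcribed from the hex column of the quoted dump.

```python
import struct

# Sample input: the hex column of the Snort dump quoted above, transcribed
# into one 130-byte Ethernet frame (constructed from the page, not captured here).
SAMPLE_FRAME = bytes.fromhex("".join([
    "00 03 6D 13 64 44 00 04 5A 5D 2D D9 08 00 45 00",
    "00 74 22 03 40 00 40 06 96 FA C0 A8 00 04 C0 A8",
    "00 32 1A 0B 98 F3 12 E5 1F BD 00 79 D0 65 80 18",
    "16 A0 60 3A 00 00 01 01 08 0A 01 7F 65 2D 2A BD",
    "EC 8C 3A 73 69 6E 21 31 30 30 30 40 31 39 32 2E",
    "31 36 38 2E 30 2E 68 69 64 65 2D 32 36 31 30 30",
    "20 50 52 49 56 4D 53 47 20 23 75 6E 64 65 72 67",
    "72 6F 75 6E 64 6E 65 77 73 20 3A 68 65 6C 6C 6F",
    "0D 0A",
]))

TCP_FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}


def dissect(frame: bytes) -> dict:
    """Walk Ethernet II -> IPv4 -> TCP headers and return the fields plus payload."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4, ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, ident, frag, ttl, proto = struct.unpack("!2xHHHBB", ip[:10])
    if proto != 6:
        raise ValueError(f"not TCP, IP protocol {proto}")
    tcp = ip[ihl:total_len]                       # drops any Ethernet trailer
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    tcp_len = (off_flags >> 12) * 4               # data offset includes options
    return {
        "src": f"{'.'.join(map(str, ip[12:16]))}:{sport}",
        "dst": f"{'.'.join(map(str, ip[16:20]))}:{dport}",
        "ttl": ttl, "id": ident, "df": bool(frag & 0x4000),
        "seq": seq, "ack": ack, "win": win, "tcp_len": tcp_len,
        "flags": [n for bit, n in TCP_FLAGS.items() if off_flags & bit],
        "payload": tcp[tcp_len:],                 # bytes after the TCP header
    }


def parse_irc(line: bytes) -> dict:
    """Split one IRC line into prefix, command, target and trailing text."""
    text = line.decode("ascii", "replace").rstrip("\r\n")
    prefix, _, rest = text[1:].partition(" ") if text.startswith(":") else ("", "", text)
    command, _, params = rest.partition(" ")
    target, _, trailing = params.partition(" :")
    return {"prefix": prefix, "command": command, "target": target, "text": trailing}
```

Running `parse_irc(dissect(SAMPLE_FRAME)["payload"])` recovers the same PRIVMSG to #undergroundnews that the ASCII column shows, and the header fields match Snort's summary line (TTL 64, ID 8707, DF, flags AP, TcpLen 32).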
Posted By: Something Re: Alternative to Iris - 07/12/03 11:47 PM
Thanks for the information.

I didn't know that packets were that easy to understand. Thank you very much for the information and I will give one of those free ones a try. smile
Posted By: MESELF Re: Alternative to Iris - 08/09/03 11:40 PM
haha, 192.168, isn't that a firewall/internal address or whatever?
© UGN Security Forum