68k Macintosh Liberation Army Forums
SE/30 Packet Sniffer
bargepole
Starting Member


Canada
22 Posts
Posted - 25 May 2003 :  08:49:45
I'm using very modest SE/30 configurations to perform a killer job for me - network packet capturing.

I installed Etherpeek 2.05 onto one of my "stock" SE/30s (8 meg RAM, 40 Meg HD, Asante MacCon network card, system 7.5.5). I've used Etherpeek for Windows extensively and so I was somewhat familiar with the application's idiosyncrasies. I connected the SE/30 to my test LAN which also hosts my Win2K workstation and a Win98 testbed machine. I fired up a packet capture app on my Win2k box (Commview) and opened up a chargen connection to the testbed. I compared the captures made by Commview on Win2K and Etherpeek on System 7.5.5. They were identical. Not one packet was dropped by the Mac. That is, until the Etherpeek buffer filled and had to be flushed. About a dozen packets were lost during that transition. Because I've got other traffic on the network, the TCP traffic rate on the test LAN reached about 1600 kbits/sec. At that rate, I can comfortably capture traffic on my cable or DSL connection. Since I'm not concerned with all traffic, the filtered traffic in which I am interested is reliably captured by the SE/30.

I can add memory to the SE/30s to increase the buffer size, or increase the HD sizes to enable Etherpeek to save large quantities of packets. However, I use these machines to record SYN packet attempts or I look for specific traffic patterns and I don't need huge resources to do that. For serious, high volume, high speed (100 Mbit/sec) packet capture I still use my 1.2 GHz, 512 Meg Intel box.

I've 2 SE/30's doing capture duty on my DSL and cable connections.
I've set audible alerts to announce the detection of new nodes and whether certain traffic thresholds have been exceeded. It all looks and sounds very cool. Two more SE/30s are being prepared for DSL traffic monitoring where I work.

I found that booting the Macs with no extensions - including no Mode32 - maximizes the RAM available for the capture buffer with no compromise to Etherpeek's performance. I'm experimenting with Applescript to see if I can get Etherpeek to start capturing automatically, thereby eliminating the need for a mouse. I've also tried, without success so far, to maintain a LocalTalk network connection to a capturing SE/30. Even though Etherpeek only works with Ethernet frames (!), LocalTalk still gets pooched when Etherpeek starts. Having a "backdoor" network connection would be very useful.

The SE/30 is a near ideal packet sniffing device. It's got a small footprint, runs quietly, is portable, consumes little energy, and has self-contained display and sound for annunciation. However, there are limitations. It can only capture 10Mbit/s traffic and without lots of memory, packets can be lost during high traffic bursts. Still, a bank of scrolling displays of captured packets is quite neat!

Flash
Full Member


Australia
637 Posts
Posted - 25 May 2003 :  12:15:22
Wow - that's very cool. I wonder if a packet sniffer is something I need to solve a problem I'm having....

I am getting a huge amount of spam on one of my accounts, and my ISP is being fairly unhelpful in helping me trace the source. They say that my PC has a virus and is getting addresses from my address book (OutLook 2000), please download virus protection yadda yadda yadda

I won't go into the whole thing here, as I have spent more than enough time explaining the whole thing to my ISP.... but briefly:
1-none of the emails are being sent to addresses in my book - they are completely foreign to me.
2-I have like ten email accounts and obviously only one set to default. I tried changing the default account - the theory being that if my OutLook was sending emails then it would start to do it from the new default account and I would start getting spam on that. Well, I'm not - it's still only affecting the one account.
3-none of the email (internet) headers show any information pertaining to the emails originating from my PC
4-neither Norton Antivirus or PCillin have found a virus on my system (and yes I did download the latest virus definitions)
5-I did a "Format C:\" and re-installed the OS and the only thing common to the old and new OS is the outlook.pst file with all my mail in it.

....so basically I do not think it's at my end, but I can't prove it yet. I think I have two options. One is to quarantine my PC (unplug it from my network) and use the Mac for email for a while to see if the spam stops (and probably using Netscape Messenger 4.7x instead of Outlook). And the other is something that can watch my ports and let me know if Outlook is doing anything without telling me. Would Etherpeek do that for me?

cheers
Flash!

- - - - - - - - - - - - -
A little knowledge is a dangerous thing, but it sure beats a blank stare for starting a conversation.

68k ParaMedic

emaq123
Junior Member


USA
258 Posts
Posted - 25 May 2003 :  13:15:53
quote:

....so basically I do not think it's at my end, but I can't prove it yet. I think I have two options. One is to quarantine my PC (unplug it from my network) and use the Mac for email for a while to see if the spam stops (and probably using Netscape Messenger 4.7x instead of Outlook). And the other is something that can watch my ports and let me know if Outlook is doing anything without telling me. Would Etherpeek do that for me?

I don't see how a virus on your pc means you receive spam. Send it maybe, but not receive. Unless you are running your own mailserver, a packet sniffer will probably not help with your spam issue.

Now, to watch outlook, a sniffer could do that. Since you are doing mail on a wintel box, you might as well install a mini firewall like Zone Alarm on the box. Then you can control what comes in or out of it. If you don't trust the firewall on the box you are working on, then place a firewall box between you and your internet connection.

emaq123

SE/30 and system 6.0.8 Now we're talking POWER!

emaq123
Junior Member


USA
258 Posts
Posted - 25 May 2003 :  13:20:31
Very cool use of old tech!!! You have the system working nicely from what it sounds. A couple of questions:

1. Have you tried running with system 6.0.8? If so, does performance increase?

2. Have you tried NetBSD on the SE/30? If so, does performance increase?

I've read where BSD on a Mac improves network performance over MacOS. I've never tested, but it would be interesting to know. Now I've got another project once I get a network card for my SE/30s.

emaq123

SE/30 and system 6.0.8 Now we're talking POWER!

Flash
Full Member


Australia
637 Posts
Posted - 25 May 2003 :  13:29:36
sorry for going off topic bargepole

I'm receiving spam (up to ten 300k messages per day - which is hard on my dialup), but my ISP says that they are 'responses from emails that I or the virus have sent'. But like I say, I can't find anything at my end. I've just set ZoneAlarm to not let Outlook send or receive without me verifying it, and popping up a dialog if it tries. I think this will do the trick, however I'm still interested in Etherpeek.

- - - - - - - - - - - - -
A little knowledge is a dangerous thing, but it sure beats a blank stare for starting a conversation.

68k ParaMedic

bargepole
Starting Member


Canada
22 Posts
Posted - 25 May 2003 :  15:56:51
To answer your question, yes, Etherpeek can monitor any traffic leaving (or entering or within) your network. But it's not at all clear what your problem is.

You say you're receiving a lot of spam. Why do you think this indicates that you're sending mail from your machine? If you complained to your ISP about the spam you're receiving and they, in turn, said a virus/Trojan/worm is the cause of you receiving so much spam, they should be put to death for criminal laziness.

A couple of other points. The prevalent worms that abound from MS systems use their own SMTP service to send mail. They don't rely on the client (Outlook, OE, Eudora, etc) to send the infection. Changing default accounts, modifying your address book and other "fixes" don't work.

Packet sniffing can be an overkill solution for some problems. In your case, installing a free personal firewall (KPF or ZA) would detect any use of your network resources. If, in fact, you do have a clandestine mail server, one of those personal firewalls will alert you to it. Etherpeek, or other sniffers would also detect such behaviour but it would require you to wade through logs to find the incriminating packets.
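The two detection jobs this thread describes, bargepole's first post (audible alerts on new nodes and on a traffic threshold, plus recording SYN attempts) and the point made just above (a hidden mail engine on a workstation shows up as outbound SMTP connections that a firewall or a sniffer can catch), can be expressed as a small filter over per-packet capture records. The following is an added example written for this page, not code from Etherpeek or from any poster. It runs over constructed packet summaries; the addresses, the window size, and the "three bare SYNs from one source" alert count are assumptions, and the 1600 kbit/s threshold is simply the rate reported in the first post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet summaries, the sort of per-packet record a filtered
# capture produces. Timestamps are seconds; length is bytes on the wire.
@dataclass
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: str      # TCP flags as letters, e.g. "S", "SA", "PA"; "" for udp
    length: int

# Hypothetical values for the example (not from the thread).
MONITORED_HOST = "192.0.2.10"            # the workstation behind the sniffer
KNOWN_NODES = {"192.0.2.10", "192.0.2.1"}
SYN_ATTEMPT_ALERT = 3                    # alert at the 3rd bare SYN from one source
RATE_LIMIT_KBIT = 1600                   # the rate observed on the test LAN in the thread
WINDOW_SEC = 1.0


def is_bare_syn(p):
    """True for a TCP segment with SYN set and ACK clear: a connection attempt."""
    return p.proto == "tcp" and "S" in p.flags and "A" not in p.flags


class Monitor:
    def __init__(self, known_nodes):
        self.known = set(known_nodes)
        self.syn_by_src = defaultdict(int)
        self.alerts = []
        self.window_start = None
        self.window_bytes = 0

    def feed(self, p):
        # New node: any address not seen before (the "new node" audible alert).
        for ip in (p.src_ip, p.dst_ip):
            if ip not in self.known:
                self.known.add(ip)
                self.alerts.append(("new_node", ip))
        # SYN attempts against the monitored host, counted per source.
        if is_bare_syn(p) and p.dst_ip == MONITORED_HOST:
            self.syn_by_src[p.src_ip] += 1
            if self.syn_by_src[p.src_ip] == SYN_ATTEMPT_ALERT:
                self.alerts.append(("syn_attempts", p.src_ip))
        # Outbound SMTP connection attempt from the workstation: what a hidden
        # mail engine looks like on the wire.
        if is_bare_syn(p) and p.src_ip == MONITORED_HOST and p.dst_port == 25:
            self.alerts.append(("outbound_smtp", p.dst_ip))
        # Traffic threshold, measured over fixed windows that begin at the
        # first packet of each window.
        if self.window_start is None:
            self.window_start = p.ts
        if p.ts - self.window_start >= WINDOW_SEC:
            self._close_window()
            self.window_start = p.ts
        self.window_bytes += p.length

    def _close_window(self):
        kbit_per_sec = self.window_bytes * 8 / 1000 / WINDOW_SEC
        if kbit_per_sec > RATE_LIMIT_KBIT:
            self.alerts.append(("rate_exceeded", round(kbit_per_sec)))
        self.window_bytes = 0

    def finish(self):
        """Close the last window and return alerts in the order raised."""
        if self.window_start is not None:
            self._close_window()
        return list(self.alerts)


def sample_capture():
    """Constructed traffic: a normal web exchange, a burst of bare SYNs from an
    unknown host, one outbound SMTP attempt, and a bulk transfer."""
    pkts = [
        Packet(0.00, "192.0.2.1", "192.0.2.10", "tcp", 40000, 80, "S", 60),
        Packet(0.01, "192.0.2.10", "192.0.2.1", "tcp", 80, 40000, "SA", 60),
        Packet(0.02, "192.0.2.1", "192.0.2.10", "tcp", 40000, 80, "A", 52),
        Packet(0.10, "198.51.100.7", "192.0.2.10", "tcp", 51000, 22, "S", 60),
        Packet(0.11, "198.51.100.7", "192.0.2.10", "tcp", 51000, 23, "S", 60),
        Packet(0.12, "198.51.100.7", "192.0.2.10", "tcp", 51000, 25, "S", 60),
        Packet(0.50, "192.0.2.10", "203.0.113.25", "tcp", 40500, 25, "S", 60),
    ]
    # 150 full-size segments inside the first second: 225,000 bytes, about 1800 kbit/s.
    pkts += [Packet(0.60 + i * 0.002, "192.0.2.1", "192.0.2.10", "tcp", 40000, 80, "PA", 1500)
             for i in range(150)]
    pkts.append(Packet(1.20, "192.0.2.1", "192.0.2.10", "tcp", 40000, 80, "A", 52))
    return pkts


def run_sample():
    mon = Monitor(KNOWN_NODES)
    for p in sample_capture():
        mon.feed(p)
    return mon.finish()


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(kind, detail)
```

On the constructed capture this raises, in order, a new-node alert for 198.51.100.7, a SYN-attempts alert once that host has sent three bare SYNs, a new-node and an outbound-SMTP alert for the workstation's connection to 203.0.113.25 on port 25, and a rate alert of about 1803 kbit/s for the first one-second window. Only the connection-attempt segments matter for the SYN and SMTP checks, which is what keeps the filtered record set small enough to sit in a modest capture buffer.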


G4from128k
Full Member


USA
873 Posts
Posted - 25 May 2003 :  16:11:43
Excellent work, bargepole! A very fine new use for a very fine old computer. I wonder if my new/old Duo and DuoDock could be used for this purpose?

Regarding automatic start-up, have you tried putting an alias to Etherpeek in the "Startup Items" folder in the system folder? And, regarding a backdoor Localtalk connection to the SE/30, have you tried talking to the machines via Appletalk over ethernet? Maybe you could use file sharing to access a log file or something.

Thanks for teaching an old computer new tricks -- this is what the 68kMLA is all about.

G4From128k

by Day: Mild-Mannered Engineer and Trapeze(tm) Artist
by Night: Colonel of Truth, Justice, and the Macintosh Way
Reserve Officer in 68kMLA Cantankerous Coot Contingent

bargepole
Starting Member


Canada
22 Posts
Posted - 25 May 2003 :  16:11:54
quote:

1. Have you tried running with system 6.0.8? If so, does performance increase?

No. I haven't tried any OS other than 7.5.5. I'm not sure whether Etherpeek will run in an OS lower than 7.x. If it did, I'd expect more capture buffer memory available (smaller system use), but the network features needed by the promiscuous mode captures are all self-contained within Etherpeek.

quote:

2. Have you tried NetBSD on the SE/30? If so, does performance increase?

I have tried installing NetBSD (and Linux) on an SE/30 with limited success. Again, I doubt I'd see an improvement in capture ability since Etherpeek addresses the network card directly, not through the OS. I'd never be able to capture 100Mbit/sec traffic because the network card is physically incapable of detecting those signals. The *nix variants will be of more interest to me once I find a need for more elaborate routing.

Btw, I have just now been able to sustain a LocalTalk connection to a capturing SE/30. I think some of my 7.5.5 installs on previous machines were corrupt. With a cherry install, I can now control an SE/30 sniffer from a remote machine using Network Assistant 3.5.
Wow!



bargepole
Starting Member


Canada
22 Posts
Posted - 25 May 2003 :  16:27:03
quote:

Excellent work, bargepole! A very fine new use for a very fine old computer. I wonder if my new/old Duo and DuoDock could be used for this purpose?

Regarding automatic start-up, have you tried putting an alias to Etherpeek in the "Startup Items" folder in the system folder? And, regarding a backdoor Localtalk connection to the SE/30, have you tried talking to the machines via Appletalk over ethernet? Maybe you could use file sharing to access a log file or something.


A Duo would be a dream machine in such an application. Faster, better display, lower power. But how does one connect Ethernet networking to it?

I tried the alias in start up, natch. Etherpeek starts but waits for confirmation to begin capturing. I've aliased its preference file in start up, too. It starts with the last saved settings ready to go (filters, displays), waiting for a click to start capturing.

As I've mentioned in a previous post, I did finally get LocalTalk networking to run while capturing. AppleTalk over Ethernet won't work because Etherpeek dumps all protocols bound to the network card and instead uses its promiscuous mode driver. Since LocalTalk is non-Ethernet, it works just fine with Etherpeek.

emaq123
Junior Member


USA
258 Posts
Posted - 25 May 2003 :  18:56:55
quote:

No. I haven't tried any OS other than 7.5.5. I'm not sure whether Etherpeek will run in an OS lower than 7.x. If it did, I'd expect more capture buffer memory available (smaller system use), but the network features needed by the promiscuous mode captures are all self-contained within Etherpeek.

Interesting. So as long as the OS supports the program, you should be home free. Even if you can't drop to system 6, 7.1 should free up a bit of space. How much space is the OS taking currently?


quote:

I have tried installing NetBSD (and Linux) on a SE/30 with limited success. Again, I doubt I'd see an improvement in capture ability since Etherpeek addresses the network card directly, not through the OS. I'd never be able to capture 100Mbit/sec traffic because the network card is physically incapable of detecting those signals. The *nix variants will be of more interest to me once I find a need for more elaborate routing.


This would be how efficiently Etherpeek runs. But on a Linux/BSD box, Etherpeek would use the TCP/IP stack of the OS. I've read reports of people getting better throughput on Linux/BSD versus MacOS for general TCP/IP use.


quote:

Btw, I have just now been able to sustain a LocalTalk connection to a capturing SE/30. I think some of my 7.5.5 installs on previous machines were corrupt. With a cherry install, I can now control a SE/30 sniffer from a remote machine using Network Assistant 3.5.
Wow!

Wow is right!!

Thanks again for sharing the info.


emaq123

SE/30 and system 6.0.8 Now we're talking POWER!

maclover5
LC Doctor/Hot Rodder


Australia
5830 Posts
Posted - 28 May 2003 :  03:43:21
Interesting. I thought that Etherpeek was a Windohze only app, but anyway.....

"**** em" - Jobs in regards to customers
Warrior maclover5
68kMLA

Official 68kMLA Detective
Number of 68ks Liberated: 7
Number of Contraband (PPC) Liberated from the Dumpster: 1

Mobile_tech
Starting Member


USA
8 Posts
Posted - 05 Jun 2003 :  06:38:21
quote:

A Duo would be a dream machine in such an application. Faster, better display, lower power. But how does one connect Ethernet networking to it?


If you use a Duo, then maybe a Newer Etherdock would be the best bet. Small, light, only adds about 1 inch to the back of the machine.

Anyone have any idea where I can get a 68k version of Etherpeek?

Thanks!

© 2001-2003 68kMLA