SniffJoke has a nice/interesting characteristic: it is *only* used by the sender, *not* by the receiver.
SniffJoke, thanks to some tricks - which *do not* have an impact on the receiver's TCP/IP stack (for all OSes?) - is able to fool sniffers and some other network tools.

I would expect Wireshark to see the traffic as the OS is able to see it ... IOW, if the receiver's OS is able to reassemble the traffic correctly, Wireshark should be able to do so too.

Therefore, I would consider this a bug in Wireshark, since OSes (all?) would be able to reassemble the traffic without any problem. (Although the next question would be: who will spend time to analyze SniffJoke's tricks and fix the TCP dissector?)

Also, I'm not convinced people will think that Wireshark would consider it as a cracking tool since the receiver's OS is considering this SniffJoke's traffic as valid ...

Regards,
Sebastien

On Mon, Apr 27, 2009 at 11:45, Sake Blok <s...@euronet.nl> wrote:

> As the purpose of Wireshark is to display network traffic to analyse
> problems, I see no use in competing in a race to cloak and uncloak traffic
> with Sniffjoke. That would put Wireshark in the list of cracking tools which
> might have a negative effect on the places where it is allowed to be used.
> So I would not consider this a bug and I would *not* consider being able to
> reassemble Sniffjoke traffic a feature to implement.
>
> Just my $0.02
>
>
> Sake
>
> ----- Original Message -----
> From: "Joerg Mayer" <jma...@loplof.de>
> To: <wireshark-dev@wireshark.org>
> Sent: Monday, April 27, 2009 3:53 PM
> Subject: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release and
> request for feedback (forw)
>
>
> > Should it be considered a bug if WS can be fooled by a tool like Sniffjoke
> > to incorrectly reassemble a TCP stream?
> > The webpage has two sample traces that seem to be handled incorrectly by
> > HEAD indeed.
> >
> > Ciao
> > Joerg
> > ----- Forwarded message from vecna <ve...@s0ftpj.org> -----
> >
> > Delivered-To: jma...@thot.informatik.uni-kl.de
> > Delivered-To: full-disclos...@lists.grok.org.uk
> > Date: Wed, 15 Apr 2009 09:27:39 +0200
> > From: vecna <ve...@s0ftpj.org>
> > Organization: SALVIA & MENTA, azione TOTALE, aiuta a prevenire placca,
> > carie e disturbi gengivali.
> > To: full-disclos...@lists.grok.org.uk
> > Subject: [Full-disclosure] SniffJoke 0.3 release and request for feedback
> > Errors-To: full-disclosure-boun...@lists.grok.org.uk
> >
> > Some days ago I released this:
> >
> > SniffJoke is a "connection scrambler" for Linux with the purpose of
> > preventing packet sniffers from reassembling network sessions of the user.
> > The "sniffer evasion" technology has been well known for almost 10 years.
> > SniffJoke implements the most efficient techniques. Using a local fake
> > tunnel it is able to manage outgoing and ingoing packets without
> > disturbing the kernel. With the local web interface the user can easily
> > start/stop and configure SniffJoke. At the moment, Wireshark, the most
> > famous packet analyzer, is unable to correctly reconstruct TCP flow
> > mangled by SniffJoke. I would like to update the list of victim
> > sniffers, so please send me a report if you test SniffJoke with other
> > network protocol analyzers.
> >
> > http://www.delirandom.net/20090402/sniffjoke-03/
> > http://www.delirandom.net/sniffjoke/
> >
> >
> > Any comments appreciated
> >
> > Regards,
> > vecna
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > ----- End forwarded message -----
> >
> > --
> > Joerg Mayer <jma...@loplof.de>
> > We are stuck with technology when what we really want is just stuff that
> > works. Some say that should read Microsoft instead of technology.
> > ___________________________________________________________________________
> > Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> > Archives: http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> > mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe