Hack 41. Visualize a Network

Get a compelling visual representation of what people are looking at on your network with EtherPEG and DriftNet.

While tools such as tcpdump [Hack #33] or Ethereal [Hack #31] give you detailed information about what people are doing on your network, the information they provide just isn't interesting to most people. They might understand that their wireless data is vulnerable to eavesdroppers, but somehow they still have an attitude of, "It's hard to do, so it won't happen to me."

For some reason, this attitude is quickly cured when people are shown the following tools. While they are really simple utilities, I think they are as revolutionary to network monitoring as the Mosaic browser was to the Internet. Rather than make logs for later analysis, they simply show you what people are looking at online, in real time.

3.3.1. EtherPEG

EtherPEG (http://www.etherpeg.org) is a clever hack for Mac OS X that combines all of the modern conveniences of a packet sniffer with the good oldfashioned friendliness of a graphics-rendering library. It watches the local network for traffic, reassembles out-of-order TCP streams, and scans the results for data that looks like a GIF or JPEG. It then simply displays that data in a random fashion in a large window. As shown in Figure 3-3, it's a real-time metabrowser that dynamically builds a view of images from other people's browsers, built up as other people look around online.

The source code and a couple compiled binaries are freely available; make sure you download the right version, at the bottom of the EtherPEG web page.

The compiled binaries for Mac OS X assume interface names of en0 or en1. If you are using other numbered interfaces, you will need to have the Xcode Tools installed and compile the source directly.

EtherPEG is decidedly not a commercial app designed for extensive eavesdropping. It is a simple but effective hack that indiscriminately shows all image data that it can assemble. It makes no attempt to display where the images have been downloaded from, or who requested them. It doesn't even save a local copy for later perusal; once you quit the app, all collected data is lost.

Figure 3-3. EtherPEG in action

If you are looking for a similar (and even more functional) application that will run on an OS other than Mac OS X, read on.

3.3.2. DriftNet

Inspired by EtherPEG, DriftNet (http://www.ex-parrot.com/~chris/driftnet) is a network image grabber for X11. In addition to decoding image files from sniffed network data, it has a couple other features. It can save all decoded images for later processing (say, by a screensaver app) and has experimental support for decoding an MPEG audio stream.

Ubuntu users can install DriftNet with an apt-get install driftnet command. Contributed RPMs are available for Fedora and Red Hat, as well as other Linux distributions. Ports are also available for FreeBSD users. The code has been tested to compile on Linux and Solaris.

As shown in Figure 3-4, DriftNet's interface is just as simple as EtherPEG. You can click on individual images to save them to disk or, if you want to save all grabbed images, start up driftnet with the -a switch. This starts DriftNet in adjunct mode, which doesn't open a window, but simply saves all image data to a temporary directory (which can also be specified with the -d switch). Other applications can then use this ever-growing collection of images as a data source for their own ends.

Figure 3-4. DriftNet in action

DriftNet has received a surprising amount of bad press as being the worst sort of spyware utility and is sometimes billed as usable only for invading other people's privacy. This is a rather specious way of looking at the capabilities of DriftNet or EtherPEG, since neither program can give you any indication where the images you grab have come from or their end user destination.

On the contrary, tools like this are tremendously useful. Not only can a systems administrator use such a tool to discourage inappropriate use of a corporate network (by simply leaving it running on a monitor in a public place), but it can also provide an amazing insight into the mood of a crowd of wireless users.

What better way to find out what is going on in the minds of wireless users than to see what they are looking at on their screens?

For the results of an experiment in sampling the group subconscious, see the original weblog on the subject at http://www.oreillynet.com/pub/wlg/1414.

If nothing else, tools such as DriftNet and EtherPEG help to remind people of the importance of good wireless security practices and of the use of discretion when using wireless networks in general.

This sort of eavesdropping is possible only because people use insecure protocols and unknowingly broadcast their network traffic in the clear for all to hear. If you are using strong application layer encryption such as SSH or IPSec, or the modern wireless layer encryption of WPA/802.11i, this sort of tool is completely useless.

As a friend of mine says, "Running EtherPEG or DriftNet while sitting at a public wireless hotspot is analogous to looking at the covers of books and magazines people are reading."

Категории