Evaluation of several network packet capture tools
by Bin Laden's brother
Recently I wrote a CMD remote-control tool and wanted to plant something in its server side.
We all know that antivirus false positives are normal, especially on hacking tools.
For that reason some people don't install antivirus at all, and basically rely on their own analysis to judge whether a piece of software is safe.
1. Low level: testing with tools. This cannot completely guarantee that the program is clean, and it takes no real skill.
The reason is that the backdoor may simply not be active while you are testing it (for example, I set mine to fire at midnight);
when you test my tool during the day, or at any other time, you will find nothing unusual,
yet the backdoor still activates later. Haha. In fact someone once looked at a trojan that did exactly this:
if it detected that the current machine was Windows 2003, it mailed some server-related information to the author's mailbox so he could hack it.
2. Advanced: unpack and decompile the program yourself and go straight at the code.
Which functions the software calls and what it does are clear at a glance; the results are accurate, and it takes skill.
But it is also a lot of time, and nobody analyzes every tool this way all the time (except virus analysts).
Now I want to do something on the server side so that it escapes the commonly used packet capture tools, which means I need to use several of them.
So along the way I'll compare them and write up an evaluation as a reference for those who don't know much about packet capture tools. If there are mistakes, please correct me.
Some of these tools can be found in E:\CrAcK8 toolkit 2012\Security Detection
1. MiniSniffer
Advantages: 1. Single-file portable ("green") version; monitors all traffic on the machine.
2. You can start capturing before the test sample is run.
3. While I sent a few GB of files to a colleague over Skype, it captured the whole pile of packets.
Disadvantages: 1. When there are too many packets it is not easy to pick out a specified process.
2. When capturing web packets (the POST/GET submissions) it showed them as UDP.
In testing, after stopping the listener and starting it again, web packets could no longer be captured.
2. WSExplorer 1.3.exe
Advantages: 1. Single-file portable version; convenient, no installation needed.
2. Does not need WinPcap.
3. Can capture a single specified process (useful in penetration testing, and in cracking: perform an operation such as uploading a file and check what the program sends afterwards).
4. Good compatibility; supports Win7, 2008 and other systems.
Disadvantages: 1. Crashes on large volumes of data.
(Sending a few GB of files to a colleague over Skype produced a blank window.)
2. You can only capture after running the test sample first and then refreshing the process list.
Capturing before the sample runs and capturing after it is already running are very different things: you miss whatever it sends at startup.
3. Sometimes it appears to hang while capturing.
3. WSockExpert_Cn (packet capture)
Advantages: 1. Portable version; unzip and use, no installation.
2. Does not need WinPcap.
3. Can capture a single specified process (useful in penetration testing, and in cracking: perform an operation such as uploading a file and check what the program sends afterwards).
Disadvantages: 1. You can only capture after running the test sample first and then refreshing the process list.
2. Poor compatibility; does not support Vista, Win7 and similar systems.
4. Iris, eEye's work. Why eEye? Because of the Ghost MBR bootkit:
I looked into it and found that eEye had already published related bootkit research (one on the MBR) back in 2005.
Advantages: 1. Has a filtering mechanism for NIC-level capture.
2. You can start capturing before the test sample is run.
3. eEye has produced a lot of tools, and none of them is inferior to the others.
(Except that today I couldn't get it to run in my virtual machine, and couldn't work out why; I'm going on my impression from using it before.)
Disadvantages: 1. Requires WinPcap, and some administrators have locked down machines so that WinPcap cannot be installed.
5. IPTool packet capture and analysis tool
Advantages: 1. Captures on the NIC and filters it with multiple rules, for example by IP protocol (capture only ARP, only SMTP, or others).
2. Convenient viewing and analysis of packets in several forms.
3. You can start capturing before the test sample is run.
4. You can also search for packets by specified content.
5. Good compatibility; supports Win7, 2008, etc.
6. You do not have to install WinPcap yourself.
Disadvantages: 1. Cannot restrict capture to a specified process.
2. Still relies on WinPcap, and some administrators have locked down machines so that WinPcap cannot be installed.
6. Sniffer Pro (network packet capture tool)
I have never really used it. I installed it once and saw that the software is far too big; worst of all, it would not run in my environment after installation.
So I have always regarded it as basically useless.
Conclusion: 1. The domestic IPTool has the best overall performance.
2. Iris, from eEye abroad, is also good, but I rarely use it.
That is not because the software is in English, but because of what I usually capture:
most of the time, for web packet capture or capturing a specific operation, I pick a tool that supports capturing a specified process.
3. Compared with those two cannons, WSockExpert and the like are millet and rifles.
However, they have one advantage that cannot be ignored: they support capturing by specified process.
That makes it very convenient to analyze which packets are submitted during an operation, for example what SQL statements the D injection tool submits while scanning.
4. Each of the packet capture tools above has its own advantages and disadvantages. Choose the one to use based on your actual application, to improve your work efficiency.
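The two capture styles compared above, NIC-level filtering (IPTool, Iris) versus per-process capture (WSockExpert, WSExplorer), can be reconciled in a script: capture everything on the NIC, then attribute each TCP packet to a process by joining its local port against a netstat-style socket table. The following is an added example written for this page; it is not code from the original post or from any of the tools reviewed. The capture file, the local address 192.168.1.10, the socket table and the PIDs 1234 (the tool under test) and 777 (an unrelated chatty program) are all constructed inline so that it runs offline. It goes slightly beyond the text in that the pcap reader accepts both byte orders of the libpcap magic.

```python
"""Toy NIC-level capture analyzer: parse libpcap bytes, filter by protocol or
payload content, and attribute TCP packets to local processes via the socket
table. Everything below the constants is constructed sample data."""
import struct

ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
IPPROTO_TCP = 6

LOCAL_IP = "192.168.1.10"  # constructed: the analysis box's own address
# constructed: netstat-style view of which local port belongs to which PID
# (1234 = the tool under test, 777 = an unrelated program such as Skype)
SOCKET_TABLE = {(LOCAL_IP, 50000): 1234, (LOCAL_IP, 51000): 777}


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame; checksums left zero, it is only parsed, never sent."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64,
                     IPPROTO_TCP, 0, _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_arp_frame(sender_ip, target_ip):
    """Ethernet + ARP request: the kind of frame a per-process sniffer never sees."""
    eth = b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1,
                      b"\x02" * 6, _ip(sender_ip), b"\x00" * 6, _ip(target_ip))
    return eth + arp


def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (LINKTYPE_ETHERNET = 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def sample_capture():
    """Constructed NIC-level capture: an ARP request, the tool under test POSTing an
    injection probe, the server's reply, and a bulk transfer from another process."""
    return build_pcap([
        build_arp_frame(LOCAL_IP, "192.168.1.1"),
        build_tcp_frame(LOCAL_IP, "10.0.0.5", 50000, 80,
                        b"POST /news.asp HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\nid=1 union select 1,2,3"),
        build_tcp_frame("10.0.0.5", LOCAL_IP, 80, 50000, b"HTTP/1.1 200 OK\r\n\r\n"),
        build_tcp_frame(LOCAL_IP, "10.0.0.9", 51000, 443, b"\x17\x03\x03" + b"\x00" * 60),
    ])


def parse_pcap(data):
    """Yield (timestamp, frame) from libpcap bytes; handles both byte orders of the magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Classify one Ethernet frame by protocol and pull out addresses, ports and payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return {"proto": "ARP", "payload": frame[14:]}
    if ethertype != ETH_IPV4:
        return {"proto": "OTHER", "payload": frame[14:]}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    if ip[9] != IPPROTO_TCP:
        return {"proto": "IP", "src": src, "dst": dst, "payload": ip[ihl:]}
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"proto": "TCP", "src": src, "dst": dst, "sport": sport,
            "dport": dport, "payload": tcp[doff:]}


def filter_packets(pcap, proto=None, contains=None, pid=None):
    """IPTool-style filters (protocol, payload content) plus the per-process view
    WSockExpert gives, obtained by joining each TCP packet's local end on
    SOCKET_TABLE. Packets with no owning socket (ARP, closed ports) get pid None."""
    hits = []
    for ts, frame in parse_pcap(pcap):
        pkt = decode(frame)
        pkt["ts"] = ts
        pkt["pid"] = None
        if pkt["proto"] == "TCP":
            local = (pkt["src"], pkt["sport"]) if pkt["src"] == LOCAL_IP else (pkt["dst"], pkt["dport"])
            pkt["pid"] = SOCKET_TABLE.get(local)
        if proto is not None and pkt["proto"] != proto:
            continue
        if contains is not None and contains not in pkt["payload"]:
            continue
        if pid is not None and pkt["pid"] != pid:
            continue
        hits.append(pkt)
    return hits


if __name__ == "__main__":
    cap = sample_capture()
    for p in filter_packets(cap, pid=1234):  # only the tool under test, both directions
        print(p["src"], p["sport"], "->", p["dst"], p["dport"], p["payload"][:40])
    print("ARP frames:", len(filter_packets(cap, proto="ARP")))
```

The join is the weak point in practice: the socket table must be sampled while the connection is open, and a sample that starts at midnight (as in the trojan described above) needs the capture and the table snapshot running the whole time, which is exactly why capturing before the sample starts matters.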