This handy utility takes any sort of input file and creates a pcap showing this file being downloaded from a remote web server, or the file being transferred via smtp/pop3/imap. The pcap is a full TCP stream from SYN to FIN, and all the sequence numbers and checksums are correct.
File2pcap now also supports quoted-mime encoding (experimental), in addition to the default mime (base64) encoding.
I just posted the updated version 0.95 of file2pcap. The tool now also creates pcaps of files being transferred as email attachments via smtp/pop3/imap, besides the original functionality of creating pcaps showing a file being downloaded from an http server.
file2pcap - written by warlord / nologin.org
Takes a file as input and creates a pcap showing a client grabbing that file from a webserver or transferring it it by email(smtp/pop3/imap).
-m mode h - http / s - smtp / p - pop3 / i - imap [default: http]
-o outfile output filename
-p port[:port] specify source and/or destination port. -p 1234:80 will show a tcp connection from port 1234 to port 80
I had to release a bugfix here. Poison 1.5.4 had a minor change in how it determines its own source IP address. As a result that code broke when scanning hostnames, or ranges of hostnames. So while poison 1.5.3 would happily scan google.com/24, version 1.5.4 would not. This has now been fixed. Don't ask how this could have possibly evaded me.
A new release of my scanner. As usual, there are bugs fixed, features added, and code improved. The Changelog:
- Cleaned up banner/banner.c.
- Copied the default banner grabbing code from banner.c into its own file banner/00_tcp_default.c
- Made the default banner grab module send an HTTP header if it doesn't receive anything for a few seconds
- Changed the naming scheme of the protocol handlers in subfolder banner/
- Fixed an embarrassing bug when the portstring on the command line was too long
- Added simple ssh banner grab support
- Added support for random UDP scans. Before, random scans were TCP only
- Added support for IPMI over TCP. Poison will request auth 'none'
- Changed the poison.csv log file format! Added a field for the protocol
- Fixed a bug that prevented the fingerprinting option -o to actually display the result
- Re-added the -t option to specify the time between packets
- Changed scan options. Now -sS for syn scan and -sU for udp scan. Same syntax as that other scanner
- Added README
- Changed packet TTL from 255 to 64
- Fixed/Improved fingerprinting. Sadly that meant the prints have to be re-collected. Thanks for the patches vanHauser @ THC
- Fixed a major performance bug in the receive code
- By default UDP packets will now send a 4 byte random payload instead of none. This is only true in combination with the -b option.
- Improved auto detection of source IP address
- Fingerprints will be read out of an easily editable text file now. This is in addition to the internal, hardcoded fingerprints
- Added UPNP support. A UDP reply from port 1900 will result in a TCP connection to the indicated port to try and grab the config
- Decreased default delay between packets from 1800 to 1500 nanoseconds. See DEFAULT_DELAY in poison.h, or grep poison.c for usleep();
- Updated ip-to-country database (Thanks http://software77.net/geo-ip/)
- Added two small functions at the end of packets.c. They are called for tcp and udp to determine whether to use specific source ports for packets to specific destination ports
I finally updated my TCP/IP options fuzzer 'fuzzball2'. I was quite embarrassed when I had to realize that the checksums for many of the packets were bad in older versions. The new release fixes all of these. Happy fuzzing!
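Both the file2pcap note (correct checksums throughout the stream) and the fuzzball2 fix above come down to IPv4 and TCP checksums staying valid when header options change the header lengths. The following C code is an added example, not taken from file2pcap, poison or fuzzball2; the function names and the sample packet are constructed for illustration. It verifies both checksums of a raw IPv4/TCP packet, handling IP options, TCP options and an odd-length payload.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RFC 1071 one's-complement sum; an odd trailing byte is padded with zero. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    return n ? acc + (uint32_t)(p[0] << 8) : acc;
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}
/* TCP sum: pseudo-header (src, dst, zero + protocol 6, TCP length) + segment. */
static uint16_t tcp_sum(const uint8_t *p, size_t ihl, size_t seg) {
    return fold(sum16(p + ihl, seg, sum16(p + 12, 8, 6 + (uint32_t)seg)));
}
/* Verify one IPv4/TCP packet. Returns -1 if malformed, else a bitmask:
   bit 0 = IP header checksum valid, bit 1 = TCP checksum valid. */
int verify_checksums(const uint8_t *p, size_t len) {
    if (len < 20 || (p[0] >> 4) != 4 || p[9] != 6) return -1;
    size_t ihl = (size_t)(p[0] & 15) * 4;            /* includes IP options */
    size_t total = (size_t)p[2] << 8 | p[3];
    if (ihl < 20 || total > len || total < ihl + 20) return -1;
    size_t seg = total - ihl;
    size_t doff = (size_t)(p[ihl + 12] >> 4) * 4;    /* includes TCP options */
    if (doff < 20 || doff > seg) return -1;
    return (fold(sum16(p, ihl, 0)) == 0) | ((tcp_sum(p, ihl, seg) == 0) << 1);
}
/* Constructed sample: 24-byte IP header and 24-byte TCP header (each with
   NOP,NOP,NOP,EOL options), 3-byte payload, RFC 5737 addresses. */
size_t build_sample(uint8_t *p) {
    static const uint8_t raw[51] = {
        0x46,0,0,51, 0,1,0x40,0, 64,6,0,0, 192,0,2,1, 198,51,100,2, 1,1,1,0,
        0x04,0xd2,0,80, 0,0,0,1, 0,0,0,1, 0x60,0x18,0xff,0xff, 0,0,0,0,
        1,1,1,0, 'G','E','T' };
    memcpy(p, raw, sizeof raw);
    uint16_t c = fold(sum16(p, 24, 0));              /* fill IP checksum */
    p[10] = (uint8_t)(c >> 8); p[11] = (uint8_t)c;
    c = tcp_sum(p, 24, 27);                          /* fill TCP checksum */
    p[40] = (uint8_t)(c >> 8); p[41] = (uint8_t)c;
    return sizeof raw;
}
int main(void) {
    uint8_t p[64]; size_t n = build_sample(p);
    printf("as built: %d\n", verify_checksums(p, n));
    p[46] ^= 1;  /* alter a TCP option byte without recomputing the checksum */
    printf("TCP option altered: %d\n", verify_checksums(p, n));
    return 0;
}
```

A result of 3 means both checksums verify; 1 or 2 identifies which layer carries a stale checksum after an option byte was changed.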