[icq-devel] Not working?

Роман Галеев me at jamhed.pp.ru
Wed Jul 2 19:19:03 CEST 2003

Hello Igor,

Wednesday, July 2, 2003, 10:45:25 PM, you wrote:

IF>     It suggested that I reboot when I checked the checkbox second from above.
IF>     Till then it showed me various IP addresses of my local network
IF>     area with checkboxes at the left side of each one. I checked my IP
IF>     address, then all the rest, with no visible results. The sniffer's
IF>     window was white and empty as it always has been. I especially
IF>     spawned ICQ traffic to see if anything had changed. My ICQ was
IF>     already running when I started the sniffer, if it does matter...

IF>     That's true, but Snort is extensible. A plugin can do any job,
IF>     including ICQ protocol parsing.

Undoubtedly yes, but it seems there is no such thing yet :)

IF>     That would be useful. Your program is fine, keep developing it.

IF>     PS I want to ask you as the developer. I installed the sniffer and
IF>     when there was no result I checked the Enable OS routing box. Then the
IF>     sniffer suggested that I reboot. Then I unchecked the button. It AGAIN
IF>     suggested that I reboot. I didn't reboot, uninstalled the sys driver,
IF>     removed registry entries, but I couldn't remove the Legacy driver
IF>     entry that the sniffer had spawned in my registry. I haven't rebooted
IF>     since then.
IF>     The question is, what does this driver do? Will I be able to stay online
IF>     next time I reboot? Why is it not a service? I never liked new drivers
IF>     attached to my network card. I've seen some sniffers working this
IF>     way and I never liked them. I'm sure there are better ways to
IF>     sniff traffic.

This driver does the dirty job: it intercepts network packets from the
NIC (also from the PPP interface). So, because you are unable to see any
messages at all, it seems it simply wasn't started/loaded properly.
It was designed as a driver due to the need for low-level kernel calls.

The OS routing checkbox is part of the ARP spoofing module. When it is
checked, the fake ARPs contain the NIC's own address, and if routing
_must_ be enabled, there is another reason to reboot. If OS routing is
unchecked, the sniffer forges ARPs with different MAC addresses, making
the sniffing harder to detect, and routing is done by the
application itself.

Best regards,
 jamhed                            mailto:me at jamhed.pp.ru
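An added example, not from the original post or the sniffer it describes, of how a defender can spot the behaviour explained above: it parses ARP replies out of raw Ethernet frames and reports any IP address claimed by more than one MAC, which is exactly the footprint that forged ARPs with varying MAC addresses leave. All MACs, IPs and frames are constructed sample data.

```python
# Added example (not from the icq-devel post or the sniffer it discusses):
# detect ARP poisoning by tracking which MAC claims each IP. A spoofer that
# forges replies with varying MAC addresses shows up as one IP claimed by
# several MACs. All frames below are constructed sample traffic.
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an ARP reply frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    *_, op, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    sender_mac = ":".join(f"{x:02x}" for x in sha)
    sender_ip = ".".join(str(x) for x in spa)
    return (sender_mac, sender_ip) if op == ARP_REPLY else None

def find_poisoned_ips(frames):
    """Map each IP to the MACs claiming it; return only IPs with conflicts."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            mac, ip = parsed
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def build_reply(src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed ARP reply frame (Ethernet + ARP) for the sample."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, src_mac, src_ip, dst_mac, dst_ip)
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_ARP) + arp

# Constructed sample: gateway 192.168.0.1 answers once legitimately, then the
# same IP is claimed by two forged MACs; the victim 192.168.0.10 is unaffected.
GATEWAY_MAC, VICTIM_MAC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
GATEWAY_IP, VICTIM_IP = bytes([192, 168, 0, 1]), bytes([192, 168, 0, 10])
SAMPLE_FRAMES = [
    build_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_reply(bytes.fromhex("0a0000000001"), GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_reply(bytes.fromhex("0a0000000002"), GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
]
```

Running `find_poisoned_ips(SAMPLE_FRAMES)` reports only 192.168.0.1 with three distinct MACs; a single legitimate re-mapping (for instance after a NIC swap) would also trigger, so in practice a baseline of known gateway MACs is used to cut false positives.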

