Hacker Read

Anyone with Wireshark or tcpdump could have already seen what IP address the Siri client communicates with.

Any competitors jealous of Siri aren't learning too much by finding out that the client uses HTTP, compression, and binary payloads in what it sends over the wire to the Siri service - the magic is server-side. The client has to communicate with the service somehow.




True.

My usage of Wireshark is rather sporadic, so I appreciate the traffic drill-down I can do w/o any knowledge in advance about the protocols I have captured.


How? Wouldn't they just see TCP packets?

We use tcpdump all the time to capture traffic that we later analyse with Wireshark, so I'm a bit surprised by some comments trying to confront the two.

And tcpdump already exists on every server. I frequently pipe the output of tcpdump over ssh into wireshark for analysis on my local machine.

ssh root@HOST tcpdump -U -s0 -w - 'not port 22' | wireshark -k -i -


You can pump tcpdump into wireshark for a pleasant remote experience

Wow! Can you elaborate more on the latter? How were you able to figure that out with Wireshark?

True, but Wireshark will highlight dodgy TCP frames (retransmits, dups, etc) which should give a small clue to look further. I agree that it is necessary to understand how TCP works (or have access to someone who does) in order to run Internet services.

I think it's just that most scanning tools aren't trying to unwrap a TCP packet inside a TCP packet, so it bypassed their naive filters. Once a researcher spotted it, it was trivial to unwrap, but automated tooling would just see it as the outer TCP packet with some opaque data inside of it.

I would assume that the attacker's destination IP would show up on some dashboards somewhere though...


Fair point. I just tested using tcpdump and the IP address in the response doesn't in fact end with a dot.

They can see that anyway if they intercept the traffic, since the IP will be in all packets. Even better, the TCP connection will end up creating routing tables on all hops along the way.

Interesting use of Wireshark. I'd assume they'd at least allow you access from one end.

Running wireshark only shows packets that are delivered to your network interfaces. If people didn't want you to have that data, why did they route it directly into your computer's network port?

I've never used wireshark, but fwiw it's trivial to filter by destination with, for example, tcpdump.

Wireshark is also able to capture traffic of remote interfaces over ssh.

I was afraid of using tcpdump until I learned that IP and TCP packets have a very specific structure. I had to use tcpdump+wireshark for debugging recently and it felt like having a mini-superpower.
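
The "very specific structure" above, and the earlier comment about tooling that never unwraps a TCP packet carried inside another TCP packet's payload, both come down to the same few header fields. The following is an added example, not code posted in this thread: a minimal IPv4/TCP parser that keeps unwrapping whenever a TCP payload begins with a valid IPv4 header, so the inner destination that outer-header-only filters miss shows up as a second entry. The sample packets, addresses and ports are constructed for the example; it assumes the inner packet starts at offset 0 of the TCP payload (no tunnel framing) and validates only the IPv4 header checksum.

```python
import struct
from typing import Optional

# Added example (not from the thread). Assumptions: the encapsulated packet starts at
# offset 0 of the TCP payload, and only the IPv4 header checksum is verified; the TCP
# checksum is ignored. All addresses and packets below are constructed, not captured.


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 for a header whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def parse_ipv4(buf: bytes) -> Optional[dict]:
    """Return IPv4 header fields and payload, or None if buf does not start with a sane IPv4 header."""
    if len(buf) < 20:
        return None
    version, ihl = buf[0] >> 4, (buf[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl:
        return None
    total_len = struct.unpack("!H", buf[2:4])[0]
    if total_len < ihl or total_len > len(buf):
        return None
    if checksum(buf[:ihl]) != 0:   # cheapest way to reject application bytes that merely look like a header
        return None
    return {
        "src": ".".join(str(b) for b in buf[12:16]),
        "dst": ".".join(str(b) for b in buf[16:20]),
        "proto": buf[9],
        "payload": buf[ihl:total_len],
    }


def parse_tcp(buf: bytes) -> Optional[dict]:
    """Return TCP ports, sequence numbers, flags and payload, or None if the data offset is impossible."""
    if len(buf) < 20:
        return None
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", buf[:14])
    doff = (off_flags >> 12) * 4
    if doff < 20 or len(buf) < doff:
        return None
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload": buf[doff:]}


def walk(buf: bytes, depth: int = 0, max_depth: int = 4) -> list:
    """Parse IPv4 -> TCP -> (IPv4 -> TCP ...) recursively; returns layers outermost first."""
    layers = []
    ip = parse_ipv4(buf)
    if ip is None:
        return layers
    layers.append(("ipv4", ip["src"], ip["dst"], ip["proto"]))
    if ip["proto"] == 6 and depth < max_depth:   # 6 = TCP; recurse into its payload
        tcp = parse_tcp(ip["payload"])
        if tcp is not None:
            layers.append(("tcp", tcp["sport"], tcp["dport"]))
            layers.extend(walk(tcp["payload"], depth + 1, max_depth))
    return layers


def nested_destinations(packet: bytes) -> list:
    """Every IPv4 destination in the packet, outermost first; more than one entry means encapsulation."""
    return [layer[2] for layer in walk(packet) if layer[0] == "ipv4"]


# --- constructed sample packets (not captured traffic) ---------------------------

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport: int, dport: int, payload: bytes, flags: int = 0x018) -> bytes:
    # TCP checksum left at zero: the parser above does not verify it
    return struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | flags, 65535, 0, 0) + payload


UDP_STUB = b"\x00\x35\x00\x35\x00\x0c\x00\x00dns!"            # 8-byte UDP header + 4 data bytes
INNER = build_ipv4("10.0.0.5", "203.0.113.9", 17, UDP_STUB)     # the hidden packet (17 = UDP)
TUNNELED = build_ipv4("192.0.2.10", "198.51.100.7", 6, build_tcp(443, 51515, INNER))
PLAIN = build_ipv4("192.0.2.10", "198.51.100.7", 6, build_tcp(443, 51515, b"GET / HTTP/1.1\r\n"))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("tunneled", TUNNELED)):
        print(name, walk(pkt))
```

The header checksum is what makes this usable on real captures: ordinary application data rarely starts with a byte of 0x45 and a self-consistent length, and almost never carries a header checksum that folds to zero, so a second destination in `nested_destinations()` is worth a closer look rather than a false alarm.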

We had tcpdump and Wireshark, but we weren't allowed to capture anything with it.

So how does anybody know there isn't data exfiltration going on?


I would just use wireshark for that.

Right? That would be much more interesting, and I wonder why they didn't show packet data. They already went through the work of setting up wireshark, might as well peek into the packet data to see what's going on.

Yeah, I've used wireshark for years. But maybe I was late in the game.
