<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<font size="+1">I also change the first three numbers in the mac
addresses :0)<br>
<br>
Any help will be appreciated<br>
<br>
GR<br>
</font><br>
Gerardo Rodríguez escribió:
<blockquote cite="mid:48F56C64.4050904@hotmail.com" type="cite">Hi once
again. I was wondering if tor with thunderbird send information to the
pop3/smtp servers, this is what i found out. I had to use thundebird
ver 1.5.* with torbutton 1.0.4, and used the WireShark to capture
packets.
<br>
<br>
While retrieving the mail this two readings where constant:
<br>
_____________________________________________________________________________
<br>
<br>
Frame 10 (60 bytes on wire, 60 bytes captured)
<br>
Ethernet II, Src: 2wire_2e:d4:89 (aa:aa:aa:2e:d4:89), Dst:
Intel_94:e0:d3 (ff:ff:ff:94:e0:d3)
<br>
Internet Protocol, Src: 83.132.242.113 (83.132.242.113), Dst:
192.168.1.70 (192.168.1.70)
<br>
Transmission Control Protocol, Src Port: mosaicsyssvc1 (1235), Dst
Port: 53328 (53328), Seq: 1, Ack: 1, Len: 0
<br>
<br>
No. Time Source Destination
Protocol Info
<br>
11 9.437005 2wire_2e:d4:89 Broadcast ARP Who
has 192.168.1.65? Tell 192.168.1.254
<br>
_____________________________________________________________________________
<br>
<br>
&
<br>
_____________________________________________________________________________
<br>
<br>
No. Time Source Destination
Protocol Info
<br>
12 10.373837 192.168.1.70 88.198.51.7 TCP
43089 > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64949 Len=586
<br>
<br>
Frame 12 (640 bytes on wire, 640 bytes captured)
<br>
Ethernet II, Src: Intel_94:e0:d3 (ff:ff:ff:94:e0:d3), Dst:
2wire_2e:d4:89 (aa:aa:aa:2e:d4:89)
<br>
Internet Protocol, Src: 192.168.1.70 (192.168.1.70), Dst: 88.198.51.7
(88.198.51.7)
<br>
Transmission Control Protocol, Src Port: 43089 (43089), Dst Port:
etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
<br>
Data (586 bytes)
<br>
<br>
0000 17 03 01 00 20 bc 7f 8b ef dc 1e 82 ca fa 53 e0 ....
.........S.
<br>
etc.
<br>
_____________________________________________________________________________
<br>
<br>
And while sending mail this two:
<br>
_____________________________________________________________________________
<br>
<br>
No. Time Source Destination
Protocol Info
<br>
23 3.306572 CompName schatten.darksystem.net TCP
florence > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64363 Len=586
<br>
<br>
Frame 23 (640 bytes on wire, 640 bytes captured)
<br>
Ethernet II, Src: CompName (ff:ff:ff:94:e0:d3), Dst: 192.168.1.254
(aa:aa:aa:2e:d4:89)
<br>
Internet Protocol, Src: CompName (192.168.1.70), Dst:
schatten.darksystem.net (88.198.51.7)
<br>
Transmission Control Protocol, Src Port: florence (1228), Dst Port:
etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
<br>
Data (586 bytes)
<br>
<br>
0000 17 03 01 00 20 39 1e d3 cb fe 30 60 3f f2 5f 43 ....
9....0`?._C
<br>
etc.
<br>
_____________________________________________________________________________
<br>
<br>
&
<br>
_____________________________________________________________________________
<br>
<br>
No. Time Source Destination
Protocol Info
<br>
24 3.532021 schatten.darksystem.net CompName TCP
etlservicemgr > florence [ACK] Seq=1 Ack=587 Win=65535 Len=0
<br>
<br>
Frame 24 (60 bytes on wire, 60 bytes captured)
<br>
Ethernet II, Src: 192.168.1.254 (aa:aa:aa:2e:d4:89), Dst: CompName
(ff:ff:ff:94:e0:d3)
<br>
Internet Protocol, Src: schatten.darksystem.net (88.198.51.7), Dst:
CompName (192.168.1.70)
<br>
Transmission Control Protocol, Src Port: etlservicemgr (9001), Dst
Port: florence (1228), Seq: 1, Ack: 587, Len: 0
<br>
_____________________________________________________________________________
<br>
<br>
Now:
<br>
<br>
aa:aa:aa:2e:d4:89 is the actual mac address of the adapter in my
router
<br>
ff:ff:ff:94:e0:d3 is the actual mac address of the adapter in my
pc
<br>
CompName is the name of my pc (faked :-)
<br>
<br>
I´m not an expert in reading packets, but, this is a leak ain´t it?
<br>
<br>
<br>
<br>
<br>
Gerardo Rodríguez escribió:
<br>
<blockquote type="cite">Thanks a lot, I´ll be running tests &
I´ll post the results
<br>
<br>
anonym escribió:
<br>
<blockquote type="cite">-----BEGIN PGP SIGNED MESSAGE-----
<br>
Hash: SHA1
<br>
<br>
On 08/10/08 01:09, Jonathan Addington wrote:
<br>
<br>
<blockquote type="cite">With Wireshark you can filter by
port. </blockquote>
..
<br>
<br>
<blockquote type="cite">To address the above, filter by ports,
and then by your IP inside the
<br>
packet </blockquote>
<br>
Sure, filters make it easier finding stuff when you know what to look
<br>
for, but I'm not sure that's the case here. In an analysis like this we
<br>
are much more interested that which we had not anticipated. For
example,
<br>
what if Thunderbird leaked DNS requests? Filtering away all but POP and
<br>
SMTP would then hide this for us.
<br>
<br>
We're not dealing with huge amounts of packets here really, perhaps a
<br>
couple of hundreds of packets at most. That's a piece of cake to go
<br>
through and will make the analysis more complete and thorough. IMHO,
<br>
when dealing with these kinds of issues filtering comes in when that's
<br>
not a realistic option.
<br>
<br>
-----BEGIN PGP SIGNATURE-----
<br>
Version: GnuPG v2.0.9 (GNU/Linux)
<br>
<br>
iEYEARECAAYFAkjr/NAACgkQp8EswdDmSVjMrwCfT2aJ7j7Cko2HhYIItj35gmrK
<br>
VW4AoOjIfgtkSPrgghm9yusAz+137GSg
<br>
=xWB4
<br>
-----END PGP SIGNATURE-----
<br>
<br>
<br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
<br>
<br>
<br>
</blockquote>
</body>
</html>