Thunderbird & Gmail
Gerardo Rodríguez
grchapa at hotmail.com
Wed Oct 15 19:54:18 UTC 2008
anonym wrote:
>
> On 15/10/08 06:07, Gerardo Rodríguez wrote:
>
>> While retrieving the mail these two readings were constant:
>> _____________________________________________________________________________
>>
>>
>> Frame 10 (60 bytes on wire, 60 bytes captured)
>> Ethernet II, Src: 2wire_aa:aa:aa (aa:aa:aa:aa:aa:aa), Dst:
>> Intel_ff:ff:ff (ff:ff:ff:ff:ff:ff)
>> Internet Protocol, Src: 83.132.242.113 (83.132.242.113), Dst:
>> 192.168.1.70 (192.168.1.70)
>> Transmission Control Protocol, Src Port: mosaicsyssvc1 (1235), Dst Port:
>> 53328 (53328), Seq: 1, Ack: 1, Len: 0
>>
>> No. Time Source Destination Protocol
>> Info
>> 11 9.437005 2wire_2e:d4:89 Broadcast ARP Who
>> has 192.168.1.65? Tell 192.168.1.254
>> _____________________________________________________________________________
>>
>
> You have mixed the information from two packets here:
>
> Number 10 (the upper part) from 83.132.242.113 is from something outside
> of the Tor network. A reverse DNS reveals it's from netcabo.pt, which
> seems to be a Portuguese ISP. The source port number suggests it's some
> sort of audio/video streaming protocol (Vosiac). If this part appears
> every time you do POP, it's a bit suspicious.
>
> Number 11 (the lower part) is just an ARP request. It seems your router
> (192.168.1.254) simply wants to know the MAC address of 192.168.1.65 for
> whatever reason. What is 192.168.1.65 on your network?
>
> Are you really sure that these two appear _every_ single time you do
> POP? Are you sure that you have turned off all other applications that
> use the Internet?
>
>
Thanks, 192.168.1.65 is the PC where I was running the test, and I
turned off all programs while running it; I suppose something kept
running. Anyway, this is obviously a mistake I made; the packages to
look at would be #12, 23 & 24 =>
>> _____________________________________________________________________________
>>
>>
>> No. Time Source Destination Protocol
>> Info
>> 12 10.373837 192.168.1.70 88.198.51.7 TCP
>> 43089 > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64949 Len=586
>>
>> Frame 12 (640 bytes on wire, 640 bytes captured)
>> Ethernet II, Src: Intel_ff:ff:ff (ff:ff:ff:ff:ff:ff), Dst:
>> 2wire_aa:aa:aa (aa:aa:aa:aa:aa:aa)
>> Internet Protocol, Src: 192.168.1.70 (192.168.1.70), Dst: 88.198.51.7
>> (88.198.51.7)
>> Transmission Control Protocol, Src Port: 43089 (43089), Dst Port:
>> etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
>> Data (586 bytes)
>>
>> 0000 17 03 01 00 20 bc 7f 8b ef dc 1e 82 ca fa 53 e0 .... .........S.
>> etc.
>> _____________________________________________________________________________
>>
>
> 88.198.51.7 is a Tor relay, probably your entry guard.
>
>
>
>> And while sending mail these two:
>> _____________________________________________________________________________
>>
>>
>> No. Time Source Destination Protocol
>> Info
>> 23 3.306572 CompName schatten.darksystem.net TCP
>> florence > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64363 Len=586
>>
>> Frame 23 (640 bytes on wire, 640 bytes captured)
>> Ethernet II, Src: CompName (ff:ff:ff:ff:ff:ff), Dst: 192.168.1.254
>> (aa:aa:aa:aa:aa:aa)
>> Internet Protocol, Src: CompName (192.168.1.70), Dst:
>> schatten.darksystem.net (88.198.51.7)
>> Transmission Control Protocol, Src Port: florence (1228), Dst Port:
>> etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
>> Data (586 bytes)
>>
>> 0000 17 03 01 00 20 39 1e d3 cb fe 30 60 3f f2 5f 43 .... 9....0`?._C
>> etc.
>> _____________________________________________________________________________
>>
>>
>> &
>> _____________________________________________________________________________
>>
>>
>> No. Time Source Destination Protocol
>> Info
>> 24 3.532021 schatten.darksystem.net CompName TCP
>> etlservicemgr > florence [ACK] Seq=1 Ack=587 Win=65535 Len=0
>>
>> Frame 24 (60 bytes on wire, 60 bytes captured)
>> Ethernet II, Src: 192.168.1.254 (aa:aa:aa:aa:aa:aa), Dst: CompName
>> (ff:ff:ff:ff:ff:ff)
>> Internet Protocol, Src: schatten.darksystem.net (88.198.51.7), Dst:
>> CompName (192.168.1.70)
>> Transmission Control Protocol, Src Port: etlservicemgr (9001), Dst Port:
>> florence (1228), Seq: 1, Ack: 587, Len: 0
>> _____________________________________________________________________________
>>
>
> schatten.darksystem.net is the same as 88.198.51.7, which probably is
> your entry guard.
>
>
>> aa:aa:aa:aa:aa:aa is the actual mac address of the adapter in my router
>> ff:ff:ff:ff:ff:ff is the actual mac address of the adapter in my pc
>>
>
> When obfuscating MAC addresses it's better to do so with the latter part
> of it -- the first numbers are much easier to guess since they are
> determined by the manufacturer, model etc. of the network interface.
>
thanks :-)
>
>> I'm not an expert in reading packets, but this is a leak, ain't it?
>>
>
> Why do you think there is a leak? Only the first two packages (10 and
> 11) seem to be a bit out of the ordinary. All the other traffic is
> between you and the Tor network which is expected.
>
That would be the main thing I'm concerned about: does this dialog
with the Tor network (which includes my MAC addresses and computer name)
go beyond the entry guard?
> And since you use NAT, the EHLO/HELO leak mentioned earlier isn't so
> bad, but since you use Torbutton that should be taken care of anyway.
>
Yes, it's almost impossible to get any information from the headers of
the (received) mail; it's what information the email company receives
that I wonder about.
Thanks anonym for your help,
GR
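To show what the quoted hex dumps of frames 12 and 23 actually carry, here is an added Python example (not code from the thread, from Wireshark or from Tor) that parses Wireshark's dump-line format, decodes the leading TLS record header, and applies anonym's advice to mask the device-specific half of a MAC address rather than the vendor OUI; the two sample lines are the ones quoted above, and the 3+3 octet OUI/NIC split is the standard one.

```python
import re

# Constructed sample: the two Wireshark hex-dump lines quoted in the thread
# (first 16 data bytes of frames 12 and 23, both sent to TCP port 9001).
HEXDUMP_LINES = [
    "0000 17 03 01 00 20 bc 7f 8b ef dc 1e 82 ca fa 53 e0 .... .........S.",
    "0000 17 03 01 00 20 39 1e d3 cb fe 30 60 3f f2 5f 43 .... 9....0`?._C",
]

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_hexdump_line(line: str) -> bytes:
    """Return the data bytes of one Wireshark 'offset  hex...  ascii' line.
    At most 16 byte columns follow the offset, so the ASCII gutter is ignored."""
    m = re.match(r"^[0-9a-fA-F]{4}\s+((?:[0-9a-fA-F]{2}\s){1,16})", line)
    if not m:
        raise ValueError(f"not a hex-dump line: {line!r}")
    return bytes.fromhex(m.group(1))


def tls_record_header(data: bytes) -> dict:
    """Decode the 5-byte TLS record header (type, version, length) at data[0:5]."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor = data[0], data[1], data[2]
    return {
        "content_type": TLS_CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": TLS_VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
        "length": int.from_bytes(data[3:5], "big"),
    }


def obfuscate_mac(mac: str) -> str:
    """Mask the device-specific last three octets of a MAC address and keep the
    vendor OUI: the OUI is guessable from the NIC model, the device part is not."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(octets[:3] + ["xx"] * 3)


if __name__ == "__main__":
    for line in HEXDUMP_LINES:
        print(tls_record_header(parse_hexdump_line(line)))
    print(obfuscate_mac("00:11:22:33:44:55"))  # constructed sample address
```

Both quoted dumps decode to a TLS 1.0 application_data record, i.e. the payload to the entry guard is already encrypted at the point of capture; the MAC addresses only appear in the Ethernet header, which is rewritten at each hop.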