…before I found some time to post something on this blog. Mostly because of the summer break, but also because I was attending DefCon 2013 in Las Vegas, after a break of 3 years. I used to be at DefCon every year while it was held at the Riviera, working for the hotel as a network security expert (“We need protection! Evil hackers everywhere!”) with my buddies Eddi and Landi. The funniest thing the Riv guys did back then was to disconnect all network ports accessible to the public (“the hackers”), like we told them to – well, all except one. On that one, they put a small padlock. Our question to them was “uhm… did you know they have lock picking contests? What do you think will happen when they see this?” ;)
This year’s DefCon was fun again:
- Eddi and I competed in the Network Forensics contest, but we started late and went to a couple of talks in between, so we weren’t exactly the fastest to come up with the final solution to the 8 sub-challenges. We were pretty fast though, crunching through the first 6 challenges in a total of maybe 2 hours.
- There was a “Capture the Packet” challenge, which was kinda strange in a couple of ways: first of all, the guys running it had some problems setting it up, so it only started a day later than originally planned (I think). And there was a guy doing a basic “capture 101” session, talking about hubs, SPAN ports and Wireshark usage – I think at a convention like DefCon you shouldn’t compete if you need a 101 tutorial first :D
- A couple of talks were quite interesting. I had the most fun at the cool presentation of the Evil Foca tool by Chema Alonso. Evil Foca can be used to wreak havoc on IPv6 networks – including Man-in-the-Middle attacks with a couple of mouse clicks.
Anyway, a couple of things have happened since Sharkfest, and unfortunately, one thing hasn’t: I wanted to do a re-recording of my “Top 5 False Positives” talk since it wasn’t filmed at the conference. I already bought a Camtasia license, but didn’t find the time for the recording session. Well, it’s still on my ToDo list.
TraceWrangler received quite some attention, which is nice after all the work I put into it. It’s now more than 202,000 lines of code (including a couple of 3rd party components that deal with the SQLite integration), and I just released build 308 two days ago – at 5 am, after more than 8 hours of coding. Some of the feedback included:
- A video review by Tony Fortunato, which shows how to do basic trace file sanitization using the version released at Sharkfest 2013
- Also, LoveMyTool has posted my talk on YouTube in the meantime. Thanks to Chris Greer!
- Feature requests from Sharkfest attendees, like the editing feature that allows removing a Juniper header preceding the Ethernet header. Thanks to all the guys in the LinkedIn groups!
- Well, regarding LinkedIn groups… I helped Stuart Kendrick with a SACK problem that, as it turned out, had been introduced by TraceWrangler when it sanitized the file he posted. So basically I debugged my own mistake without knowing it. Anyway, the bug was fixed and we all had a laugh. I hope.
- Claus Valka dedicated a lot of his recent blog post to TraceWrangler. I recommend taking a look – his post (and the blog in general) is packed with tons of interesting links!
Before I forget: Hansang Bae has posted on the official Wireshark blog, and he even mentioned Landi’s talk at Sharkfest 2013. I have to admit I laughed about the link to Landi’s slide deck – it’s so short, it won’t tell you much. Well, the lesson learned should be: be at Sharkfest 2014 and see the talks live! ;-)
Okay, enough for now. The next post shouldn’t take as long. I hope.