CoPacketSniffer 8:@ , packet learning / discovery tool does wireshark like filtering

clintonselke · 08/26/2010, 02:04

CoPacketSniffer 8:@110110110110...

REQUIRES WinPcap:

Run As ADMIN: Required for using conquer memory for trial & error when solving for the key after DH key exchange.

THIS IS NOT A BOT, ITS A EDUCATIONAL TOOL, PLEASE DON'T ASK ME HOW TO MAKE IT HUNT!!!

Hello Guys and Girls, made a nice little tool for assisting developers out there in finding packets and learning how they work.

Heres a little screenshot

This tool will always be 100% free. No advertising links like sharecash, just direct links.

The expressions are similar to wireshark.

Here are some of the variables / functions

DstEther - The destination mac address. (for network interface or router)
SrcEther - The source mac address. (for network interface or router)
DstIP - The destination IP address (for network interface, remote login server, or game server)
SrcIP - The source IP address (for network interface, remote login server, or game server)
DstPort - The destination port (goes with DstIP)
SrcPort - The source port (goes with SrcIP)
Data.StartsWith("AA BB CC DD") - Finds packets that start with AA BB CC DD
Data.Contains("AA BB CC DD") - Finds packets that contain AA BB CC DD

&& - Logical AND, Example: SrcPort==5816 && Data.StartsWith("25 00 1A 27");
|| - Logical OR, Example: SrcIP == "10.1.1.2" || SrcIP == "10.1.1.3"
! - Logical NOT, Example: !Data.Contains("1A 27")
== - EQUAL test, Example: DstPort == 5816
!= - NOT EQUAL test, Example: DstPort != 5816

Downloads:

Tips

- Login spams a lot of packets, and sometimes packets are dropped due to the time it takes to draw them on the screen. If you uncheck the "Enable" checkbox during login and re-check it, then there will be less chance of packets appearing as random data.

ChangeLog

CoPacketSniffer-v1.2.zip

- Fixed a bug when copying packets in filtered mode. (It was copying the wrong packet before)

CoPacketSniffer-v1.1.zip

- Made the Filter Expression TextBox coloured. (green means valid expression, red means invalid expression)
- Made the Font inside the packet list monospaced

CoPacketSniffer-v1.0.zip

- Added C/C++, C#, VB.Net, and Detailed Copy styles (from right click on packets)
- Added IP checksum check. (Ignores errored packets which needs to be resent due to poor network connection)

CoPacketSniffer.zip

- Initial Import

~~Die Schnittstelle~~ · 08/26/2010, 11:34

Antivirus	Version	Last Update	Result
AhnLab-V3	2010.08.26.00	2010.08.25	-
AntiVir	8.2.4.38	2010.08.26	-
Antiy-AVL	2.0.3.7	2010.08.26	-
Authentium	5.2.0.5	2010.08.26	W32/Heuristic-KPP!********
Avast	4.8.1351.0	2010.08.25	-
Avast5	5.0.594.0	2010.08.25	-
AVG	9.0.0.851	2010.08.25	-
BitDefender	7.2	2010.08.26	-
CAT-QuickHeal	11.00	2010.08.24	-
ClamAV	0.96.2.0-git	2010.08.26	-
Comodo	5862	2010.08.26	-
DrWeb	5.0.2.03300	2010.08.26	-
Emsisoft	5.0.0.37	2010.08.26	-
eSafe	7.0.17.0	2010.08.25	-
eTrust-Vet	36.1.7818	2010.08.26	-
F-Prot	4.6.1.107	2010.08.26	W32/Heuristic-KPP!********
F-Secure	9.0.15370.0	2010.08.26	-
Fortinet	4.1.143.0	2010.08.26	-
GData	21	2010.08.26	-
Ikarus	T3.1.1.88.0	2010.08.26	-
Jiangmin	13.0.900	2010.08.26	-
Kaspersky	7.0.0.125	2010.08.26	-
McAfee	5.400.0.1158	2010.08.26	Suspect-D!F817EDAFAADA
McAfee-GW-Edition	2010.1B	2010.08.26	Heuristic.BehavesLike.Win32.Trojan.H
Microsoft	1.6103	2010.08.26	-
NOD32	5397	2010.08.25	-
Norman	6.05.11	2010.08.25	-
nProtect	2010-08-26.01	2010.08.26	-
Panda	10.0.2.7	2010.08.25	-
PCTools	7.0.3.5	2010.08.26	-
Prevx	3.0	2010.08.26	-
Rising	22.62.03.01	2010.08.26	-
Sophos	4.56.0	2010.08.26	-
Sunbelt	6795	2010.08.26	-
SUPERAntiSpyware	4.40.0.1006	2010.08.26	-
Symantec	20101.1.1.7	2010.08.26	-
TheHacker	6.5.2.1.356	2010.08.26	-
TrendMicro	9.120.0.1004	2010.08.26	-
TrendMicro-HouseCall	9.120.0.1004	2010.08.26	-
VBA32	3.12.14.0	2010.08.25	-
ViRobot	2010.8.26.4009	2010.08.26	-
VirusBuster	5.0.27.0	2010.08.25	-

looks clean

clintonselke · 08/26/2010, 11:44

Thanks .Mio

LoSeR1 · 08/26/2010, 11:49

lol i dont even know wat it should be doing

Ian* · 08/26/2010, 18:28

Quote:

Originally Posted by LoSeR1

lol i dont even know wat it should be doing

it's a sexy packet logger which doesn't require forwarding connections to a proxy

gabrola · 08/26/2010, 19:19

Quote:

Originally Posted by Ian*

it's a sexy packet logger which doesn't require forwarding connections to a proxy

Indeed, it's sexy.
EDIT: Right click won't work.
EDIT2: Clint you could also use a fixed width font like Courier New for the packets to look "nice"

clintonselke · 08/27/2010, 08:44

Quote:

Originally Posted by gabrola

Indeed, it's sexy.
EDIT: Right click won't work.
EDIT2: Clint you could also use a fixed width font like Courier New for the packets to look "nice"

Will do, the gui was kinda done quickly. Any drawings or pictures of a gui layout would be appreciated as well.

There are a couple of things im working on w/ it atm. One is, since the packets are being sniffed in a raw way, there is a chance they can arrive out of order, or corrupt. If a packet is out of order or corrupt, then I need to ignore the packet, otherwise it will throw the encryption out and you will end up with random bytes for the packets.

Lots of reading to do on Ethernet, IP and TCP packet headers... joy... :P

As for right click, that should be working unless I've zipped the wrong exe. Like ya select a packet, right click it, then go "C/C++ Style Copy", "VB.Net Style Copy", "C# style copy" or "detail style copy", and it should end up on the clipboard in that style.

drunkey · 08/27/2010, 17:01

Greate Job, but I want to use it

but: Why the CO and packetsniffer is shutting down when I start CO? don't say nothing just exit. I have windows xp sp2 , I'm using wi-fi.

clintonselke · 08/29/2010, 04:08

Quote:

Originally Posted by drunkey

Greate Job, but I want to use it
but: Why the CO and packetsniffer is shutting down when I start CO? don't say nothing just exit. I have windows xp sp2 , I'm using wi-fi.

Atm its doing a Debug Breakpoint Hook on BF_set_key(), to catch the new blowfish key after DH key exchange. And the address of that function is hard coded. That means this tool will only work on the latest English version exe for now.

But later on i'll make it do a memory search for the BF_set_key() function, so it will work for more versions and more languages of conquer.

Starburst17 · 09/07/2010, 02:09

Thank you for your hard work!

PKDemon · 09/08/2010, 11:12

i think this is kinda of kewl but for someone like me that dont know a dang thing about packets it is useless haha

but i like the copy functions though

and i test this on a 5095 private server and it was reading the packets

i guess i am gonna have to learn how to do stuff with these packets and what packets are what :P

this is a fun tool to have and you could learn alot from it

Matic^ · 10/15/2010, 14:24

will this going to be updated?