6f8393d4e1d0c9b23a44bc1c04633bcd

From aldeid

Description

Summary

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Identification

MD5 6f8393d4e1d0c9b23a44bc1c04633bcd
SHA1 4a644dc1036aaf9ffe56d9802a3abd671509f307
SHA256 a6dd12e7a4fdd679b4a165bb9a9f0e7ef11514d828996484498b73d6e4835082
ssdeep 768:A/0skGip8rQbJ9kX1owiZwTQyeg5KZvHO0QcoN52A:xs30bzrwUyeg5KZvroz2A
imphash 723e05b1ed716ac47dc010aba61abbb0
File size 44.0 KB ( 45056 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (console) Intel 80386 32-bit

Antivirus detection

Antivirus Result Update
AVG Generic_c.VPG 20140225
Ad-Aware Application.Sniffer.Ksniff.A 20140225
Agnitum Sniffer.Ksniff!9m6V8ar2qT8 20140225
AhnLab-V3 Win-Trojan/Ksniff.45056 20140225
AntiVir TR/Sniffer.Ksniff 20140225
Antiy-AVL HackTool/Win32.Ksniff 20140225
Avast Win32:Trojan-gen 20140225
Baidu-International HackTool.Win32.Sniffer.aqI 20140225
BitDefender Application.Sniffer.Ksniff.A 20140225
Bkav W32.Clod677.Trojan.aa8f 20140225
CMC Generic.Win32.6f8393d4e1!MD 20140220
ClamAV Trojan.Ksniff 20140225
Commtouch W32/Sniffer.QCQO-8999 20140225
Comodo ApplicUnsaf.Win32.HackTool.Sniffer.Ksniff 20140225
DrWeb Win32.HLLW.Billy 20140225
F-Prot W32/Sniffer.H 20140225
F-Secure Application.Sniffer.Ksniff 20140225
Fortinet W32/Ksniff!tr 20140225
GData Application.Sniffer.Ksniff.A 20140225
Jiangmin Sniffer.Ksniff 20140225
K7AntiVirus Riskware ( a9dcac7a0 ) 20140225
K7GW Riskware ( 0040eff71 ) 20140225
Kaspersky HackTool.Win32.Sniffer.Ksniff 20140225
Kingsoft Win32.Hack.Ksniffer.(kcloud) 20140225
McAfee Artemis!6F8393D4E1D0 20140225
McAfee-GW-Edition Artemis!6F8393D4E1D0 20140225
MicroWorld-eScan Application.Sniffer.Ksniff.A 20140225
Microsoft Trojan:Win32/Ksniff.A 20140225
NANO-Antivirus Riskware.Win32.Sniffer.hrkb 20140225
Norman Suspicious_Gen2.NZYPT 20140224
Panda Trj/Spy.C 20140225
Rising PE:Trojan.Win32.Generic.122E2704!305014532 20140225
Sophos Mal/Generic-S 20140225
Symantec Trojan Horse 20140225
TheHacker Trojan/Hacktool.Sniffer.ksniff 20140224
TrendMicro HKTL_KSNIFF.A 20140225
TrendMicro-HouseCall HKTL_KSNIFF.A 20140225
VIPRE Sniffer.Win32.Ksniff (not malicious) 20140225
ViRobot Trojan.Win32.Sniffer.45056 20140225
nProtect Trojan/W32.HackTool.45056.BF 20140225
ByteHero 20140225
CAT-QuickHeal 20140225
ESET-NOD32 20140225
Emsisoft 20140225
Ikarus 20140225
Malwarebytes 20140225
Qihoo-360 20140225
SUPERAntiSpyware 20140225
TotalDefense 20140225
VBA32 20140225

Usage

Syntax

Usage: rksniffer.exe [options]

Options

 -l                    list all active adapters on the machine
 -i [adapter]          select adapter
 -s [port]             source port for filtering received packets
 -d [port]             destination port for filtering received packets
 -o [file]             print results in file or in stdout if not specified
 -c [count]            snif [count] packets
 -a                    display packet content in ASCII format
 -x                    display packet content in hex format
 -X                    display packet content in hex and ASCII format
 -t                    display time information
 -h                    display this help

Example

List available adapters

C:\tools>rksniffer.exe -l
Adapter 0 -> 192.168.102.129

Sniff

C:\tools>rksniffer.exe -i "Adapter 0" -X -t -o output.txt
29 packet(s) received.
CTRL-C, Exiting...

View output file

C:\tools>more output.txt
08:59:15 UDP 192.168.102.129:1027 > 192.168.102.128:53 id 145 ttl 128 tos 0 len 56 udplen 36

DATAS
[HEX & ASCII]
00000000 45 00 00 38 00 91 00 00 80 11 eb d1 c0 a8 66 81 E..8..........f.
00000010 c0 a8 66 80 04 03 00 35 00 24 7a f3 1e 6f 01 00 ..f....5.$z..o..
00000020 00 01 00 00 00 00 00 00 06 67 6f 6f 67 6c 65 03 .........google.
00000030 63 6f 6d 00 00 01 00 01                         com.....


08:59:15 ICMP 192.168.102.128 > 192.168.102.129 destination unreachable(Port unreachable) id 22155 ttl 64 tos 192 len 84

DATAS
[HEX & ASCII]
00000000 45 c0 00 54 56 8b 00 00 40 01 d5 0b c0 a8 66 80 E..TV...@.....f.
00000010 c0 a8 66 81 03 03 4b 85 00 00 00 00 45 00 00 38 ..f...K.....E..8
00000020 00 91 00 00 80 11 eb d1 c0 a8 66 81 c0 a8 66 80 ..........f...f.
00000030 04 03 00 35 00 24 7a f3 1e 6f 01 00 00 01 00 00 ...5.$z..o......
00000040 00 00 00 00 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 .....google.com.
00000050 00 01 00 01                                     ....
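The two dumps above can be turned back into decoded headers, which is what you need when an output.txt written by this tool turns up on a host and you have to establish what was captured. The following Python is an added example, not code from the page or from the tool itself: it embeds the two dumps above as constructed sample input and decodes the IPv4, UDP/DNS and ICMP fields that appear on rksniffer's one-line packet summaries.

```python
import socket
import struct

# Constructed sample: the two dumps from the page's output.txt, copied as the tool prints them.
DNS_QUERY_DUMP = """\
00000000 45 00 00 38 00 91 00 00 80 11 eb d1 c0 a8 66 81 E..8..........f.
00000010 c0 a8 66 80 04 03 00 35 00 24 7a f3 1e 6f 01 00 ..f....5.$z..o..
00000020 00 01 00 00 00 00 00 00 06 67 6f 6f 67 6c 65 03 .........google.
00000030 63 6f 6d 00 00 01 00 01                         com.....
"""
ICMP_REPLY_DUMP = """\
00000000 45 c0 00 54 56 8b 00 00 40 01 d5 0b c0 a8 66 80 E..TV...@.....f.
00000010 c0 a8 66 81 03 03 4b 85 00 00 00 00 45 00 00 38 ..f...K.....E..8
00000020 00 91 00 00 80 11 eb d1 c0 a8 66 81 c0 a8 66 80 ..........f...f.
00000030 04 03 00 35 00 24 7a f3 1e 6f 01 00 00 01 00 00 ...5.$z..o......
00000040 00 00 00 00 06 67 6f 6f 67 6c 65 03 63 6f 6d 00 .....google.com.
00000050 00 01 00 01                                     ....
"""

def dump_to_bytes(dump):
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:          # at most 16 byte tokens after the offset
            if len(tok) != 2 or not all(c in "0123456789abcdef" for c in tok):
                break                           # first non-hex token is the ASCII column
            out.append(int(tok, 16))
    return bytes(out)

def decode_ipv4(pkt):
    # Returns (the header fields rksniffer prints, the layer-4 payload)
    v_ihl, tos, tlen, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    hdr = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident,
           "ttl": ttl, "tos": tos, "len": tlen, "proto": proto}
    return hdr, pkt[(v_ihl & 0xF) * 4:tlen]     # IHL is in 32-bit words

def decode_udp_dns(payload):
    sport, dport, ulen = struct.unpack("!HHH", payload[:6])
    dns, labels, pos = payload[8:], [], 12      # QNAME follows the 12-byte DNS header
    while dns[pos]:                             # length-prefixed labels, 0 terminates
        labels.append(dns[pos + 1:pos + 1 + dns[pos]].decode("ascii"))
        pos += 1 + dns[pos]
    return {"sport": sport, "dport": dport, "udplen": ulen, "qname": ".".join(labels)}

def summarize(dump):
    # Decode one dump into the fields of rksniffer's one-line packet summary
    ip, payload = decode_ipv4(dump_to_bytes(dump))
    if ip["proto"] == 17:                       # UDP: the DNS query in the first dump
        ip.update(decode_udp_dns(payload))
    elif ip["proto"] == 1:                      # ICMP error: type, code, quoted datagram
        ip["icmp"] = (payload[0], payload[1])
        ip["quoted"] = decode_ipv4(payload[8:])[0]
    return ip
```

The ICMP reply decodes as type 3, code 3 (port unreachable) and quotes the original query, which is why the same 56-byte DNS datagram appears again inside it.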

Dynamic analysis

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Static analysis

Sections

Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x6f54       0x7000       6.636845    
.rdata     0x8000       0xa2e        0x1000       3.940224    
.data      0x9000       0x2c44       0x2000       3.557306

IAT

KERNEL32.dll

  • GetLastError
  • HeapFree
  • GetStdHandle
  • LCMapStringW
  • SetHandleCount
  • GetOEMCP
  • LCMapStringA
  • HeapDestroy
  • HeapAlloc
  • SetConsoleTextAttribute
  • GetEnvironmentStringsW
  • FlushFileBuffers
  • LoadLibraryA
  • RtlUnwind
  • GetModuleFileNameA
  • GetLocalTime
  • FreeEnvironmentStringsA
  • GetCurrentProcess
  • GetEnvironmentStrings
  • SetConsoleCtrlHandler
  • GetCPInfo
  • UnhandledExceptionFilter
  • MultiByteToWideChar
  • FreeEnvironmentStringsW
  • GetCommandLineA
  • GetProcAddress
  • GetConsoleScreenBufferInfo
  • GetFileType
  • SetStdHandle
  • CompareStringW
  • WideCharToMultiByte
  • GetStringTypeA
  • SetFilePointer
  • ReadFile
  • WriteFile
  • GetStartupInfoA
  • SetConsoleTitleA
  • CloseHandle
  • GetComputerNameA
  • GetACP
  • HeapReAlloc
  • GetStringTypeW
  • SetEnvironmentVariableA
  • TerminateProcess
  • HeapCreate
  • VirtualFree
  • FormatMessageA
  • SetEndOfFile
  • CreateFileA
  • ExitProcess
  • GetVersion
  • VirtualAlloc
  • CompareStringA

WS2_32.dll

  • WSAStartup
  • WSASocketA
  • socket
  • bind
  • recvfrom
  • gethostbyname
  • ntohs
  • WSAIoctl
  • inet_ntoa
  • htons
  • closesocket
  • WSAGetLastError

Strings

(null)
runtime error 
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
GetComputerNameA
SetConsoleTextAttribute
GetConsoleScreenBufferInfo
GetStdHandle
GetLocalTime
FormatMessageA
GetLastError
SetConsoleTitleA
KERNEL32.dll
WSAIoctl
WSASocketA
WS2_32.dll
HeapFree
HeapAlloc
ExitProcess
TerminateProcess
GetCurrentProcess
SetConsoleCtrlHandler
GetCommandLineA
GetVersion
SetHandleCount
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
HeapReAlloc
WideCharToMultiByte
CloseHandle
UnhandledExceptionFilter
FlushFileBuffers
WriteFile
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
RtlUnwind
SetFilePointer
MultiByteToWideChar
GetCPInfo
CompareStringA
CompareStringW
GetACP
GetOEMCP
SetEnvironmentVariableA
SetStdHandle
CreateFileA
GetStringTypeA
GetStringTypeW
GetProcAddress
LoadLibraryA
LCMapStringA
LCMapStringW
SetEndOfFile
ReadFile
WSAIoctl(), %s
socket(), %s
Adapter %d -> %s
Error: This box doesn't have any adapter.
Exiting...
Required option missing
IP header bad
TTL equals 0 during reassembly
TTL equals 0 during transit
Redirect for TOS and host
Redirect for TOS and network
Redirect for host
Redirect for network
Precedence cutoff in effect
Host precedence violation
Communication administratively filtered
Host unreachable for TOS
Network unreachable for TOS
Host administratively prohibited
Network administratively prohibited
Source host isolated
Destination host unknown
Destination network unknown
Source route failed
Fragmentation needed
Port unreachable
Protocol unreachable
Host unreachable
Network unreachable
recvfrom failed: %d
bind(), %s
GetAdapter(), %s
gethostbyname(), %s
GetComputerName(), %s
unknown icmp (obsolete or malformed?)
address mask reply
address mask request
information reply
information request
timestamp reply
timestamp request
(unknown - error?)
(%s)
parameter problem
(%s)
ttl exceeded
router solicitation
mobile ip advertisement
router advertisement
echo request
redirect
source quench (flow control)
destination unreachable
echo reply
%02x 
[HEX]
%08x 
%08x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x 
[HEX & ASCII]
No Datas.
[ASCII]
%02d:%02d:%02d 
 id %d ttl %d tos %d len %d
 %s 
 %s >
ICMP
 len %d tos %d
 ttl %d win %d id %d
 %s:%d
 %s:%d >
 id %d ttl %d tos %d len %d udplen %d
%s: invalid option -- %c
%s: illegal option -- %c
%s: option requires an argument -- %c
%s: unrecognized option `%c%s'
%s: unrecognized option `--%s'
%s: option `%s' requires an argument
%s: option `%c%s' doesn't allow an argument
%s: option `--%s' doesn't allow an argument
%s: option `%s' is ambiguous
POSIXLY_CORRECT
icmp
Usage: rksniffer.exe [options]
[options]
  -l            	list all active adapters on the machine
  -i [adapter]  	select adapter
  -s [port]     	source port for filtering received packets
  -d [port]     	destination port for filtering received packets
  -o [file]     	print results in file or in stdout if not specified
  -c [count]    	snif [count] packets
  -a            	display packet content in ASCII format
  -x            	display packet content in hex format
  -X            	display packet content in hex and ASCII format
  -t            	display time information
  -h            	display this help
CTRL-C, Exiting...
%d packet(s) received.
WSASocket() failed: %s
fopen() failed: %s
%d Error(s), Exiting...
Error: "%s" Incorrect protocol.
Error: Incorrect count. Specify a count superior at 0.
Error: Incorrect port. Specify a port between 0 and 65535.
li:s:d:p:o:c:axXth
WSAStartup() failed: %s
SetConsoleTitle() failed: %s
RKSniffer
DATAS
! Another protocol was sniffed !

