crr0tz
Posted September 11, 2020

Hi all,

I'm running a comparison test on several TAPs, including the Packet Squirrel, the Plunder Bug and an EtherTAP (rebranded Profishark). I'm checking to see if I can transfer a large file via SMB from a server and have it successfully received on the client AND be able to successfully recreate the file from the pcap from these devices. To check for success I'm looking at the md5sum of the file - if it matches the original, "success".

With the Plunder Bug and the EtherTAP all tests pass. Not so much with the Packet Squirrel. The other thing I'm checking with the test is throughput. Typically seeing 2.5e6 bps with the Packet Squirrel vs the 7e7 bps from the other TAPs. I'm wondering if there are some configuration changes that would help here.

I'm running Version 3.2 firmware. I've made some slight mods to the switch1 payload (as found in https://github.com/hak5/packetsquirrel-payloads/blob/master/payloads/library/sniffing/tcpdump/payload.sh) - that is, I made the button press start a new file instead of shutting down. I have also run the test prior to the mods without success.

I've also set up the C2 server for ease of use and run switch3 payload (modified to also run tcpdump in the background at startup). This is a super nice feature with lots of promise - I can download the pcap (C2EXFIL) and can run tcpdump from the terminal there. With that I can see that it's dropping packets and the pcap is showing some errors (TCP ACKed unseen segment). The errors occur during file transfer.

The other thing I notice is that the other TAPs are producing pcaps that are around 600 MB, whereas the Packet Squirrel captures are about 25 MB. The file being transferred is 500 MB.

To clarify - the file makes it to the client successfully, just seems that the Packet Squirrel can't keep up. Also network speed is reduced when the Packet Squirrel is in line.

Does anyone have any hints on how to improve capture and throughput? Testing code can be provided if requested if anyone cares to duplicate results on their end - I can remove sensitive bits and post on github.

Cheers,
crr0tz

Peter Luykx
Posted September 22, 2020

Hello,

I have a similar issue. I have sent that in a previous post. TCPDUMP lost packets by Kernel.

grtz
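
The "TCP ACKed unseen segment" errors and kernel-dropped packets mentioned in the posts above can be measured from the pcap itself. The following is an added example, not code from either poster or from Hak5: a stdlib-only Python parser that reports, per TCP flow, a lower bound on the bytes the receiver acknowledged but the capture never recorded. It assumes a little-endian classic pcap with Ethernet/IPv4 framing; the function names, addresses, ports and sample frames are constructed for illustration.

```python
import struct

def ahead(a, b):
    """Bytes by which TCP sequence number a is ahead of b (mod 2**32), else 0."""
    d = (a - b) & 0xFFFFFFFF
    return d if d < 0x80000000 else 0

def unseen_acked_bytes(data):
    """Lower bound, per flow, of bytes the peer ACKed that the capture never saw."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    max_end, missing, off = {}, {}, 24               # skip 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        pkt = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if (len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6
                or len(pkt) < 14 + (pkt[14] & 0x0F) * 4 + 14):
            continue                                  # not IPv4/TCP, or header cut off
        ihl = (pkt[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", pkt, 16)[0]
        sport, dport, seq, ack, hl_flags = struct.unpack_from("!HHIIH", pkt, 14 + ihl)
        payload = total_len - ihl - (hl_flags >> 12) * 4   # from IP header: snaplen-safe
        src, dst = pkt[26:30], pkt[30:34]
        key, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        end = (seq + payload + bool(hl_flags & 2) + bool(hl_flags & 1)) & 0xFFFFFFFF
        if key not in max_end or ahead(end, max_end[key]):
            max_end[key] = end                        # highest byte seen from this sender
        gap = ahead(ack, max_end[rev]) if hl_flags & 0x10 and rev in max_end else 0
        if gap:                                       # "TCP ACKed unseen segment"
            missing[rev] = missing.get(rev, 0) + gap
            max_end[rev] = ack
    return missing

def make_frame(src, dst, sport, dport, seq, ack, flags, payload_len):
    """Constructed sample frame: headers only, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def make_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SRV, CLI = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])       # constructed addresses
SAMPLE = make_pcap([
    make_frame(SRV, CLI, 445, 50000, 1000, 1, 0x18, 1460),  # data bytes 1000..2460
    make_frame(CLI, SRV, 50000, 445, 1, 2460, 0x10, 0),     # ACK of captured data
    make_frame(CLI, SRV, 50000, 445, 1, 5380, 0x10, 0),     # ACK of two unseen segments
])
```

Segments lost in the middle of a burst whose later segments were captured are not counted, so the result understates the loss; comparing it with the transferred file size still shows how far a capture fell behind.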