David Honig (honig@sprynet.com)
Fri, 09 Apr 1999 20:18:35 -0700
At 08:15 PM 4/9/99 +0000, Daniel J. Frasnelli wrote:
>When you refer to raw tcpdumps (of IPSEC traffic), I assume you are
>stripping the tcpdump header and non-data information first?
No, actually I was able to distinguish unix "yes" in an xterm
from unix "yes" in an xterm, via an ipsec channel, including the headers.
(No other tcp was going on.)
The MUST measure went from ~3.6 to 6.something, from my memory.
When I started (insecure) browsing, I saw this go down. This was
repeatable.
The headers and random (e.g., ICMP, ARP, etc.) packets obviously accounted
for the redundancy (aka, missing bit).
I used tcpdump -s 10000 -c 1000 -w dump.bin
(capture 1000 packets of up to 10000 bytes each, write to dump.bin)
on FreeBSD 3.0. Then I ran uliscan, as posted.
I would like a tool to strip headers, if you have one.
[Again: there are many ways an IPsec implementation could be
screwed up, and pass my tests. There are also many ways it
could be subverted by evil operating systems, programs,
device drivers, pci cards, etc.
Merely getting a high-entropy MUST score doesn't mean your
data is kosher. Your mileage may vary. If symptoms persist,
see your lawyer.]
DH
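The header-stripping step asked for above, as an added example that is not part of the original message or of uliscan: it walks a classic libpcap file, drops the link-layer and IPv4 headers so only the ESP payloads remain, and scores both the raw dump and the stripped stream with Maurer's universal statistical test at L = 8 (assumed to be what the MUST score refers to). The capture is constructed inline from seeded random payloads standing in for a sound cipher's output; the MACs, addresses and timestamps are made-up placeholders.

```python
import math
import random
import struct

def pcap_records(data):
    """Yield (linktype, packet) for each record of a classic libpcap file (not pcapng)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # KeyError: not a classic pcap
    linktype, = struct.unpack_from(endian + "I", data, 20)
    off = 24                                              # skip the 24-byte global header
    while off + 16 <= len(data):                          # 16-byte per-record header
        incl_len, = struct.unpack_from(endian + "I", data, off + 8)
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def ip_payload(linktype, pkt):
    """Drop the link-layer and IPv4 headers; what remains is e.g. the ESP packet."""
    pkt = pkt[14:] if linktype == 1 else pkt[4:]          # DLT_EN10MB, else assume DLT_NULL (lo0)
    return pkt[(pkt[0] & 0x0F) * 4:struct.unpack_from("!H", pkt, 2)[0]]   # IHL*4 .. total length

def maurer_l8(data, q=2560):
    """Maurer's universal test, L=8: mean log2 distance to the previous occurrence of each byte."""
    if len(data) < q + 1000: raise ValueError("need at least %d bytes" % (q + 1000))
    last = [0] * 256
    for i in range(q):                                    # initialisation segment (Q = 10 * 2^L)
        last[data[i]] = i + 1
    total = 0.0
    for i in range(q, len(data)):                         # test segment
        total += math.log2(i + 1 - last[data[i]])
        last[data[i]] = i + 1
    return total / (len(data) - q)                        # ~7.18 for random bytes when L=8

def build_pcap(payloads):
    """Constructed Ethernet/IPv4/ESP (protocol 50) capture with the given payloads; IP checksum left 0."""
    eth = bytes.fromhex("00115566778800aabbccddee0800")   # placeholder dst MAC, src MAC, ethertype IPv4
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, DLT_EN10MB
    for n, p in enumerate(payloads):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(p), n, 0x4000, 64, 50, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = eth + ip + p
        out += struct.pack("<IIII", 923000000 + n, 0, len(frame), len(frame)) + frame
    return out

def scores(pcap):
    """Return (score over the raw dump file, score over the concatenated IP payloads only)."""
    stripped = b"".join(ip_payload(lt, pkt) for lt, pkt in pcap_records(pcap))
    return maurer_l8(pcap), maurer_l8(stripped)

rng = random.Random(1999)                                 # fixed seed: constructed "good cipher" payloads
RANDOM_CAPTURE = build_pcap([bytes(rng.getrandbits(8) for _ in range(100)) for _ in range(40)])
```

`scores(RANDOM_CAPTURE)` returns a lower value for the raw dump than for the payloads alone, whose score sits near the 7.18 expected of random bytes at L = 8, so the repeated pcap, Ethernet and IP headers by themselves account for a visible drop; a periodic plaintext such as `b"yes\n" * 1000` scores exactly 2.0.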