[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Thunderbird & Gmail
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/10/08 06:07, Gerardo Rodríguez wrote:
> While retrieving the mail this two readings where constant:
> _____________________________________________________________________________
>
>
> Frame 10 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: 2wire_2e:d4:89 (aa:aa:aa:2e:d4:89), Dst:
> Intel_94:e0:d3 (ff:ff:ff:94:e0:d3)
> Internet Protocol, Src: 83.132.242.113 (83.132.242.113), Dst:
> 192.168.1.70 (192.168.1.70)
> Transmission Control Protocol, Src Port: mosaicsyssvc1 (1235), Dst Port:
> 53328 (53328), Seq: 1, Ack: 1, Len: 0
>
> No. Time Source Destination Protocol
> Info
> 11 9.437005 2wire_2e:d4:89 Broadcast ARP Who
> has 192.168.1.65? Tell 192.168.1.254
> _____________________________________________________________________________
You have mixed the information from two packets here:
Number 10 (the upper part) from 83.132.242.113 is from something outside
of the Tor network. A reverse DNS reveals it's from netcabo.pt, which
seems to be a Portuguese ISP. The source port number suggests it's some
sorts of audio/video streaming protocol (Vosiac). If this part appears
every time you do POP, it's a bit suspicious.
Number 11 (the lower part) is just an ARP request. It seems your router
(192.168.1.254) simply want to know the MAC address of 192.168.1.65 for
whatever reason. What is 192.168.1.65 on your network?
Are you really sure that these two appears _every_ single time you do
POP? Are you sure that you have turned off all other applications that
use the Internet?
> _____________________________________________________________________________
>
>
> No. Time Source Destination Protocol
> Info
> 12 10.373837 192.168.1.70 88.198.51.7 TCP
> 43089 > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64949 Len=586
>
> Frame 12 (640 bytes on wire, 640 bytes captured)
> Ethernet II, Src: Intel_94:e0:d3 (ff:ff:ff:94:e0:d3), Dst:
> 2wire_2e:d4:89 (aa:aa:aa:2e:d4:89)
> Internet Protocol, Src: 192.168.1.70 (192.168.1.70), Dst: 88.198.51.7
> (88.198.51.7)
> Transmission Control Protocol, Src Port: 43089 (43089), Dst Port:
> etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
> Data (586 bytes)
>
> 0000 17 03 01 00 20 bc 7f 8b ef dc 1e 82 ca fa 53 e0 .... .........S.
> etc.
> _____________________________________________________________________________
88.198.51.7 is a Tor relay, probably your entry guard.
> And while sending mail this two:
> _____________________________________________________________________________
>
>
> No. Time Source Destination Protocol
> Info
> 23 3.306572 CompName schatten.darksystem.net TCP
> florence > etlservicemgr [PSH, ACK] Seq=1 Ack=1 Win=64363 Len=586
>
> Frame 23 (640 bytes on wire, 640 bytes captured)
> Ethernet II, Src: CompName (ff:ff:ff:94:e0:d3), Dst: 192.168.1.254
> (aa:aa:aa:2e:d4:89)
> Internet Protocol, Src: CompName (192.168.1.70), Dst:
> schatten.darksystem.net (88.198.51.7)
> Transmission Control Protocol, Src Port: florence (1228), Dst Port:
> etlservicemgr (9001), Seq: 1, Ack: 1, Len: 586
> Data (586 bytes)
>
> 0000 17 03 01 00 20 39 1e d3 cb fe 30 60 3f f2 5f 43 .... 9....0`?._C
> etc.
> _____________________________________________________________________________
>
>
> &
> _____________________________________________________________________________
>
>
> No. Time Source Destination Protocol
> Info
> 24 3.532021 schatten.darksystem.net CompName TCP
> etlservicemgr > florence [ACK] Seq=1 Ack=587 Win=65535 Len=0
>
> Frame 24 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: 192.168.1.254 (aa:aa:aa:2e:d4:89), Dst: CompName
> (ff:ff:ff:94:e0:d3)
> Internet Protocol, Src: schatten.darksystem.net (88.198.51.7), Dst:
> CompName (192.168.1.70)
> Transmission Control Protocol, Src Port: etlservicemgr (9001), Dst Port:
> florence (1228), Seq: 1, Ack: 587, Len: 0
> _____________________________________________________________________________
schatten.darksystem.net is the same as 88.198.51.7, which probably is
your entry guard.
> aa:aa:aa:2e:d4:89 is the actual mac address of the adapter in my router
> ff:ff:ff:94:e0:d3 is the actual mac address of the adapter in my pc
When obfuscating MAC addresses it's better to do so with the latter part
of it -- the first numbers are much more easy to guess since they are
determined by the manufacturer, model etc. of the network interface.
> I´m not an expert in reading packets, but, this is a leak ain´t it?
Why do you think there is a leak? Only the first two packages (10 and
11) seems to be a bit out of the ordinary. All the other traffic is
between you and the Tor network which is expected.
And since you use NAT, the EHLO/HELO leak mentioned earlier isn't so
bad, but since you use Torbutton that should be taken care of any way.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAkj15wMACgkQp8EswdDmSVi+yACdFD0YhVZMkzjh0OWRYpnzxcQ4
rboAn352ktlPwrnFO+sFtbOh34V/hpiH
=ma/W
-----END PGP SIGNATURE-----