Florian Cramer on Sat, 22 Jun 2002 19:16:02 +0200 (CEST)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: <nettime> How We Made Our Own "Carnivore" [6x]

Am Thu, 20.Jun.2002 um 15:32:59 -0400x schrieb RSG:
> >From: Andreas Broeckmann <abroeck@transmediale.de>
> >[...] discuss the technical analysis offered by the Moscow-jury which, 
> >from what i understand as a techno-idiot and reading against the grain, 
> >basically says that your Carnivore program offers nothing new under the sun??
> as stated in our original post, Carnivore Personal Edition is rich with
> new features not included in its FBI counterpart. 

FBI's "Carnivore" is, as far as known, an Ethernet sniffer set up to do
very specific/particular tasks, like sniffing only E-Mail of only one
person (see: <http://www.howstuffworks.com/carnivore3.htm>). As the FBI
puts it itself:

  "The Carnivore device works much like commercial "sniffers" and other
  network diagnostic tools used by ISPs every day, except that it
  provides the FBI with a unique ability to distinguish between
  communications which may be lawfully intercepted and those which may

"RSG Carnivore" has no such encoded sniffing rulesets. It is yet another
of the many Ethernet sniffing programs out there, except that its output
is meant for "Net.art" visualization front-ends or, to use your
terminology, "plugins". 

The "RSG Carnivore" we - i.e. the Moscow read_me 1.2 jury - reviewed was
a simple Perl script wrapper around the well-known standard Linux/Unix
program "tcpdump" and another third-party program that converted the
latter's binary output into ASCII. "tcpdump" did the actual sniffing (or
"surveillance", the "Carnivore" Perl scripts only transferred the output
to the web so that it could be used by Net.art visualization "plugins".
This, I assume, was also the version of "RSG Carnivore" which the ars
electronica jury reviewed and awarded.

The new "RSG Carnivore PE" differs from the old "RSG Carnivore" in that
it is not a Linux/Unix, but a Windows program, and that it doesn't need
to be installed on servers. It is written in Visual Basic instead of
Perl and uses the third-party software WinPcap
<http://winpcap.polito.it/> as its sniffing engine, instead of tcpdump. 

Of the 9 differences you find in "RSG Carnivore" as opposed to other
Ethernet sniffing tools, I could validate at least the first:

> 1) artist-made diagnosic clients created by leading net artists around
> the world

Concerning the rest:

> 2) remote access--meaning clients can access CarnivorePE data streams
> from other computers via the Internet

Trivial to implement if you combine an ethernet sniffer with a webserver
or file sharing tool, like

tethereal -x > sniffdata.txt

...and then share this file in Gnutella or a locally running webserver.

> 3) full subject targetting--meaning all users are sniffed, not just a
> single user

Any network sniffing software I know does this. (Ethereal, dsniff,

> 4) full data targetting--all data is sniffed, not just email

As above. 

What you write sounds reads a hackish prank; a hack to sell
trivial/commonplace functionality as extraordinary to people who, due to
their non-technical background, can't judge it. 

man ethereal:

   The following is a table of protocol and protocol fields that are
   filterable in Ethereal.  

       802.1q Virtual LAN (vlan)
       802.1x Authentication (eapol)
       AOL Instant Messenger (aim)
       ATM (atm)
       Address Resolution Protocol (arp)
       Appletalk Address Resolution Protocol (aarp)
       Cisco Auto-RP (auto_rp)

[Skipping dozens and hundreds of protocols]

> 5) volume buffering--to avoid packet storms, CarnivorePE can buffer
> packet output to either 1, 5, 20, or 100 packets per second.

man ethereal:

  -b  If a maximum capture file size was specified, cause Ethereal to
      run in "ring buffer" mode, with the specified number of
      files.  In "ring buffer" mode, Ethereal will write to
      several capture files; the name of the first file, while the cap­
      ture is in progress, will be the name specified
      by the -w flag, and subsequent files with have
      .n appended, with n counting up.

> 6) transport protocol filtering--meaning CarnivorePE can sniff on TCP or
> UDP packets, or both

man ethereal, continued from 4):

       User Datagram Protocol (udp)

           udp.checksum  Checksum
               Unsigned 16-bit integer

           udp.checksum_bad  Bad Checksum

           udp.dstport  Destination Port
               Unsigned 16-bit integer

           udp.length  Length
               Unsigned 16-bit integer

           udp.port  Source or Destination Port
               Unsigned 16-bit integer

           udp.srcport  Source Port
               Unsigned 16-bit integer

man ettercap:

       -u, --udp
              sniff  only  UDP  packets  (default  is TCP).  

> 7) output channels--meaning clients can request one of three output
> channels: "carnivore" for full packet data in ASCII, "hexivore" for full
> packet data in hex, or "minivore" for packet headers only

man ethereal:

   It can assemble all the packets in a TCP conversation and
   show you the ASCII (or EBCDIC, or hex) data in that conversation.
   Display filters in Ethereal are very powerful; more
   fields are filterable in Ethereal than in other protocol
   analyzers, and the syntax you can use to create your filters is
   richer.  As Ethereal progresses, expect more and more protocol
   fields to be allowed in display filters.

> 8) an open source software license (a dramatic improvement over its
> chief rival, Etherpeek, which isn't open source and costs $1,295)

Looking up...


   GPL, as evidenced by existence of GPL license file "COPYING".
   (the GNU GPL may be viewed on Debian systems in /usr/share/common-licenses/GPL)



  Copyright:   Copyright (c) 1999, 2000 Dug Song <dugsong@monkey.org>
  All rights reserved, all wrongs reversed.

  Redistribution and use in source and binary forms, with or without
  modification, are permitted provided that the following conditions
  are met:

  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.
  3. The name of author may not be used to endorse or promote products
     derived from this software without specific prior written permission.



   Ettercap is licensed under the terms of the GNU GPL.

   The GPL licence can be found in /usr/share/common-licenses on modern
   Debian systems.

> 9) a distributed rather than centralized architecture
> most of these features are also missing in the various other sniffers
> available including Snort and tcpdump.

(See point 2.)

> instead of stumbling over technical details, perhaps the nettime
> community can engage in a deeper critique of the software and its uses?

A deeper critique would be that the
developer team of "Ethereal", a free cross-plattform (Linux/Unix and
Windows) tool which offers everything you describe except the Net.art
"plugins", should have run


over their sourcecode and sold it as a "critical", "political",
"subversive", "provocative" etc. piece of software (art), and that
perhaps this is what the RSG hacktivism is actually about. Next we sell
"Norton Unerase" + some fancy "Net.art" visualization backend as a
critical software art piece on personal data privacy.

The bottomline: "RSG Carnivore" is a packet sniffer for the purpose of
creating aestheticized visualizations. I appreciate that because I often
run packet-sniffers to entertain myself with accidental concrete poetry
(particularly radical and sexually intense if you sniff on Gnutella
connections).  But you agree that, as aesthetic sniffing, it is
different from the targetted law-enforcement packet sniffing of FBI
Carnivore whose algorithmic intelligence is spent on the input backend,
not on the output frontend.

I am also in in tune with exploiting ready-made software concepts and
tools. (I even think RSG could have saved much effort by working with a
high-level cross-platform tool like "Ethereal" right away instead of
writing its own Perl/Visual Basic wrappers around low-level sniffing

The difference between FBI Carnivore and commonplace packet sniffers
shows that the difference is in the targetting and the particular
application. In the Moscow jury, we just failed to see the rhetoric
implied in the title "Carnivore" (and the subsequent political rhetoric
you posted here) backed-up in the piece.  

Meanwhile, though, I changed my mind and think our objections were
premature. While the targetting and application of "RSG Carnivore" might
be different from FBI Carnivore on the technical level, it is not so
different on the discursive level. Because "RSG Carnivore", as it turns
out, are not those who run it and let it sniff their networks, but the
net.art world itself, as obvious in this thread it provoked. "RSG
Carnivore" was sophisticatedly at work when Olga Goriunova posted the
read_me 1.2 jury statement, but rhizome-digest of June 2nd, 2002
included it in a version modified by the rhizome editors that skipped
all of our frivolous remarks about "RSG Carnivore", passing it as Olga's
original E-Mail though, without any editorial annotation or typographic
[...] markup. This was Carnivore at work: The implied appeal to readers
to critically question media-fabricated truth (whether by the
syndication of, say, ABC News and Disney or rhizome.org and RSG
Carnivore) by matching rhizome-digest against rhizome-raw showed what
the piece was actually about. Contrary to what Andreas criticized, the
"Net.art"-themed screensaver output turned out to be a clever means of
tactical distraction from thei actual piece.

You call your award-winning piece "Carnivore" instead of (seemingly more
appropriate) "Rhizome Community Network Sniffer"; this honesty is much


GnuPG/PGP public key ID 3200C7BA, finger cantsin@mail.zedat.fu-berlin.de

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime@bbs.thing.net