Wednesday, August 04, 2010

Hexcompare and Finding New Tools

Last week while teaching at Black Hat, one of my students wanted to know how I find new tools. One of the ways I do that is to subscribe to FreshPorts, a site created by Dan Langille. FreshPorts tracks additions to the FreeBSD ports tree, so when someone makes it easy for me to run a new app on FreeBSD I find out. Every week I get an email of new additions to the tree, and I take a quick look to see if any catch my interest.

For example, last week I saw a new port called devel/hexcompare. I visited the Sourceforge project page and decided to try it. Since I was using an Ubuntu desktop I tried to install the new app using apt-get, but it wasn't available yet. I could have turned to a FreeBSD system, but instead I decided Hexcompare was probably simple enough to compile by hand. It turns out the app was really simple, and I got it running quickly.

The screen shot at the top shows the differences in a binary pcap file as identified by Hexcompare. Basically I edited a few bytes in a single-packet pcap. You can see the changed bytes in red.
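As an added illustration (my own code, not the post's or the Hexcompare project's), here is a small Python byte-for-byte comparison of two pcap files that also reports where in the pcap structure each differing byte falls; the single-packet capture is constructed inline and the edits mirror the "few bytes changed" case above.

```python
import struct

PCAP_GLOBAL_HDR = 24   # magic, version, tz, sigfigs, snaplen, linktype
PCAP_RECORD_HDR = 16   # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(packets, linktype=1):
    """Build a minimal little-endian pcap (constructed sample, not a real capture)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, data in packets:
        out += struct.pack("<IIII", ts, 0, len(data), len(data)) + data
    return out


def pcap_regions(blob):
    """Return (start, end, label) for the global header and each record's header/data."""
    regions = [(0, PCAP_GLOBAL_HDR, "global header")]
    off, n = PCAP_GLOBAL_HDR, 0
    while off + PCAP_RECORD_HDR <= len(blob):
        _, _, incl_len, _ = struct.unpack_from("<IIII", blob, off)
        regions.append((off, off + PCAP_RECORD_HDR, f"packet {n} record header"))
        off += PCAP_RECORD_HDR
        regions.append((off, off + incl_len, f"packet {n} data"))
        off += incl_len
        n += 1
    return regions


def locate(regions, offset):
    """Map an absolute file offset to 'region +relative_offset'."""
    for start, end, label in regions:
        if start <= offset < end:
            return f"{label} +{offset - start:#x}"
    return "past end of file"


def byte_diff(a, b):
    """[(offset, byte_in_a, byte_in_b)] for each differing position; None marks a
    position that exists in only one of the two files (different lengths)."""
    diffs = []
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x != y:
            diffs.append((i, x, y))
    return diffs


def diff_report(a, b):
    """Byte diff of two pcaps, each hit annotated with its position in pcap a's layout."""
    regions = pcap_regions(a)
    return [(off, x, y, locate(regions, off)) for off, x, y in byte_diff(a, b)]


# Constructed single-packet capture: an Ethernet frame with 16 bytes of dummy payload.
FRAME = bytes.fromhex("ffffffffffff" "000c29aabbcc" "0800") + bytes(range(16))
ORIGINAL = build_pcap([(1280000000, FRAME)])
EDITED = bytearray(ORIGINAL)
EDITED[52], EDITED[53] = 0x86, 0xDD   # EtherType 0x0800 -> 0x86DD (frame offset 12)
EDITED[60] = 0xFF                     # one payload byte (frame offset 20)
EDITED = bytes(EDITED)

if __name__ == "__main__":
    for off, x, y, where in diff_report(ORIGINAL, EDITED):
        print(f"{off:#06x}: {x:02x} -> {y:02x}  ({where})")
```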

5 comments:

Sandro Süffert said...

I use a similar tool called vbindiff - it was written by Christopher Madsen in 1996 - http://www.cjmweb.net/vbindiff/

Best,

--SS

dvl said...

Nice. Thanks Richard. ;)

dre said...

I use a similar tool called Burp Comparer. It supports words or bytes. Oh wait, this is for HTTP/TLS proxied traffic. What else is there?

Anonymous said...

Such a small world. I mountain bike with Dan Langille regularly and I never knew he ran FreshPorts, and I follow the TaoSecurity blog religiously.... I knew Dan liked FreeBSD, as do I.

Anonymous Boyfriend said...

Hey Anonymous: small world - I'm the guy who wrote hexcompare, and we're all from the same town. At least, I assume you guys are from Ottawa if you mountain bike together!