Friday, April 4, 2008

Sniffing POP3 passwords using gpackcount

Using gpackcount you can sniff passwords on your network.
A practical example is shown below (the transcript omits the USER and PASS POP3 commands, since this is a public article). This can be useful to debug problems, or to find out whether someone is trying to break into your POP3 accounts. POP3 is a good example because, without SSL, authentication is sent in plain text: the USER and PASS commands carry the account name and the password exactly as typed. If you plan to run a plain POP3 service on your network server, think twice: instead of sniffing locally, someone sitting between your POP3 client and your server could be running a similar tool and collecting every password that goes by.

This example assumes you know that POP3 (without SSL) runs over TCP on port 110; every packet in the raw gpackcount output below goes to or from that port. In the transcript you can see the server's greeting banner, the server rejecting the client's rset (RSET is not a valid command before authentication) and the final quit; the USER and PASS lines are not shown, as said above.

Transcript:
[root@fuji root]# gpackcount packets -g 0,110,110,0 -v
{TCP/IP} (size=0, str=0) luisa.prized:2503 => 0.0.0.0:110

{TCP/IP} (size=0, str=0) 0.0.0.0:110 => luisa.prized:2503

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]

{TCP/IP} (size=82, str=94) 0.0.0.0:110 => luisa.prized:2503 +OK Teapop [5B]0.3.7[5D] - Teaspoon stirs around again <1207351688.25c7c716@llywellyn>[0D][0A]

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]

{TCP/IP} (size=6, str=12) luisa.prized:2503 => 0.0.0.0:110 rset[0D][0A]

{TCP/IP} (size=54, str=60) 0.0.0.0:110 => luisa.prized:2503 -ERR rset? I'm not quite sure what you mean, Master.[0D][0A]

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]

{TCP/IP} (size=6, str=12) luisa.prized:2503 => 0.0.0.0:110 quit[0D][0A]

{TCP/IP} (size=55, str=61) 0.0.0.0:110 => luisa.prized:2503 +OK I hope you will be back for your mail later, Sir.[0D][0A]

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]

{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]
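As an added example (not part of the original post and not code from the netpack-gpack sources), here is a small Python script that reads gpackcount output in the format shown above, the {TCP/IP} (size=..., str=...) src:port => dst:port payload lines, and does the two things the article mentions: it extracts the plaintext USER/PASS pairs that the published transcript left out, and it counts -ERR replies to PASS so that repeated failures from one client stand out as a possible password-guessing attempt. The six [00] bytes on the empty client segments are Ethernet frame padding (14 bytes of Ethernet header plus 40 bytes of IP and TCP headers is 54 bytes, six short of the 60-byte minimum frame), not POP3 data, so they are discarded. The input is a constructed session: the hostnames, ports, passwords and server replies in it are made up, the assumption that gpackcount renders brackets and non-printable bytes as [XX] hex escapes is mine, and a command split across two TCP segments is not reassembled.

```python
import re

POP3_PORT = 110

# One gpackcount output line, as in the transcript above; the payload
# part is optional (SYN/ACK segments carry no data).
LINE_RE = re.compile(
    r"^\{TCP/IP\} \(size=(?P<size>\d+), str=(?P<str>\d+)\) "
    r"(?P<src>\S+?):(?P<sport>\d+) => (?P<dst>\S+?):(?P<dport>\d+)"
    r"(?: (?P<payload>.*))?$"
)
# Assumption: gpackcount prints brackets and non-printable bytes as [XX].
HEX_RE = re.compile(r"\[([0-9A-Fa-f]{2})\]")


def decode_payload(text):
    """Turn the [XX] hex escapes back into raw bytes."""
    out = bytearray()
    pos = 0
    for m in HEX_RE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def parse_line(line):
    """Return (src, sport, dst, dport, data) or None for a non-packet line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    data = decode_payload(m.group("payload") or "")
    return (m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), data)


def analyze(lines, server_port=POP3_PORT):
    """Walk the capture; return per-client state keyed by (host, port)."""
    sessions = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, data = pkt
        # Six [00] bytes on an empty segment are Ethernet padding, not POP3.
        data = data.strip(b"\x00")
        if not data:
            continue
        if dport == server_port:                       # client -> server
            st = sessions.setdefault((src, sport),
                                     {"user": None, "pending": None,
                                      "creds": [], "failed": 0})
            # Assumption: a command is never split across two segments.
            for cmd in data.split(b"\r\n"):
                parts = cmd.strip().split(b" ", 1)
                if not parts[0]:
                    continue
                verb = parts[0].upper().decode("latin-1")  # POP3 verbs are case-insensitive
                arg = parts[1].decode("latin-1") if len(parts) > 1 else ""
                if verb == "USER":
                    st["user"] = arg
                st["pending"] = (verb, arg)            # await the server's verdict
        elif sport == server_port:                     # server -> client
            st = sessions.get((dst, dport))
            if st is None or st["pending"] is None:
                continue                               # e.g. the greeting banner
            verb, arg = st["pending"]
            st["pending"] = None
            if verb != "PASS":
                continue
            if data.startswith(b"+OK"):
                st["creds"].append((st["user"], arg))  # login worked: password is now known
            elif data.startswith(b"-ERR"):
                st["failed"] += 1                      # wrong password for this account

    return sessions


def report(sessions, threshold=3):
    """Human-readable findings: captured credentials and suspicious clients."""
    findings = []
    for (host, port), st in sorted(sessions.items()):
        client = "%s:%d" % (host, port)
        for user, password in st["creds"]:
            findings.append("%s: plaintext login USER=%s PASS=%s" % (client, user, password))
        if st["failed"] >= threshold:
            findings.append("%s: %d failed PASS attempts, possible password guessing"
                            % (client, st["failed"]))
    return findings


# Constructed gpackcount-style capture: one client logs in after three wrong
# passwords, a second client fails once. Hosts, ports and secrets are made up.
SAMPLE = """\
{TCP/IP} (size=0, str=0) luisa.prized:2503 => 0.0.0.0:110
{TCP/IP} (size=32, str=38) 0.0.0.0:110 => luisa.prized:2503 +OK Teapop ready <1@llywellyn>[0D][0A]
{TCP/IP} (size=6, str=24) luisa.prized:2503 => 0.0.0.0:110 [00][00][00][00][00][00]
{TCP/IP} (size=12, str=18) luisa.prized:2503 => 0.0.0.0:110 USER alice[0D][0A]
{TCP/IP} (size=5, str=11) 0.0.0.0:110 => luisa.prized:2503 +OK[0D][0A]
{TCP/IP} (size=13, str=19) luisa.prized:2503 => 0.0.0.0:110 PASS wrong1[0D][0A]
{TCP/IP} (size=6, str=12) 0.0.0.0:110 => luisa.prized:2503 -ERR[0D][0A]
{TCP/IP} (size=13, str=19) luisa.prized:2503 => 0.0.0.0:110 PASS wrong2[0D][0A]
{TCP/IP} (size=6, str=12) 0.0.0.0:110 => luisa.prized:2503 -ERR[0D][0A]
{TCP/IP} (size=13, str=19) luisa.prized:2503 => 0.0.0.0:110 PASS wrong3[0D][0A]
{TCP/IP} (size=6, str=12) 0.0.0.0:110 => luisa.prized:2503 -ERR[0D][0A]
{TCP/IP} (size=14, str=20) luisa.prized:2503 => 0.0.0.0:110 PASS hunter2[0D][0A]
{TCP/IP} (size=16, str=22) 0.0.0.0:110 => luisa.prized:2503 +OK Logged in.[0D][0A]
{TCP/IP} (size=12, str=18) mallory.prized:4101 => 0.0.0.0:110 USER alice[0D][0A]
{TCP/IP} (size=5, str=11) 0.0.0.0:110 => mallory.prized:4101 +OK[0D][0A]
{TCP/IP} (size=12, str=18) mallory.prized:4101 => 0.0.0.0:110 PASS guess[0D][0A]
{TCP/IP} (size=6, str=12) 0.0.0.0:110 => mallory.prized:4101 -ERR[0D][0A]
"""

if __name__ == "__main__":
    for finding in report(analyze(SAMPLE.splitlines())):
        print(finding)
```

To use it on a real capture, pipe the gpackcount output into analyze() line by line (sys.stdin works as the iterable) and lower or raise the threshold to match how many typos your users normally make; the same loop works for any other plaintext line-oriented protocol on another port if the USER/PASS handling is adapted.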

Friday, January 4, 2008

netpack-gpack - why this name?

netpack currently comprises gpack.

First release was packaged as netpack-gpack-v0.8.tar.gz; main sources are netpack/gpack/gPackCount-v0.8.

The actual executable is gpackcount, which was primarily built to sniff my own intranet traffic.
My original CVS sources were placed at gprog/pNetPack/, where some utilities like gPackServer and gPackClient were stored, together with an AS (Autonomous System) text compiler.

As time went by, I didn't have time to complete the client/server functionality, and I continued to use gpackcount, making several enhancements.

gpackcount turned out to be quite useful for its purposes, but initially had an annoying quirk: it depended heavily on the installed libpcap (known as pcap, refer to www.tcpdump.org).
It turned out to be much easier to integrate libpcap into my own wrapper library, known as libgpcap, so that only one primary source tree is needed instead of a bunch of separate pieces:
  • netpack/gpack/o_sources/libpcap-0.7.2-orig.tar
  • netpack/gpack/o_sources/libpcap-diff.patch
The original libpcap (version 0.7.2, which I chose as the most stable!) is part of the package, together with the small patch applied to make it build cross-platform (at least on many different Linux flavours).
As a guideline for further development, the include files are also provided, and can be installed:
  • netpack/gpack/o_sources/libpcap-0.7.2-include.tar
Now back to the name: why not just netpack? There are lots of trademarks on netpack, netpackage and similar words. gpack is the result of gathering libpcap, libgpcap and the main application distributed, gpackcount; so it got named netpack-gpack.

That's about it.
Enjoy!