A sniffer or a NIDS works by passively collecting internet traffic. This traffic is captured as a series of packets, and these packets are reassembled into sessions by the "reassembly engine". The reassembly engine is the target of the SniffJoke project: by injecting packets into a live session, Sj does not damage the session, but leads the reassembly engine to make ambiguous choices. The bug exploited is not implementation dependent; it is network and protocol dependent. Our problem is finding a security laboratory able to provide us with this kind of technology. We are looking for NIDS and sniffers to test in a real network environment. The SniffJoke project, near the 0.5 release, is now splitting into two parts: SniffJoke (a modular, extremely configurable mangler) and Janus, portable software able to divert kernel sessions to userspace or to a remote box.
Our goal for 0.5 is to make SniffJoke run under Windows/Mac OS X/Linux, and to have Janus divert sockets handled on your default gateway (e.g. OpenWrt, La Fonera) or on your local box (Mac OS X, Linux, BSD).
From the research point of view, since 1998, when the paper by Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", was released, NIDS and sniffers have been known to be fallible. Researchers have developed "Active Mapping" in the NIDS engine, aiming to better understand how to manage an ambiguous packet. Active mapping SHOULD work in a NIDS (some kinds of information will not be mapped so easily, especially in high-performance environments), but nevertheless it is not possible to apply active mapping to large-scale sniffing. At the moment, national security matters sometimes rely on these technologies; it is therefore a scientific matter to demonstrate that no security is obtained from passive traffic analysis.
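The ambiguity a passive reassembly engine faces can be shown on the sensor side with one case from the Ptacek and Newsham paper, two segments that cover the same sequence range with different bytes. This is an added example, not SniffJoke code and not a description of its plugins; the function names and the sample segments are constructed for illustration, and sequence-number wraparound is ignored.

```python
# Added illustration; not SniffJoke code. Constructed sample capture:
# (relative sequence number, payload), in the order the sensor saw them.
SEGMENTS = [
    (0, b"GET /index"),
    (10, b".html HTTP"),
    (4, b"/hello"),        # covers bytes 4..9 again, with different content
    (20, b"/1.0\r\n"),
]

def reassemble(segments, policy):
    """Rebuild the stream. policy 'first' keeps the bytes seen first,
    'last' lets a later segment overwrite them."""
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            if policy == "last" or seq + i not in stream:
                stream[seq + i] = byte
    out, pos = bytearray(), 0
    while pos in stream:   # stop at the first hole in the stream
        out.append(stream[pos])
        pos += 1
    return bytes(out)

def find_conflicts(segments):
    """Return (start, end, first_seen, resent) for every overlapping range
    whose bytes disagree. A benign retransmission never appears here."""
    seen, conflicts = {}, []
    for seq, data in segments:
        for i, byte in enumerate(data):
            pos = seq + i
            if pos not in seen:
                seen[pos] = byte
            elif seen[pos] != byte:
                if conflicts and conflicts[-1][1] == pos:
                    start, _, old, new = conflicts.pop()   # extend the open range
                else:
                    start, old, new = pos, b"", b""
                conflicts.append((start, pos + 1,
                                  old + bytes([seen[pos]]), new + bytes([byte])))
    return conflicts

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    for start, end, old, new in find_conflicts(SEGMENTS):
        print(f"ambiguous bytes {start}..{end - 1}: {old!r} vs {new!r}")
```

A sensor cannot tell from the capture alone which of the two streams the endpoint accepted, so the useful output is the conflict itself: a session with a non-empty conflict list should be flagged rather than silently resolved by one policy.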