[Honeywall] Sebek client port changing

Earl esammons at hush.com
Tue Jul 8 09:27:07 EDT 2008



On Tue, 08 Jul 2008 06:05:21 -0400 Gayan Sahabandu 
<gayan.leo at gmail.com> wrote:
>I am running an IIS server on an XP machine which I am using as my 
>honeypot. Even though I gather info (walleye flow view) from the 
>honeywall (roo 1.4) about my honeypot, I don't see any inbound 
>HTTP traffic to the honeypot. 

I don't use this stuff and I'm a bit out of touch on the dev side... 
(Developers) Did HwBPF_DISABLE make it so you have to explicitly 
list Honeypot IPs to get pcap capture for them?  If so, (Gayan) 
do you have the Honeypot IP in question listed in 'hwctl 
HwHPOT_PUBLIC_IP'?

>I have realised the Sebek client (Windows) tracks UDP port 1101 only. 

Incorrect.  The Sebek client uses UDP/1101 (by default) to *transmit* 
information.  The sebek server process on the roo then picks it up 
(from pcap?).  As I understand it (could be wrong), the Sebek client 
does not listen to network traffic at all - this is handled by 
tcpdump, argus, snort etc. on the roo.  For clarity, I do not 
mention this as being a defect.  Also note, Sebek is not my 
specialty so I could be slightly off - feel free to chime in and 
correct me...

>Does this mean that I cannot use the Windows Sebek client to gather 
>HTTP traffic info?

HTTP destined for a honeypot behind a roo should be traceable from 
the data collected by the roo.  If not, something is wrong.

Earl
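Earl's reply separates the two things Gayan is looking for: Sebek records leave the honeypot as UDP towards port 1101, while inbound HTTP to the honeypot is ordinary traffic the roo captures with pcap (and, if the HwBPF_DISABLE point holds, only for honeypot IPs listed in HwHPOT_PUBLIC_IP). The script below is an added example, not code from the Honeywall (roo) or Sebek projects: it sorts constructed walleye-style flow records along that line, reports which listed honeypots saw inbound HTTP and Sebek export, and flags HTTP destinations missing from the honeypot list. The one-line flow format and the set of ports treated as HTTP are assumptions, and the sample records are constructed.

```python
"""Triage walleye-style flow records for a honeypot behind a roo.

Added example for this thread; not code from the Honeywall or Sebek
projects. Assumes flows flattened to "proto src_ip:src_port -> dst_ip:dst_port"
(an assumed format, not walleye's real export). Sample records are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

SEBEK_PORT = 1101            # Sebek client's default UDP export port (per the thread)
HTTP_PORTS = {80, 8080}      # assumption: what we count as inbound HTTP

FLOW_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<sip>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dip>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line):
    """Parse one assumed-format flow line into a Flow."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return Flow(m["proto"], m["sip"], int(m["sport"]), m["dip"], int(m["dport"]))


def is_sebek_export(flow, honeypots):
    """Sebek data leaves the honeypot as UDP towards port 1101; the client
    transmits on that port, it does not listen for traffic."""
    return (flow.proto == "udp" and flow.dst_port == SEBEK_PORT
            and flow.src_ip in honeypots)


def is_inbound_http(flow, honeypots):
    """HTTP from outside reaching a listed honeypot: the roo's pcap should
    show this regardless of what Sebek does."""
    return (flow.proto == "tcp" and flow.dst_port in HTTP_PORTS
            and flow.dst_ip in honeypots and flow.src_ip not in honeypots)


def triage(lines, honeypots):
    """Summarise what the roo saw for each configured honeypot IP."""
    flows = [parse_flow(line) for line in lines if line.strip()]
    http_per_hp = Counter(f.dst_ip for f in flows if is_inbound_http(f, honeypots))
    sebek_per_hp = Counter(f.src_ip for f in flows if is_sebek_export(f, honeypots))
    # HTTP reaching an address not in the honeypot list: if that address is a
    # honeypot, it is missing from HwHPOT_PUBLIC_IP on the roo.
    unlisted_http = sorted({f.dst_ip for f in flows
                            if f.proto == "tcp" and f.dst_port in HTTP_PORTS
                            and f.dst_ip not in honeypots})
    return {
        "http_per_honeypot": dict(http_per_hp),
        "sebek_per_honeypot": dict(sebek_per_hp),
        "honeypots_without_http": sorted(h for h in honeypots if h not in http_per_hp),
        "unlisted_http_destinations": unlisted_http,
    }


# Constructed sample flow records (not real captures).
SAMPLE_FLOWS = """
tcp 203.0.113.9:40211 -> 192.0.2.10:80
tcp 203.0.113.9:40212 -> 192.0.2.10:80
udp 192.0.2.10:1101 -> 10.0.0.1:1101
tcp 198.51.100.4:51000 -> 192.0.2.11:80
tcp 203.0.113.9:40213 -> 192.0.2.10:443
""".strip().splitlines()

# Assumed contents of HwHPOT_PUBLIC_IP on the roo.
CONFIGURED_HONEYPOTS = {"192.0.2.10", "192.0.2.12"}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS, CONFIGURED_HONEYPOTS).items():
        print(f"{key}: {value}")
```

On the constructed records, 192.0.2.10 shows both inbound HTTP and a Sebek export, 192.0.2.12 is listed but sees no HTTP at all, and 192.0.2.11 receives HTTP without being listed; the last two are the cases worth checking against HwHPOT_PUBLIC_IP before suspecting the Sebek client.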



More information about the Honeywall mailing list