Honeypots mailing list archives

Re: my sebek2 did not work


From: george chamales <george () overt org>
Date: Sun, 15 Jun 2003 23:56:31 -0500

I also use tcpdump to capture the UDP port 1101, but likewise got nothing.
Has anybody faced the same problem as I did?

The first thing I'd do is double-check that the parameters for the destination are correct and that it is possible to see any traffic coming out of the honeypot at the sniffer machine.

If it still doesn't work you should make sure the sebek module loaded properly on the honeypot. The sebek.sh script that is used to load the module uses the -q (quiet) option to insmod. This keeps insmod from returning any information when the module loads (which makes perfect sense once everything's working right but makes things a bit tricky when you're testing).

Try rebooting the honeypot (to clear out sebek if it was already loaded), removing the -q option from the first insmod command in the sebek.sh script, commenting out the insmod and rmmod of cleaner.o, and rerunning the script. If you don't get any error messages and you can see the sebek module in lsmod, then the module should be up and running.

Good luck,
george
ut austin honeynet project
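
The debugging steps from the message above, as an added shell example that is not part of the original post or of the Sebek distribution. The loader script contents and the `$OPTIONS` variable are a constructed stand-in, and the helper names `make_debug_loader` and `module_listed` are hypothetical; the real sebek.sh will differ.

```shell
#!/bin/sh
# Added example, not the project's script.

# Print a debugging copy of the loader script FILE:
#  - drop -q from the first insmod command only, so insmod reports errors
#  - comment out every insmod/rmmod line that refers to the cleaner module
make_debug_loader() {
    awk '
        /^[ \t]*#/ { print; next }                  # existing comments pass through
        /(insmod|rmmod)/ && /cleaner/ { print "#DEBUG# " $0; next }
        /insmod/ && !seen {
            seen = 1
            sub(/[ \t]-q[ \t]/, " ")                # -q in the middle of the line
            sub(/[ \t]-q$/, "")                     # -q as the last word
        }
        { print }
    ' "$1"
}

# Read lsmod output on stdin; succeed if module NAME is listed.
module_listed() {
    awk -v name="$1" 'NR > 1 && $1 == name { found = 1 } END { exit !found }'
}

# Constructed stand-in for sebek.sh (the real script's contents will differ).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
insmod -q sebek.o $OPTIONS
insmod -q cleaner.o
rmmod cleaner
EOF

make_debug_loader "$sample"
rm -f "$sample"

# On the honeypot, after a reboot and running the debugging copy:
#   lsmod | module_listed sebek && echo "sebek is loaded"
# On the sniffer machine (port 1101 is the one from the thread):
#   tcpdump -n udp port 1101
```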

