Suspected Sniffer - Programmers Please Analyze Packet Log

Discussion in 'OS X Mountain Lion (10.8)' started by Antifragile, Aug 12, 2013.

  1. macrumors newbie

    Joined:
    Aug 12, 2013
    #1
    Over the last week I've had a guest staying in my home. Due to suspicious activity on my iPhone and iPad mini I decided to run a packet logger through one of the evenings he or she stayed. I can also add that this particular guest has access to extremely sophisticated software as well as the implementation know-how. I have many other details - including iPhone logs from when I was suspicious of my phone's activity - but before we get into all of that I'm hoping to get some feedback on this topic first.

    Included in this post is just a simple screenshot - is there something in the packet logger file I would want to search for in particular to give me details as to who it could have been?

    If there is more information I may provide please let me know.

    Thanks so much for your time and analysis.

    This is my first post on the MR forum - admins if I have posted in the incorrect place I apologize in advance.

    -Antifragile
     

    Attached Files:

  2. macrumors 68020

    MacModMachine

    Joined:
    Apr 3, 2009
    Location:
    Canada
    #2
    most of that is the HCI Bluetooth controller, looks like a possible BT sniffer.

    any more screenshots?
     
  3. thread starter macrumors newbie

    Joined:
    Aug 12, 2013
    #3
    Would it be safe to post the .pklg file?
     
  4. Antifragile, Aug 12, 2013
    Last edited: Aug 15, 2013

    thread starter macrumors newbie

    Joined:
    Aug 12, 2013
    #4
    More images for analysis until further recommendation...

    Thanks

    Edit Test
     

    Attached Files:

  5. thread starter macrumors newbie

    Joined:
    Aug 12, 2013
    #5
    Anyone else care to add their thoughts? Thanks
     
  6. macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #6
    That's all Bluetooth. Hardly something to fret over.
     
  7. thread starter macrumors newbie

    Joined:
    Aug 12, 2013
    #7
    I must disagree - what sort of background do you have in tech? Thanks :)
     
  8. macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #8
    A few college degrees, various technical certificates, many years of experience. I wonder, do you disagree with your doctor if he/she points to your oddly bent arm and says "It's broken" and you respond "No it isn't"? You came here asking for advice, then question the advice given to you.
     
  9. thread starter macrumors newbie

    Joined:
    Aug 12, 2013
    #9
    I was not attempting to be a jerk AT ALL! Much respect - and I appreciate your advice - but what is your take on where it actually says - Mode Change - Sniff Mode - ?

    I also have Peer-to-Peer logs from my iPhone that make me suspicious...
     
  10. macrumors 6502a

    laurihoefs

    Joined:
    Mar 1, 2013
    Location:
    Korpi
    #10
    Sniff Mode (among other BT modes) is explained here: Bluetooth Sleep Modes

    Could you elaborate what you think is suspicious in the logs? Do you have BT devices connected? If so, then that's pretty much what your log should look like.
     
  11. macrumors 68020

    Joined:
    Jun 15, 2012
    #11
    What was the "suspicious" activity?

    In that case, your best bet might be to use social engineering:
    "Dave, have you been messing with my stuff?"
     
  12. macrumors 68020

    MacModMachine

    Joined:
    Apr 3, 2009
    Location:
    Canada
    #12
    there are some pretty good hardware BT sniffers. This to me looks like a large amount of BT traffic, but not knowing what possible devices are around, it could be anything.

    although I highly doubt one is trying to hack your phone/iPad/computer via Bluetooth unless you have some nuclear launch codes or something.
     
  13. macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #13
    That's Mac OS X's blued. The traffic shown is generated and sourced from it. Unless the OP has a sniffer running on that machine in an unusual configuration, that's all normal.
     
  14. thread starter macrumors newbie

    Joined:
    Aug 12, 2013
    #14
     
  15. macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #15
    Those logs from the iPhone are normal. I get those very often on mine. Nothing unusual there.
     
  16. thread starter macrumors newbie

    Joined:
    Aug 12, 2013
    #16
    Log 5

    Wed Aug 14 12:10:53 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_ginIpDH123eW1zb: No such file or directory
    Wed Aug 14 12:10:53 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_vYKI0J3ZcLMNesX: No such file or directory
    Wed Aug 14 12:10:53 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_nmpWQpmiDABGge3: No such file or directory
    Wed Aug 14 12:10:53 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_cfRamaVrMjhAgQe: No such file or directory
    Wed Aug 14 12:13:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_ginIpDH123eW1zb: No such file or directory
    Wed Aug 14 12:13:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_vYKI0J3ZcLMNesX: No such file or directory
    Wed Aug 14 12:13:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_nmpWQpmiDABGge3: No such file or directory
    Wed Aug 14 12:13:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_cfRamaVrMjhAgQe: No such file or directory
    Wed Aug 14 12:28:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_ginIpDH123eW1zb: No such file or directory
    Wed Aug 14 12:28:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_vYKI0J3ZcLMNesX: No such file or directory
    Wed Aug 14 12:28:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_nmpWQpmiDABGge3: No such file or directory
    Wed Aug 14 12:28:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_cfRamaVrMjhAgQe: No such file or directory

    ----------

    I appreciate that very much - any explanation as to why all of my stuff seems to be acting so strange? Like why on earth my SAT NAV stereo would reset presets and keep all other info the same?
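    As an added illustration (not code from the thread), here is a small Python triage of the iPhone log quoted above. It parses the backboardd-relayed syslog lines, collapses the per-app container UUID and the random SQLite temp-file suffix into one message template, and reports who emitted the warnings and about which files. The regex and field names are my own assumptions about the line shape; the sample lines are taken from the post.

```python
import re
from collections import Counter

# Constructed sample: six of the iPhone syslog lines quoted in the post above
# (same backboardd/Facebook[773] shape, same container UUID, two temp files repeated later).
SAMPLE_LOG = """\
Wed Aug 14 12:10:53 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_ginIpDH123eW1zb: No such file or directory
Wed Aug 14 12:10:53 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_vYKI0J3ZcLMNesX: No such file or directory
Wed Aug 14 12:10:53 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_nmpWQpmiDABGge3: No such file or directory
Wed Aug 14 12:10:53 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_cfRamaVrMjhAgQe: No such file or directory
Wed Aug 14 12:13:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_ginIpDH123eW1zb: No such file or directory
Wed Aug 14 12:28:42 2013 backboardd com.apple.backboardd[26] <Warning>:Facebook[773]: Could not stat /private/var/mobile/Applications/CAF61834-294E-4087-8F7F-BE4831E50210/tmp/etilqs_vYKI0J3ZcLMNesX: No such file or directory
"""

# Assumed line shape: timestamp, host process, sender[pid], <level>:app[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2} \d{4}) (?P<proc>\S+) "
    r"(?P<sender>[^\[]+)\[(?P<sender_pid>\d+)\] <(?P<level>\w+)>:"
    r"(?P<app>[^\[]+)\[(?P<app_pid>\d+)\]: (?P<msg>.*)$"
)
UUID_RE = re.compile(r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")
# SQLite names its temporary files with the prefix "etilqs_" followed by random characters.
SQLITE_TMP_RE = re.compile(r"etilqs_[A-Za-z0-9]+")


def template(msg: str) -> str:
    """Collapse per-app and per-file randomness so identical warnings group together."""
    return SQLITE_TMP_RE.sub("etilqs_<rand>", UUID_RE.sub("<app-container>", msg))


def triage(log_text: str) -> dict:
    """Group the lines by message template and report who emitted them and about what."""
    records = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]
    return {
        "lines": len(records),
        "apps": Counter(f"{r['app']}[{r['app_pid']}]" for r in records),
        "templates": Counter(template(r["msg"]) for r in records),
        "sqlite_temp_files": sorted({m.group(0) for m in SQLITE_TMP_RE.finditer(log_text)}),
        "timestamps": sorted({r["ts"] for r in records}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    On this sample the six lines reduce to a single template emitted only by Facebook[773] about four temp files inside its own sandbox container, which is the pattern of an app's own housekeeping rather than of another device acting on the phone.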
     
  17. Antifragile, Aug 15, 2013
    Last edited: Aug 15, 2013

    thread starter macrumors newbie

    Joined:
    Aug 12, 2013
