Provided by: nast_0.2.0-2_i386 bug

NAME

       NAST 0.2.0 - Network Analyzer Sniffer Tool

SYNOPSIS

       nast  [-G]  [-i  interface]  [-l  filename] [-f filter] [--ld filename]
       [-pdxPmsgrSMLbcCBVh]

DESCRIPTION

       Nast is a packet sniffer  and  a  LAN  analyzer  based  on  Libnet  and
       Libpcap.

       It  can  sniff  in  normal mode or in promiscuous mode the packets on a
       network interface and log it.  It dumps the headers of packets and  the
       payload  in  ascii  or  ascii-hex  format.  You can apply a filter. The
       sniffed data can be saved in a separated file.

       As analyzer tool, it has many features like:
              * Build LAN hosts list
              * Follow a TCP-DATA stream
              * Find LAN Internet gateways
              * Discover promiscuous nodes
              * Reset an established connection
              * Perform a single half-open portscanner
              * Perform a multi half-open portscanner
              * Find link type (hub or switch)
              * Catch daemon banner of LAN nodes
              * Control ARP answers to discover possible ARP-spoofing
              * Byte counting with an optional filter
              * Write reports logging

       It also provides a new ncurses interface.

CMDLINE SNIFFER OPTIONS

       -i, --interface
              Select the Interface, if not specified will be auto-detected.

       -p, --promisc
              Disable promiscuous mode on NIC.

       -d, --ascii-data
              Print data in ascii format.

       -x, --ascii-hex-data
              Print data in ascii-hex format.

       -f, --filter <"filter">
              Apply <"filter"> to sniffer (see "FILTER SYNTAX"  section  below
              for syntax)

           --ld <filename>
              Log  captured  data  to <filename> (only payload). Use -l to log
              all packet instead, useful with -B

       -T, --tcpdump-log <filename>
              Log all packets in tcpdump format to <filename>

       -R, --tcpdump-log-read <filename>
              Read all packets saved in tcpdump format from <filename>

ANALYZER FEATURES

       -P, --check-promisc <ip>
              Check other NIC on the LAN with the promiscuous flag set.
              By performing a fake ARP broadcast, we can determine if a NIC is
              in  promiscuous  mode  or  not.   If  the  checked  host  is  in
              promiscuous mode it will responds with an ARP response otherwise
              it drop the packet.
              Note: This method doesn’t work with all OS
              Use -P all to query all network NIC

              eg: root@localhost:~/$ nast -P 192.168.1.2

              NAST "NETWORK ANALYZER SNIFFER TOOL"

              192.168.1.2 (localhost.org)             Found!!

              We can check all nodes by using:
              root@localhost:~/$ nast -P all

       -m, --host-list
              Map  the LAN by performing a series of ARP request to sequential
              subnet IP addresses.

              eg: root@localhost:~/$ nast -m

              NAST "NETWORK ANALYZER SNIFFER TOOL"

              Mapping the Lan for 255.255.255.0 subnet ... please wait

              MAC address             IP address (hostname)
              ===========================================================
              00:4R:BR:3E:21:12       192.168.1.1(nast.experiment.net)
              00:50:BA:80:AC:11       192.168.1.2 (localhost.org) (*)

              (*) This is localhost

       -s, --tcp-stream
              Follow a TCP/IP connection printing all  data  in  payload.  You
              must specify the IP addresses of the ends.

              eg of a ftp connection:
              root@localhost:~/$ nast -s

              NAST "NETWORK ANALYZER SNIFFER TOOL"

              Type connection extremes
              ------------------------
              1st ip : 192.168.1.1
              1st port : 1041
              2nd : 192.168.1.2
              2nd port : 21

              NAST TCP STREAM LOG
              192.168.1.1->mistaya.neverland.org
              PASV
              192.168.1.1<-mistaya.neverland.org
              227 Entering Passive Mode (192,168,1,2,4,12).
              192.168.1.1->mistaya.neverland.org
              LIST
              (...)

       -g, --find-gateway
              Try to find possible Internet-gateways.
              We  send  a  SYN  packet  to  a  public  host on port 80 through
              sequential host-lan and if a SYN-ACK return  we  have  find  the
              gateway.

       -r, --reset-connection
              Destroy  an  established  connection.  You  must  specify the IP
              addresses of the ends and at  least  one  port  .   Please,  pay
              attention when use this function.

              eg: root@localhost:~/$ nast -r

              NAST "NETWORK ANALYZER SNIFFER TOOL"

              Type connection extremes
              ------------------------
              1 ip / hostname : 192.168.1.1
              1 port (0 to autodetect) : 0
              2 ip / hostname : 192.168.1.2
              2 port (0 to autodetect) : 21

              - Waiting for SEQ ACK (192.168.1.1 -> 192.168.1.2:21)
              - Stoled SEQ (247656261) ACK (3764364876)...
              - Connection has been resetted

              This  feature  works  only  if  we can read SEQ and ACK numbers,
              because RST mechanism works with them.

       -S, --port-scanner
              Performs a half-open port scanning  on  the  selected  host.  It
              tries also to determine some firewall (just iptables) rules.
              About this technique NMAP says: This technique is often referred
              to as "half-open" scanning, because you don’t open  a  full  TCP
              connection.  You send  a SYN packet, as if you are going to open
              a real connection  and  you  wait  for  a  response.  A  SYN|ACK
              indicates  the  port is listening. A RST is indicative of a non-
              listener.  If a SYN|ACK is received, a RST is  immediately  sent
              to  tear  down   the   connection  (actually  our OS kernel does
              this for us).  The primary advantage to this scanning  technique
              is  that  fewer  sites will log it.  Unfortunately you need root
              privileges to build these custom SYN packets.

              eg: root@localhost:~/$ nast -S
              NAST "NETWORK ANALYZER SNIFFER TOOL"
              Port Scanner extremes
              Insert IP to scan   : 192.168.1.3
              Insert Port range   : 1-100

              Wait for scanning...

              State           Port            Services                Notes
              Open            22              ssh                     None
              Open            27              nsw-fe                  None

              All the other 98 ports are in state closed
              Scanning terminated on Apr 14 21:46:55

              The Port range could be in the following style:
              eg: 1-100       (means from port 1 to 100)
                  1,3,5,1000  (means ports 1,3,5 and 1000)
                  1-50,60     (means from port 1 to 50 and port 60)

       -M, --multi-port-scanner
              Same as above but done on all hosts of the lan.

       -L, --find-link
              Tries to determine what type of link is used in the LAN (Hub  or
              switch).
              In the LAN segment is there a HUB or a SWITCH? We can find it by
              sending a spoofed ICMP echo-request (to work there  must  be  at
              least  3  host in LAN and at least one of them must reply with a
              ICMP echo-replay)

       -b, --daemon-banner
              Checks the most famous daemon banner on the LAN’s hosts.
              You can customize ports database adding them to ports[] variable
              in main.c

       -c, --check-arp-poisoning
              Control  ARP  answers  to discover possible ARP spoofing attacks
              like man-in-the-middle
              When run, Nast make a database of all network node (IP  and  MAC
              address),  then sniff ARP response and verify the correctness of
              IP-mac address association.  Remember to execute Nast  when  you
              are  sure that nobody is making ARP-poisoning, than have fun and
              relax and check program output:).

       -C, --byte-counting <"filter">
              Apply traffic counting to <"filter"> (see FILTER SYNTAX  section
              below for syntax)
              Use -C any if you don’t want to use a filter.

              eg: root@localhost:~/$ nast -C any

              NAST "NETWORK ANALYZER SNIFFER TOOL"

              Reading from "eth0"

              Packets          Total           Current speed           Average
              speed
              ----------------------------------------------------------------
              - 24            1008B           18B/s                   21B/s

GENERAL OPTIONS

       -G, --ncurses
              Run  Nast  with  the  ncurses  interfaces (only if compiled with
              ncurses support)

       -l, --log-file <filename>
              Log reports to <filename>. Work with many features.

       -B, --daemon
              Run in background like daemon and turn off stdout  (very  useful
              for sniffer/stream/ARP control logging)

       -V, --version
              Show version information

NCURSES INTERFACE NOTE

       Versions  later  0.2.0  have  a  new  ncurses  interface which has many
       improvements regarding the  correspondent  command  line  version.  For
       example  you can select the connection interactively for tcp stream and
       reset features and byte counting module  show  much  more  informations
       (packets type and connections load).

       Please read NCURSES_README file before using the ncurses interface!

FILTER SYNTAX, WHAT PCAP GIVE US!

       Important:  this section has been copied from Tcpdump 3.7.1 manpage and
       "expression" here stand from "filter".
       Remeber to enclose filter between apexes ("something like this")

        expression
              selects which packets will  be  dumped.   If  no  expression  is
              given,  all  packets on the net will be dumped.  Otherwise, only
              packets for which expression is ‘true’ will be dumped.

              The expression consists of one or more  primitives.   Primitives
              usually  consist  of  an  id (name or number) preceded by one or
              more qualifiers.  There are three different kinds of qualifier:

              type   qualifiers say what kind of thing the id name  or  number
                     refers to.  Possible types are host, net and port.  E.g.,
                     ‘host foo’, ‘net 128.3’, ‘port 20’.  If there is no  type
                     qualifier, host is assumed.

              dir    qualifiers  specify  a  particular  transfer direction to
                     and/or from id.  Possible directions are src, dst, src or
                     dst  and  src and dst.  E.g., ‘src foo’, ‘dst net 128.3’,
                     ‘src  or  dst  port  ftp-data’.   If  there  is  no   dir
                     qualifier, src or dst is assumed.  For ‘null’ link layers
                     (i.e. point to point protocols such as slip) the  inbound
                     and  outbound qualifiers can be used to specify a desired
                     direction.

              proto  qualifiers restrict the match to a  particular  protocol.
                     Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp,
                     decnet, tcp and udp.  E.g., ‘ether  src  foo’,  ‘arp  net
                     128.3’,  ‘tcp  port 21’.  If there is no proto qualifier,
                     all protocols  consistent  with  the  type  are  assumed.
                     E.g.,  ‘src  foo’  means  ‘(ip  or  arp or rarp) src foo’
                     (except the latter is not legal syntax), ‘net bar’  means
                     ‘(ip  or  arp or rarp) net bar’ and ‘port 53’ means ‘(tcp
                     or udp) port 53’.

              [‘fddi’ is actually an alias for ‘ether’; the parser treats them
              identically  as  meaning  ‘‘the  data  link  level  used  on the
              specified network interface.’’  FDDI headers  contain  Ethernet-
              like   source  and  destination  addresses,  and  often  contain
              Ethernet-like packet types, so you  can  filter  on  these  FDDI
              fields just as with the analogous Ethernet fields.  FDDI headers
              also contain other fields, but you cannot name  them  explicitly
              in a filter expression.

              Similarly,   ‘tr’   is   an  alias  for  ‘ether’;  the  previous
              paragraph’s statements about FDDI headers also  apply  to  Token
              Ring headers.]

              In  addition  to  the  above, there are some special ‘primitive’
              keywords that don’t  follow  the  pattern:  gateway,  broadcast,
              less,  greater  and  arithmetic  expressions.   All of these are
              described below.

              More complex filter expressions are built up by using the  words
              and,  or and not to combine primitives.  E.g., ‘host foo and not
              port ftp and not port  ftp-data’.   To  save  typing,  identical
              qualifier lists can be omitted.  E.g., ‘tcp dst port ftp or ftp-
              data or domain’ is exactly the same as ‘tcp dst port ftp or  tcp
              dst port ftp-data or tcp dst port domain’.

              Allowable primitives are:

              dst host host
                     True  if  the  IPv4/v6 destination field of the packet is
                     host, which may be either an address or a name.

              src host host
                     True if the IPv4/v6 source field of the packet is host.

              host host
                     True if either the IPv4/v6 source or destination  of  the
                     packet is host.  Any of the above host expressions can be
                     prepended with the keywords, ip, arp, rarp, or ip6 as in:
                          ip host host
                     which is equivalent to:
                          ether proto \ip and host host
                     If  host  is  a  name  with  multiple  IP addresses, each
                     address will be checked for a match.

              ether dst ehost
                     True if the ethernet destination address is ehost.  Ehost
                     may  be  either  a name from /etc/ethers or a number (see
                     ethers(3N) for numeric format).

              ether src ehost
                     True if the ethernet source address is ehost.

              ether host ehost
                     True if either the ethernet source or destination address
                     is ehost.

              gateway host
                     True  if  the  packet  used host as a gateway.  I.e., the
                     ethernet source  or  destination  address  was  host  but
                     neither  the  IP  source nor the IP destination was host.
                     Host must be a  name  and  must  be  found  both  by  the
                     machine’s  host-name-to-IP-address  resolution mechanisms
                     (host name file, DNS, NIS, etc.)  and  by  the  machine’s
                     host-name-to-Ethernet-address     resolution    mechanism
                     (/etc/ethers, etc.).  (An equivalent expression is
                          ether host ehost and not host host
                     which can be used with either names or numbers for host /
                     ehost.)   This  syntax  does  not  work  in  IPv6-enabled
                     configuration at this moment.

              dst net net
                     True if the IPv4/v6 destination address of the packet has
                     a  network  number of net.  Net may be either a name from
                     /etc/networks or a network number  (see  networks(4)  for
                     details).

              src net net
                     True  if  the  IPv4/v6 source address of the packet has a
                     network number of net.

              net net
                     True if either the IPv4/v6 source or destination  address
                     of the packet has a network number of net.

              net net mask netmask
                     True  if  the  IP  address  matches net with the specific
                     netmask.  May be qualified with src or  dst.   Note  that
                     this syntax is not valid for IPv6 net.

              net net/len
                     True  if  the  IPv4/v6 address matches net with a netmask
                     len bits wide.  May be qualified with src or dst.

              dst port port
                     True if the packet is ip/tcp, ip/udp, ip6/tcp or  ip6/udp
                     and  has  a destination port value of port.  The port can
                     be a number or a name used in /etc/services (see  tcp(4P)
                     and  udp(4P)).   If  a name is used, both the port number
                     and protocol are checked.  If a number or ambiguous  name
                     is  used, only the port number is checked (e.g., dst port
                     513  will  print  both  tcp/login  traffic  and   udp/who
                     traffic,  and  port domain will print both tcp/domain and
                     udp/domain traffic).

              src port port
                     True if the packet has a source port value of port.

              port port
                     True if either the source  or  destination  port  of  the
                     packet is port.  Any of the above port expressions can be
                     prepended with the keywords, tcp or udp, as in:
                          tcp src port port
                     which matches only tcp packets whose source port is port.

              less length
                     True  if  the  packet  has a length less than or equal to
                     length.  This is equivalent to:
                          len <= length.

              greater length
                     True if the packet has a length greater than or equal  to
                     length.  This is equivalent to:
                          len >= length.

              ip proto protocol
                     True  if  the  packet  is  an  IP  packet (see ip(4P)) of
                     protocol type protocol.  Protocol can be a number or  one
                     of the names icmp, icmp6, igmp, igrp, pim, ah, esp, vrrp,
                     udp, or tcp.  Note that the  identifiers  tcp,  udp,  and
                     icmp  are also keywords and must be escaped via backslash
                     (\),  which  is  \\  in  the  C-shell.   Note  that  this
                     primitive does not chase the protocol header chain.

              ip6 proto protocol
                     True  if  the  packet  is an IPv6 packet of protocol type
                     protocol.  Note that this primitive does  not  chase  the
                     protocol header chain.

              ip6 protochain protocol
                     True  if the packet is IPv6 packet, and contains protocol
                     header with type protocol in its protocol  header  chain.
                     For example,
                          ip6 protochain 6
                     matches  any  IPv6 packet with TCP protocol header in the
                     protocol header  chain.   The  packet  may  contain,  for
                     example,  authentication  header, routing header, or hop-
                     by-hop option header, between IPv6 header and TCP header.
                     The  BPF  code  emitted  by this primitive is complex and
                     cannot be optimized by BPF optimizer code in tcpdump,  so
                     this can be somewhat slow.

              ip protochain protocol
                     Equivalent  to  ip6  protochain protocol, but this is for
                     IPv4.

              ether broadcast
                     True if the packet is an ethernet broadcast packet.   The
                     ether keyword is optional.

              ip broadcast
                     True  if the packet is an IP broadcast packet.  It checks
                     for  both   the   all-zeroes   and   all-ones   broadcast
                     conventions, and looks up the local subnet mask.

              ether multicast
                     True  if the packet is an ethernet multicast packet.  The
                     ether  keyword  is  optional.   This  is  shorthand   for
                     ‘ether[0] & 1 != 0’.

              ip multicast
                     True if the packet is an IP multicast packet.

              ip6 multicast
                     True if the packet is an IPv6 multicast packet.

              ether proto protocol
                     True  if  the packet is of ether type protocol.  Protocol
                     can be a number or one of the names ip, ip6,  arp,  rarp,
                     atalk,  aarp,  decnet,  sca, lat, mopdl, moprc, iso, stp,
                     ipx,  or  netbeui.   Note  these  identifiers  are   also
                     keywords and must be escaped via backslash (\).

                     [In  the  case  of  FDDI  (e.g., ‘fddi protocol arp’) and
                     Token Ring (e.g., ‘tr protocol arp’), for most  of  those
                     protocols,  the  protocol  identification  comes from the
                     802.2 Logical Link Control (LLC) header, which is usually
                     layered on top of the FDDI or Token Ring header.

                     When  filtering  for most protocol identifiers on FDDI or
                     Token Ring, tcpdump checks only the protocol ID field  of
                     an   LLC   header   in  so-called  SNAP  format  with  an
                     Organizational Unit Identifier  (OUI)  of  0x000000,  for
                     encapsulated  Ethernet;  it  doesn’t  check  whether  the
                     packet is in SNAP format with an OUI of 0x000000.

                     The exceptions are iso, for  which  it  checks  the  DSAP
                     (Destination  Service  Access  Point)  and  SSAP  (Source
                     Service Access Point) fields of the LLC header,  stp  and
                     netbeui,  where it checks the DSAP of the LLC header, and
                     atalk, where it checks for a SNAP-format packet  with  an
                     OUI of 0x080007 and the Appletalk etype.

                     In the case of Ethernet, tcpdump checks the Ethernet type
                     field for most of those  protocols;  the  exceptions  are
                     iso,  sap,  and netbeui, for which it checks for an 802.3
                     frame and then checks the LLC header as it does for  FDDI
                     and  Token  Ring,  atalk,  where  it  checks both for the
                     Appletalk etype in an Ethernet  frame  and  for  a  SNAP-
                     format  packet  as it does for FDDI and Token Ring, aarp,
                     where it checks for the Appletalk ARP etype in either  an
                     Ethernet  frame  or  an  802.2  SNAP frame with an OUI of
                     0x000000, and ipx, where it checks for the IPX  etype  in
                     an  Ethernet  frame,  the IPX DSAP in the LLC header, the
                     802.3 with no LLC header encapsulation of  IPX,  and  the
                     IPX etype in a SNAP frame.]

              decnet src host
                     True  if  the DECNET source address is host, which may be
                     an address of the form ‘‘10.123’’, or a DECNET host name.
                     [DECNET  host  name  support  is only available on Ultrix
                     systems that are configured to run DECNET.]

              decnet dst host
                     True if the DECNET destination address is host.

              decnet host host
                     True if either the DECNET source or  destination  address
                     is host.

              ip, ip6, arp, rarp, atalk, aarp, decnet, iso, stp, ipx, netbeui
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.

              lat, moprc, mopdl
                     Abbreviations for:
                          ether proto p
                     where p is one of the above protocols.  Note that tcpdump
                     does not currently know how to parse these protocols.

              vlan [vlan_id]
                     True if the packet is an IEEE  802.1Q  VLAN  packet.   If
                     [vlan_id]  is  specified, only true is the packet has the
                     specified vlan_id.  Note  that  the  first  vlan  keyword
                     encountered  in  expression  changes the decoding offsets
                     for the remainder of expression on  the  assumption  that
                     the packet is a VLAN packet.

              tcp, udp, icmp
                     Abbreviations for:
                          ip proto p or ip6 proto p
                     where p is one of the above protocols.

              iso proto protocol
                     True  if  the  packet  is  an OSI packet of protocol type
                     protocol.  Protocol can be a number or one of  the  names
                     clnp, esis, or isis.

              clnp, esis, isis
                     Abbreviations for:
                          iso proto p
                     where p is one of the above protocols.  Note that tcpdump
                     does an incomplete job of parsing these protocols.

EXAMPLES

       Here are some examples of the use of NAST:

   nast -p -f "src 192.168.1.2"
       In this example we put the NIC in promiscuous mode and with the help of
       the filter we choose to see only the traffic from 192.168.1.2

   nast -p -B --ld logfile.txt
       Here  we run nast in background mode and log all data that pass through
       our NIC.

   nast -S -l logfile.txt
       In this other case we log the results of the port scanner in  the  file
       "logfile.txt"

   nast -c -B
       This  is  a  very  useful  options. We run in background mode nast that
       checks if someone is arp-poisoning.

SUPPORTED PLATFORMS

       Tested:
       * Linux 2.4.x
       * Linux 2.6.x
       * FreeBSD 5.x
       * FreeBSD 4.x

       Not tested yet:
       * Linux 2.2.x

AVAILABILITY

       Official web site: http://nast.berlios.de
       Newsletter: http://lists.berlios.de/mailman/listinfo/nast-news

KNOWN BUGS

       * Promiscuous mode scanner many times returns wrong results
       * Sometimes the port scanner generates false results

       Please report bugs to authors

AUTHORS

       Embyte <embyte@madlab.it>
       Snifth <snifth@box.it>

LICENSE

       GNU GENERAL PUBLIC LICENSE Version 2, June 1991
       See COPYING for details.