oracular (8) sniffit.8.gz

Provided by: sniffit_0.6-1_amd64 bug

NAME

       sniffit - packet sniffer and monitoring tool

SYNOPSIS

       sniffit  [-xdabvnN]  [-P proto ] [-A char ] [-p port ] [(-r|-R) recordfile ] [-l sniflen ]
       [-L logparam ] [-F snifdevice ] [-D tty ] [-M plugin ] [(-t Target-IP | -s Source-IP  )  |
       (-i|-I) | -c config-file ]

DESCRIPTION

       sniffit  is  a  packet sniffer for TCP/UDP/ICMP packets.  sniffit is able to give you very
       detailed technical info on these packets (SEQ, ACK, TTL,  Window,  ...)  but  also  packet
       contents in different formats (hex or plain text, ...).

       sniffit  can  by  default  handle  ethernet and PPP devices, but can easily be forced into
       using other devices (read the README.FIRST and sn_config.h files on this subject!)

       The sniffer can easily be configured in order to 'filter' the incoming  packets  (to  make
       the  sniffing results easier to study). The config file (see sniffit(5) ) allows you to be
       very specific on the packets to be processed.

       sniffit also has an interactive mode for active monitoring,  and  can  also  be  used  for
       continuous monitoring on different levels.

NOTE

       This man page is supposed to be a reference manual. So please read README.FIRST first, and
       use this only for better understanding or for a quick check on the use of sniffit

OPTIONS

       -v     Shows the version of sniffit you are running and exits (overrides all)

       -t Target-IP
              Only process packets TO Target-IP. If Target-IP  is  in  dot-nr  notation,  ´x'  is
              allowed as wildcard. (e.g. '-t 157.193.x', '-t x', ...)  (NOT compatible with: '-s'
              '-i' '-I' '-c' '-v' '-L')

       -s Source-IP
              Similar to '-t', only process packets FROM Source-IP.  (NOT compatible  with:  '-t'
              '-i' '-I' '-c' '-v' '-L')

       -b     ´both'  mode,  together with '-s' or '-t', only process FROM/TO the IP specified by
              '-s' or '-t' (NOT compatible with: '-t' '-i' '-I' '-c' '-v' '-L')

       -c config-file
              Use config-file for the packet filtering. This allows you to be  very  specific  on
              the  packets  to  be  processed  (see  sniffit(5) for details on the format).  (NOT
              compatible with: '-t' '-s' '-i' '-I' '-v' '-L')

       -i     Launch the ncurses interface for  active  monitoring  ('interactive  mode').   (NOT
              available   if  you  compiled  without  INTERACTIVE  support  see  sn_config.h  and
              README.FIRST ) (one of the options '-t' '-s'  '-i'  '-I'  '-c'  is  required)  (NOT
              compatible with: '-t' '-s' '-c' '-v' '-L')

       -I     Same  as  '-i', but gives you more information.  (one of the options '-t' '-s' '-i'
              '-I' '-c' is required) (NOT compatible with: '-t' '-s' '-c' '-v' '-L')

       -R <file>
              Record all traffic in <file> This file can then be fed to  Sniffit  with  the  '-r'
              option.   (Needs  a  selection  parameter like '-c' '-t' '-s') (NOT compatible with
              '-i' '-I' '-v' '-L' '-r')

       -r <file>
              This option feeds the recorded <file> to sniffit.  It requires the '-F' option with
              the  correct  device. Suppose you log a file on a machine with 'eth0'. When feeding
              the logged file to sniffit , you will need to add '-F eth0'  or  '-F  eth'  to  the
              command  line.  It  doesn't  need  much  explanation  that  using  '-i'  or '-I' in
              combination with '-r' makes  no  sense  (at  this  moment).   (requires  '-F',  NOT
              compatible with '-R' '-i' '-I')

       -n     Turn  of  IP  checksum  checking.  This can show you bogus packets.  (mind you ARP,
              RARP, other non-IP packets will show up bogus too) (compatible with ALL options)

       -N     Don't perform any of the build in Sniffit functions.  Useful  for  only  running  a
              Plugin.  (compatible with ALL options)

       -x     Prints   extended  info  on  TCP  packets  to  stdout  (SEQ,  ACK,  Flags,  etc...)
              Interesting when tracing spoofs, packet loss and other real net  debugging/checking
              tasks.  (if you want to log this, pipe stdout to a file) (NOT compatible with: '-i'
              'I' '-v')

       -d     ´dump mode', shows the packets on the screen (stdout) instead of logging into files
              (default).  Data  is  printed  in bytes (hex).  (NOT compatible with: '-i' 'I' '-v'
              '-L')

       -a     ´dump mode', same of '-d' but outputs ASCII. Non printable chars  are  replaced  by
              '.'.   ('-d' and '-a' mix without any problem) (NOT compatible with: '-i' '-I' '-v'
              '-L')

       -P proto
              Specify the protocols that should be  processed  (default  TCP).  Possible  options
              currently  are:  IP,  TCP,  ICMP, UDP. They can be combined.  IP, ICMP, UDP info is
              dumped to stdout. IP gives ADDITIONAL info on the IPwrapping around other  packets,
              it  is  not  needed to specify IP for TCP packet logging.  IP, ICMP packets are not
              filtered (UDP packets are as of 0.3.4).  (NOT compatible with: '-i' '-I' '-v' '-L')

       -A char
              When in 'normal mode' (not '-d','-a','-i','-I','-L'), all non-printable chars  will
              be replaced by char (NOT compatible with: '-a' '-d' '-i' '-I' '-v' '-L')

       -p port
              Only  checks  packets  going  TO  (!!)  port port , 0 means all ports, default is 0
              (all).  (NOT compatible with: '-c' '-i' '-I' '-v' '-L')

       -l sniflen
              Amount of data to log (default 300 bytes) in 'normal mode'. The first sniflen bytes
              of  every  connection  are  logged.  Length 0 logs means everything. (look out with
              diskspace!)  (NOT compatible with: '-i' '-I' '-v' '-L')

       -F snifdevice
              Force sniffit to use a certain  network  device.   snifdevice  can  be  found  with
              ifconfig  (see  ifconfig(8)).   sniffit  supports ethernet and PPP by default. Read
              README.FIRST for info on forcing the use of other devices.   (compatible  with  ALL
              options)

       -D tty All logging output will be send to that device.  (ONLY works with '-i' and '-I')

       -M plugin
              Activate  Plugin  nr.  Plugin , for a list on all plugins compiled in your version,
              just type ' sniffit ´. Read all about Plugins in the PLUGIN-HOWTO (READ IT!)   (NOT
              compatible with: '-i' '-I' '-v')

       -L logparam
              Use  sniffit  as  a monitoring tool and enable different logging modes ( logparam )
              The File for logging can be specified in the config file (see sniffit(5) )  but  is
              sniffit.log by default. Different logparam can be combined.  (ONLY works with '-c')

NORMAL MODE

       A  bunch  of  sniflen initial bytes (default 300) of each connection is logged into a file
       x.x.x.x.p-y.y.y.y.o where 'x.x.x.x' is the sending  host  (port  'p')  and  'y.y.y.y'  the
       receiving host (port 'o').

DUMP MODE ('-d' and/or '-a')

       Output  is  dumped  to  stdout,  the  packet contents is shown in it's unwrapped form (the
       complete IP packet).

INTERACTIVE MODE ('-i' or '-I')

       Keys available in interactive mode:

       'UP or 'k'
              self explanatory

       DOWN or j'
              self explanatory

       F1 or '1'
              Enter a host (enter 'all' for no mask) for packet filtering (host  that  sends  the
              packets)

       F2 or '2'
              Enter  a  host  (enter 'all' for no mask) for packet filtering. (host that receives
              the packets)

       F3 or '3'
              Enter a port (enter '0' for no mask) for packet filtering.  (host  that  sends  the
              packets)

       F4 or '4'
              Enter  a port (enter '0' for no mask) for packet filtering. (host that receives the
              packets)

       F5 or '5'
              Start a program 'sniffit_key5' with arguments <from IP> <from  port>  <to  IP>  <to
              port>  If the program doesn't exist, nothing is done. Sniffit should be in the same
              path as sniffit was STARTED FROM (not necessarily the path sniffit  is  stored  in)
              This  function  is useful for interactive connection killing or extra monitoring. A
              little shell script can always transform the arguments given and pass  them  on  to
              other programs.

       F6 or '6'
              Same as F5 or '5', but with program 'sniffit_key6'

       F7 or '7'
              Same as F5 or '5', but with program 'sniffit_key7'

       F8 or '8'
              Same as F5 or '5', but with program 'sniffit_key8'

       ENTER  a  window will pop up and log the connection, or the connection output will be send
              at a chosen device if you used the '-D' option.

       'q'    When in logging mode, stop logging. Otherwise, quit.

       'n'    Toggle netstatistics. These are sampled at 3 secs, look in the sn_config.h file  to
              change this.

       'g'    Sniffit   is  now  able  to  generate  some  traffic  load.  Currently  this  is  a
              'underdevelloped' feature with very few options, but it will  be  expanded  a  lot.
              Currently  only  UDP packets are generated. When pressing 'g' you will be asked the
              source/dest IP/port and how much packets are needed  to  be  transmitted.   Packets
              contain the line: "This Packet was fired with Sniffit!

       'r'    Reset.. clears all current connections from memory and restarts.

LOGGING MODE ('-L')

       Output  is  saved to sniffit.log , unless you have specified some other name in the config
       file (see sniffit(5) ).

       raw    Log all SYN, FIN, RST packets. This will give you an overview of all network  (TCP)
              trafic  in  a  'RAW'  way  (a  connection  starting  could gives you at least 2 SYN
              packets, etc...).

       norm   Same as raw, but a bit more intelligent. Unless packets  are  transmitted  multiple
              times  because  of packet loss, you will only get 1 notice of a connection starting
              or ending. (the packet id will give you the  host  that  initiated  the  connection
              first)

       telnet Sniffit  will try to catch login and passwords for this application. (see telnet(1)
              )

       ftp    Sniffit will try to catch login and passwords for this application.  (see ftp(1) )

       mail   Sniffit will try to identify all mail that was logged.

IP ICMP UDP LOGGING

       Information on these packets is dumped to stdout. Packet Filtering options only  refer  to
       TCP  and  UDP  packets.   The  contents of UDP packets is only shown when enabling '-a' or
       '-d'.

AUTHOR

       Brecht Claerhout <coder@reptile.rug.ac.be>

SEE ALSO

       sniffit(5)

                                                                                       SNIFFIT(8)