_ _ _
| | __ __ _ _ __ _ __ ___| | _(_)
| |/ / / _` | '__| '_ \ / __| |/ / |
| < | (_| | | | |_) |\__ \ <| |
|_|\_(_)__,_|_| | .__(_)___/_|\_\_|
___________________|_|__________________
A free ethernet protocol analyzer / sniffer
Introduction
------------
K.ARP.SKI (karpski) is an ethernet protocol analyzer / sniffer. Its
abilities as a sniffer or scanner are limited, but this sniffer is much
easier to use than other popular sniffers such as tcpdump. In addition,
there is a protocol definition file in which other protocols can be added.
Karpski may also be used to launch programs against addresses on your local
network and as a local network intrusion tool. Plus, it's free with source.
Its display is an Xwindows display. This was a design decision based on my
need to display many windows simultaneously. Console mode would just not
cut it. I chose the Gtk display library because it's proven, portable and
free. You may not like my choice; the source is included.
This program was originally based on my desire to detect someone plugging an
unauthorized computer into a LAN. It did this originally by looking at ARP
packets. This is where the arp in karpski comes from.
Features
--------
-- XWindows + Gtk output
-- Identifies Raw 802.3, SNAP, 802.3/802.2 AND Ethernet II packets.
-- Threaded for good responsiveness
-- Allows for on screen watches of one connection or all traffic for a
particular network station.
-- Automatic location of network stations
-- Includes a frame/protocol description language to add other protocols.
-- Allows you to "freeze" a network list and have the program inform you
of when a new station comes up.
-- Allows to-disk captures of most frame type / protocol combos.
-- Allows to-disk captures of unidentifiable packets.
-- Allows one to launch user configurable programs at any IP speaking station
on your network.
-- Watch realtime statistics on your whole network or on a particular
station.
-- Plays a scanning sound (currently KITT's scanning sound from Knight Rider)
-- GNU GPL licensing - source code included; your freedom assured.
Protocols supported on any level
--------------------------------
IP (UDP, ICMP, TCP, IGMP - all others identified only)
Ethertalk
Appletalk AARP
Novell
SNMP
Cisco ID packets (frame type 2000)
All IANA registered 802.3/802.2 Ethernet frames
Beta
----
Karpski is BETA software. I cannot guarantee that it will work on ANY
systems other than mine. I cannot guarantee it will not bring your network
to its knees (although that would be weird; it doesn't send any packets :)
Development platform
--------------------
Redhat 5.0
Linux 1.2.117
gcc 2.8.1
Pentium 166
128M RAM
XFree-86 SVGA server
Gtk-1.04
Enlightenment DR 0.13.3
Installation
------------
Read INSTALL and follow the directions. INSTALL is a file that should have
come with your karpski distribution.
Usage
-----
Just run karpski. The commandline argument is the ethernet device to use.
Buttons
-------
Start - This starts the scanning process.
Stop - This stops the scanning process.
Log - This displays the log for the current session. A log
contains warning information (such as new addresses on the
network, vendors with unregistered IDs, etc.).
Overall stats - This displays the overall stats for all of the stations.
Connections - This displays a list of connections. Currently, only TCP
connections are supported. Clicking on a connection is
SUPPOSED to tell you what the status of its connection is
(open / half closed / closed), but it doesn't work yet in
a lot of cases.
Launch - Run a program, configured in your datdir (smashy.dat)
with the IP address being one of the parameters. If
there are no items in your smashy.dat file, this button
will be greyed out.
Watch - Watch all traffic to or from this MAC address.
Protocols - View a non-realtime view of the protocols used on the
network.
Info - Info about the highlighted MAC address. Shows similar
information
Quit - Quits! You will not currently be asked if you want to
save the current network. I had that option and it
bothered me because I'm still developing this.
Menus
-----
Open list - This will open a previously saved network list and freeze
the current network list, making all new MAC addresses
log a warning.
Save list - This will save a network list and freeze the current
network list so that new MAC addresses generate a warning.
About - Displays the splash screen
Help - Displays fairly useless help and a good Simpsons quote :)
Also has the reference to the GPL.
Datfiles
--------
protocol_parser.dat - This contains all of the packet parsing
information except for the ether frame parsing
which is done in proto.c. I am not going to go
into detail for protocol_parser.dat yet. I have
not finished defining the language. Some of the
language is easy. Most values can be defined as
either a number (absolute value) or by a description
of where to find it.
This number format is offset, len, mask, net order, shift where:
offset- The offset from within the packet (or subpacket)
len- The length of the number
Mask- Any mask that needs to be applied to get the value.
Net order- Is this in net order (1) or not (0)?
Shift- A positive number means shift right, negative shift
left. Therefore, 2 is (n >> 2) and -1 is (n << 1).
capture_fliters.dat - This file contains definitions for three kinds of
capture filters (capture filters capture packets
to disk). Karpski will only save the best fit.
Therefore, if you have a capture on frame 0x0800 and
a protocol capture on 0x800 / TCP, the TCP packet
would be written ONLY to the TCP output file.
- protoframe <frame_type> <protocol_name> <output_path>
This captures all packets that match the frame type AND
the protocol type to the file <output_path>.
- frame <frame_type> <output_path>
This captures all packets that have <frame_type> as their
frame type to the file <output_path>
- defcap <output_path>
This captures all packets that are an unknown frame type to
the file <output_path>.
scanner.au - This is the sound heard when you scan, if you have
scan sounds on (/dev/audio required). This sound
must be in Sun AU format. To see if your sound is
in the correct format, type cat yoursound.au >
/dev/audio.
splash_karpksi.xpm - The splash screen.
smashy.dat - The launch vs. descriptions
vendor_codes.dat - A list of the various NIC vendors whose names can
be ascertained by the first three bytes of the MAC
address.
karpskirc - A Gtk rc style file for modifying the fonts that
karpski uses. I may use fonts that you don't use.
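As an added illustration (not code from karpski itself), here is one way to read the protocol_parser.dat number format described above (offset, len, mask, net order, shift) in C, applied to a constructed IPv4 header. The struct and function names are my own, the sample bytes are constructed, and "not net order" is assumed to mean little-endian.

```c
#include <stdint.h>
#include <stddef.h>

/* Added example, not karpski's code: one reading of the README's number format. */
typedef struct {
    size_t   offset;   /* byte offset within the packet or subpacket */
    size_t   len;      /* bytes making up the number (1..4) */
    uint32_t mask;     /* mask applied before shifting */
    int      netorder; /* 1 = network (big-endian) order, 0 = host/little-endian (assumed) */
    int      shift;    /* >0 shifts right, <0 shifts left: 2 is n>>2, -1 is n<<1 */
} fieldspec_t;

/* Returns 0 on success, -1 if the spec reaches past the end of the buffer,
 * so a bad .dat entry cannot read beyond the captured packet. */
int extract_field(const uint8_t *pkt, size_t pktlen,
                  const fieldspec_t *f, uint32_t *out)
{
    uint32_t v = 0;
    size_t i;
    if (f->len == 0 || f->len > 4 || f->offset > pktlen ||
        f->len > pktlen - f->offset)
        return -1;
    for (i = 0; i < f->len; i++) {
        /* net order: first byte is most significant; host order: last byte is */
        size_t idx = f->netorder ? i : f->len - 1 - i;
        v = (v << 8) | pkt[f->offset + idx];
    }
    v &= f->mask;
    if (f->shift > 0)      v >>= f->shift;
    else if (f->shift < 0) v <<= -f->shift;
    *out = v;
    return 0;
}

/* Constructed sample: first 8 bytes of an IPv4 header (version 4, IHL 5,
 * total length 0x003c) as carried in an Ethernet II frame of type 0x0800. */
static const uint8_t sample_ip[] = { 0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00 };

/* Wrapper over the sample; returns 0xFFFFFFFF when the spec fails the bounds check. */
static uint32_t sample_get(size_t off, size_t len, uint32_t mask, int net, int shift)
{
    fieldspec_t f = { off, len, mask, net, shift };
    uint32_t v = 0;
    return extract_field(sample_ip, sizeof sample_ip, &f, &v) ? 0xFFFFFFFFu : v;
}
uint32_t ip_version(void)      { return sample_get(0, 1, 0xF0,   1,  4); } /* (0x45&0xF0)>>4 = 4 */
uint32_t ip_header_bytes(void) { return sample_get(0, 1, 0x0F,   1, -2); } /* (0x45&0x0F)<<2 = 20 */
uint32_t ip_total_length(void) { return sample_get(2, 2, 0xFFFF, 1,  0); } /* 0x003c = 60 */
uint32_t past_end(void)        { return sample_get(7, 2, 0xFFFF, 1,  0); } /* runs off the buffer */
```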
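Also added here rather than taken from karpski: a small C resolver for the capture_fliters.dat best-fit rule, which parses the three directive forms described above and applies my reading of the precedence (protoframe beats frame; defcap applies only to unknown frame types). The function names, table size and sample entries are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not karpski's code: best-fit selection over the three
 * capture_fliters.dat directives, with the precedence as I read the README. */
enum { F_PROTOFRAME, F_FRAME, F_DEFCAP };
typedef struct { int kind; unsigned frame; char proto[16]; char path[64]; } capfilt_t;

/* Parses one .dat line; returns 1 on success, 0 if the line is malformed. */
int parse_capture_line(const char *line, capfilt_t *c)
{
    char kw[16];
    memset(c, 0, sizeof *c);
    if (sscanf(line, "%15s", kw) != 1) return 0;
    if (!strcmp(kw, "protoframe")) { c->kind = F_PROTOFRAME;
        return sscanf(line, "%*s %x %15s %63s", &c->frame, c->proto, c->path) == 3; }
    if (!strcmp(kw, "frame")) { c->kind = F_FRAME;
        return sscanf(line, "%*s %x %63s", &c->frame, c->path) == 2; }
    if (!strcmp(kw, "defcap")) { c->kind = F_DEFCAP;
        return sscanf(line, "%*s %63s", c->path) == 1; }
    return 0;
}

/* Best fit: protoframe (rank 0) beats frame (rank 1); defcap (rank 2) only
 * applies when the frame type is unknown. Returns the output path or NULL. */
const char *best_capture(const capfilt_t *t, int n, int frame_known,
                         unsigned frame, const char *proto)
{
    const char *best = NULL; int rank = 99, i;
    for (i = 0; i < n; i++) {
        int r;
        if (t[i].kind == F_PROTOFRAME && frame_known && t[i].frame == frame &&
            proto && !strcmp(t[i].proto, proto)) r = 0;
        else if (t[i].kind == F_FRAME && frame_known && t[i].frame == frame) r = 1;
        else if (t[i].kind == F_DEFCAP && !frame_known) r = 2;
        else continue;
        if (r < rank) { rank = r; best = t[i].path; }
    }
    return best;
}
/* Constructed sample table in the .dat syntax (the README's own 0x0800 / TCP case). */
static const char *sample_lines[] = { "frame 0x0800 /tmp/ip.cap",
    "protoframe 0x800 TCP /tmp/tcp.cap", "defcap /tmp/unknown.cap" };
/* Loads the sample table and resolves one packet; "" means no capture applies. */
const char *resolve_sample(int frame_known, unsigned frame, const char *proto)
{
    static capfilt_t t[3]; const char *p; int i;
    for (i = 0; i < 3; i++)
        if (!parse_capture_line(sample_lines[i], &t[i])) return "parse-error";
    p = best_capture(t, 3, frame_known, frame, proto);
    return p ? p : "";
}
```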
Code
----
karpski uses libpcap by The Lawrence Berkeley Labs people (ftp.ee.lbl.gov).
You need it for this to run.
I chose pcap and Gtk because these should theoretically be easily portable.
Gtk should run on all popular UNIX platforms, as should pcap. Unfortunately,
I don't have any other test systems, so I have to rely on users' success
stories.
My code is ugly: I use globals everywhere and I comment only some of my
routines. Sorry, I have an excuse! I added onto this piece by piece.
BUGS
----
If you find a bug, send me a report! I'll try to help with any weirdness,
but please try running another Gtk app before you ask me for help. If
you've followed the instructions in INSTALL, done a make install, and you
have a properly working Gtk v1.0 or later, you can send me mail at
btx@calyx.net.
Make sure that you have the latest version of karpski, currently available
at http://mojo.calyx.net/~btx/karpski.html