File: README

karpski 0.101-16 (Debian source package, area main, suites etch and etch-m68k)
                     _                           _    _ 
                    | | __  __ _ _ __ _ __   ___| | _(_)
                    | |/ / / _` | '__| '_ \ / __| |/ / |
                    |   < | (_| | |  | |_) |\__ \   <| |
                    |_|\_(_)__,_|_|  | .__(_)___/_|\_\_|
                  ___________________|_|__________________
                  
                 A free ethernet protocol analyzer / sniffer


Introduction
------------

K.ARP.SKI (karpski) is an ethernet protocol analyzer / sniffer.  Its
abilities as a sniffer or scanner are limited, but this sniffer is much
easier to use than other popular sniffers such as tcpdump.  In addition,
there is a protocol definition file in which other protocols can be added. 
Karpski may also be used to launch programs against addresses on your local
network and as a local network intrusion tool.  Plus, it's free with source.

Its display is an Xwindows display.  This was a design decision based on my
need to display many windows simultaneously.  Console mode would just not
cut it.  I chose the Gtk display library because it's proven, portable and
free.  You may not like my choice; the source is included.

This program was originally based on my desire to detect someone plugging an
unauthorized computer into a LAN.  It did this originally by looking at ARP
packets.  This is where the arp in karpski comes from.

Features
--------
-- XWindows + Gtk output
-- Identifies Raw 802.3, SNAP, 802.3/802.2 AND Ethernet II packets.
-- Threaded for good responsiveness
-- Allows for on screen watches of one connection or all traffic for a
   particular network station.
-- Automatic location of network stations
-- Includes a frame/protocol description language to add other protocols.
-- Allows you to "freeze" a network list and have the program inform you 
   of when a new station comes up.
-- Allows to-disk captures of most frame type / protocol combos.
-- Allows to-disk captures of unidentifiable packets.
-- Allows one to launch user configurable programs at any IP speaking station
   on your network.
-- Watch realtime statistics on your whole network or on a particular
   station.
-- Plays a scanning sound (currently KITT's scanning sound from Knight Rider)
-- GNU GPL licensing - source code included; your freedom assured.

Protocols supported on any level
--------------------------------
IP (UDP, ICMP, TCP, IGMP - all others identified only)
Ethertalk
Appletalk AARP
Novell
SNMP
Cisco ID packets (frame type 2000)
All IANA registered 802.3/802.2 Ethernet frames

Beta
----
Karpski is BETA software.  I cannot guarantee that it will work on ANY
systems other than mine.  I cannot guarantee it will not bring your network
to its knees (although that would be weird; karpski itself only listens and
doesn't send any packets :).  Programs you run through the Launch button are
another matter: they do whatever you configured them to do in smashy.dat.

Development platform
--------------------
Redhat 5.0
Linux 1.2.117
gcc 2.8.1
Pentium 166
128M RAM
XFree-86 SVGA server
Gtk-1.04
Enlightenment DR 0.13.3

Installation
------------

Read INSTALL and follow the directions.  INSTALL is a file that should have
come with your karpski distribution.

Usage
-----

Just run karpski.  The only commandline argument is the ethernet device to
capture on, for example "karpski eth0" (eth0 is only an example; use the
name of your own interface).  Opening an interface for capture through
libpcap needs root privileges, so expect to run it as root.

Buttons
-------

Start		- This starts the scanning process.
Stop		- This stops the scanning process.
Log		- This displays the log for the current session.  A log
		  contains warning information (such as new addresses on the
		  network, vendors with unregistered ID's, etc.).
Overall stats	- This displays the overall stats for all of the stations.
Connections	- This displays a list of connections.  Currently, only TCP
		  connections are supported.  Clicking on a connection is
		  SUPPOSED to tell you what the status of its connection is
		  (open / half closed / closed), but it doesn't work yet in
		  a lot of cases.
Launch		- Run a program, configured in your datdir (smashy.dat)
		  with the IP address being one of the parameters.  If
		  there are no items in your smashy.dat file, this button
		  will be greyed out.
Watch		- Watch all traffic to or from this MAC address.
Protocols	- View a non-realtime view of the protocols used on the
		  network.
Info		- Info about the highlighted MAC address.  Shows similar
		  information
Quit		- Quits!  You will not currently be asked if you want to
		  save the current network.  I had that option and it
		  bothered me because I'm still developing this.

Menus
-----

Open list	- This will open a previously saved network list and freeze
		  the current network list, making all new MAC addresses
		  log a warning.
Save list	- This will save a network list and freeze the current
		  network list so that new MAC addresses generate a warning.

About		- Displays the splash screen
Help		- Displays fairly useless help and a good Simpsons quote :)
		  Also has the reference to the GPL.
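The frozen-list feature described above (the "freeze" bullet under Features, the
Log button, and the Open list / Save list menus) is the intrusion-detection idea
karpski grew out of.  The following is an added example in Python, not karpski's
own C code: it keeps a station list keyed by MAC address, learns stations from
ARP frames, freezes the list, and logs a warning for any MAC that shows up
afterwards or whose vendor prefix is not in the vendor table.  The ARP frames,
the "mac ip" saved-list format and the three-entry OUI table are all
constructed here for the demo.

```python
"""Frozen station list with new-MAC warnings, in the spirit of karpski's
"freeze" feature and its Open list / Save list menus.  Added example, not
karpski's own code: the ARP frames, the saved-list format and the OUI table
excerpt below are all constructed here."""
import struct
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806

# Constructed excerpt of an OUI table (karpski reads vendor_codes.dat);
# the key is the first three bytes of the MAC address.
VENDOR_CODES: Dict[str, str] = {
    "00:00:0c": "Cisco",
    "08:00:20": "Sun",
    "00:a0:c9": "Intel",
}


def make_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a constructed Ethernet II ARP request (42 bytes) for the demo."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\x00" * 6 + tpa
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (sender MAC, sender IPv4) from an Ethernet II ARP frame, or None
    when the frame is not IPv4-over-Ethernet ARP or is too short to hold one.
    The length is checked first: the frame is untrusted input off the wire."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    hwtype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (hwtype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = frame[22:28], frame[28:32]
    return sha.hex(":"), ".".join(str(b) for b in spa)


class StationList:
    """Stations keyed by MAC, as karpski does, plus an optional frozen set."""

    def __init__(self) -> None:
        self.stations: Dict[str, str] = {}      # MAC -> last IP seen for it
        self.frozen: Optional[Set[str]] = None  # None until freeze()/load()
        self.log: List[str] = []

    def learn(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        mac, ip = parsed
        if mac not in self.stations:
            if VENDOR_CODES.get(mac[:8]) is None:
                self.log.append(f"WARNING: {mac} ({ip}): unregistered vendor ID")
            if self.frozen is not None and mac not in self.frozen:
                self.log.append(f"WARNING: new station {mac} ({ip}) not in frozen list")
        self.stations[mac] = ip

    def freeze(self) -> None:
        """Snapshot the current stations; any MAC seen later gets a warning."""
        self.frozen = set(self.stations)

    def save(self) -> str:
        """Save list: serialise as 'mac ip' lines (constructed format) and freeze."""
        self.freeze()
        return "".join(f"{mac} {ip}\n" for mac, ip in sorted(self.stations.items()))

    def load(self, text: str) -> None:
        """Open list: read a previously saved list and freeze against it."""
        for line in text.splitlines():
            if line.strip():
                mac, ip = line.split()
                self.stations[mac] = ip
        self.freeze()
```

Keep in mind what this does and does not tell you: a MAC address is set by the
sending host and is trivially changed, so a frozen list detects the careless
newcomer, not an attacker who first cloned the address of a station that is
already on the list.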

Datfiles
--------

protocol_parser.dat -	This contains all of the packet parsing
			information except for the ether frame parsing
			which is done in proto.c.  I am not going to go 
			into detail for protocol_parser.dat yet.  I have 
			not finished defining the language.  Some of the
			language is easy.  Most values can be defined as
			either a number (absolute value) or by a description
			of where to find it.

This number format is offset, len, mask, net order, shift where:

offset-			The offset from within the packet (or subpacket)
len-			The length of the number (in bytes)
mask-			Any mask that needs to be applied to get the value.
net order-		Is this in net order (1) or not (0)?
shift-			A positive number means shift right, negative shift
			left.  Therefore, 2 is (n >> 2) and -1 is (n << 1).
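To show what such a description does in practice, here is an added example
in Python (not karpski's parser, which is C driven by protocol_parser.dat)
that reads fields from a constructed IPv4/TCP packet using exactly the
offset, len, mask, net order, shift tuple above.  The field tables and the
assumption that the mask is applied before the shift are mine; the bounds
check in extract() is the one thing you most want from any parser fed by a
network: a description that reaches past the end of a short packet must fail
cleanly instead of reading whatever follows.

```python
"""Field extraction by karpski's "offset, len, mask, net order, shift"
description, applied to a constructed IPv4/TCP packet.  Added example, not
code from karpski; the field tables and the mask-before-shift assumption
are mine."""
from typing import Dict, Tuple

# (offset, len, mask, net_order, shift) as described in the README.
FieldSpec = Tuple[int, int, int, int, int]

IP_FIELDS: Dict[str, FieldSpec] = {
    "version":      (0, 1, 0xF0, 1, 4),      # high nibble of byte 0
    "ihl_bytes":    (0, 1, 0x0F, 1, -2),     # low nibble, shifted left 2 (= *4)
    "total_length": (2, 2, 0xFFFF, 1, 0),
    "flags":        (6, 2, 0xE000, 1, 13),   # top three bits of the 16-bit field
    "frag_offset":  (6, 2, 0x1FFF, 1, 0),
    "ttl":          (8, 1, 0xFF, 1, 0),
    "protocol":     (9, 1, 0xFF, 1, 0),
}
TCP_FIELDS: Dict[str, FieldSpec] = {
    "src_port":    (0, 2, 0xFFFF, 1, 0),
    "dst_port":    (2, 2, 0xFFFF, 1, 0),
    "data_offset": (12, 1, 0xF0, 1, 4),
    "syn":         (13, 1, 0x02, 1, 1),      # SYN flag as 0/1
}


def extract(buf: bytes, offset: int, length: int, mask: int,
            net_order: int, shift: int) -> int:
    """Read `length` bytes at `offset` of buf (the packet or sub-packet),
    mask them, then shift: positive shifts right, negative shifts left.
    Every byte here came off the wire, so the bounds check is not optional."""
    if offset < 0 or length < 1 or offset + length > len(buf):
        raise ValueError(f"field [{offset}:{offset + length}] outside "
                         f"{len(buf)}-byte buffer")
    value = int.from_bytes(buf[offset:offset + length],
                           "big" if net_order else "little")
    value &= mask
    return value >> shift if shift >= 0 else value << -shift


def parse_fields(buf: bytes, table: Dict[str, FieldSpec]) -> Dict[str, int]:
    """Apply a whole table of descriptions to one buffer."""
    return {name: extract(buf, *spec) for name, spec in table.items()}


def parse_ip_tcp(packet: bytes) -> Dict[str, int]:
    """Parse the IPv4 header, then the TCP header as a sub-packet that starts
    where the IHL field says the IP header ends."""
    ip = parse_fields(packet, IP_FIELDS)
    if ip["version"] != 4 or ip["ihl_bytes"] < 20:
        raise ValueError("not an IPv4 packet")
    out = {f"ip.{k}": v for k, v in ip.items()}
    if ip["protocol"] == 6:
        tcp = parse_fields(packet[ip["ihl_bytes"]:], TCP_FIELDS)
        out.update({f"tcp.{k}": v for k, v in tcp.items()})
    return out


# Constructed packet: 20-byte IPv4 header (DF set, TTL 64, protocol 6,
# 10.0.0.1 -> 10.0.0.2) followed by a 20-byte TCP SYN from port 1234 to 80.
SAMPLE_PACKET = bytes.fromhex(
    "4500 0028 0001 4000 4006 0000 0a00 0001 0a00 0002"
    "04d2 0050 0000 0001 0000 0000 5002 2000 0000 0000"
)
```

The negative shift on ihl_bytes is the README's (n << 2): it turns the IHL
count of 32-bit words into a byte offset for the sub-packet in one
description, without a separate multiply.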

capture_fliters.dat - 	This file contains definitions for three kinds of
			capture filters (capture filters capture packets
			to disk).  Karpski will only save the best fit. 
			Therefore, if you have a capture on frame 0x0800 and
			a protocol capture on 0x800 / TCP, the TCP packet
			would be written ONLY to the TCP output file.

	- protoframe <frame_type> <protocol_name> <output_path>
		This captures all packets that match the frame type AND
		the protocol type to the file <output_path>.
	- frame <frame_type> <output_path>
		This captures all packets that have <frame_type> as their
		frame type to the file <output_path>
	- defcap <output_path>
		This captures all packets that are an unknown frame type to
		the file <output_path>.
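The "best fit" rule above is easy to get wrong, so here is an added example in
Python (not karpski's code) that parses the three documented filter forms from
a constructed capture filter file and returns the single output path a packet
would be written to.  Representing "karpski could not identify the frame type"
as a frame type of None is my modelling choice; the paths are made up.

```python
"""Best-fit selection among karpski's three capture filter kinds
(protoframe, frame, defcap).  Added example, not karpski's code; the file
contents and paths are constructed, and a frame_type of None stands for
"frame type not identified"."""
from typing import List, NamedTuple, Optional


class CaptureFilter(NamedTuple):
    kind: str                  # "protoframe", "frame" or "defcap"
    frame_type: Optional[int]  # None for defcap
    protocol: Optional[str]    # only protoframe carries one
    output_path: str


def parse_capture_filters(text: str) -> List[CaptureFilter]:
    """Parse lines of the three documented forms.  Frame types are accepted
    as 0x0800 or 0x800 (base-0 int parsing); anything else is rejected with
    the line number rather than silently becoming a filter that never fires."""
    filters: List[CaptureFilter] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        kind = parts[0]
        try:
            if kind == "protoframe" and len(parts) == 4:
                filters.append(CaptureFilter(kind, int(parts[1], 0), parts[2], parts[3]))
            elif kind == "frame" and len(parts) == 3:
                filters.append(CaptureFilter(kind, int(parts[1], 0), None, parts[2]))
            elif kind == "defcap" and len(parts) == 2:
                filters.append(CaptureFilter(kind, None, None, parts[1]))
            else:
                raise ValueError("unknown filter kind or wrong field count")
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from exc
    return filters


def best_fit(filters: List[CaptureFilter], frame_type: Optional[int],
             protocol: Optional[str]) -> Optional[str]:
    """Return the one output path the packet is written to, or None.
    protoframe (frame type AND protocol) beats frame (frame type only);
    defcap applies only to packets whose frame type was not identified,
    so a known frame type with no matching filter is not captured at all."""
    if frame_type is None:
        return next((f.output_path for f in filters if f.kind == "defcap"), None)
    for f in filters:
        if f.kind == "protoframe" and f.frame_type == frame_type and f.protocol == protocol:
            return f.output_path
    for f in filters:
        if f.kind == "frame" and f.frame_type == frame_type:
            return f.output_path
    return None


# Constructed capture filter file mirroring the README's 0x0800 / TCP example.
SAMPLE_FILTERS = """\
protoframe 0x0800 TCP /var/tmp/karpski/tcp.cap
frame 0x800 /var/tmp/karpski/ip.cap
defcap /var/tmp/karpski/unknown.cap
"""
```

With these three lines a TCP packet goes only to tcp.cap, a UDP packet to
ip.cap, an unidentified frame to unknown.cap, and an ARP frame nowhere.
Since the sniffer runs with capture privileges, keep the output paths in a
directory that only you can write to.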


scanner.au -		This is the sound heard when you scan, if you have
			scan sounds on (/dev/audio required).  This sound
			must be in Sun AU format.  To see if your sound is
			in the correct format, type cat yoursound.au >
			/dev/audio.

splash_karpksi.xpm -	The splash screen.
smashy.dat -		The launch commands and the descriptions shown for
			them in the Launch button's list.
vendor_codes.dat -	A list of the various NIC vendors whose names can
			be ascertained by the first three bytes of the MAC
			address.
karpskirc -		A Gtk rc style file for modifying the fonts that
			karpski uses.  I may use fonts that you don't use.


Code
----

karpski uses libpcap by The Lawrence Berkeley Labs people (ftp.ee.lbl.gov). 
You need it for this to run.  

I chose pcap and Gtk because these should theoretically be easily portable. 
Gtk should run on all popular UNIX platforms, as should pcap.  Unfortunately,
I don't have any other test systems, so I have to rely on users' success
stories.

My code is ugly, I use globals everywhere and I comment only some of my
routines.  Sorry, I have an excuse!  I added onto this piece by piece.  

BUGS
----

If you find a bug, send me a report!  I'll try to help with any weirdness,
but please try running another Gtk app before you ask me for help.  If
you've followed the instructions in INSTALL, done a make install, and you
have a properly working Gtk v1.0 or later, you can send me mail at
btx@calyx.net.

Make sure that you have the latest version of karpski, currently available
at http://mojo.calyx.net/~btx/karpski.html