File: nast.8

package info (click to toggle)
nast 0.2.0-13
links: PTS, VCS
area: main
in suites: forky, sid
size: 1,824 kB
sloc: ansic: 7,516; sh: 2,768; makefile: 63
file content (771 lines) | stat: -rw-r--r-- 23,163 bytes
parent folder | download | duplicates (4)
.\"    Nast manpage
.\"
.\"    This program is free software; you can redistribute it and/or modify
.\"    it under the terms of the GNU General Public License as published by
.\"    the Free Software Foundation; either version 2 of the License, or
.\"    (at your option) any later version.
.\"		
.\"    This program is distributed in the hope that it will be useful,
.\"    but WITHOUT ANY WARRANTY; without even the implied
.\"    warranty of
.\"    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\"    GNU General Public License for more details.
.\"	
.\"    You should have received a copy of the GNU General Public License
.\"    along with this program; if not, write to the Free Software
.\"    Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
.\"
.TH NAST "8" "20040216" "NAST 0.2.0"
.SH NAME
nast \- Network Analyzer Sniffer Tool

.SH SYNOPSIS
nast [\-G] [\-i interface] [\-l filename] [\-f filter] [\-\-ld filename] [\-pdxPmsgrSMLbcCBVh]

.SH DESCRIPTION
Nast is a packet sniffer and a LAN analyzer based on Libnet and Libpcap.
.LP
It can sniff in normal mode or in promiscuous mode the packets on a network interface and log it. 
It dumps the headers of packets and the payload in ascii or ascii-hex format. 
You can apply a filter. The sniffed data can be saved in a separated file.
.TP
As analyzer tool, it has many features like:
.br
* Build LAN hosts list
.br
* Follow a TCP-DATA stream
.br
* Find LAN Internet gateways
.br
* Discover promiscuous nodes
.br
* Reset an established connection
.br
* Perform a single half-open portscanner 
.br
* Perform a multi half-open portscanner
.br
* Find link type (hub or switch)
.br
* Catch daemon banner of LAN nodes
.br
* Control ARP answers to discover possible ARP-spoofing
.br
* Byte counting with an optional filter
.br
* Write reports logging
.br
.TP
It also provides a new ncurses interface.
.PP
.SH CMDLINE SNIFFER OPTIONS
.TP
\fB\-i, \-\-interface\fR
Select the Interface, if not specified will be auto-detected.
.br
.TP
\fB\-p, \-\-promisc\fR
Disable promiscuous mode on NIC.
.br
.TP
\fB\-d, \-\-ascii-data\fR
Print data in ascii format.
.br
.TP
\fB\-x, \-\-ascii-hex-data\fR
Print data in ascii-hex format.
.br
.TP
\fB\-f, \-\-filter <"filter">\fR
Apply <"filter"> to sniffer (see "FILTER SYNTAX" section below for syntax)
.br
.TP
\fB    \-\-ld <filename>\fR
Log captured data to <filename> (only payload). Use \-l to log all packet instead, useful with \-B
.br
.TP
\fB\-T, \-\-tcpdump-log <filename>\fR
Log all packets in tcpdump format to <filename>
.br
.TP
\fB\-R, \-\-tcpdump-log-read <filename>\fR
Read all packets saved in tcpdump format from <filename>
.br
.PP
.SH ANALYZER FEATURES
.TP
\fB\-P, \-\-check-promisc <ip>\fR
Check other NIC on the LAN with the promiscuous flag set.
.br
By performing a fake ARP broadcast, we can determine if a NIC is in promiscuous mode or not. 
If the checked host is in promiscuous mode it will responds with an ARP response otherwise it drop the packet.	
.br
Note: This method doesn't work with all OS
.br
Use \fB-P all\fR to query all network NIC

eg: root@localhost:~/$ nast \-P 192.168.1.2

NAST "NETWORK ANALYZER SNIFFER TOOL"

192.168.1.2 (localhost.org)             Found!!

We can check all nodes by using:
.br
root@localhost:~/$ nast \-P all

.TP
\fB\-m, \-\-host-list\fR
Map the LAN by performing a series of ARP request to sequential subnet IP
addresses.

eg: root@localhost:~/$ nast \-m

NAST "NETWORK ANALYZER SNIFFER TOOL"

Mapping the Lan for 255.255.255.0 subnet ... please wait

MAC address             IP address (hostname)
.br
===========================================================
.br
00:4R:BR:3E:21:12       192.168.1.1(nast.experiment.net)
.br
00:50:BA:80:AC:11       192.168.1.2 (localhost.org) (*)

(*) This is localhost

.br
.TP
\fB\-s, \-\-tcp-stream\fR
Follow a TCP/IP connection printing all data in payload. You must specify the IP addresses of the ends.

eg of a ftp connection:
.br
root@localhost:~/$ nast \-s

NAST "NETWORK ANALYZER SNIFFER TOOL"

Type connection extremes
.br
------------------------
.br
1st ip : 192.168.1.1
.br
1st port : 1041
.br
2nd : 192.168.1.2
.br
2nd port : 21
.br

NAST TCP STREAM LOG
.br
.br
192.168.1.1->mistaya.neverland.org
.br
PASV
.br
192.168.1.1<-mistaya.neverland.org
.br
227 Entering Passive Mode (192,168,1,2,4,12).
.br
192.168.1.1->mistaya.neverland.org
.br
LIST
.br
(...)
.br
.br
.TP
\fB\-g, \-\-find-gateway\fR
Try to find possible Internet-gateways.
.br
We send a SYN packet to a public host on port 80 through sequential host-lan and if a SYN-ACK
return we have find the gateway.
.br
.TP
\fB\-r, \-\-reset-connection\fR
Destroy an established connection. You must specify the IP addresses of the ends and at least one port . 
Please, pay attention when use this function.

eg: root@localhost:~/$ nast \-r

NAST "NETWORK ANALYZER SNIFFER TOOL"

Type connection extremes
.br
------------------------
.br
1 ip / hostname : 192.168.1.1
.br
1 port (0 to autodetect) : 0
.br
2 ip / hostname : 192.168.1.2
.br
2 port (0 to autodetect) : 21
.br

- Waiting for SEQ ACK (192.168.1.1 -> 192.168.1.2:21)
.br
- Stoled SEQ (247656261) ACK (3764364876)...
.br
- Connection has been reset
.br

.br
This feature works only if we can read SEQ and ACK numbers, because RST
mechanism works with them.
.br
.TP
\fB\-S, \-\-port-scanner\fR
Performs a half-open port scanning on the selected host. It tries also to determine some firewall (just iptables) rules.
.br
About this technique NMAP says:
This technique is often referred to as "half-open" scanning, because you
don't open a full TCP  connection.  You send  a SYN packet, as if you are going to open a real
connection and you wait for a response. A SYN|ACK indicates the port is
listening. A RST is indicative of a non-listener.  If a SYN|ACK is received, a RST is immediately sent 
to tear down  the  connection  (actually  our OS kernel does this for us). 
The primary advantage to this scanning technique is that fewer sites will
log it.  Unfortunately you need root privileges to build these custom SYN packets.
.br

eg: root@localhost:~/$ nast \-S
.br
.br
NAST "NETWORK ANALYZER SNIFFER TOOL"
.br
Port Scanner extremes
.br
Insert IP to scan   : 192.168.1.3
.br
Insert Port range   : 1-100
.br

Wait for scanning...
.br

State           Port            Services                Notes
.br
Open            22              ssh                     None
.br
Open            27              nsw-fe                  None

All the other 98 ports are in state closed
.br
Scanning terminated on Apr 14 21:46:55

The Port range could be in the following style:
.br
eg: 1-100       (means from port 1 to 100)
    1,3,5,1000  (means ports 1,3,5 and 1000)
    1-50,60     (means from port 1 to 50 and port 60)
.br

.TP
\fB\-M, \-\-multi-port-scanner\fR
Same as above but done on all hosts of the lan.
.br
.TP
\fB\-L, \-\-find-link\fR
Tries to determine what type of link is used in the LAN (Hub or switch).
.br
In the LAN segment is there a HUB or a SWITCH? We can find it by sending a
spoofed ICMP echo-request (to work there must be at least 3 host in LAN and
at least one of them must reply with a ICMP echo-replay)
.br    
.TP
\fB\-b, \-\-daemon-banner\fR
Checks the most famous daemon banner on the LAN's hosts.
.br
You can customize ports database adding them to ports[] variable in main.c
.br
.TP
\fB\-c, \-\-check-arp-poisoning\fR
Control ARP answers to discover possible ARP spoofing attacks like
man-in-the-middle
.br
When run, Nast make a database of all network node (IP and MAC address), 
then sniff ARP response and verify the correctness of IP-mac address association. 
Remember to execute Nast when you are sure that
nobody is making ARP-poisoning, than have fun and relax and check program output:).    
.br
.TP
\fB\-C, \-\-byte-counting <"filter">\fR
Apply traffic counting to <"filter"> (see FILTER SYNTAX section below for syntax)
.br
Use \fB-C any\fR if you don't want to use a filter.

eg: root@localhost:~/$ nast \-C any

NAST "NETWORK ANALYZER SNIFFER TOOL"

Reading from "eth0"

Packets         Total           Current speed           Average speed
.br
----------------------------------------------------------------
.br
- 24            1008B           18B/s                   21B/s

.br
.PP
.SH GENERAL OPTIONS
.TP
\fB\-G, \-\-ncurses\fR
Run Nast with the ncurses interfaces (only if compiled with ncurses support)
.br
.TP
\fB\-l, \-\-log-file <filename>\fR
Log reports to <filename>. Work with many features.
.br
.TP
\fB\-B, \-\-daemon\fR
Run in background like daemon and turn off stdout (very useful for sniffer/stream/ARP control logging)
.br
.TP
\fB\-V, \-\-version\fR
Show version information
.PP
.SH NCURSES INTERFACE NOTE
Versions later 0.2.0 have a new ncurses interface which has many improvements 
regarding the correspondent command line version. For example you can select the 
connection interactively for tcp stream and reset features and byte counting 
module show much more information (packets type and connections load).
.TP
Please read NCURSES_README file before using the ncurses interface!
.PP
.SH FILTER SYNTAX, WHAT PCAP GIVE US!
Important: this section has been copied from Tcpdump 3.7.1 manpage 
and "expression" here stand from "filter".
.br
\fBRemeber\fR to enclose filter between apexes ("something like this")
.br
.IP "\fI expression\fP"
.RS
selects which packets will be dumped.
If no \fIexpression\fP
is given, all packets on the net will be dumped.
Otherwise,
only packets for which \fIexpression\fP is `true' will be dumped.
.LP
The \fIexpression\fP consists of one or more
.I primitives.
Primitives usually consist of an
.I id
(name or number) preceded by one or more qualifiers.
There are three
different kinds of qualifier:
.IP \fItype\fP
qualifiers say what kind of thing the id name or number refers to.
Possible types are
.BR host ,
.B net
and
.BR port .
E.g., `host foo', `net 128.3', `port 20'.
If there is no type
qualifier,
.B host
is assumed.
.IP \fIdir\fP
qualifiers specify a particular transfer direction to and/or from
.IR id .
Possible directions are
.BR src ,
.BR dst ,
.B "src or dst"
and
.B "src and"
.BR dst .
E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.
If
there is no dir qualifier,
.B "src or dst"
is assumed.
For `null' link layers (i.e. point to point protocols such as slip) the
.B inbound
and
.B outbound
qualifiers can be used to specify a desired direction.
.IP \fIproto\fP
qualifiers restrict the match to a particular protocol.
Possible
protos are:
.BR ether ,
.BR fddi ,
.BR tr ,
.BR ip ,
.BR ip6 ,
.BR arp ,
.BR rarp ,
.BR decnet ,
.B tcp
and
.BR udp .
E.g., `ether src foo', `arp net 128.3', `tcp port 21'.
If there is
no proto qualifier, all protocols consistent with the type are
assumed.
E.g., `src foo' means `(ip or arp or rarp) src foo'
(except the latter is not legal syntax), `net bar' means `(ip or
arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.
.LP
[`fddi' is actually an alias for `ether'; the parser treats them
identically as meaning ``the data link level used on the specified
network interface.''  FDDI headers contain Ethernet-like source
and destination addresses, and often contain Ethernet-like packet
types, so you can filter on these FDDI fields just as with the
analogous Ethernet fields.
FDDI headers also contain other fields,
but you cannot name them explicitly in a filter expression.
.LP
Similarly, `tr' is an alias for `ether'; the previous paragraph's
statements about FDDI headers also apply to Token Ring headers.]
.LP
In addition to the above, there are some special `primitive' keywords
that don't follow the pattern:
.BR gateway ,
.BR broadcast ,
.BR less ,
.B greater
and arithmetic expressions.
All of these are described below.
.LP
More complex filter expressions are built up by using the words
.BR and ,
.B or
and
.B not
to combine primitives.
E.g., `host foo and not port ftp and not port ftp-data'.
To save typing, identical qualifier lists can be omitted.
E.g.,
`tcp dst port ftp or ftp-data or domain' is exactly the same as
`tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.
.LP
Allowable primitives are:
.IP "\fBdst host \fIhost\fR"
True if the IPv4/v6 destination field of the packet is \fIhost\fP,
which may be either an address or a name.
.IP "\fBsrc host \fIhost\fR"
True if the IPv4/v6 source field of the packet is \fIhost\fP.
.IP "\fBhost \fIhost\fP
True if either the IPv4/v6 source or destination of the packet is \fIhost\fP.
Any of the above host expressions can be prepended with the keywords,
\fBip\fP, \fBarp\fP, \fBrarp\fP, or \fBip6\fP as in:
.in +.5i
.nf
\fBip host \fIhost\fR
.fi
.in -.5i
which is equivalent to:
.in +.5i
.nf
\fBether proto \fI\\ip\fB and host \fIhost\fR
.fi
.in -.5i
If \fIhost\fR is a name with multiple IP addresses, each address will
be checked for a match.
.IP "\fBether dst \fIehost\fP
True if the ethernet destination address is \fIehost\fP.
\fIEhost\fP
may be either a name from /etc/ethers or a number (see
.IR ethers (3N)
for numeric format).
.IP "\fBether src \fIehost\fP
True if the ethernet source address is \fIehost\fP.
.IP "\fBether host \fIehost\fP
True if either the ethernet source or destination address is \fIehost\fP.
.IP "\fBgateway\fP \fIhost\fP
True if the packet used \fIhost\fP as a gateway.
I.e., the ethernet
source or destination address was \fIhost\fP but neither the IP source
nor the IP destination was \fIhost\fP.
\fIHost\fP must be a name and
must be found both by the machine's host-name-to-IP-address resolution
mechanisms (host name file, DNS, NIS, etc.) and by the machine's
host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.).
(An equivalent expression is
.in +.5i
.nf
\fBether host \fIehost \fBand not host \fIhost\fR
.fi
.in -.5i
which can be used with either names or numbers for \fIhost / ehost\fP.)
This syntax does not work in IPv6-enabled configuration at this moment.
.IP "\fBdst net \fInet\fR"
True if the IPv4/v6 destination address of the packet has a network
number of \fInet\fP.
\fINet\fP may be either a name from /etc/networks
or a network number (see \fInetworks(4)\fP for details).
.IP "\fBsrc net \fInet\fR"
True if the IPv4/v6 source address of the packet has a network
number of \fInet\fP.
.IP "\fBnet \fInet\fR"
True if either the IPv4/v6 source or destination address of the packet has a network
number of \fInet\fP.
.IP "\fBnet \fInet\fR \fBmask \fInetmask\fR"
True if the IP address matches \fInet\fR with the specific \fInetmask\fR.
May be qualified with \fBsrc\fR or \fBdst\fR.
Note that this syntax is not valid for IPv6 \fInet\fR.
.IP "\fBnet \fInet\fR/\fIlen\fR"
True if the IPv4/v6 address matches \fInet\fR with a netmask \fIlen\fR
bits wide.
May be qualified with \fBsrc\fR or \fBdst\fR.
.IP "\fBdst port \fIport\fR"
True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a
destination port value of \fIport\fP.
The \fIport\fP can be a number or a name used in /etc/services (see
.IR tcp (4P)
and
.IR udp (4P)).
If a name is used, both the port
number and protocol are checked.
If a number or ambiguous name is used,
only the port number is checked (e.g., \fBdst port 513\fR will print both
tcp/login traffic and udp/who traffic, and \fBport domain\fR will print
both tcp/domain and udp/domain traffic).
.IP "\fBsrc port \fIport\fR"
True if the packet has a source port value of \fIport\fP.
.IP "\fBport \fIport\fR"
True if either the source or destination port of the packet is \fIport\fP.
Any of the above port expressions can be prepended with the keywords,
\fBtcp\fP or \fBudp\fP, as in:
.in +.5i
.nf
\fBtcp src port \fIport\fR
.fi
.in -.5i
which matches only tcp packets whose source port is \fIport\fP.
.IP "\fBless \fIlength\fR"
True if the packet has a length less than or equal to \fIlength\fP.
This is equivalent to:
.in +.5i
.nf
\fBlen <= \fIlength\fP.
.fi
.in -.5i
.IP "\fBgreater \fIlength\fR"
True if the packet has a length greater than or equal to \fIlength\fP.
This is equivalent to:
.in +.5i
.nf
\fBlen >= \fIlength\fP.
.fi
.in -.5i
.IP "\fBip proto \fIprotocol\fR"
True if the packet is an IP packet (see
.IR ip (4P))
of protocol type \fIprotocol\fP.
\fIProtocol\fP can be a number or one of the names
\fIicmp\fP, \fIicmp6\fP, \fIigmp\fP, \fIigrp\fP, \fIpim\fP, \fIah\fP,
\fIesp\fP, \fIvrrp\fP, \fIudp\fP, or \fItcp\fP.
Note that the identifiers \fItcp\fP, \fIudp\fP, and \fIicmp\fP are also
keywords and must be escaped via backslash (\\), which is \\\\ in the C-shell.
Note that this primitive does not chase the protocol header chain.
.IP "\fBip6 proto \fIprotocol\fR"
True if the packet is an IPv6 packet of protocol type \fIprotocol\fP.
Note that this primitive does not chase the protocol header chain.
.IP "\fBip6 protochain \fIprotocol\fR"
True if the packet is IPv6 packet,
and contains protocol header with type \fIprotocol\fR
in its protocol header chain.
For example,
.in +.5i
.nf
\fBip6 protochain 6\fR
.fi
.in -.5i
matches any IPv6 packet with TCP protocol header in the protocol header chain.
The packet may contain, for example,
authentication header, routing header, or hop-by-hop option header,
between IPv6 header and TCP header.
The BPF code emitted by this primitive is complex and
cannot be optimized by BPF optimizer code in \fItcpdump\fP,
so this can be somewhat slow.
.IP "\fBip protochain \fIprotocol\fR"
Equivalent to \fBip6 protochain \fIprotocol\fR, but this is for IPv4.
.IP "\fBether broadcast\fR"
True if the packet is an ethernet broadcast packet.
The \fIether\fP
keyword is optional.
.IP "\fBip broadcast\fR"
True if the packet is an IP broadcast packet.
It checks for both
the all-zeroes and all-ones broadcast conventions, and looks up
the local subnet mask.
.IP "\fBether multicast\fR"
True if the packet is an ethernet multicast packet.
The \fIether\fP
keyword is optional.
This is shorthand for `\fBether[0] & 1 != 0\fP'.
.IP "\fBip multicast\fR"
True if the packet is an IP multicast packet.
.IP "\fBip6 multicast\fR"
True if the packet is an IPv6 multicast packet.
.IP  "\fBether proto \fIprotocol\fR"
True if the packet is of ether type \fIprotocol\fR.
\fIProtocol\fP can be a number or one of the names
\fIip\fP, \fIip6\fP, \fIarp\fP, \fIrarp\fP, \fIatalk\fP, \fIaarp\fP,
\fIdecnet\fP, \fIsca\fP, \fIlat\fP, \fImopdl\fP, \fImoprc\fP,
\fIiso\fP, \fIstp\fP, \fIipx\fP, or \fInetbeui\fP.
Note these identifiers are also keywords
and must be escaped via backslash (\\).
.IP
[In the case of FDDI (e.g., `\fBfddi protocol arp\fR') and Token Ring
(e.g., `\fBtr protocol arp\fR'), for most of those protocols, the
protocol identification comes from the 802.2 Logical Link Control (LLC)
header, which is usually layered on top of the FDDI or Token Ring
header.
.IP
When filtering for most protocol identifiers on FDDI or Token Ring,
\fItcpdump\fR checks only the protocol ID field of an LLC header in
so-called SNAP format with an Organizational Unit Identifier (OUI) of
0x000000, for encapsulated Ethernet; it doesn't check whether the packet
is in SNAP format with an OUI of 0x000000.
.IP
The exceptions are \fIiso\fP, for which it checks the DSAP (Destination
Service Access Point) and SSAP (Source Service Access Point) fields of
the LLC header, \fIstp\fP and \fInetbeui\fP, where it checks the DSAP of
the LLC header, and \fIatalk\fP, where it checks for a SNAP-format
packet with an OUI of 0x080007 and the Appletalk etype.
.IP
In the case of Ethernet, \fItcpdump\fR checks the Ethernet type field
for most of those protocols; the exceptions are \fIiso\fP, \fIsap\fP,
and \fInetbeui\fP, for which it checks for an 802.3 frame and then
checks the LLC header as it does for FDDI and Token Ring, \fIatalk\fP,
where it checks both for the Appletalk etype in an Ethernet frame and
for a SNAP-format packet as it does for FDDI and Token Ring, \fIaarp\fP,
where it checks for the Appletalk ARP etype in either an Ethernet frame
or an 802.2 SNAP frame with an OUI of 0x000000, and \fIipx\fP, where it
checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC
header, the 802.3 with no LLC header encapsulation of IPX, and the IPX
etype in a SNAP frame.]
.IP "\fBdecnet src \fIhost\fR"
True if the DECNET source address is
.IR host ,
which may be an address of the form ``10.123'', or a DECNET host
name.
[DECNET host name support is only available on Ultrix systems
that are configured to run DECNET.]
.IP "\fBdecnet dst \fIhost\fR"
True if the DECNET destination address is
.IR host .
.IP "\fBdecnet host \fIhost\fR"
True if either the DECNET source or destination address is
.IR host .
.IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fInetbeui\fP"
Abbreviations for:
.in +.5i
.nf
\fBether proto \fIp\fR
.fi
.in -.5i
where \fIp\fR is one of the above protocols.
.IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR"
Abbreviations for:
.in +.5i
.nf
\fBether proto \fIp\fR
.fi
.in -.5i
where \fIp\fR is one of the above protocols.
Note that
\fItcpdump\fP does not currently know how to parse these protocols.
.IP "\fBvlan \fI[vlan_id]\fR"
True if the packet is an IEEE 802.1Q VLAN packet.
If \fI[vlan_id]\fR is specified, only true is the packet has the specified
\fIvlan_id\fR.
Note that the first \fBvlan\fR keyword encountered in \fIexpression\fR
changes the decoding offsets for the remainder of \fIexpression\fR
on the assumption that the packet is a VLAN packet.
.IP  "\fBtcp\fR, \fBudp\fR, \fBicmp\fR"
Abbreviations for:
.in +.5i
.nf
\fBip proto \fIp\fR\fB or ip6 proto \fIp\fR
.fi
.in -.5i
where \fIp\fR is one of the above protocols.
.IP "\fBiso proto \fIprotocol\fR"
True if the packet is an OSI packet of protocol type \fIprotocol\fP.
\fIProtocol\fP can be a number or one of the names
\fIclnp\fP, \fIesis\fP, or \fIisis\fP.
.IP "\fBclnp\fR, \fBesis\fR, \fBisis\fR"
Abbreviations for:
.in +.5i
.nf
\fBiso proto \fIp\fR
.fi
.in -.5i
where \fIp\fR is one of the above protocols.
Note that \fItcpdump\fR does an incomplete job of parsing these protocols.
.PP
.SH EXAMPLES
Here are some examples of the use of NAST:
.br
.SH
   nast \-f "src 192.168.1.2"
.br
In this example with the help of the filter we choose to see only the
traffic from 192.168.1.2
.br
.SH
   nast \-p \-B \-\-ld logfile.txt
.br
Here we run nast in background mode and log all data that pass through our NIC.
.br
.SH
   nast \-S \-l logfile.txt
.br
In this other case we log the results of the port scanner in the file "logfile.txt"
.br
.SH
   nast \-c \-B
.br
This is a very useful options. We run in background mode nast that checks if someone
is arp-poisoning.
.br
.PP
.SH SUPPORTED PLATFORMS
Tested:
.br
* Linux 2.4.x
.br
* Linux 2.6.x
.br
* FreeBSD 5.x
.br
* FreeBSD 4.x
.LP
Not tested yet:
.br
* Linux 2.2.x
.PP

.SH AVAILABILITY
Official web site: http://nast.berlios.de
.br
Newsletter: http://lists.berlios.de/mailman/listinfo/nast-news
.PP

.SH KNOWN BUGS
* Promiscuous mode scanner many times returns wrong results
.br
* Sometimes the port scanner generates false results
.LP
Please report bugs to authors
.PP

.SH AUTHORS
Embyte <embyte@madlab.it>
.br
Snifth <snifth@box.it>
.PP

.SH LICENSE
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
.br
See COPYING for details.