.\" Sniffit man page file - Brecht Claerhout
.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
.TH SNIFFIT 8
.SH NAME
sniffit \- packet sniffer and monitoring tool
.SH SYNOPSIS
.B sniffit [-xdabvnN] [-P
.I proto
.B ] [-A
.I char
.B ] [-p
.I port
.B ] [-l
.I sniflen
.B ] [-L
.I loglevel
.B ] [-F
.I snifdevice
.B ] [-D
.I tty
.B ] [-M
.I plugin
.B ] [(-t
.I Target-IP
.B | -s
.I Source-IP
.B ) | -i | -c
.I config-file
.B ]
.SH DESCRIPTION
.B sniffit
is a packet sniffer for TCP/UDP/ICMP packets.
.B sniffit
is able to give you very detailed technical info on these
packets (SEQ, ACK, TTL, Window, ...) but also packet contents in
different formats (hex or plain text, ...).
.LP
.B sniffit
can by default handle ethernet and PPP devices, but can easily be
forced into using other devices (read the
.B README.*
and
.B config.h
files on this subject!)
.LP
The sniffer can easily be configured to 'filter' the incoming
packets (to make the sniffing results easier to study). The config file (see
.BR sniffit (5)
) allows you to be very specific about the packets to be processed.
.LP
.B sniffit
also has an interactive mode for active monitoring, and can also be used
for continuous monitoring on different levels.
.SH NOTE
This man page is supposed to be a reference manual. So please read
.B README.*
first, and use this only for better understanding or for a quick check on
the use of
.BR sniffit .
.SH OPTIONS
.IP -v
Shows the version of
.B sniffit
you are running and exits
.I "(overrides all)"
.IP "-t Target-IP"
Only process packets TO Target-IP. If Target-IP is in dot-nr notation,
'x' is allowed as wildcard. (e.g. '-t 157.193.x', '-t x', ...)
.I "(NOT compatible with: '-s' '-i' '-c' '-v' '-L')"
.IP "-s Source-IP"
Similar to '-t', only process packets FROM Source-IP.
.I "(NOT compatible with: '-t' '-i' '-c' '-v' '-L')"
.IP -b
'both' mode: together with '-s' or '-t', only process packets FROM or TO the IP
specified by '-s' or '-t'.
.I "(NOT compatible with: '-t' '-i' '-c' '-v' '-L')"
.IP "-c config-file"
Use
.I config-file
for the packet filtering. This allows you to be very specific on the
packets to be processed (see
.BR sniffit (5)
for details on the format).
.I "(NOT compatible with: '-t' '-s' '-i' '-v' '-L')"
.IP -i
Launch the ncurses interface for active monitoring ('interactive mode').
(NOT available if you compiled without INTERACTIVE support; see
.B config.h
and
.B README.*
)
(one of the options '-t' '-s' '-i' '-c' is required)
.I "(NOT compatible with: '-t' '-s' '-c' '-v' '-L')"
.IP -n
Turn off IP checksum checking. This can show you bogus packets.
(mind you, ARP, RARP and other non-IP packets will show up as bogus too)
.I "(compatible with ALL options)"
.IP -N
Don't perform any of the built-in Sniffit functions. Useful for only
running a plugin.
.I "(compatible with ALL options)"
.IP -x
Prints extended info on TCP packets to stdout (SEQ, ACK, Flags, etc...).
Interesting when tracing spoofs, packet loss and other real network
debugging/checking tasks.
(if you want to log this, pipe stdout to a file)
.I "(NOT compatible with: '-i' '-v')"
.IP -d
'dump mode', shows the packets on the screen (stdout) instead of logging
into files (default). Data is printed in bytes (hex).
.I "(NOT compatible with: '-i' '-v' '-L')"
.IP -a
'dump mode', same as '-d' but outputs ASCII. Non-printable chars are
replaced by '.'.
('-d' and '-a' mix without any problem)
.I "(NOT compatible with: '-i' '-v' '-L')"
.IP "-P proto"
Specify the protocols that should be processed (default TCP). Possible
options currently are: IP, TCP, ICMP, UDP. They can be combined.
IP, ICMP and UDP info is dumped to stdout. IP gives ADDITIONAL info on the
IP wrapping around other packets; it is not necessary to specify IP for TCP
packet logging.
IP and ICMP packets are not filtered (UDP packets are as of 0.3.4).
.I "(NOT compatible with: '-i' '-v' '-L')"
.IP "-A char"
When in 'normal mode' (not '-d','-a','-i','-L'), all non-printable chars
will be replaced by
.IR char .
.I "(NOT compatible with: '-a' '-d' '-i' '-v' '-L')"
.IP "-p port"
Only checks packets going TO (!!) port
.IR port ;
0 means all ports, default is 0 (all).
.I "(NOT compatible with: '-c' '-i' '-v' '-L')"
.IP "-l sniflen"
Amount of data to log (default 300 bytes) in 'normal mode'. The first
.I sniflen
bytes of every connection are logged. Length 0 means everything is logged
(watch your disk space!).
.I "(NOT compatible with: '-i' '-v' '-L')"
.IP "-F snifdevice"
Force sniffit to use a certain network device.
.I snifdevice
can be found with
.I ifconfig
(see
.BR ifconfig (8)
).
.B sniffit
supports ethernet and PPP by default. Read
.B README.*
for info on forcing the use of other devices.
.I "(compatible with ALL options)"
.IP "-D tty"
All logging output will be sent to that device.
.I "(ONLY works with '-i')"
.IP "-M plugin"
Activate plugin number
.IR plugin .
For a list of all plugins compiled into your version, just type
.RB ' sniffit '.
Read all about plugins in the PLUGIN-HOWTO (READ IT!)
.I "(NOT compatible with: '-i' '-v')"
.IP "-L loglevel"
Use
.B sniffit
as a monitoring tool and enable loglevel
.IR loglevel .
The file for logging can be specified in the config file (see
.BR sniffit (5)
) but is
.B sniffit.log
by default.
.I "(ONLY works with '-c')"
.SH "NORMAL MODE"
The first
.I sniflen
bytes (default 300) of each connection are logged into a file
.B x.x.x.x.p-y.y.y.y.o
where 'x.x.x.x' is the sending host (port 'p') and 'y.y.y.y' the
receiving host (port 'o').
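.LP
The following shell functions are an added example for this manual, not
part of sniffit itself: they split the 'normal mode' file name convention
described above back into sender and receiver fields and count the logs of
a capture directory per receiving port, so a directory of logs can be
summarised before individual files are read. The sample file names are
constructed for the example; the functions assume plain file names with
exactly one '-' between the two endpoints.

```sh
#!/bin/sh
# Added example, not part of sniffit: work with the log file names that
# sniffit's normal mode produces, x.x.x.x.p-y.y.y.y.o (sender host.port,
# a dash, receiver host.port). Assumes plain file names without a directory
# part; the functions below and the sample names are constructed here.

# Print "sender_host sender_port receiver_host receiver_port" for one name.
sniffit_logname_parse() {
    name=$1
    src=${name%%-*}          # before the first '-': x.x.x.x.p
    dst=${name#*-}           # after it:             y.y.y.y.o
    # The port is whatever follows the last '.'; the host is the rest.
    sport=${src##*.}; shost=${src%.*}
    dport=${dst##*.}; dhost=${dst%.*}
    printf '%s %s %s %s\n' "$shost" "$sport" "$dhost" "$dport"
}

# Count the normal-mode logs in a directory per receiving port, most frequent
# first, to show which listening services saw connections during the capture.
sniffit_logdir_by_dport() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        set -- $(sniffit_logname_parse "${f##*/}")
        printf '%s\n' "$4"
    done | sort | uniq -c | sort -rn
}

# Demo on a constructed log directory (sample names invented for this example).
sniffit_logname_demo() {
    d=$(mktemp -d)
    for n in 192.168.1.10.40001-10.0.0.5.23 192.168.1.11.40002-10.0.0.5.23 \
             192.168.1.10.40003-10.0.0.6.21; do
        : > "$d/$n"
    done
    sniffit_logdir_by_dport "$d"
    rm -rf "$d"
}
```

Run
.B sniffit_logdir_by_dport
against the directory sniffit was started in; the demo function shows the
expected "count port" lines on three invented file names.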
.SH "DUMP MODE ('-d' and/or '-a')"
Output is dumped to stdout; the packet contents are shown in their
unwrapped form (the complete IP packet).
.SH "INTERACTIVE MODE ('-i')"
Keys available in interactive mode:
.IP "UP or 'k'"
self explanatory
.IP "DOWN or 'j'"
self explanatory
.IP "F1 or '1'"
Enter a host (enter 'all' for no mask) for packet filtering (host that
sends the packets)
.IP "F2 or '2'"
Enter a host (enter 'all' for no mask) for packet filtering. (host that
receives the packets)
.IP "F3 or '3'"
Enter a port (enter '0' for no mask) for packet filtering. (port on the host
that sends the packets)
.IP "F4 or '4'"
Enter a port (enter '0' for no mask) for packet filtering. (port on the host
that receives the packets)
.IP "F5 or '5'"
Start a program 'sniffit_key5' with arguments
.I "<from IP> <from port> <to IP> <to port>"
If the program doesn't exist, nothing is done. The program should be in the
same path as sniffit was STARTED FROM (not necessarily the path sniffit is
stored in). This function is useful for interactive connection killing or
extra monitoring. A little shell script can always transform the arguments
given and pass them on to other programs.
.IP "F6 or '6'"
Same as F5 or '5', but with program 'sniffit_key6'
.IP "F7 or '7'"
Same as F5 or '5', but with program 'sniffit_key7'
.IP "F8 or '8'"
Same as F5 or '5', but with program 'sniffit_key8'
.IP "ENTER"
A window will pop up and log the connection, or the connection output
will be sent to the chosen device if you used the '-D' option.
.IP "'q'"
When in logging mode, stop logging. Otherwise, quit.
.IP "'n'"
Toggle network statistics. These are sampled every 3 seconds; look in the
.B config.h
file to change this.
.IP "'g'"
.B Sniffit
is now able to generate some traffic load. Currently this is an 'underdeveloped'
feature with very few options, but it will be expanded a lot.
Currently only UDP packets are generated. When pressing 'g' you will be
asked the source/dest IP/port and how many packets need to be
transmitted.
Packets contain the line: "This Packet was fired with Sniffit!"
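.LP
The script below is an added example of the 'sniffit_key5' hook that the
F5 key description above calls for; it is not shipped with sniffit. It takes
the four arguments sniffit passes (from IP, from port, to IP, to port) and
appends a timestamped record of the selected connection to an audit file,
tagging ports 21 and 23 (the ones loglevel 12 watches) by service name, so
the keystroke becomes a quick "note this connection" action during
monitoring. SNIFFIT_KEY_LOG is an environment variable assumed by this
example only, not a sniffit setting.

```sh
#!/bin/sh
# Added example, not part of sniffit: a 'sniffit_key5' helper of the kind the
# man page describes. Interactive mode runs it as
#     sniffit_key5 <from IP> <from port> <to IP> <to port>
# This one appends a timestamped record of the selected connection to an audit
# file, tagging the destination service. SNIFFIT_KEY_LOG is an assumed
# environment variable (default ./sniffit_keys.log), not a sniffit setting.

# Name the service behind a destination port; 21 and 23 are the two the man
# page singles out (loglevel 12), everything else is reported as "other".
service_name() {
    case $1 in
        21) echo ftp ;;
        23) echo telnet ;;
        *)  echo other ;;
    esac
}

# record_connection FROM_IP FROM_PORT TO_IP TO_PORT LOGFILE
# Returns 2 on malformed input instead of writing a garbage record.
record_connection() {
    if [ "$#" -ne 5 ]; then
        echo "usage: record_connection from_ip from_port to_ip to_port logfile" >&2
        return 2
    fi
    for p in "$2" "$4"; do
        case $p in
            ''|*[!0-9]*) echo "ports must be numeric" >&2; return 2 ;;
        esac
    done
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s %s:%s -> %s:%s service=%s\n' \
        "$stamp" "$1" "$2" "$3" "$4" "$(service_name "$4")" >> "$5"
}

# Entry point when sniffit itself invokes the script with its four arguments;
# sourcing the file for its functions does nothing.
if [ "$#" -eq 4 ]; then
    record_connection "$1" "$2" "$3" "$4" "${SNIFFIT_KEY_LOG:-./sniffit_keys.log}"
fi
```

Save it as
.B sniffit_key5
in the directory sniffit is started from and make it executable; pressing F5
on a highlighted connection then appends one line per keystroke. The same
file serves as 'sniffit_key6' through 'sniffit_key8' if copied under those
names, each writing to its own log by changing SNIFFIT_KEY_LOG.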
.SH "LOGGING MODE ('-L')"
Output is saved to
.BR sniffit.log ,
unless you have specified some other name in the config file (see
.BR sniffit (5)
).
.LP
.IP "Loglevel 1 (Raw level)"
Log all SYN, FIN, RST packets. This will give you an overview of all
network (TCP) traffic in a 'RAW' way (a connection starting can give
you at least 2 SYN packets, etc...).
.IP "Loglevel 10 (Normal level)"
Same as loglevel 1 (Raw level), but a bit more intelligent. Unless packets are
transmitted multiple times because of packet loss, you will only get 1
notice of a connection starting or ending. (the packet id
will give you the host that initiated the connection first)
.IP "Loglevel 12 (Normal level)"
This option will spy on traffic concerning ports 21 and 23 on the subnet.
Yes indeed,
.B ftp
(see
.BR ftp (1)
) and
.B telnet
(see
.BR telnet (1)
). Sniffit will try to catch login and passwords
for these applications.
.IP
.B ftp
- Easy catching. Even multiple tries are registered.
.IP
.B telnet
- A bit harder. We only try to catch the first attempt, so if someone
fails the first login, you will miss his password.
A '~' in the login and password fields can be a non-printable character
(if at the beginning of a field, probably due to an early
start of registration) or a literal '~'. Interested in some tricks that made
this work? Have a look at the function 'packethandler' in the sniffit.*.c
files.
.SH "IP ICMP UDP LOGGING"
Information on these packets is dumped to stdout. Packet
filtering options only refer to TCP and UDP packets.
The contents of UDP packets are only shown when enabling '-a' or '-d'.
.SH AUTHOR
Brecht Claerhout <coder@reptile.rug.ac.be>
.SH "SEE ALSO"
.BR sniffit (5)