------[ The Sniffit-FAQ V.0.2]------------------------------------------------
As the same questions keep popping up in my mailbox, I decided to write a
Sniffit-FAQ.
------[ The Questions ]-------------------------------------------------------
1. 'sniffit -i' doesn't work. It says unknown option.
1.b. I'm sure I have NCURSES, but I still have that problem!
2. I can only see packets to/from my own computer, what is wrong? (BTW:
I'm on PPP).
3. I have e.g. two ethernet cards, but 'sniffit -F /dev/eth1' doesn't work,
why?
4. How can I find the device names?
5. Why can't my LINUX capture packets?
6. Why can't my BSD style system capture packets?
------[ The Answers ]---------------------------------------------------------
1. 'sniffit -i' doesn't work. It says unknown option.
Prior to 0.3.5 you had to configure Sniffit manually, that was a drag,
so I made it configure itself. Problem now is that it is too automatic.
When running the 'configure' script, it looks for 'ncurses' (which is
needed for the interactive mode); when it does not find 'ncurses', it
just excludes interactive mode, so '-i' becomes an unknown option.
Solution: if you haven't got 'ncurses', install it (to be found at any
sunsite mirror). If you are sure you have it, well, it probably isn't
in the right directories, maybe use some symbolic links.
These are the dirs 'configure' looks in:
/usr/include:/usr/include/ncurses:/usr/include/curses
/usr/local/include:/usr/local/include/ncurses:
/usr/local/include/curses
and as of 0.3.6 Sniffit also looks in:
./:./ncurses
(BTW: it looks for a file 'ncurses.h')
1.b. I'm sure I have NCURSES, but I still have that problem!
Sometimes you have NCURSES, but no 'ncurses.h' file. Simple, just link
(soft) 'ncurses.h' to 'curses.h'.
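The following shell snippet is an added example, not part of this FAQ or of
the Sniffit sources. It reproduces the header search described in answers 1
and 1.b, so you can see which directory 'configure' would find 'ncurses.h'
in, and it prints the symlink command from answer 1.b when only 'curses.h'
is present. The function names and the colon-separated directory list are
assumptions of this example; the directories themselves are the ones quoted
above.

```shell
#!/bin/sh
# Added example: emulate the 'ncurses.h' search described in the FAQ.

# Directories listed in answers 1 (0.3.5) and 1 (0.3.6), colon-separated.
NCURSES_SEARCH_DIRS='/usr/include:/usr/include/ncurses:/usr/include/curses:/usr/local/include:/usr/local/include/ncurses:/usr/local/include/curses:.:./ncurses'

# find_header NAME [DIRLIST]
# Prints the first DIR/NAME that exists and returns 0; returns 1 if none.
find_header() {
    name=$1
    dirs=${2:-$NCURSES_SEARCH_DIRS}
    oldifs=$IFS
    IFS=:
    for d in $dirs; do
        if [ -f "$d/$name" ]; then
            IFS=$oldifs
            printf '%s\n' "$d/$name"
            return 0
        fi
    done
    IFS=$oldifs
    return 1
}

# ncurses_status [DIRLIST]
# Reports one of:
#   found <path>      - 'ncurses.h' is where 'configure' looks
#   link-needed: ...  - only 'curses.h' exists (answer 1.b); prints the ln -s
#   missing           - neither header found; install ncurses (answer 1)
ncurses_status() {
    dirs=${1:-$NCURSES_SEARCH_DIRS}
    if hdr=$(find_header ncurses.h "$dirs"); then
        printf 'found %s\n' "$hdr"
        return 0
    fi
    if hdr=$(find_header curses.h "$dirs"); then
        printf 'link-needed: ln -s %s %s\n' "$hdr" "$(dirname "$hdr")/ncurses.h"
        return 2
    fi
    printf 'missing\n'
    return 1
}

# Usage: run with no argument to check the FAQ's default directories.
# ncurses_status
```

Run 'ncurses_status' with no argument to check the default directories; the
exit status (0 found, 2 link needed, 1 missing) can be used from a wrapper
script before running 'configure'.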
2. I can only see packets to/from my own computer, what is wrong? (BTW:
I'm on PPP)
PPP: Point to Point connection.
By definition, this protocol will only carry packets that contain
information for the connected computer.
As a consequence, on your side you see only things that go to/come
from your computer, so Sniffit works fine.
To see traffic of whole subnets, you need protocols like ethernet (the
coax cable).
3. I have e.g. two ethernet cards, but 'sniffit -F /dev/eth1' doesn't work,
why?
Don't put any path in front of the devices. These names aren't even
listed in /dev/.
The correct line would be: 'sniffit -F eth1'
4. How can I find the device names?
Well in case Sniffit doesn't find the correct name itself, you will
have to find it, and use the '-F' parameter.
The devices can be found by using the 'ifconfig' or 'route' commands.
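The following shell snippet is an added example, not part of this FAQ or of
Sniffit itself. It ties answers 2, 3 and 4 together: it strips a '/dev/'
prefix from a device argument, checks the bare name against the interfaces
that 'ifconfig -a' lists, and reports the link type so a PPP device (where
only your own traffic is visible) is obvious before you start sniffing. The
'ifconfig' output embedded below is a constructed sample in the classic
Linux layout; the function names are this example's own.

```shell
#!/bin/sh
# Added example: derive the name for 'sniffit -F' from ifconfig output.

# Constructed sample of 'ifconfig -a' output (not captured from a real
# host). A real run would feed:  ifconfig -a | interface_names
SAMPLE_IFCONFIG='lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
eth0      Link encap:Ethernet  HWaddr 00:00:00:00:00:01
          inet addr:10.0.0.2  Bcast:10.0.0.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:00:00:00:02
ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.255'

# interface_names: read ifconfig output on stdin, print one name per line.
# Each interface block starts in column 1; continuation lines are indented.
interface_names() {
    awk '/^[^[:space:]]/ { print $1 }'
}

# strip_dev_prefix ARG: remove a leading /dev/, which answer 3 says must
# not be passed to -F (the names are not in /dev/ at all).
strip_dev_prefix() {
    printf '%s\n' "${1#/dev/}"
}

# sniffit_device ARG [IFCONFIG_OUTPUT]: print the bare name to pass to
# 'sniffit -F' if ARG names a known interface; otherwise return 1.
sniffit_device() {
    name=$(strip_dev_prefix "$1")
    out=${2:-$(ifconfig -a 2>/dev/null)}
    if printf '%s\n' "$out" | interface_names | grep -qx "$name"; then
        printf '%s\n' "$name"
        return 0
    fi
    printf 'unknown interface: %s\n' "$name" >&2
    return 1
}

# link_encap NAME [IFCONFIG_OUTPUT]: print the 'Link encap:' value for NAME.
# "Point-to-Point Protocol" means answer 2 applies: only your host's packets.
link_encap() {
    out=${2:-$(ifconfig -a 2>/dev/null)}
    printf '%s\n' "$out" | awk -v n="$1" \
        '$1 == n { sub(/.*Link encap:/, ""); sub(/[ \t]+HWaddr.*/, ""); print; exit }'
}

# Usage against the constructed sample:
#   sniffit_device /dev/eth1 "$SAMPLE_IFCONFIG"   -> eth1
#   link_encap ppp0 "$SAMPLE_IFCONFIG"            -> Point-to-Point Protocol
```

Without a second argument the functions read the live 'ifconfig -a' output,
so 'sniffit -F "$(sniffit_device "$1")"' in a wrapper script gives the
corrected command line from answer 3 whether or not the user typed '/dev/'.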
5. Why can't my LINUX capture packets?
You should upgrade the kernel.
Normally Sniffit should work on all kernels older than 2.0.0.
But I advise using a kernel older than 2.0.25.
(You could also downgrade the libpcap version to that used with
Sniffit 0.3.3 if all else fails.)
6. Why can't my BSD style system capture packets?
You should recompile your kernel with BPF support.
------[ The End ]-------------------------------------------------------------