NAME

SYNOPSIS

DESCRIPTION

sniffit can by default handle ethernet and PPP devices, but can easily be forced into using other devices (read the README.FIRST and sn_config.h files on this subject!)

The sniffer can easily be configured in order to 'filter' the incoming packets (to make the sniffing results easier to study). The config file (see sniffit(5) ) allows you to be very specific on the packets to be processed.

sniffit also has an interactive mode for active monitoring, and can also be used for continuous monitoring on different levels.

NOTE

OPTIONS

-v

Shows the version of sniffit you are running and exits (overrides all)

-t Target-IP

Only process packets TO Target-IP. If Target-IP is in dot-nr notation, ´x' is allowed as wildcard. (e.g. '-t 157.193.x', '-t x', ...) (NOT compatible with: '-s' '-i' '-I' '-c' '-v' '-L')

-s Source-IP

Similar to '-t', only process packets FROM Source-IP. (NOT compatible with: '-t' '-i' '-I' '-c' '-v' '-L')

-b

´both' mode, together with '-s' or '-t', only process FROM/TO the IP specified by '-s' or '-t' (NOT compatible with: '-t' '-i' '-I' '-c' '-v' '-L')

-c config-file

Use config-file for the packet filtering. This allows you to be very specific on the packets to be processed (see sniffit(5) for details on the format). (NOT compatible with: '-t' '-s' '-i' '-I' '-v' '-L')

-i

Launch the ncurses interface for active monitoring ('interactive mode'). (NOT available if you compiled without INTERACTIVE support see sn_config.h and README.FIRST ) (one of the options '-t' '-s' '-i' '-I' '-c' is required) (NOT compatible with: '-t' '-s' '-c' '-v' '-L')

-I

Same as '-i', but gives you more information. (one of the options '-t' '-s' '-i' '-I' '-c' is required) (NOT compatible with: '-t' '-s' '-c' '-v' '-L')

-R <file>

Record all traffic in <file> This file can then be fed to Sniffit with the '-r' option. (Needs a selection parameter like '-c' '-t' '-s') (NOT compatible with '-i' '-I' '-v' '-L' '-r')

-r <file>

This option feeds the recorded <file> to sniffit. It requires the '-F' option with the correct device. Suppose you log a file on a machine with 'eth0'. When feeding the logged file to sniffit , you will need to add '-F eth0' or '-F eth' to the command line. It doesn't need much explanation that using '-i' or '-I' in combination with '-r' makes no sense (at this moment). (requires '-F', NOT compatible with '-R' '-i' '-I')

-n

Turn of IP checksum checking. This can show you bogus packets. (mind you ARP, RARP, other non-IP packets will show up bogus too) (compatible with ALL options)

-N

Don't perform any of the build in Sniffit functions. Useful for only running a Plugin. (compatible with ALL options)

-x

Prints extended info on TCP packets to stdout (SEQ, ACK, Flags, etc...) Interesting when tracing spoofs, packet loss and other real net debugging/checking tasks. (if you want to log this, pipe stdout to a file) (NOT compatible with: '-i' 'I' '-v')

-d

´dump mode', shows the packets on the screen (stdout) instead of logging into files (default). Data is printed in bytes (hex). (NOT compatible with: '-i' 'I' '-v' '-L')

-a

´dump mode', same of '-d' but outputs ASCII. Non printable chars are replaced by '.'. ('-d' and '-a' mix without any problem) (NOT compatible with: '-i' '-I' '-v' '-L')

-P proto

Specify the protocols that should be processed (default TCP). Possible options currently are: IP, TCP, ICMP, UDP. They can be combined. IP, ICMP, UDP info is dumped to stdout. IP gives ADDITIONAL info on the IPwrapping around other packets, it is not needed to specify IP for TCP packet logging. IP, ICMP packets are not filtered (UDP packets are as of 0.3.4). (NOT compatible with: '-i' '-I' '-v' '-L')

-A char

When in 'normal mode' (not '-d','-a','-i','-I','-L'), all non-printable chars will be replaced by char (NOT compatible with: '-a' '-d' '-i' '-I' '-v' '-L')

-p port

Only checks packets going TO (!!) port port , 0 means all ports, default is 0 (all). (NOT compatible with: '-c' '-i' '-I' '-v' '-L')

-l sniflen

Amount of data to log (default 300 bytes) in 'normal mode'. The first sniflen bytes of every connection are logged. Length 0 logs means everything. (look out with diskspace!) (NOT compatible with: '-i' '-I' '-v' '-L')

-F snifdevice

Force sniffit to use a certain network device. snifdevice can be found with ifconfig (see ifconfig(8)). sniffit supports ethernet and PPP by default. Read README.FIRST for info on forcing the use of other devices. (compatible with ALL options)

-D tty

All logging output will be send to that device. (ONLY works with '-i' and '-I')

-M plugin

Activate Plugin nr. Plugin , for a list on all plugins compiled in your version, just type ' sniffit ´. Read all about Plugins in the PLUGIN-HOWTO (READ IT!) (NOT compatible with: '-i' '-I' '-v')

-L logparam

Use sniffit as a monitoring tool and enable different logging modes ( logparam ) The File for logging can be specified in the config file (see sniffit(5) ) but is sniffit.log by default. Different logparam can be combined. (ONLY works with '-c')

NORMAL MODE

DUMP MODE ('-d' and/or '-a')

INTERACTIVE MODE ('-i' or '-I')

'UP or 'k'

self explanatory

DOWN or j'

self explanatory

F1 or '1'

Enter a host (enter 'all' for no mask) for packet filtering (host that sends the packets)

F2 or '2'

Enter a host (enter 'all' for no mask) for packet filtering. (host that receives the packets)

F3 or '3'

Enter a port (enter '0' for no mask) for packet filtering. (host that sends the packets)

F4 or '4'

Enter a port (enter '0' for no mask) for packet filtering. (host that receives the packets)

F5 or '5'

Start a program 'sniffit_key5' with arguments <from IP> <from port> <to IP> <to port> If the program doesn't exist, nothing is done. Sniffit should be in the same path as sniffit was STARTED FROM (not necessarily the path sniffit is stored in) This function is useful for interactive connection killing or extra monitoring. A little shell script can always transform the arguments given and pass them on to other programs.

F6 or '6'

Same as F5 or '5', but with program 'sniffit_key6'

F7 or '7'

Same as F5 or '5', but with program 'sniffit_key7'

F8 or '8'

Same as F5 or '5', but with program 'sniffit_key8'

ENTER

a window will pop up and log the connection, or the connection output will be send at a chosen device if you used the '-D' option.

'q'

When in logging mode, stop logging. Otherwise, quit.

'n'

Toggle netstatistics. These are sampled at 3 secs, look in the sn_config.h file to change this.

'g'

Sniffit is now able to generate some traffic load. Currently this is a 'underdevelloped' feature with very few options, but it will be expanded a lot. Currently only UDP packets are generated. When pressing 'g' you will be asked the source/dest IP/port and how much packets are needed to be transmitted. Packets contain the line: "This Packet was fired with Sniffit!

'r'

Reset.. clears all current connections from memory and restarts.

LOGGING MODE ('-L')

raw

Log all SYN, FIN, RST packets. This will give you an overview of all network (TCP) trafic in a 'RAW' way (a connection starting could gives you at least 2 SYN packets, etc...).

norm

Same as raw, but a bit more intelligent. Unless packets are transmitted multiple times because of packet loss, you will only get 1 notice of a connection starting or ending. (the packet id will give you the host that initiated the connection first)

telnet

Sniffit will try to catch login and passwords for this application. (see telnet(1) )

ftp

Sniffit will try to catch login and passwords for this application. (see ftp(1) )

mail

Sniffit will try to identify all mail that was logged.

IP ICMP UDP LOGGING

AUTHOR

SEE ALSO