sniffit(8)

NAME

   sniffit - packet sniffer and monitoring tool

SYNOPSIS

   sniffit  [-xdabvnN]  [-P  proto  ]  [-A  char  ]  [-p  port  ] [(-r|-R)
   recordfile ] [-l sniflen ] [-L logparam ] [-F snifdevice ]  [-D  tty  ]
   [-M plugin ] [(-t Target-IP | -s Source-IP ) | (-i|-I) | -c config-file
   ]

DESCRIPTION

   sniffit is a packet sniffer for TCP/UDP/ICMP packets.  sniffit is  able
   to  give  you  very detailed technical info on these packets (SEQ, ACK,
   TTL, Window, ...) but also packet contents in different formats (hex or
   plain text, ...).

   sniffit  can by default handle ethernet and PPP devices, but can easily
   be  forced  into  using  other  devices  (read  the  README.FIRST   and
   sn_config.h files on this subject!)

   The  sniffer can easily be configured in order to 'filter' the incoming
   packets (to make the sniffing results easier to study). The config file
   (see  sniffit(5)  ) allows you to be very specific on the packets to be
   processed.

   sniffit also has an interactive mode for  active  monitoring,  and  can
   also be used for continuous monitoring on different levels.

NOTE

   This man page is supposed to be a reference manual. So please  read
   README.FIRST first, and use this only for better understanding or for a
   quick check on the use of sniffit.

OPTIONS

   -v     Shows   the  version  of  sniffit  you  are  running  and  exits
          (overrides all)

   -t Target-IP
          Only process packets TO Target-IP. If Target-IP is in dot-nr
          notation, 'x' is allowed as a wildcard (e.g. '-t 157.193.x',
          '-t x', ...).  (NOT compatible with: '-s' '-i' '-I' '-c' '-v' '-L')

   -s Source-IP
          Similar to '-t', only  process  packets  FROM  Source-IP.   (NOT
          compatible with: '-t' '-i' '-I' '-c' '-v' '-L')

   -b     'both' mode, together with '-s' or '-t': only process packets
          FROM/TO the IP specified by '-s' or '-t'.  (NOT compatible with:
          '-t' '-i' '-I' '-c' '-v' '-L')

   -c config-file
          Use  config-file for the packet filtering. This allows you to be
          very specific on the packets to be processed (see sniffit(5) for
          details  on  the  format).  (NOT compatible with: '-t' '-s' '-i'
          '-I' '-v' '-L')

   -i     Launch the ncurses interface for active monitoring ('interactive
          mode').  (NOT available if you compiled without INTERACTIVE
          support; see sn_config.h and README.FIRST) (one of the options
          '-t' '-s' '-i' '-I' '-c' is required) (NOT compatible with: '-t'
          '-s' '-c' '-v' '-L')

   -I     Same as '-i', but gives  you  more  information.   (one  of  the
          options  '-t'  '-s'  '-i' '-I' '-c' is required) (NOT compatible
          with: '-t' '-s' '-c' '-v' '-L')

   -R <file>
          Record all traffic in <file>.  This file can then be fed to
          sniffit with the '-r' option.  (Needs a selection parameter like
          '-c' '-t' '-s') (NOT compatible with '-i' '-I' '-v' '-L' '-r')

   -r <file>
          This option feeds the recorded <file> to sniffit.  It requires
          the '-F' option with the correct device. Suppose you record a
          file on a machine with 'eth0'. When feeding the recorded file to
          sniffit, you will need to add '-F eth0' or '-F eth' to the
          command line. It doesn't need much explanation that using '-i'
          or '-I' in combination with '-r' makes no sense (at this
          moment).  (requires '-F', NOT compatible with '-R' '-i' '-I')

   -n     Turn off IP checksum checking. This can show you bogus packets.
          (mind you, ARP, RARP and other non-IP packets will show up as
          bogus too) (compatible with ALL options)

   -N     Don't perform any of the built-in sniffit functions. Useful for
          only running a plugin.  (compatible with ALL options)

   -x     Prints extended info on TCP packets to stdout (SEQ, ACK, Flags,
          etc.).  Interesting when tracing spoofs, packet loss and other
          real net debugging/checking tasks.  (if you want to log this,
          pipe stdout to a file) (NOT compatible with: '-i' '-I' '-v')

   -d     'dump mode', shows the packets on the screen (stdout) instead of
          logging into files (the default). Data is printed in bytes (hex).
          (NOT compatible with: '-i' '-I' '-v' '-L')

   -a     'dump mode', same as '-d' but outputs ASCII. Non-printable chars
          are replaced by '.'.  ('-d' and '-a' mix without any problem)
          (NOT compatible with: '-i' '-I' '-v' '-L')

   -P proto
          Specify the protocols that should be processed (default TCP).
          Possible options currently are: IP, TCP, ICMP, UDP. They can be
          combined.  IP, ICMP and UDP info is dumped to stdout.  IP gives
          ADDITIONAL info on the IP wrapping around other packets; you do
          not need to specify IP for TCP packet logging.  IP and ICMP
          packets are not filtered (UDP packets are as of 0.3.4).  (NOT
          compatible with: '-i' '-I' '-v' '-L')

   -A char
          When in 'normal mode' (not '-d','-a','-i','-I','-L'),  all  non-
          printable  chars  will be replaced by char (NOT compatible with:
          '-a' '-d' '-i' '-I' '-v' '-L')

   -p port
          Only check packets going TO (!!) port port; 0 means all ports,
          default is 0 (all).  (NOT compatible with: '-c' '-i' '-I' '-v'
          '-L')

   -l sniflen
          Amount of data to log (default 300 bytes) in 'normal mode'.  The
          first sniflen bytes of every connection are logged. Length 0
          means log everything (watch your disk space!).  (NOT compatible
          with: '-i' '-I' '-v' '-L')

   -F snifdevice
          Force  sniffit  to use a certain network device.  snifdevice can
          be found with  ifconfig  (see  ifconfig(8)).   sniffit  supports
          ethernet  and  PPP  by  default.  Read  README.FIRST for info on
          forcing the use of other devices.  (compatible with ALL options)

   -D tty All logging output will be sent to that device.  (ONLY works
          with '-i' and '-I')

   -M plugin
          Activate plugin number plugin. For a list of all plugins compiled
          into your version, just type 'sniffit'. Read all about plugins
          in the PLUGIN-HOWTO (READ IT!)  (NOT compatible with: '-i' '-I'
          '-v')

   -L logparam
          Use sniffit as a monitoring tool and enable different logging
          modes (logparam). The file for logging can be specified in the
          config file (see sniffit(5)) but is sniffit.log by default.
          Different logparam values can be combined.  (ONLY works with '-c')

NORMAL MODE

   The first sniflen bytes (default 300) of each connection are logged
   into a file x.x.x.x.p-y.y.y.y.o where 'x.x.x.x' is the sending host
   (port 'p') and 'y.y.y.y' the receiving host (port 'o').
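   Because both the address and the port in these file names are dot-separated,
   each half has to be split at its last dot. The following POSIX shell helper
   is an added example (not part of sniffit or this manual): it parses the
   x.x.x.x.p-y.y.y.y.o names back into the four-tuple and counts, per
   destination port, how many connections a capture directory holds, so you
   can see at a glance which services' first bytes were recorded. The file
   names are constructed sample data.

```shell
# parse_logname NAME : split a normal-mode log file name x.x.x.x.p-y.y.y.y.o
# into "src_ip src_port dst_ip dst_port". Returns 1 for names that are not
# in that form (e.g. sniffit.log). Any directory prefix is ignored.
parse_logname() {
    name=${1##*/}
    # Require at least four dots on each side of the single '-'.
    case "$name" in
        *.*.*.*.*-*.*.*.*.*) ;;
        *) return 1 ;;
    esac
    src=${name%%-*}          # x.x.x.x.p
    dst=${name#*-}           # y.y.y.y.o
    # Cut each half at its LAST dot: IP before it, port after it.
    printf '%s %s %s %s\n' "${src%.*}" "${src##*.}" "${dst%.*}" "${dst##*.}"
}

# summarize_by_dst_port : read log file names on stdin (one per line) and
# print "count dst_port" lines, most frequent first. Non-matching names
# such as sniffit.log are skipped.
summarize_by_dst_port() {
    while IFS= read -r name; do
        parse_logname "$name" || continue
    done | awk '{ print $4 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Constructed sample listing of a capture directory (not real traffic).
SAMPLE_LOGNAMES='10.0.0.5.40123-10.0.0.9.23
10.0.0.6.40124-10.0.0.9.23
10.0.0.7.40125-10.0.0.9.23
10.0.0.5.40126-10.0.0.9.21
10.0.0.8.40127-10.0.0.10.21
10.0.0.5.40128-10.0.0.11.110
sniffit.log'

# Stand-alone run: prints "3 23", "2 21", "1 110" for the sample above.
printf '%s\n' "$SAMPLE_LOGNAMES" | summarize_by_dst_port
```

   To use it on a real capture directory, replace the sample with
   `ls /path/to/captures | summarize_by_dst_port`.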

DUMP MODE ('-d' and/or '-a')

   Output is dumped to stdout; the packet contents are shown in their
   unwrapped form (the complete IP packet).

INTERACTIVE MODE ('-i' or '-I')

   Keys available in interactive mode:

   UP or 'k'
          self explanatory

   DOWN or 'j'
          self explanatory

   F1 or '1'
          Enter a host (enter 'all' for  no  mask)  for  packet  filtering
          (host that sends the packets)

   F2 or '2'
          Enter  a  host  (enter  'all' for no mask) for packet filtering.
          (host that receives the packets)

   F3 or '3'
          Enter a port (enter '0' for no mask) for packet filtering. (port
          of the host that sends the packets)

   F4 or '4'
          Enter a port (enter '0' for no mask) for packet filtering. (port
          of the host that receives the packets)

   F5 or '5'
          Start a program 'sniffit_key5' with arguments <from IP> <from
          port> <to IP> <to port>. If the program doesn't exist, nothing is
          done. 'sniffit_key5' should be in the path sniffit was STARTED
          FROM (not necessarily the path sniffit is stored in). This
          function is useful for interactive connection killing or extra
          monitoring. A little shell script can always transform the
          arguments given and pass them on to other programs.

   F6 or '6'
          Same as F5 or '5', but with program 'sniffit_key6'

   F7 or '7'
          Same as F5 or '5', but with program 'sniffit_key7'

   F8 or '8'
          Same as F5 or '5', but with program 'sniffit_key8'

   ENTER  a window will pop up and log the connection, or the connection
          output will be sent to the chosen device if you used the '-D'
          option.

   'q'    When in logging mode, stop logging. Otherwise, quit.

   'n'    Toggle netstatistics. These are sampled every 3 seconds; look in
          the sn_config.h file to change this.

   'g'    Sniffit is now able to generate some traffic load. Currently
          this is an 'underdeveloped' feature with very few options, but
          it will be expanded a lot.  Currently only UDP packets are
          generated. When pressing 'g' you will be asked the source/dest
          IP/port and how many packets should be transmitted.  Packets
          contain the line: "This Packet was fired with Sniffit!"

   'r'    Reset: clears all current connections from memory and restarts.
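   The F5-F8 hooks hand a connection tuple to an external program, and the
   manual notes that a small shell script can transform those arguments and
   pass them on. The script below is an added example (not part of sniffit or
   this manual) of a 'sniffit_key5' that, instead of killing the connection,
   validates the four arguments and appends a timestamped audit record, so an
   analyst can mark a connection of interest from the interactive screen. The
   log file name and the SNIFFIT_MARKS variable are assumptions of this
   example, not sniffit settings.

```shell
#!/bin/sh
# Hypothetical 'sniffit_key5' hook (added example, not sniffit's own code).
# sniffit runs it as:  sniffit_key5 <from IP> <from port> <to IP> <to port>

# is_ipv4 A.B.C.D : succeed only for four decimal octets each in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# is_port N : succeed for a decimal TCP/UDP port number in 0..65535.
is_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -le 65535 ]
}

# record_connection FROM_IP FROM_PORT TO_IP TO_PORT LOGFILE
# Checks the tuple before it is used anywhere (so only well-formed addresses
# and ports ever reach other programs or the log) and appends one
# timestamped line to LOGFILE. Returns 0 on success, 1 on a bad argument.
record_connection() {
    from_ip=$1; from_port=$2; to_ip=$3; to_port=$4; logfile=$5
    is_ipv4 "$from_ip" && is_port "$from_port" &&
        is_ipv4 "$to_ip" && is_port "$to_port" || return 1
    printf '%s marked %s:%s -> %s:%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$from_ip" "$from_port" "$to_ip" "$to_port" >> "$logfile"
}

# Entry point when invoked by sniffit: exactly four arguments arrive.
# SNIFFIT_MARKS (assumed name) lets the operator choose the audit file.
if [ $# -eq 4 ]; then
    record_connection "$1" "$2" "$3" "$4" "${SNIFFIT_MARKS:-sniffit_marks.log}"
fi
```

   Save it as 'sniffit_key5' (executable) in the directory you start sniffit
   from; pressing F5 on a selected connection then appends one line such as
   "2024-01-01T12:00:00Z marked 10.0.0.5:40123 -> 10.0.0.9:23".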

LOGGING MODE ('-L')

   Output is saved to sniffit.log, unless you have specified some other
   name in the config file (see sniffit(5)).

   raw    Log all SYN, FIN, RST packets. This will give you an overview of
          all network (TCP) traffic in a 'RAW' way (a connection starting
          could give you at least 2 SYN packets, etc.).

   norm   Same as raw, but a bit more intelligent. Unless packets are
          transmitted multiple times because of packet loss, you will only
          get 1 notice of a connection starting or ending. (the packet id
          will tell you which host initiated the connection)

   telnet Sniffit will try to catch logins and passwords for this
          application. (see telnet(1))

   ftp    Sniffit will try to catch logins and passwords for this
          application. (see ftp(1))

   mail   Sniffit will try to identify all mail that was logged.

IP ICMP UDP LOGGING

   Information on these packets is dumped to stdout. Packet filtering
   options only apply to TCP and UDP packets. The contents of UDP packets
   are only shown when enabling '-a' or '-d'.

AUTHOR

   Brecht Claerhout <[email protected]>

SEE ALSO

   sniffit(5)

                                                                SNIFFIT(8)
