SNIFFIT(8)					       SNIFFIT(8)


NAME
       sniffit - packet sniffer and monitoring tool


SYNOPSIS
       sniffit [-xdabvnN] [-P proto] [-A char] [-p port]
       [(-r|-R) recordfile] [-l sniflen] [-L logparam] [-F
       snifdevice] [-D tty] [-M plugin] [(-t Target-IP | -s
       Source-IP) | (-i|-I) | -c config-file]


DESCRIPTION
       sniffit is a packet sniffer for TCP/UDP/ICMP packets.
       sniffit is able to give you very detailed technical info
       on these packets (SEQ, ACK, TTL, Window, ...) but also
       packet contents in different formats (hex or plain text,
       ...).

       sniffit can by default handle ethernet and PPP devices,
       but can easily be forced into using other devices (read
       the README.FIRST and sn_config.h files on this subject!)

       The sniffer can easily be configured in order to 'filter'
       the incoming packets (to make the sniffing results easier
       to study). The config file (see sniffit(5)) allows you to
       be very specific on the packets to be processed.

       sniffit also has an interactive mode for active
       monitoring, and can also be used for continuous
       monitoring on different levels.


NOTE
       This man page is supposed to be a reference manual. So
       please read README.FIRST first, and use this only for
       better understanding or for a quick check on the use of
       sniffit.


OPTIONS
       -v     Shows the version of sniffit you are running and
              exits (overrides all)


       -t Target-IP
              Only process packets TO Target-IP. If Target-IP is
              in dot-nr notation, (NOT compatible with: '-s' '-i'
              '-I' '-c' '-v' '-L')


       -s Source-IP
              Similar to '-t', only process packets FROM
              Source-IP. (NOT compatible with: '-t' '-i' '-I'
              '-c' '-v' '-L')



       -b     specified by '-s' or '-t' (NOT compatible with:
              '-t' '-i' '-I' '-c' '-v' '-L')


       -c config-file
              Use config-file for the packet filtering. This
              allows you to be very specific on the packets to be
              processed (see sniffit(5) for details on the
              format). (NOT compatible with: '-t' '-s' '-i' '-I'
              '-v' '-L')


       -i     Launch the ncurses interface for active monitoring
              ('interactive mode'). (NOT available if you
              compiled without INTERACTIVE support, see
              sn_config.h and README.FIRST) (one of the options
              '-t' '-s' '-i' '-I' '-c' is required) (NOT
              compatible with: '-t' '-s' '-c' '-v' '-L')


       -I     Same as '-i', but gives you more information. (one
              of the options '-t' '-s' '-i' '-I' '-c' is
              required) (NOT compatible with: '-t' '-s' '-c' '-v'
              '-L')


       -R <file>
              Record all traffic in <file> (Needs a selection
              parameter like '-c' '-t' '-s') (NOT compatible with
              '-i' '-I' '-v' '-L' '-r')


       -r <file>
              This option feeds the recorded <file> to sniffit.
              It requires the '-F' option with the correct
              device. Suppose you log a file on a machine with
              'eth0'. When feeding the logged file to sniffit,
              you will need to add '-F eth0' or '-F eth' to the
              command line. It doesn't need much explanation that
              using '-i' or '-I' in combination with '-r' makes
              no sense (at this moment). (requires '-F', NOT
              compatible with '-R' '-i' '-I')


       -n     Turn off IP checksum checking. This can show you
              bogus packets. (mind you, ARP, RARP and other
              non-IP packets will show up bogus too) (compatible
              with ALL options)


       -N     Don't perform any of the built-in Sniffit
              functions. Useful for only running a Plugin.
              (compatible with ALL options)



       -x     Prints extended info on TCP packets to stdout (SEQ,
              ACK, Flags, etc.). Interesting when tracing spoofs,
              packet loss and other real net debugging/checking
              tasks. (if you want to log this, pipe stdout to a
              file) (NOT compatible with: '-i' '-I' '-v')


       -d     into files (default). Data is printed in bytes
              (hex). (NOT compatible with: '-i' '-I' '-v' '-L')


       -a     replaced by '.'. ('-d' and '-a' mix without any
              problem) (NOT compatible with: '-i' '-I' '-v' '-L')


       -P proto
              Specify the protocols that should be processed
              (default TCP). Possible options currently are: IP,
              TCP, ICMP, UDP. They can be combined. IP, ICMP and
              UDP info is dumped to stdout. IP gives ADDITIONAL
              info on the IP wrapping around other packets; it is
              not needed to specify IP for TCP packet logging.
              IP and ICMP packets are not filtered (UDP packets
              are as of 0.3.4). (NOT compatible with: '-i' '-I'
              '-v' '-L')


       -A char
              When in 'normal mode' (not '-d', '-a', '-i', '-I',
              '-L'), all non-printable chars will be replaced by
              char (NOT compatible with: '-a' '-d' '-i' '-I' '-v'
              '-L')


       -p port
              Only checks packets going TO (!!) port port; 0
              means all ports, default is 0 (all). (NOT
              compatible with: '-c' '-i' '-I' '-v' '-L')


       -l sniflen
              Amount of data to log (default 300 bytes) in
              'normal mode'. The first sniflen bytes of every
              connection are logged. Length 0 means log
              everything. (look out with diskspace!) (NOT
              compatible with: '-i' '-I' '-v' '-L')


       -F snifdevice
              Force sniffit to use a certain network device.
              snifdevice can be found with ifconfig (see
              ifconfig(8)). sniffit supports ethernet and PPP by
              default. Read README.FIRST for info on forcing the
              use of other devices. (compatible with ALL
              options)


       -D tty All logging output will be sent to that device.
              (ONLY works with '-i' and '-I')


       -M plugin
              Activate Plugin nr. Plugin, for a list on all
              plugins compiled in your version, just type
              'sniffit (NOT compatible with: '-i' '-I' '-v')


       -L logparam
              Use sniffit as a monitoring tool and enable
              different logging modes (logparam). The file for
              logging can be specified in the config file (see
              sniffit(5)) but is sniffit.log by default.
              Different logparam can be combined. (ONLY works
              with '-c')


NORMAL MODE
       A bunch of sniflen initial bytes (default 300) of each
       connection is logged into a file x.x.x.x.p-y.y.y.y.o where
       'x.x.x.x' is the sending host (port 'p') and 'y.y.y.y' the
       receiving host (port 'o').


DUMP MODE ('-d' and/or '-a')
       Output is dumped to stdout, the packet contents are shown
       in their unwrapped form (the complete IP packet).


INTERACTIVE MODE ('-i' or '-I')
       Keys available in interactive mode:

       UP or 'k'
              self explanatory

       DOWN or 'j'
              self explanatory

       F1 or '1'
	      Enter a host (enter 'all' for no mask)  for  packet
	      filtering (host that sends the packets)

       F2 or '2'
	      Enter  a	host (enter 'all' for no mask) for packet
	      filtering. (host that receives the packets)

       F3 or '3'
	      Enter a port (enter '0' for  no  mask)  for  packet
	      filtering. (host that sends the packets)

       F4 or '4'
	      Enter  a	port  (enter  '0' for no mask) for packet
	      filtering. (host that receives the packets)

       F5 or '5'
              Start a program 'sniffit_key5' with arguments <from
              IP> <from port> <to IP> <to port>. If the program
              doesn't exist, nothing is done. 'sniffit_key5'
              should be in the same path as sniffit was STARTED
              FROM (not necessarily the path sniffit is stored
              in). This function is useful for interactive
              connection killing or extra monitoring. A little
              shell script can always transform the arguments
              given and pass them on to other programs.

       F6 or '6'
	      Same as F5 or '5', but with program 'sniffit_key6'

       F7 or '7'
	      Same as F5 or '5', but with program 'sniffit_key7'

       F8 or '8'
	      Same as F5 or '5', but with program 'sniffit_key8'

       ENTER  a window will pop up and log the connection, or the
              connection output will be sent to a chosen device
              if you used the '-D' option.

       'q'    When in  logging	mode,  stop  logging.  Otherwise,
	      quit.

       'n'    Toggle  netstatistics. These are sampled at 3 secs,
	      look in the sn_config.h file to change this.

       'g'    Sniffit is now able to generate some traffic load.
              Currently this is an 'underdeveloped' feature with
              very few options, but it will be expanded a lot.
              Currently only UDP packets are generated. When
              pressing 'g' you will be asked the source/dest
              IP/port and how many packets need to be
              transmitted. Packets contain the line: "This
              Packet was fired with Sniffit!"

       'r'    Reset..  clears all current connections from memory
	      and restarts.
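       The two naming conventions above are easy to mishandle
       from a script: the x.x.x.x.p-y.y.y.y.o file names that
       NORMAL MODE writes, and the four arguments <from IP>
       <from port> <to IP> <to port> that F5 hands to
       'sniffit_key5'. The sh script below is an added example,
       not part of sniffit or its author's code. It parses
       normal-mode capture names and summarises them per
       receiving host:port, and it shows a 'sniffit_key5' hook
       that validates its four arguments before recording them
       and passing them on to another program. SNIFFIT_KEY5_LOG,
       SNIFFIT_KEY5_NEXT and KEY5_NOW are names assumed by this
       example, not sniffit settings; the sample file names are
       constructed.

```sh
#!/bin/sh
# Added example; not part of sniffit.  Helpers around sniffit's connection
# naming: parse_sniffit_name / summarise_sniffit_dir for normal-mode file
# names (x.x.x.x.p-y.y.y.y.o), and a 'sniffit_key5' hook that validates the
# <from IP> <from port> <to IP> <to port> arguments F5 passes in.
# SNIFFIT_KEY5_LOG, SNIFFIT_KEY5_NEXT and KEY5_NOW are assumed names.

# True when $1 is a dotted quad: only digits and dots, exactly three dots.
is_dotted_quad() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;   # empty, or a non-digit/non-dot character
        *.*.*.*.*)    return 1 ;;   # four or more dots
        *.*.*.*)      return 0 ;;
        *)            return 1 ;;
    esac
}

# True when $1 is a decimal port number in 0..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# Split one normal-mode file name into "src_ip src_port dst_ip dst_port".
# Fails (status 1) for anything that does not have that layout.
parse_sniffit_name() {
    name=${1##*/}                         # drop any directory part
    left=${name%%-*}                      # sending host + port
    right=${name#*-}                      # receiving host + port
    [ "$left" != "$name" ] || return 1    # no '-' separator at all
    src_ip=${left%.*};  src_port=${left##*.}
    dst_ip=${right%.*}; dst_port=${right##*.}
    is_dotted_quad "$src_ip" && is_port "$src_port" &&
    is_dotted_quad "$dst_ip" && is_port "$dst_port" || return 1
    printf '%s %s %s %s\n' "$src_ip" "$src_port" "$dst_ip" "$dst_port"
}

# Read file names (one per line on stdin) and print "count dst_ip:dst_port",
# most frequent first; names that do not parse are skipped.
summarise_sniffit_dir() {
    while IFS= read -r f; do
        parse_sniffit_name "$f" || :
    done | awk '{ n[$3 ":" $4]++ } END { for (k in n) print n[k], k }' | sort -rn
}

AUDIT_LOG=${SNIFFIT_KEY5_LOG:-./sniffit_key5.log}   # assumed location

# Build the audit record for the four hook arguments.  Fails on bad input so
# that nothing unvalidated is written or handed to another program.
key5_record() {
    [ $# -eq 4 ] || return 1
    is_dotted_quad "$1" && is_port "$2" &&
    is_dotted_quad "$3" && is_port "$4" || return 1
    printf '%s from=%s:%s to=%s:%s\n' \
        "${KEY5_NOW:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}" "$1" "$2" "$3" "$4"
}

sniffit_key5_main() {
    rec=$(key5_record "$@") || {
        printf 'sniffit_key5: rejected arguments: %s\n' "$*" >&2
        exit 2
    }
    printf '%s\n' "$rec" >> "$AUDIT_LOG"
    # Optional follow-up program receives the validated pair as host:port.
    [ -z "${SNIFFIT_KEY5_NEXT:-}" ] || "$SNIFFIT_KEY5_NEXT" "$1:$2" "$3:$4"
}

# Only dispatch when installed under the name sniffit looks for.
case "${0##*/}" in sniffit_key5) sniffit_key5_main "$@" ;; esac
```

       Install the script as 'sniffit_key5' in the directory
       sniffit is started from; the summary helper is meant to be
       fed with 'ls' output from the directory where normal mode
       writes its files. The validation matters because the
       values come straight from observed traffic, so the hook
       should never pass them to another program unchecked.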


LOGGING MODE ('-L')
       Output is saved to sniffit.log , unless you have specified
       some other name in the config file (see sniffit(5) ).


       raw    Log all SYN, FIN, RST packets. This will give you
              an overview of all network (TCP) traffic in a 'RAW'
              way (a connection starting could give you at least
              2 SYN packets, etc...).

       norm   Same as raw, but a bit more intelligent. Unless
              packets are transmitted multiple times because of
              packet loss, you will only get 1 notice of a
              connection starting or ending. (the packet id will
              give you the host that initiated the connection
              first)

       telnet Sniffit  will  try to catch login and passwords for
	      this application. (see telnet(1) )

       ftp    Sniffit will try to catch login and  passwords  for
	      this application.	 (see ftp(1) )

       mail   Sniffit  will  try  to  identify	all mail that was
	      logged.


IP ICMP UDP LOGGING
       Information on these packets is dumped to stdout. Packet
       filtering options only refer to TCP and UDP packets. The
       contents of UDP packets are only shown when enabling '-a'
       or '-d'.


AUTHOR
       Brecht Claerhout <coder@reptile.rug.ac.be>


SEE ALSO
       sniffit(5)

