├── .github └── workflows │ └── full-check.yml ├── .gitignore ├── AUTHORS ├── CHANGELOG ├── CONTRIBUTING.md ├── CREDITS ├── LICENSE ├── Makefile.am ├── README.md ├── autogen.sh ├── configure.ac ├── docs ├── PLUGIN-HOWTO ├── README.FIRST ├── UPDATE-CHECK ├── old-docs │ └── BETA-TESTING └── sniffit-FAQ ├── examples └── sample_config_file ├── man ├── sniffit.5 └── sniffit.8 └── src ├── Makefile.am ├── dns_plugin.plug ├── dummy_plugin.plug ├── sn_analyse.c ├── sn_cfgfile.c ├── sn_cfgfile.h ├── sn_config.h ├── sn_conn_desc.c ├── sn_curses.h ├── sn_data.h ├── sn_defines.h ├── sn_generation.c ├── sn_generation.h ├── sn_global.h ├── sn_interface.c ├── sn_interface.h ├── sn_logfile.c ├── sn_logfile.h ├── sn_packets.c ├── sn_packets.h ├── sn_packetstructs.h ├── sn_plugins.h ├── sn_resolv.c ├── sn_resolv.h ├── sn_structs.h ├── sniffit.c └── sniffit.h /.github/workflows/full-check.yml: -------------------------------------------------------------------------------- 1 | name: full-check 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | build: 7 | 8 | runs-on: ubuntu-latest 9 | 10 | steps: 11 | - uses: actions/checkout@v2 12 | - name: install_dependencies 13 | run: sudo apt install libncurses5-dev libpcap-dev 14 | - name: first_build 15 | run: | 16 | ./autogen.sh 17 | ./configure 18 | make 19 | sudo make install 20 | sudo make uninstall 21 | make distclean 22 | - name: second_build 23 | run: | 24 | ./autogen.sh 25 | ./configure 26 | make 27 | sudo make install 28 | - name: run_program 29 | run: | 30 | sudo sniffit 31 | 32 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | /src/*.o 3 | /src/.deps/ 4 | /src/sniffit 5 | /src/Makefile.in 6 | /src/Makefile 7 | /autom4te.cache/ 8 | /Makefile.in 9 | /Makefile 10 | /aclocal.m4 11 | /compile 12 | /config.guess 13 | /config.h.in 14 | /config.h 15 | /config.log 16 | /config.status 17 | /config.sub 18 | 
/configure 19 | /depcomp 20 | /install-sh 21 | /missing 22 | /stamp-h1 23 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | Initial author, the Sniffit creator, active up 2 | to 0.3.7 beta version (between 1996 and 1998): 3 | 4 | - Brecht Claerhout 5 | 6 | Current authors: 7 | 8 | - Joao Eriberto Mota Filho 9 | -------------------------------------------------------------------------------- /CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 0.6, 2024-04-23 2 | 3 | [ Sam James, from Gentoo.org ] 4 | 5 | * Fix -Wimplicit-function-declaration. 6 | 7 | Version 0.5, 2020-04-19 8 | 9 | [ Joao Eriberto Mota Filho ] 10 | 11 | * Created full-check.yml file to provide CI tests in GitHub. 12 | * Fixed a FTBFS with GCC-10. Thanks to Jaime Peñalba from netdiscover project. 13 | * Reorganized Makefile.am. 14 | * Updated URL of the projext in docs. 15 | 16 | Version 0.4.0, 2016-11-15 17 | 18 | [ Joao Eriberto Mota Filho ] 19 | 20 | * Added all patches from Debian. 21 | * Full conversion to autotools: 22 | - Previous configure.ac rewritten. 23 | - Created Makefile.am. 24 | - Created autogen.sh to use autoreconf (yes, it works fine now). 25 | * Removed embedded libpcap. 26 | * Removed the statement about libpcap from LICENSE file. 27 | * Reorganized the source code. 28 | * Several adjustments and fixes (including CVE-2014-5439). 29 | * Long life to sniffit! 
30 | 31 | 32 | 33 | 34 | ############################################################################ 35 | ### ### 36 | ### THE FOLLOWING LINES ARE THE OLD CHANGELOG (UP TO 0.3.7 BETA VERSION) ### 37 | ### ### 38 | ############################################################################ 39 | 40 | 41 | #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# 42 | * Sniffit History * 43 | #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# 44 | 45 | BUGFIXES 46 | ---------- 47 | 48 | (PRIOR TO 0.2.0 - some are LINUX only) 49 | - Kernel 1.2.(some) incompatibility should be fixed. (like 1.2.5) 50 | (all credit for that to Godmar Back) 51 | - logging connections with lots of data is okay too now. 52 | 'the integer that needed to be a long'-bug. 53 | It was an overflow prob. 54 | - off course there are always minor ameliorations not worth mentioning 55 | 56 | (SINCE 0.2.0) 57 | - MAXCOUNT bug 58 | - interactive part lock-up bugs 59 | - output format 60 | 61 | (SINCE 0.3.0) 62 | - a wildcard bug 63 | - a Makefile bug (nothing important) 64 | 65 | (SINCE 0.3.1) 66 | - a typo caused the screwing up of the wildcard option (0.3.1) 67 | - 'select from host' didn't work... 68 | 69 | (SINCE 0.3.2) 70 | - a functions that had a parameter missing. 71 | - all interactive mode problems. 72 | 73 | (SINCE 0.3.3) 74 | - Interactive mode, with non-color-modes. 75 | - External program firing... 76 | 77 | (SINCE 0.3.4) 78 | - Interactive mode NON-IP packet detection. 79 | - errorhandeling starting of external programs from interface 80 | - various improvements for the porting (thx, beta-testers) 81 | 82 | (SINCE 0.3.5) 83 | - Seg fault on small Fragmented IP packets handled. 
84 | - core dump bug fixed with unknown network devices 85 | 86 | NEW STUFF 87 | ----------- 88 | 89 | V.0.1.0 90 | - First test of the ncurses interface (never use this version, it's 91 | megaslow) 92 | 93 | V.0.1.1 94 | - Added '-x' for extra information on TCP packets 95 | - Added '-A ' for you 'password-horny-dudes' ;) 96 | - beginning of ICMP support ('-P ') 97 | - First 'real' test for the interface 98 | 99 | V.0.1.2 100 | - IP debugging info 101 | - UDP support 102 | - extended ICMP info (almost complete....) 103 | - logging on another terminal 104 | 105 | V.0.2.0 106 | - SUN port (I now hate SPARC's ;) 107 | 108 | V.0.2.1 109 | - SGI port 110 | 111 | V.0.2.2 112 | - Netload statistics (interactive part) 113 | - Massive debugging of interactive part 114 | 115 | V.0.3.0 116 | - Wildcards in non-interactive mode 117 | - time-out in non interactive mode, so you won't stuff memory by 118 | connections that weren't closed like they're supposed to be. 119 | - Forcing the use of a snif device 120 | - MTU changeble in config.h 121 | - ppp use 122 | 123 | V.0.3.1 (1996) 124 | - Flexible network trafic selection with config file. 
125 | 126 | V.0.3.2 (1996) 127 | - IP checksum check 128 | - First introduction of a logfile for monitoring 129 | - Adding of loglevel: 1, 10, 12 130 | 131 | V.0.3.3 (Oct 1996) 132 | - rewrite of some parts (big clean-up of interactive part) 133 | - Auto adjusting to screen of interface 134 | - Starting of external programs from interface 135 | 136 | V.0.3.4 (Beta) 137 | - Use of Autoconf 138 | - Upgrade of Libpcap to 0.3 139 | - Added Packet generation 140 | - Added UDP selectivity 141 | - Added "plugins" 142 | 143 | V.0.3.5 (April 1997) 144 | - cleaned out 0.3.4 beta 145 | 146 | V.0.3.6 (alpha, special HIP preview) 147 | - '-I' mode (locally refered to as 'Iliet' mode (pronounce in Dutch), 148 | officialy 'Extended Interactive') 149 | - alpha version session recording 150 | - alpha version 'sniffit_pb' added (concept canceled in 0.3.7) 151 | - an init function for plugins 152 | 153 | V.0.3.7 (July 1998) 154 | - Thrown away the old style recording, and changed the concept 155 | - Gracefull shutdown with restoring original interface mode 156 | 157 | ------------------------ Thx for using Sniffit(tm) --------------------------- 158 | 159 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | ## HOW TO CONTRIBUTE TO SNIFFIT DEVELOPMENT 2 | 3 | Sniffit is available at https://github.com/resurrecting-open-source-projects/sniffit 4 | 5 | If you are interested in contribute to sniffit development, please, follow 6 | these steps: 7 | 8 | 1. Send me a patch that fix an issue or that implement a new feature. 9 | Alternatively, you can do a 'pull request'[1] in GitHub. 10 | 11 | [1] https://help.github.com/articles/using-pull-requests 12 | 13 | 2. Ask for join to the Sniffit project in GitHub, if you want to work 14 | officially. Note that this second step is not compulsory. 
However, 15 | to accept you in project, I need a minimum collaboration before. You 16 | can do easy works, as fix compilatiion warnings. 17 | 18 | If you want to join, please contact me: eriberto at eriberto.pro.br 19 | 20 | -- Eriberto, Tue, 15 Nov 2016 09:40:21 -0200 21 | -------------------------------------------------------------------------------- /CREDITS: -------------------------------------------------------------------------------- 1 | 0.6 version: 2 | 3 | - Sam James fixed a fail to build from source around 4 | -Wimplicit-function-declaration. 5 | 6 | 0.5 version: 7 | 8 | - Jaime Peñalba helped to solve a FTBFS with GCC 10. 9 | 10 | 0.4.0 version: 11 | 12 | - Cyril Brulebois 13 | Sent a patch to solve Debian bug #535506. It fixed a fail to build on 14 | GNU/kFreeBSD. 15 | 16 | - Hector Marco < hmarco@hmarco.org> and Ismael Ripoll written 17 | a fix for CVE-2014-5439 (Root shell on Sniffit). It was published at 18 | http://hmarco.org/bugs/CVE-2014-5439-sniffit_0.3.7-stack-buffer-overflow.html 19 | 20 | - James Westby 21 | Sent a patch to solve Debian bug #532581. It fixed crashes caused by missing 22 | #includes leads to wrong prototypes. 23 | 24 | - Joao Eriberto Mota Filho 25 | See the CHANGELOG. 26 | 27 | - Joshua Kwan 28 | Sent a patch to solve Debian bug #195548. It solved a fail with gcc-3.3. 29 | 30 | - LaMont Jones 31 | Sent a patch to solve Debian bug #103633. It fixed some issues in on-line 32 | program help. 33 | 34 | - Nicolas Sévelin-Radiguet 35 | Sent a patch to solve Debian bug #741125. I fixed a fail when building 36 | sniffit with clang. 37 | 38 | - Sebastian Harl 39 | Sent a patch to solve Debian bug #644978. It fixed a segfault on amd64. 40 | 41 | - "VDR dai \(deb\)" 42 | Sent a patch to solve Debian bug #649817. It enabled hardening options. 43 | 44 | 45 | - Debian maintainers over time, up to November 2016: 46 | 47 | 1997 Patrick J. 
Edwards 48 | 1998 Damjan Marion 49 | 1999 Hamish Moffatt 50 | 1999-2008 Edward Betts 51 | 2000-2002 Torsten Landschoff 52 | 2008-2012 William Vera 53 | 2011 HIGUCHI Daisuke (VDR dai) 54 | 2012 Aron Xu 55 | 2015-2016 Joao Eriberto Mota Filho 56 | 57 | (I am Eriberto, the current maintainer in Debian) 58 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Sniffit 0.4.0 Copyright 1996-1998 Brecht Claerhout 2 | Copyright 2016 Joao Eriberto Mota Filho 3 | All rights reserved. 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions 7 | are met: 8 | 1. Redistributions of source code must retain the above copyright 9 | notice, this list of conditions and the following disclaimer. 10 | 2. Redistributions in binary form must reproduce the above copyright 11 | notice, this list of conditions and the following disclaimer in the 12 | documentation and/or other materials provided with the distribution. 13 | 3. The name of the author may not be used to endorse or promote products 14 | derived from this software without specific prior written permission. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 18 | OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
19 | IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 20 | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 21 | NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 22 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 23 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 25 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- /Makefile.am: -------------------------------------------------------------------------------- 1 | # Makefile.am for sniffit 2 | # Copyright 2016 Joao Eriberto Mota Filho 3 | # Under BSD-3-CLause license. 4 | 5 | SUBDIRS = src 6 | 7 | man_MANS = man/sniffit.5 man/sniffit.8 8 | 9 | distclean-local: 10 | rm -rf autom4te.cache 11 | rm -f aclocal.m4 compile config.h* configure depcomp install-sh \ 12 | Makefile.in missing src/Makefile.in 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SNIFFIT 2 | **Historical packet sniffer and monitoring tool** 3 | 4 | 5 |

6 | **1. HELP THIS PROJECT**
7 | **2. I AND SNIFFIT**
8 | **3. WHAT IS SNIFFIT?**
9 | **4. BUILDING FROM SOURCE**
10 | **5. LICENSE**
11 | 12 | 13 | 14 | -------------------- 15 | 1. HELP THIS PROJECT 16 | -------------------- 17 | 18 | Sniffit needs your help. **If you are a programmer** and if you want to 19 | help a nice project, this is your opportunity. 20 | 21 | My name is Eriberto and **I am not a C developer**. I imported Sniffit from 22 | Internet to GitHub (the original homepage and developer are inactive). 23 | After this, I applied all patches found in Debian project and other 24 | places for this program. All my initial work was registered in CHANGELOG 25 | file (version 0.4.0 and later releases). I also maintain Sniffit packaged 26 | in Debian[1]. 27 | 28 | If you are interested to help Sniffit, read the [CONTRIBUTING.md](CONTRIBUTING.md) file. 29 | 30 | [1] https://packages.qa.debian.org/s/sniffit.html
31 | 32 | 33 | ---------------- 34 | 2. I AND SNIFFIT 35 | ---------------- 36 | 37 | Well, sniffit is a very old packet sniffer, originally developed by 38 | Brecht Claerhout, between 1996 and 1998. This was the first program 39 | that I compiled in GNU/Linux (in 1997). So, I have a special fondness for 40 | this program. So, since 2015 I have maintained it as a package in Debian. 41 | Since November 2016 I am trying to maintain it in GitHub but I need help! 42 | Please, help this project (see above how to do it). 43 | 44 | 45 | ------------------- 46 | 3. WHAT IS SNIFFIT? 47 | ------------------- 48 | 49 | sniffit is a packet sniffer for TCP/UDP/ICMP packets over IPv4. It is able 50 | to give you a very detailed technical info on these packets, as SEQ, ACK, TTL, 51 | Window, etc. The packet contents also can be viewed, in different formats 52 | (hex or plain text, etc.). 53 | 54 | sniffit was originally developed by Brecht Claerhout. The initial homepage, now offline, was 55 | [here](http://reptile.rug.ac.be/~coder/sniffit/sniffit.html). 56 | 57 | 58 | ----------------------- 59 | 4. BUILDING FROM SOURCE 60 | ----------------------- 61 | 62 | Run `./autogen.sh` to create the configure script, then run 63 | ``` 64 | ./configure 65 | make 66 | make install 67 | ``` 68 | 69 | This program requires libpcap, it also uses libncurses if available. 70 | 71 | 72 | ---------- 73 | 5. LICENSE 74 | ---------- 75 | 76 | Sniffit is under BSD-3-Clause license. 77 | -------------------------------------------------------------------------------- /autogen.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # autogen.sh with clean option, v0.2 4 | # Copyright 2016 Joao Eriberto Mota Filho 5 | # 6 | # This file is under BSD-3-Clause license. 7 | # 8 | # Redistribution and use in source and binary forms, with or without 9 | # modification, are permitted provided that the following conditions 10 | # are met: 11 | # 1. 
Redistributions of source code must retain the above copyright 12 | # notice, this list of conditions and the following disclaimer. 13 | # 2. Redistributions in binary form must reproduce the above copyright 14 | # notice, this list of conditions and the following disclaimer in the 15 | # documentation and/or other materials provided with the distribution. 16 | # 3. Neither the name of the authors nor the names of its contributors 17 | # may be used to endorse or promote products derived from this software 18 | # without specific prior written permission. 19 | # 20 | # THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 21 | # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | # ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 24 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26 | # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27 | # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28 | # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29 | # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30 | # SUCH DAMAGE. 31 | 32 | 33 | # Use clean option 34 | if [ "$1" = "clean" -a ! -e Makefile ] 35 | then 36 | echo "Vanishing the code" 37 | rm -rf aclocal.m4 autom4te.cache compile config.h.* configure depcomp \ 38 | .deps install-sh Makefile.in missing stamp-h1 src/Makefile.in 39 | echo "Done" 40 | exit 0 41 | fi 42 | 43 | # Do not use clean option 44 | if [ "$1" = "clean" -a -e Makefile ] 45 | then 46 | echo "I can not clean. Use '$ make distclean'." 47 | exit 0 48 | fi 49 | 50 | # Do autoreconf 51 | autoreconf -fi \ 52 | && { echo " "; \ 53 | echo "Done. 
You can use the 'clean' option to vanish the source code."; \ 54 | echo "Example of use: $ ./autogen.sh clean"; \ 55 | echo " "; \ 56 | echo "Now run ./configure, make, and make install."; \ 57 | } \ 58 | || { echo "We have a problem..."; exit 1; } 59 | -------------------------------------------------------------------------------- /configure.ac: -------------------------------------------------------------------------------- 1 | # configure.ac for sniffit 2 | # Copyright 1997-1998 Brecht Claerhout 3 | # Copyright 2016-2020 Joao Eriberto Mota Filho 4 | # Under BSD-3-CLause license. 5 | 6 | AC_PREREQ([2.69]) 7 | AC_INIT([sniffit], [0.6], [https://github.com/resurrecting-open-source-projects/sniffit/issues]) 8 | AC_CONFIG_SRCDIR([src/sn_generation.h]) 9 | AC_CONFIG_HEADERS([config.h]) 10 | 11 | # Checks for programs. 12 | AC_PROG_CC 13 | 14 | # Checks for libraries. 15 | # FIXME: sniffit links with libncurses when it is available, even if it does 16 | # not use it because src/sn_config.h does not define INCLUDE_INTERFACE because 17 | # other conditions are not met. It would be better to move that logic entirely 18 | # to Autoconf and to define (or not) INCLUDE_INTERFACE only here. 19 | AC_CHECK_LIB(ncurses, initscr) 20 | AC_CHECK_LIB(pcap, pcap_open_live, , [AC_MSG_ERROR([Couldn't find libpcap])]) 21 | 22 | # Checks for header files. 23 | AC_CHECK_HEADERS([ncurses.h]) 24 | AC_CHECK_HEADERS([pcap.h], , AC_MSG_ERROR([pcap.h not found])) 25 | 26 | dnl Check Shared Memory support 27 | AC_CHECK_FUNCS(shmget) 28 | 29 | dnl exit function check 30 | AC_CHECK_FUNCS(atexit) 31 | 32 | # Other checks 33 | # On Haiku sendto(), socket(), setservent() and inet_addr() are in libnetwork. 
34 | AC_CHECK_FUNC(setservent, , 35 | [ 36 | AC_CHECK_LIB(network, 37 | setservent, 38 | [LIBS="-lnetwork $LIBS"], 39 | [AC_MSG_ERROR([setservent() is required, but wasn't found])] 40 | ) 41 | ] 42 | ) 43 | 44 | dnl Check the datalength 45 | AC_CHECK_SIZEOF(unsigned short int) 46 | if test $ac_cv_sizeof_unsigned_short_int -ne 2; then 47 | AC_MSG_ERROR([unsigned short is NOT 2 bytes... quiting]) 48 | fi 49 | 50 | AC_CHECK_SIZEOF(unsigned long int) 51 | if test $ac_cv_sizeof_unsigned_long_int -eq 4; then 52 | AC_DEFINE(USE_32_LONG_INT, 1, [none]) 53 | else 54 | echo "unsigned long is NOT 4 bytes... hmmm..." 55 | AC_CHECK_SIZEOF(unsigned int) 56 | if test $ac_cv_sizeof_unsigned_int -ne 4; then 57 | AC_MSG_ERROR([unsigned int is NOT 4 bytes either... quiting]) 58 | else 59 | AC_DEFINE(USE_32_INT, 1, [none]) 60 | fi 61 | fi 62 | 63 | AC_CONFIG_FILES([Makefile src/Makefile]) 64 | AM_INIT_AUTOMAKE([foreign]) 65 | 66 | AC_OUTPUT 67 | -------------------------------------------------------------------------------- /docs/PLUGIN-HOWTO: -------------------------------------------------------------------------------- 1 | 1. What are Sniffit plugins (READ) 2 | 2. How to install a plugin (READ) 3 | 3. How to make a plugin (Only for programmers) 4 | 4. Contense of structs (Only for programmers) 5 | 5. Standard Plugins (READ) 6 | 7 | 8 | 1. What are Sniffit plugins 9 | --------------------------- 10 | 11 | Sniffit Plugins are a very fancy name for a very primitive system. The 12 | plugins allow you to add your own code to Sniffit without many problems. 13 | This has the advantage you can create your own sniffer within Sniffit, 14 | without having to worry about the packet filtering. 15 | 16 | 2. How to install a plugin 17 | -------------------------- 18 | 19 | Well, as I plan to release some plugins myself, and maybe ppl are going 20 | to share their own plugins, a little word on the installation. 
21 | 22 | It's pretty simple, you get the plugin, put it in the sniffit directory 23 | and you edit the sn_plugin.h file like this: 24 | 25 | #define PLUGIN0_NAME "Dummy Plugin" 26 | #define PLUGIN0(x) main_plugin_function(x) 27 | #define PLUGIN0_INIT() init_plugin() /* (optional) */ 28 | #include "my_plugin.plug" 29 | 30 | Some notes: 31 | a) You can have plugins from 0 to 9 so PLUGIN0_NAME to PLUGIN1_NAME. 32 | Numbers don't have to be consecutive. 33 | (so also a PLUGIN0(x) to PLUGIN9(x) corresponding with the PLUGIN?_NAMES) 34 | 35 | b) The PLUGIN?_NAME contains the name that will be displayed when just 36 | typing sniffit. 37 | 38 | c) main_plugin_function should be a name provided by the author of the 39 | plugin. It is the name of the function that should be called by Sniffit. 40 | Details on this for making your own plugins are explained below. 41 | 42 | d) init_plugin() is also a function that can be provided by the author. 43 | Some plugins will not have an init function. 44 | 45 | e) #include "my_plugin.plug" 46 | Where my_plugin.plug is the name of the plugin source code file. 47 | 48 | 49 | 3. How to make a plugin 50 | ----------------------- 51 | 52 | I know it's primitive, but it pretty much works and is very easy. 53 | A plugins should consists of a function (here PL_dummy) 54 | 55 | void PL_dummy (struct Plugin_data *PLD) 56 | { 57 | .... 58 | } 59 | 60 | It's no problem to use several functions. 61 | It's no problem to use global data, as long as it doesn't interfer with 62 | sniffits global data (or other plugins global data). 63 | So it is wise to make all global variables and functions like: 64 | PL_nameofplugin_nameofvariable/function 65 | 66 | * NEW: If you define a PL_init_function 67 | * e.g: #define PLUGIN0_INIT() init_plugin() 68 | * 69 | * This function will be runned when Sniffit starts, and the plugin 70 | * is selected by the user, it is usefull for initialising some data. 71 | 72 | 73 | 4. 
Contense of structs 74 | ---------------------- 75 | 76 | NOTE: I don't use the standard structures for packets. This has it's 77 | 'historical' reasons, and has rather become a drag than a positive 78 | point. But it would be even a greater drag (time loss) to overturn 79 | everything completely and recode the appropriate parts of Sniffit, maybe 80 | I will do it someday, maybe I won't. 81 | I hope you can live with it... 82 | 83 | Notice you get a pointer to a structure ('struct Plugin_data *PLD') when 84 | your plugin is called. 85 | This structure is totally yours and you may modify it without any problems. 86 | It is defined as: 87 | 88 | struct Plugin_data { 89 | struct unwrap PL_info; 90 | struct IP_header PL_iphead; 91 | struct TCP_header PL_tcphead; 92 | struct UDP_header PL_udphead; 93 | unsigned char PL_data[MTU]; 94 | unsigned char PL_packet[MTU]; 95 | }; 96 | 97 | 98 | PL_info : contains some general usefull info 99 | PL_iphead : contains the IP_header (no options) 100 | PL_tcphead: contains the TCP_header if it is a TCP packet (no options) 101 | PL_udphead: contains the TCP_header if it is a UDP packet (no options) 102 | PL_data : contains the packet data (no headers) 103 | PL_packet : contains the entire packet 104 | 105 | Details on the Packet structures below (You know, the unconventional ones) 106 | (It is best that you grab your book on packets and have a look at the 107 | fields. The structures are composed the same way, and are an exact copy 108 | of those headers. So watch it! You might need to use ntohs() and ntohl() 109 | now and then!) 
110 | (Have a look at the Dummy Plugin and the DNS Plugin for examples) 111 | 112 | struct IP_header /* The IPheader (without options) */ 113 | { 114 | unsigned char verlen, type; 115 | unsigned short length, ID, flag_offset; 116 | unsigned char TTL, protocol; 117 | unsigned short checksum; 118 | unsigned long int source, destination; 119 | }; 120 | 121 | 122 | struct TCP_header /* The TCP header (without options) */ 123 | { 124 | unsigned short source, destination; 125 | unsigned long int seq_nr, ACK_nr; 126 | unsigned short offset_flag, window, checksum, urgent; 127 | }; 128 | 129 | 130 | struct UDP_header /* The UDP header */ 131 | { 132 | unsigned short source, destination; 133 | unsigned short length, checksum; 134 | }; 135 | 136 | 137 | 5. Standard Plugins 138 | ------------------- 139 | 140 | There are 2 Plugins that are currently included in the distribution of 141 | Sniffit: A dummy Plugin, and a DNS Plugin. 142 | 143 | The Dummy Plugin: 144 | As it says, it does nothing ;) 145 | example: sniffit -M 0 -bN -t foo.bar 146 | Will output some useless information on the intercepted packet 147 | (that has passed the filtering you defined). 148 | Example of output: 149 | 150 | Dummy Plugin Report: 151 | IP header: 20 bytes 152 | TCP header: 20 bytes / 1 Databytes 153 | 154 | The DNS Plugin: 155 | The DNS plugin will examine any UDP packet that is passes the filter 156 | you have setup for sniffit from/to port 53. 157 | These packets are DNS packets, and that plugin will decode them and 158 | output some information to the standard output. 159 | 160 | e.g.: sniffit -M1 -N -P UDP -t @ 161 | Will examine all DNS traffic. 162 | 163 | An example of output is: 164 | 165 | DNS Sniffit Plugin Report: 166 | Packet: 111.33.111.11 53 -> 111.111.66.33 53 167 | ID: 5782 168 | STATUS: Answer (opcode: 0) , , , , rec. NOT Av. , ret: 0 169 | Q: 1 Answ: 0 Auth: 2 Add: 2 170 | Query: 21.158.245.200.in-addr.arpa. 171 | Type: 12 Class: IP 172 | Answer 1/4: 245.200.IN-ADDR.ARPA. 
173 | Type: 2 Class: IP 174 | Answer 2/4: 245.200.IN-ADDR.ARPA. 175 | Type: 2 Class: IP 176 | Answer 3/4: DIXIT.ANSP.BR. 177 | Type: 1 Class: IP 178 | Data: 143.108.1.17. 179 | Answer 4/4: FPSP.FAPESP.BR. 180 | Type: 1 Class: IP 181 | Data: 143.108.1.1. 182 | 183 | -------------------------------------------------------------------------------- /docs/README.FIRST: -------------------------------------------------------------------------------- 1 | #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# 2 | * Sniffit V.0.3.7 Beta * 3 | # By Brecht Claerhout # 4 | * * 5 | # This program is intended to demonstrate the unsafeness of TCP (currently) # 6 | * No illegal activities are encouraged! * 7 | # Please read the LICENSE file # 8 | * * 9 | # Sniffit grew a little upon its original intentions and is now # 10 | * extended for network debugging (UDP, ICMP, netload, etc.) * 11 | #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# 12 | * Libpcap library * 13 | # This product includes software developed by the Computer Systems # 14 | * Engineering Group at Lawrence Berkeley Laboratory. * 15 | #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*# 16 | 17 | 0. Introduction, and some stuff you should know. 18 | 0.1 Credits and contact 19 | 0.2 Compiling 20 | 0.3 License 21 | 1. Programmers notes 22 | excuses for my incompetence 23 | 2. Use of the program 24 | flags and examples 25 | 3. Extra info on use 26 | 3.1 Running interactive mode 27 | 3.2 Forcing network devices (*READ*) 28 | 3.3 Format of the config file 29 | 3.4 Loglevels 30 | 4. The output 31 | 4.1 Normal 32 | 4.2 Logfile 33 | 5. IMPORTANT NOTES, READ! 34 | this also! 35 | 36 | ------------------------------------------------------------------------------ 37 | 38 | 0. Introduction, and some stuff you should know. 39 | ------------------------------------------------ 40 | 41 | 0.3.7 (Beta). It has been a while I know. 
But this year has been a hell, last 42 | year of uni, projects, thesis, .... it didn't stop. Well that is behind us 43 | now, the most important thing, is that I'm back working on the program again, 44 | and intend to keep on doing it. 45 | 46 | I hope you enjoy this beta version. Like always, I removed some bugs. There 47 | is a new 'logging' feature. It is now possible to record traffic with 48 | Sniffit and process it later! (it is completely different from the logging 49 | done in the 0.3.6 version, that is known to some hardcore Sniffit users) 50 | Please take a minute to skim through the text and read the passages marked 51 | with a '*', these are the new features. 52 | (Please read BETA-TESTING) 53 | 54 | I use the libpcap library developed at Berkeley Laboratory, for easy 55 | porting (Read the licence). 56 | 57 | 0.1 Credits and contact 58 | ----------------------- 59 | 60 | Credits go to (in order of appearance on the Sniffit scene): 61 | Wim Vandeputte , 62 | best friend and UNIX guru, for support, testing and 63 | providing me with a WWW site. 64 | Godmar Back, for fixing that kernel 1.2.X bug (Sniffit 0.1.X). 65 | Peter Kooiman, of Paradigm Systems Technology for providing the 66 | facilities to port Sniffit, and for the endless testing 67 | (although he laughs this away with "no big deal, I 68 | don't need no credits"). 69 | Without him, there would have been no ports at all. 70 | Brooke Paul, for providing me with an SGI account. 71 | Qing Long, for the bash/zsh libpcap/configure script. 72 | Guy Gustavson, for giving me a FreeBSD account. 73 | Woju , for the ncurses SunOS/FreeBSD fixing, 74 | and for his other efforts. 75 | Amlan Saha , for adding Packet Generation to 76 | Sniffit, and adding other features (not implemented yet). 77 | I'm sure that in the near future you will see more of his 78 | work in Sniffit. 79 | Shudoh Kazuyuki, for changing getaddrbyname() and improving the 80 | config-file interpreting. 
81 | Fyodor , for pointing out the hideous small 82 | fragments problem. 83 | David O'Brien , for netbsd information. 84 | everybody, who ever mailed me with suggestions help, etc... 85 | 86 | Also a big thanks to my Beta testers (alphabetically, I hope)... 87 | Charles G Stuart IRIX / RedHat LINUX 88 | Patrick Schoppenhorst IRIX 89 | Shahid Mahmood Slackware LINUX / SunOS 90 | Stephen Hillier RedHat LINUX 91 | 92 | And many others who wish to be anonymous.... 93 | 94 | Suggestions and comments can be sent to: 95 | coder@reptile.rug.ac.be 96 | 97 | Brecht Claerhout 98 | Meulebeeksestw. 51 99 | 8700 Tielt 100 | Belgium 101 | 102 | The original distribution program can be obtained from (my site): 103 | http://sniffit.rug.ac.be/sniffit/sniffit.html 104 | 105 | MIND YOU: this program is run as root, and thus could easily contain 106 | dangerous trojans. If you get it from the above site you can 107 | safely compile and use it. 108 | (no trojan versions are discovered yet.. it's just a warning) 109 | 110 | 0.2 Compiling 111 | ------------- 112 | 113 | Just type 'configure' and then 'make' (if configure made it without errors). 114 | Mind you, you can still modify some things in the 'sn_config.h' file, but 115 | by default all sections that can be added on your system are added. 116 | 117 | IMPORTANT NOTES: 118 | 1. This source code has only been tested with GNU versions of make/C 119 | compiler. (i.e. don't come complaining to me if your 'native' system 120 | compiler screws up, use GNU!) 121 | 2. curses IS NOT equal to ncurses. 122 | (ncurses is available at your local sunsite mirror.) 123 | 3. READ THE FAQ when experiencing problems. 124 | 125 | Other stuff.... 126 | make clean : cleans all directories for a compiling from scratch 127 | 128 | 0.3 License (this is a copy of the LICENSE file) 129 | ----------- 130 | 131 | Sniffit 0.3.7 Copyright (c) 1996-1998 Brecht Claerhout 132 | All rights reserved. 
133 | 134 | Redistribution and use in source and binary forms, with or without 135 | modification, are permitted provided that the following conditions 136 | are met: 137 | 1. Redistributions of source code must retain the above copyright 138 | notice, this list of conditions and the following disclaimer. 139 | 2. Redistributions in binary form must reproduce the above copyright 140 | notice, this list of conditions and the following disclaimer in the 141 | documentation and/or other materials provided with the distribution. 142 | 3. The name of the author may not be used to endorse or promote products 143 | derived from this software without specific prior written permission. 144 | 4. Redistribution of source code must be conform with the 'libpcap' 145 | copyright conditions, if that library is included. 146 | 147 | THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 148 | IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 149 | OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 150 | IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 151 | INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 152 | NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 153 | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 154 | THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 155 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 156 | THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 157 | 158 | 159 | 1. Programmers notes 160 | -------------------- 161 | 162 | I wasn't educated to be a programmer, so I write lousy code. Please forgive 163 | me. 164 | 165 | Still I note the use of shared memory, with Linux you should take extra 166 | care when recompiling your kernel! Answer YES to 'System V IPC 167 | (CONFIG_SYSVIPC) [y]'. 168 | 169 | 2. 
Use of the program 170 | --------------------- 171 | 172 | (The man pages have detailed info on what parameters you can mix) 173 | (* indicates New Features) 174 | 175 | Options: 176 | ONE of these is required! 177 | 178 | -v Show version and exit (just added because it's such a 179 | widespread option) 180 | -t tells the sniffer to check out packets GOING TO 181 | -s tells the sniffer to check out packets COMING FROM 182 | You can use the '@' wildcard (only IP NUMBERS of course). 183 | e.g. -t 199.145.@ 184 | -t 199.14@ 185 | mind you -t @ is also a valid option. 186 | -i Interactive mode, overrides all other options 187 | * -I Extended Interactive mode, overrides all other options 188 | * Much more fun than -i, watch and enjoy... 189 | * (best viewed in an xterm that is stretched wide...) 190 | -c Use as a config file for Sniffit 191 | See 3.3 for format of the config file. 192 | 193 | NOTE: -t or -s only apply to TCP and UDP packets; ICMP and IP packets 194 | are ALL interpreted. 195 | Also, any selection on ports, -p only applies to TCP, UDP packets. 196 | 197 | Parameters for all modes: 198 | -F force sniffit to use a network device 199 | (READ 3.2 ON THIS SUBJECT, IMPORTANT) 200 | -n Turn off IP checksum checking. This can show you 201 | bogus packets. (mind you ARP, RARP, other non-IP 202 | packets will show up bogus too) (compatible with 203 | ALL options) 204 | -N Disables all functions that Sniffit has built in, useful 205 | for wanting to run ONLY a plugin 206 | 207 | Parameters for not running in -i: 208 | -b does both -t and -s, doesn't matter what function you used 209 | (-t or -s) 210 | -d Dump mode, shows the packets on the screen in bytes (not 211 | like tcpdump). For test purposes. (numbers are hex) 212 | -a same as '-d' but outputs ASCII. 213 | -x Prints extended info on TCP packets (SEQ numbers, ACK, Flags) 214 | Like SEQ, ACK, the flags, etc... (works with '-a', '-d', '-s', 215 | '-t', '-b' or on its own.) 
216 | (Mind you it is always shown on stdout, so not logged when 217 | using '-t', '-s', '-b' without another parameter) 218 | * -R Record all traffic in 219 | * This file can then be fed to Sniffit with the '-r' option. 220 | * -r This option feeds the recorded to Sniffit. This 221 | * option requires the '-F' option with the correct device. 222 | * Suppose you log a file on a machine with 'eth0'. When 223 | * feeding the logged file to sniffit, you will need to add '-F eth0' 224 | * or '-F eth' to the command line. 225 | * It doesn't need much explanation that using '-i' or '-I' 226 | * in combination with '-r' makes no sense (at this moment). 227 | -A When in logging mode, all non-printable chars will be 228 | replaced by . (see note below 4.The output) 229 | -P protocol specify the protocols examined (default TCP) 230 | possible options currently are: IP, TCP, ICMP, UDP 231 | They can be combined. 232 | -p Logs connections on port , 0 means all ports, default 233 | is 0 (all), look out with that on loaded nets! 234 | -l Amount of information to log (default 300 bytes). 235 | Length 0 logs everything. (look out with diskspace when 236 | logging everything!) 237 | -M Activate Plugin nr. , for a list on all plugins 238 | compiled in your version, just type 'sniffit'. 239 | Read all about Plugins in the PLUGIN-HOWTO (READ IT!) 240 | 241 | Parameters with -i,-I: 242 | -D All logging output will be send to that device. 243 | It's cool to get the same IRC screen as the guy y'r 244 | sniffing upon ;-) 245 | 246 | Parameters with -c: 247 | * -L enable logging with as 'loglevel' 248 | * 'loglevels' were not flexible enough I think, so I changed 249 | * the system to 'logparameters'. 
250 | * can be a concatenation of any of these words: 251 | * 252 | * raw : Raw level 253 | * norm : Normal level 254 | * telnet: Log passwords (login port 23) 255 | * ftp : Log passwords (ftp port 21) 256 | * mail : Log mailinfo (mail port 25) 257 | * e.g. 'ftpmailnorm' would be a valid 258 | * (see '2. The Output' for more info) 259 | 260 | 261 | Some examples: 262 | Imagine the following setup: 2 hosts on a subnet, one is running the 263 | sniffer (sniffit.com), the other one is 66.66.66.7 (target.com). 264 | 1. You want to test if the sniffer is working: 265 | sniffit:~/# sniffit -d -p 7 -t 66.66.66.7 266 | and in another window: 267 | sniffit:~/$ telnet target.com 7 268 | you should see the sniffer giving you packets as you telnet to 269 | the 'echo' service. 270 | 2. I want to log some passwords from people on 66.66.66.7: 271 | sniffit:~/# sniffit -p 23 -t 66.66.66.7 272 | 3. Root of target.com tells me he gets strange ftp connections and 273 | wants to find out the commands typed: 274 | sniffit:~/# sniffit -p 21 -l 0 -t 66.66.66.7 275 | 4. You want to read all incoming and outgoing mail on target.com: 276 | sniffit:~/# sniffit -p 25 -l 0 -b -t 66.66.66.7 & 277 | or 278 | sniffit:~/# sniffit -p 25 -l 0 -b -s 66.66.66.7 & 279 | 5. You want to use the menu based interface. 280 | sniffit:~/# sniffit -i 281 | 6. Something is really wrong and you want to see the Control Messages 282 | with error codes. 283 | sniffit:~/# sniffit -P icmp -b -s 66.66.66.7 284 | 7. Go wild on scrolling the screen. 285 | sniffit:~/# sniffit -P ip -P icmp -P tcp -p 0 -b -a -d -x -s 286 | 66.66.66.7 287 | which is the same as 288 | sniffit:~/# sniffit -P ipicmptcp -p 0 -b -a -d -x -s 66.66.66.7 289 | 8. Log passwords in such a way that you can read them with 'more 66*' 290 | sniffit:~/# sniffit -p 23 -A . -t 66.66.66.7 291 | or 292 | sniffit:~/# sniffit -p 23 -A ^ -t dummy.net 293 | 9. This could go on forever.............. 294 | 295 | 296 | 297 | 3. 
Extra info on use 298 | -------------------- 299 | 300 | 3.1 Running interactive mode 301 | ---------------------------- 302 | When running in interactive mode: 303 | 304 | UP or 'k' : self explanatory 305 | DOWN or 'j' : self explanatory 306 | F1 or '1' : Enter a host (enter 'all' for no mask) for packet filtering 307 | (host that sends the packets) 308 | F2 or '2' : Enter a host (enter 'all' for no mask) for packet filtering. 309 | (host that receives the packets) 310 | F3 or '3' : Enter a port (enter '0' for no mask) for packet filtering. 311 | (host that sends the packets) 312 | F4 or '4' : Enter a port (enter '0' for no mask) for packet filtering. 313 | (host that receives the packets) 314 | F5 or '5' : Start a program 'sniffit_key5' with arguments 315 | 316 | If the program doesn't exist, nothing is done. The program should 317 | be in the same directory sniffit was STARTED FROM (not necessarily 318 | the directory sniffit is stored in), so take care which 'sniffit_key5' is found there, as it is run from the sniffer. 319 | This is useful for interactive connection killing or extra 320 | monitoring. A little shell script can always transform the 321 | arguments given and pass them on to other programs. 322 | F6 or '6' : Same as F5 or '5', but with program 'sniffit_key6' 323 | F7 or '7' : Same as F5 or '5', but with program 'sniffit_key7' 324 | F8 or '8' : Same as F5 or '5', but with program 'sniffit_key8' 325 | ENTER : a window will pop up and log the connection, or the connection 326 | output will be sent to a chosen device if you used the '-D' 327 | option. 328 | 'q' : When in logging mode, stop logging. Otherwise, quit. 329 | 'n' : Toggle netstatistics. These are sampled at 3 secs, look in 330 | the config.h file to change this (could be needed if y'r 331 | computer is slow). 332 | 'g' : Generate Packets! 333 | Sniffit is now able to generate some traffic load. Currently 334 | this is an 'underdeveloped' feature with very few options, 335 | but it will be expanded a lot... 336 | Currently only UDP packets are generated. 
When pressing 'G' 337 | you will be asked the source/dest IP/port and how many packets 338 | are to be transmitted. 339 | Packets contain the line: "This Packet was fired with Sniffit!" 340 | 'r' : Reset.. clears all current connections from memory and restarts. 341 | 342 | 343 | 3.2 Forcing network devices (*READ*) 344 | -------------------------------------- 345 | 346 | NOTE: the correct name (for sniffit) of a device can be found by running 347 | 'ifconfig', 'route', ... 348 | 349 | When forcing network devices, sniffit tries to find out what device it is. 350 | If sniffit recognises the name, everything is okay. 351 | If it does not recognise the name it will set the ethernet headlength 352 | according to the compiled-in value FORCED_HEAD_LENGTH. The ethernet 353 | headlength is the length in bytes of an ethernet packet header. 354 | So if you have to force a non-ethernet device that is not recognised by 355 | sniffit, make sure you change that headlength correctly in the 'sn_config.h' 356 | file. 357 | 358 | The -F option was added, because I noticed device names can differ from 359 | system to system, and because some ppl have multiple devices present. 360 | When having problems with this option, please think twice before you mail me. 361 | 362 | e.g: sniffit -F eth1 -t foobar.com -dx 363 | 364 | Notice you don't have to add /dev/ (some ppl mentioned me this was not 365 | completely clear). 366 | 367 | 368 | 3.3 Format of the config file 369 | ----------------------------- 370 | 371 | The configfile should have lines with the following format: 372 | [] 373 | (separators are spaces (any number of), NO TABS!!!) 374 | 375 | Lines that don't match this pattern are discarded, so standard unix 376 | comments '#' can be used in this file... (this also means that if you 377 | have a typo there, Sniffit won't report it but just discard the line) 378 | * Be sure to end the file with a blank line. 
If you don't do so, the last 379 | * line of the command file will be ignored. 380 | 381 | (read this list, even if you don't get it at first, it will become clear 382 | in the examples) 383 | 384 | can be: 385 | select : Sniffit will look for packets that match the following 386 | description (other fields) 387 | deselect : Sniffit will ignore packets that match the description 388 | logfile : change the logfile name to instead of the 389 | default 'sniffit.log' 390 | 391 | can be: 392 | from : Packets FROM the host matching the following desc. are 393 | considered 394 | to : similar, Packets TO the.... 395 | both : similar, Packets FROM or TO the.... 396 | a filename : as an argument of 'logfile' in 397 | 398 | can be: 399 | host : The (de)selection criteria involves a hostname. 400 | port : similar, ... a portnumber 401 | mhosts : The (de)selection criteria involves multiple-hosts, like 402 | with the wildcards in 0.3.0, but without the 'x' 403 | 404 | can be: 405 | * either a hostname, a portnumber, a service name or a number-dot partial 406 | * notation indicating multiple hosts depending on 407 | * (service names like 'ftp' are resolved as the services available 408 | * present on the host that runs Sniffit, and translated into a port nr) 409 | 410 | can be: 411 | a portnumber or service name, if was 'host' or 'mhosts' 412 | 413 | 414 | Maybe it would have been wise to mention explicitly, that the config-file 415 | currently only works with TCP packets. 416 | 417 | examples: 418 | 419 | 1. Look at this configuration file: 420 | select from host 100.100.12.2 421 | select from host 100.100.12.3 1400 422 | select to host coder.sniffit.com 423 | select both port 23 424 | This file would cause Sniffit to give you the packets: 425 | a) Send by host 100.100.12.2 426 | b) Send by host 100.100.12.3 from port 1400 427 | c) Send to coder.sniffit.com 428 | d) All packets on our subnet going to or coming from a telnet port. 429 | 430 | 2. 
another example: 431 | select both mhosts 100.100.12. 432 | deselect both port 80 433 | select both host enemy.sniffit.com 434 | This file would cause Sniffit to give you the packets: 435 | a) Send by hosts '100.100.12.*' 436 | b) EXCEPT the WWW packets 437 | c) BUT showing the WWW packets concerning enemy.sniffit.com 438 | 439 | The config file is interpreted SEQUENTIALLY, so mixing up those lines 440 | could have unwanted results e.g.: 441 | select both mhosts 100.100.12. 442 | select both host enemy.sniffit.org 443 | deselect both port 80 444 | This will give you the packets: 445 | a) Send by hosts '100.100.12.*' 446 | b) Send from/to enemy.sniffit.org 447 | c) deselecting all WWW packets on the subnet 448 | So if someone on enemy.sniffit.org is netscaping (assuming his 'target' 449 | has his httpd installed on port 80), you would see the packets with 450 | the first config file, BUT NOT with the second file, and that could 451 | spoil y'r fun when he's surfing to some kinky page. 452 | 453 | 3. example: 454 | select both mhosts 1 455 | select both mhosts 2 456 | deselect both mhosts 1 80 457 | deselect both mhosts 2 80 458 | This would show you all subnet traffic excluding WWW traffic 459 | (concerning port 80.) 460 | 461 | 4. example: 462 | * select both host target.com 21 463 | * and 464 | * select both host target.com ftp 465 | * are equal configurations. 466 | 467 | 468 | NOTE: Everything is DESELECTED by default, so an empty config file will 469 | get you nothing. 470 | 471 | 472 | 3.4 Loglevels 473 | ------------- 474 | 475 | * The system of loglevels was not flexible enough, so I changed it. I expect 476 | * you will like it more this way. 477 | * 478 | * Loglevels are now activated by '-L '. 479 | * The following 's are valid (concatenation is allowed): 480 | * 481 | * 'raw': 482 | * Log all SYN, FIN, RST packets. 
This will give you an overview of 483 | * all network (TCP) traffic in a 'RAW' way (a connection starting could 484 | * give you at least 2 SYN packets, etc...). 485 | * This is a great way to waste diskspace... 486 | * Messages are: 487 | * Connection initiated. (SYN) 488 | * Connection ending. (FIN) 489 | * Connection reset. (RST) 490 | * 491 | * 'norm' (levels 10-29) 492 | * Same as 'raw', but a bit more intelligent. Unless packets are 493 | * transmitted multiple times because of packet loss, you will 494 | * only get 1 notice of a connection starting or ending. (the packet id 495 | * will state the host that initiated the connection first) 496 | * Messages are: 497 | * Connection initiated. 498 | * Connection closed. 499 | * 500 | * 'telnet': 501 | * Sniffit will try to catch user and passwords for the telnet login 502 | * on port 23. 503 | * 504 | * NOTE: 505 | * We only try to catch the first attempt, so if someone fails the 506 | * first login, you will miss his password. 507 | * A '~' in the login and passwords fields can be a nonprintable 508 | * character (if in the beginning of a field, probably due to an early 509 | * start of registration) or a '~'. 510 | * This all makes it sound a little messy, but I 'test-drove' a lot and 511 | * was pleased with the results after adding some funky shit (if y'r 512 | * interested have a look at in function 'packethandler' in 513 | * sniffit.*.c) 514 | * 515 | * 'ftp': 516 | * Sniffit will try to catch user and passwords for ftp sessions 517 | * on port 21. 518 | * 519 | * NOTE: 520 | * Easy catching. Even multiple tries are registered. 521 | * 522 | * 'mail': 523 | * Interested in who writes mail to who? Well you get all senders and 524 | * recipients nicely logged with this feature (port 25 mail). 525 | 526 | 527 | 4. 
The output 528 | ------------- 529 | 530 | 4.1 Normal 531 | ---------- 532 | 533 | - IP header info (not logged, displayed): 534 | 535 | Examples: 536 | 537 | from 100.100.60.80 to 100.100.69.63 538 | IP Packet precedence: Routine (-T-) 539 | FLAGS: -- -- Time to live (secs): 59 540 | Protocol (6): TCP 541 | 542 | from 100.100.69.31 to 100.100.69.63 543 | IP Packet precedence: Routine (---) 544 | FLAGS: -- -- Time to live (secs): 60 545 | Protocol (17): UDP 546 | 547 | from 100.100.69.51 to 100.100.69.63 548 | IP Packet precedence: Routine (---) 549 | FLAGS: -- -- Time to live (secs): 255 550 | Protocol (1): ICMP 551 | 552 | explanation: 553 | 554 | Precedence can be: 555 | Routine, Priority, Immediate, Flash, Flash override, Critical, 556 | Internetwork Control, Network control 557 | The Flags between brackets: (DTR) Delay-Throughput-reliability 558 | FLAGS: DF MF DF=Don't Fragment MF=More Fragments 559 | 560 | - TCP Packets (logged or displayed): 561 | 562 | The sniffer logs the data in ascii format. So when logging telnet 563 | connections, you will need to use 'joe' or something else that can 564 | support control chars (look for '-A ' below). 565 | Telnet 'negotiates' (binary) in the beginning of every connection, and 566 | 'catting' an output file, will most of the time show nothing (due to 567 | control chars). 568 | Of course when logging mail, there are no problems. 569 | The new '-A ' takes care of the control characters, that way you 570 | will be able to read the logfiles with 'more', 'vi', etc... 571 | 572 | -a and -d give you raw packets i.e. 
not unwrapped, on the screen 573 | (nothing is logged), -x gives you more info on the TCP package 574 | (everything is still logged unless using -a or -d mode), 575 | The flags are: 576 | U: Urgent pointer significant 577 | A: Acknowledgement is signif (will be shown) 578 | P: Push function 579 | R: Reset the connection 580 | S: Synchronizes sequence numbers 581 | F: No more data from sender (end connection) 582 | 583 | Filenames Created: 584 | Imagine a subnet with the hosts 66.66.66.66 and 66.66.66.7, and we 585 | run a sniffer on the first. 586 | The sniffer creates the following files: 587 | When logging packets TO host 66.66.66.7 (-t 66.66.66.7) files like 588 | 77.77.7.7.15000-66.66.66.7.23 are created, when the data CAME FROM 589 | host 77.77.7.7-15000 (with 15000 port used on 77.77.7.7 for that 590 | connection, and received on port 23 of 66.66.66.7) 591 | 592 | When logging packets FROM host 66.66.66.7 (-s 66.66.66.7) files 593 | like 66.66.66.7.15000-77.77.7.7-23 are created, when the data 594 | GOES TO host 77.77.7.7 (with 15000 port used on 66.66.66.7 for 595 | that connection) 596 | 597 | 598 | - ICMP Packets (not logged, displayed): 599 | 600 | On host 100.100.69.63 someone tried 'telnet 100.100.23.23' 601 | Suppose this host is unreachable, this could be a possible output: 602 | 603 | ICMP message id: 100.100.69.254 > 100.100.69.63 604 | ICMP type: Destination unreachable 605 | Error: Host unreachable 606 | ICMP message concerned following IP packet: 607 | from 100.100.69.63 to 100.100.23.23 608 | IP Packet precedence: Routine (---) 609 | FLAGS: -- -- Time to live (secs): 63 610 | Protocol (6): TCP 611 | 612 | 613 | - UDP Packets (not logged, displayed) 614 | 615 | You get the package id. When using -d, -a you get the contents of the 616 | package. (pretty basic) 617 | 618 | 619 | 4.2 Logfile 620 | ----------- 621 | 622 | If you use a configfile (-c) and enable the Logging option, a logfile is 623 | created. 
Unless you set 'logfile' in the config file, that file will be 624 | named 'sniffit.log'. 625 | It will contain lines with the following FIXED format: 626 | 1) Date - Connection id.: message 627 | e.g. [Mon Aug 19 22:38:56 1996] - 100.100.10.10.1046-110.110.11.11.23: 628 | Connection initiated. 629 | (conn. init. on the same line as the rest) 630 | 631 | 2) Except the starting line and the ending line of each session, they are: 632 | 633 | [Mon Aug 19 22:38:51 1996] - Sniffit session started. 634 | [Mon Aug 19 22:39:44 1996] - Sniffit session ended. 635 | 636 | 3) Lines containing other data (future versions), will NOT begin with '[' 637 | and will have also easily interpretable formats. 638 | Other data is e.g. packet contents 639 | 640 | I do this because I can imagine (when this is more expanded) that people 641 | will use their own parsers for these logfiles. Well, if you respect those 3 642 | rules, your parser will work on all future versions of Sniffit. 643 | 644 | 645 | 5. IMPORTANT NOTES, READ! 646 | ------------------------- 647 | 648 | First of all, some stuff people who use this program should already know, 649 | if you don't, well here ya got it: 650 | 651 | Some other notes: 652 | 653 | - Sniffers can only be run by ROOT 654 | - Sniffers can only log packets that 'travel' on THEIR ethernet cable. 655 | So there has to be some host on your subnet involved (either as 656 | sender or receiver). 657 | - Working with '-d' or '-a' gives you raw packets, they are still 658 | packed in IP, when logging to files, only sent data is logged, 659 | the packets are 'unwrapped'. 660 | - Sniffers can NORMALLY not be detected by outsiders (or outsiders 661 | SHOULD not be able to...). 662 | Unfortunately some systems contain bugs that will allow outsiders to 663 | probe your network device for PROMISC mode (which is a good indication 664 | for 'sniffer running') 665 | - (LINUX) Your KERNEL should support System V IPC. 666 | If you will use '-i' or '-I'. 
667 | - (BSD systems) Your KERNEL should have BPF included. 668 | 669 | ------------------------ Thx for using Sniffit(tm) --------------------------- 670 | -------------------------------------------------------------------------------- /docs/UPDATE-CHECK: -------------------------------------------------------------------------------- 1 | When updating, change these files (if needed): 2 | 3 | - AUTHORS 4 | - ChangeLog 5 | - CREDITS 6 | - configure.ac (VERSION) 7 | - LICENSE (header) 8 | - manpage version and date 9 | - src/sn_defines.h (VERSION) (check copyright years in header) 10 | -------------------------------------------------------------------------------- /docs/old-docs/BETA-TESTING: -------------------------------------------------------------------------------- 1 | This is a beta version, that means that some things need testing or 2 | fine-tuning. This file includes the things I would like to be informed 3 | about. So if you are able to test one of these things, please do so and mail 4 | me back the results. (coder@reptile.rug.ac.be) 5 | 6 | 1. LINUX 7 | 2. SunOS/Solaris 8 | 3. Irix 9 | 4. FreeBSD 10 | 5. BSDi 11 | 6. DEC/OSF 12 | 7. NetBSD 13 | 14 | ----------------------------------------------------------------------------- 15 | 16 | 1. LINUX 17 | 18 | - Does sniffing a SLIP connection work? 19 | 20 | 21 | 2. SunOS/Solaris 22 | 23 | 24 | 3. Irix 25 | 26 | - Does sniffing a PPP connection work? 27 | 28 | If sniffit just sits there, doing nothing, try changing (sn_data.h) 29 | 30 | #ifdef IRIX 31 | #define NETDEV_NR 2 32 | char *NETDEV[]={"ppp","et"}; 33 | int HEADSIZE[]={0 ,14}; /* ppp: 4 or 0 or nothing */ 34 | #endif 35 | 36 | to: 37 | 38 | #ifdef IRIX 39 | #define NETDEV_NR 2 40 | char *NETDEV[]={"ppp","et"}; 41 | int HEADSIZE[]={4 ,14}; /* ppp: 4 or 0 or nothing */ 42 | #endif 43 | 44 | 45 | 4. FreeBSD 46 | 47 | - Does sniffing a PPP connection work? 
48 | To try this, remove the lines that are marked below with X in the 49 | sn_data.h file: 50 | 51 | #ifdef FREEBSD /* ppp: 4 or 0 ? */ 52 | /* X 53 | #define NETDEV_NR 2 54 | char *NETDEV[]={"ppp","ed"}; 55 | int HEADSIZE[]={4 ,14}; 56 | */ X 57 | #define NETDEV_NR 1 X 58 | char *NETDEV[]={"ed"}; X 59 | int HEADSIZE[]={14}; X 60 | #endif 61 | 62 | If it doesn't work, and sniffit just sits there, try changing: 63 | 64 | int HEADSIZE[]={4 ,14}; 65 | 66 | to: 67 | 68 | int HEADSIZE[]={0 ,14}; 69 | 70 | 71 | 5. BSDi 72 | 73 | - Does sniffing a PPP connection work? 74 | To try this, remove the lines that are marked below with X in the 75 | sn_data.h file: 76 | 77 | #ifdef BSDI /* ppp: 4 or 0 ? */ 78 | /* X 79 | #define NETDEV_NR 2 80 | char *NETDEV[]={"ppp","ef"}; 81 | int HEADSIZE[]={4 ,14}; 82 | */ X 83 | #define NETDEV_NR 1 X 84 | char *NETDEV[]={"ef"}; X 85 | int HEADSIZE[]={14}; X 86 | #endif 87 | 88 | If it doesn't work, and sniffit just sits there, try changing: 89 | 90 | int HEADSIZE[]={4 ,14}; 91 | 92 | to: 93 | 94 | int HEADSIZE[]={0 ,14}; 95 | 96 | 97 | 6. DEC/OSF 98 | 99 | 100 | 7. NetBSD 101 | 102 | - Does sniffing a PPP connection work? 103 | 104 | If sniffit just sits there, doing nothing, try changing the sn_data.h 105 | file. Search the line: 106 | 107 | #ifdef NETBSD 108 | 109 | from there on change in every "int HEADSIZE[]={}" the 4 to a 0. 110 | 111 | e.g.: int HEADSIZE[]={4 ,14 ,14}; 112 | becomes: int HEADSIZE[]={0 ,14 ,14}; 113 | 114 | -------------------------------------------------------------------------------- /docs/sniffit-FAQ: -------------------------------------------------------------------------------- 1 | ------[ The Sniffit-FAQ V.0.2]------------------------------------------------ 2 | 3 | As the same questions keep popping up in my mailbox, I decided to write a 4 | Sniffit-FAQ. 5 | 6 | ------[ The Questions ]------------------------------------------------------- 7 | 8 | 1. 'sniffit -i' doesn't work. It says unknown option. 
9 | 10 | 1.b. I'm sure I have NCURSES, but I still have that problem! 11 | 12 | 2. I can only see packets to/from my own computer, what is wrong? (BTW: 13 | I'm on PPP). 14 | 15 | 3. I have e.g. two ethernet cards, but 'sniffit -F /dev/eth1' doesn't work, 16 | why? 17 | 18 | 4. How can I find the device names? 19 | 20 | 5. Why can't my LINUX capture packets? 21 | 22 | 6. Why can't my BSD style system capture packets? 23 | 24 | ------[ The Answers ]--------------------------------------------------------- 25 | 26 | 1. 'sniffit -i' doesn't work. It says unknown option. 27 | 28 | Prior to 0.3.5 you had to configure Sniffit manually, that was a drag, 29 | so I made it configure itself. Problem now is that it is too automatic. 30 | When running the 'configure' script, it looks for 'ncurses' (which is 31 | needed for the interactive mode), when it does not find 'ncurses', it 32 | just excludes interactive mode, so '-i' becomes an unknown option. 33 | Solution: if you haven't got 'ncurses', install it (to be found at any 34 | sunsite mirror). If you are sure you have it, well it probably isn't 35 | in the right directories, maybe use some symbolic links. 36 | These are the dirs 'configure' looks in: 37 | /usr/include:/usr/include/ncurses:/usr/include/curses 38 | /usr/local/include:/usr/local/include/ncurses: 39 | /usr/local/include/curses 40 | and as of 0.3.6 Sniffit also looks in: 41 | ./:./ncurses 42 | (BTW: it looks for a file 'ncurses.h') 43 | 44 | 1.b. I'm sure I have NCURSES, but I still have that problem! 45 | 46 | Sometimes you have NCURSES, but no 'ncurses.h' file. Simple, just link 47 | (soft) 'ncurses.h' to 'curses.h'. 48 | 49 | 2. I can only see packets to/from my own computer, what is wrong? (BTW: 50 | I'm on PPP) 51 | 52 | PPP: Point to Point connection. 53 | By definition, this protocol will only carry packets that contain 54 | information for the connected computer. 
55 | As a consequence on your side, you see only things that got to/come 56 | from your computer, so Sniffit works fine. 57 | To see traffic of whole subnets, you need protocols like ethernet (the 58 | coax cable). 59 | 60 | 3. I have e.g. two ethernetcards, but 'sniffit -F /dev/eth1' doesn't work, 61 | why? 62 | 63 | Don't put any path in front of the devices. These names aren't even 64 | listed in /dev/. 65 | The correct line would be: 'sniffit -F eth1' 66 | 67 | 4. How can I find the device names? 68 | 69 | Well in case Sniffit doesn't find the correct name itself, you will 70 | have to find it, and use the '-F' parameter. 71 | The devices can be found by using the 'ifconfig' or 'route' commands. 72 | 73 | 5. Why can't my LINUX capture packets? 74 | 75 | You should upgrade the kernel. 76 | Normally Sniffit should work on all kernel versions >= 2.0.0. 77 | But I advise using a kernel version >= 2.0.25. 78 | (You could also downgrade the libpcap version to that used with 79 | Sniffit 0.3.3 if all else fails.) 80 | 81 | 6. Why can't my BSD style system capture packets? 82 | 83 | You should recompile your kernel with BPF support. 84 | 85 | ------[ The End ]------------------------------------------------------------- 86 | -------------------------------------------------------------------------------- /examples/sample_config_file: -------------------------------------------------------------------------------- 1 | # Sniffit V.0.3.3-0.3.7 Sample Config file -- Brecht Claerhout 2 | 3 | # First select all packets! 4 | select both mhosts 1 5 | select both mhosts 2 6 | 7 | # Now deselect all packets from/to those damn 'surfers' 8 | deselect both port 80 9 | deselect both port 8001 10 | 11 | # Be sure to end this file with a blank line! 
-------------------------------------------------------------------------------- /man/sniffit.5: -------------------------------------------------------------------------------- 1 | .\" sniffit config file man page - Brecht Claerhout 2 | .\" Some fixes by Joao Eriberto Mota Filho 3 | .\" 4 | .TH SNIFFIT 5 5 | .SH NAME 6 | sniffit \- configuration file for sniffit (name arbitrary) 7 | 8 | .SH DESCRIPTION 9 | This page describes the format for the config file for 10 | .B sniffit 11 | (see 12 | .BR sniffit (8) 13 | ). This file allows you to specify in great detail which packets should 14 | be processed by 15 | .B sniffit. 16 | This file also controls (or will control) some functions for the 17 | continuous logging ('\-L' option). 18 | .LP 19 | A 20 | .B sniffit 21 | config file might look like (Be sure to end it with a BLANK line): 22 | .IP 23 | .nf 24 | # Sniffit Sample Config file -- Brecht Claerhout 25 | 26 | logfile /var/log/sniffit.today.log 27 | 28 | # First select all packets! 29 | select both mhosts 1 30 | select both mhosts 2 31 | 32 | # Now deselect all packets from/to those damn 'surfers' 33 | deselect both port 80 34 | deselect both port 8001 35 | .fi 36 | .LP 37 | This file will tell 38 | .B sniffit 39 | to process all packets on the subnet except those FROM/TO ports 80 and 40 | 8001 (thus we don't want logs of those mass WWW connections which turn 41 | our logs unreadable). 42 | 43 | .SH "GLOBAL FORMAT" 44 | The file consists of lines, lines are formed by fields, fields are 45 | separated with SPACES (NO TABS). 46 | Unix comment lines (starting with '#') are allowed. 
47 | So this gives us: 48 | .IP 49 | 50 | 51 | .SH "FIELD FORMAT" 52 | .IP "" 53 | .B select 54 | - 55 | .B Sniffit 56 | will look for packets that match the following description 57 | (other fields) 58 | .IP 59 | .B deselect 60 | - 61 | .B Sniffit 62 | will ignore packets that match the description 63 | .IP 64 | .B logfile 65 | - change the logfile name to instead of the default 'sniffit.log' 66 | 67 | .IP "" 68 | .B from 69 | - Packets FROM the host matching the following desc. are considered. 70 | .IP 71 | .B to 72 | - similar, Packets TO the.... 73 | .IP 74 | .B both 75 | - similar, Packets FROM or TO the.... 76 | .IP 77 | .B "a filename" 78 | - as an argument of 'logfile' in 79 | 80 | .IP "" 81 | .B host 82 | - The (de)selection criteria involves a hostname. 83 | .IP 84 | .B port 85 | - similar, ... a portnumber 86 | .IP 87 | .B mhosts 88 | - The (de)selection criteria involves multiple-hosts, like with the 89 | wildcards in 0.3.0, but without the 'x' 90 | 91 | .IP "" 92 | Either a hostname, a portnumber, a service name or a number-dot partial 93 | notation indicating multiple hosts depending on 94 | (service names like 'ftp' are resolved as the services available present on 95 | the host that runs Sniffit, and translated into a port nr) 96 | 97 | .IP "" 98 | A portnumber, if was 'host' or 'mhosts' (optional, if not filled 99 | in, all ports are going to be (de)selected) 100 | 101 | .SH "FILE INTERPRETING" 102 | The config file is interpreted SEQUENTIAL, so watch it, don't mix lines 103 | in a file. Example: 104 | .IP 105 | .nf 106 | select both mhosts 100.100.12. 107 | deselect both port 80 108 | select both host 100.100.12.2 109 | 110 | This file will get you the packets: 111 | a) Send by hosts '100.100.12.*' 112 | b) EXCEPT the WWW packets 113 | c) BUT showing the WWW packets concerning 114 | 100.100.12.2 115 | .fi 116 | .IP 117 | .nf 118 | select both mhosts 100.100.12. 
119 | select both host 100.100.12.2 120 | deselect both port 80 121 | 122 | Will give you the packets (probably unwanted result): 123 | a) Send by hosts '100.100.12.*' 124 | b) Send from/to 100.100.12.2 (useless line) 125 | c) deselecting all WWW packets on the subnet 126 | 127 | .SH AUTHOR 128 | Brecht Claerhout 129 | 130 | .SH "SEE ALSO" 131 | .BR sniffit (8) 132 | -------------------------------------------------------------------------------- /man/sniffit.8: -------------------------------------------------------------------------------- 1 | .\" Sniffit man page file - Brecht Claerhout 2 | .\" Some fixes by Joao Eriberto Mota Filho 3 | .\" Process this file with 4 | .\" groff -man -Tascii foo.1 5 | .\" 6 | .TH SNIFFIT 8 7 | 8 | .SH NAME 9 | sniffit \- packet sniffer and monitoring tool 10 | 11 | .SH SYNOPSIS 12 | .B sniffit [-xdabvnN] [-P 13 | .I proto 14 | .B ] [-A 15 | .I char 16 | .B ] [-p 17 | .I port 18 | .B ] [(-r|-R) 19 | .I recordfile 20 | .B ] [-l 21 | .I sniflen 22 | .B ] [-L 23 | .I logparam 24 | .B ] [-F 25 | .I snifdevice 26 | .B ] [-D 27 | .I tty 28 | .B ] [-M 29 | .I plugin 30 | .B ] [(-t 31 | .I Target-IP 32 | .B | -s 33 | .I Source-IP 34 | .B ) | (-i|-I) | -c 35 | .I config-file 36 | .B ] 37 | 38 | .SH DESCRIPTION 39 | .B sniffit 40 | is a packet sniffer for TCP/UDP/ICMP packets. 41 | .B sniffit 42 | is able to give you very detailed technical info on these 43 | packets (SEQ, ACK, TTL, Window, ...) but also packet contents in 44 | different formats (hex or plain text, ...). 45 | .LP 46 | .B sniffit 47 | can by default handle ethernet and PPP devices, but can easily be 48 | forced into using other devices (read the 49 | .B README.FIRST 50 | and 51 | .B sn_config.h 52 | files on this subject!) 53 | .LP 54 | The sniffer can easily be configured in order to 'filter' the incoming 55 | packets (to make the sniffing results easier to study). The config file (see 56 | .BR sniffit (5) 57 | ) allows you to be very specific on the packets to be processed. 
58 | .LP 59 | .B sniffit 60 | also has an interactive mode for active monitoring, and can also be used 61 | for continuous monitoring on different levels. 62 | 63 | .SH NOTE 64 | This man page is supposed to be a reference manual. So please read 65 | .B README.FIRST 66 | first, and use this only for better understanding or for a quick check on 67 | the use of 68 | .B sniffit 69 | 70 | .SH OPTIONS 71 | 72 | .IP -v 73 | Shows the version of 74 | .B sniffit 75 | you are running and exits 76 | .I "(overrides all)" 77 | 78 | .IP "-t Target-IP" 79 | Only process packets TO Target-IP. If Target-IP is in dot-nr notation, 80 | \'x' is allowed as wildcard. (e.g. '\-t 157.193.x', '\-t x', ...) 81 | .I "(NOT compatible with: '-s' '-i' '-I' '-c' '-v' '-L')" 82 | 83 | .IP "-s Source-IP" 84 | Similar to '\-t', only process packets FROM Source-IP. 85 | .I "(NOT compatible with: '-t' '-i' '-I' '-c' '-v' '-L')" 86 | 87 | .IP -b 88 | \'both' mode, together with '\-s' or '\-t', only process FROM/TO the IP 89 | specified by '\-s' or '\-t' 90 | .I "(NOT compatible with: '-t' '-i' '-I' '-c' '-v' '-L')" 91 | 92 | .IP "-c config-file" 93 | Use 94 | .I config-file 95 | for the packet filtering. This allows you to be very specific on the 96 | packets to be processed (see 97 | .BR sniffit (5) 98 | for details on the format). 99 | .I "(NOT compatible with: '-t' '-s' '-i' '-I' '-v' '-L')" 100 | 101 | .IP -i 102 | Launch the ncurses interface for active monitoring ('interactive mode'). 103 | (NOT available if you compiled without INTERACTIVE support see 104 | .B sn_config.h 105 | and 106 | .B README.FIRST 107 | ) 108 | (one of the options '\-t' '\-s' '\-i' '\-I' '\-c' is required) 109 | .I "(NOT compatible with: '-t' '-s' '-c' '-v' '-L')" 110 | 111 | .IP -I 112 | Same as '\-i', but gives you more information. 
113 | (one of the options '\-t' '\-s' '\-i' '\-I' '\-c' is required) 114 | .I "(NOT compatible with: '-t' '-s' '-c' '-v' '-L')" 115 | 116 | .IP "-R " 117 | Record all traffic in 118 | .I 119 | This file can then be fed to Sniffit with the '\-r' option. 120 | .I "(Needs a selection parameter like '-c' '-t' '-s')" 121 | .I "(NOT compatible with '-i' '-I' '-v' '-L' '-r')" 122 | 123 | .IP "-r " 124 | This option feeds the recorded 125 | .I to 126 | .B sniffit. 127 | It requires the '\-F' option with the correct device. Suppose you log a file 128 | on a machine with 'eth0'. When feeding the logged file to 129 | .B sniffit 130 | , you will need to add '\-F eth0' or '\-F eth' to the command line. It doesn't 131 | need much explanation that using '\-i' or '\-I' in combination with '\-r' makes 132 | no sense (at this moment). 133 | .I "(requires '-F', NOT compatible with '-R' '-i' '-I')" 134 | 135 | .IP -n 136 | Turn of IP checksum checking. This can show you bogus packets. 137 | (mind you ARP, RARP, other non-IP packets will show up bogus too) 138 | .I "(compatible with ALL options)" 139 | 140 | .IP -N 141 | Don't perform any of the build in Sniffit functions. Useful for only 142 | running a Plugin. 143 | .I "(compatible with ALL options)" 144 | 145 | .IP -x 146 | Prints extended info on TCP packets to stdout (SEQ, ACK, Flags, etc...) 147 | Interesting when tracing spoofs, packet loss and other real net 148 | debugging/checking tasks. 149 | (if you want to log this, pipe stdout to a file) 150 | .I "(NOT compatible with: '-i' 'I' '-v')" 151 | 152 | .IP -d 153 | \'dump mode', shows the packets on the screen (stdout) instead of logging 154 | into files (default). Data is printed in bytes (hex). 155 | .I "(NOT compatible with: '-i' 'I' '-v' '-L')" 156 | 157 | .IP -a 158 | \'dump mode', same of '\-d' but outputs ASCII. Non printable chars are 159 | replaced by '.'. 
160 | ('\-d' and '\-a' mix without any problem) 161 | .I "(NOT compatible with: '-i' '-I' '-v' '-L')" 162 | 163 | .IP "-P proto" 164 | Specify the protocols that should be processed (default TCP). Possible 165 | options currently are: IP, TCP, ICMP, UDP. They can be combined. 166 | IP, ICMP, UDP info is dumped to stdout. IP gives ADDITIONAL info on the 167 | IPwrapping around other packets, it is not needed to specify IP for TCP 168 | packet logging. 169 | IP, ICMP packets are not filtered (UDP packets are as of 0.3.4). 170 | .I "(NOT compatible with: '-i' '-I' '-v' '-L')" 171 | 172 | .IP "-A char" 173 | When in 'normal mode' (not '\-d','\-a','\-i','\-I','\-L'), all non-printable chars 174 | will be replaced by 175 | .I char 176 | .I "(NOT compatible with: '-a' '-d' '-i' '-I' '-v' '-L')" 177 | 178 | .IP "-p port" 179 | Only checks packets going TO (!!) port 180 | .I port 181 | , 0 means all ports, default is 0 (all). 182 | .I "(NOT compatible with: '-c' '-i' '-I' '-v' '-L')" 183 | 184 | .IP "-l sniflen" 185 | Amount of data to log (default 300 bytes) in 'normal mode'. The first 186 | .B sniflen 187 | bytes of every connection are logged. Length 0 logs means everything. (look 188 | out with diskspace!) 189 | .I "(NOT compatible with: '-i' '-I' '-v' '-L')" 190 | 191 | .IP "-F snifdevice" 192 | Force sniffit to use a certain network device. 193 | .I snifdevice 194 | can be found with 195 | .I ifconfig 196 | (see 197 | .BR ifconfig (8)). 198 | .B sniffit 199 | supports ethernet and PPP by default. Read 200 | .B README.FIRST 201 | for info on forcing the use of other devices. 202 | .I "(compatible with ALL options)" 203 | 204 | .IP "-D tty" 205 | All logging output will be send to that device. 206 | .I "(ONLY works with '-i' and '-I')" 207 | 208 | .IP "-M plugin" 209 | Activate Plugin nr. 210 | .B Plugin 211 | , for a list on all plugins compiled in your version, just type ' 212 | .B sniffit 213 | \'. Read all about Plugins in the PLUGIN-HOWTO (READ IT!) 
214 | .I "(NOT compatible with: '-i' '-I' '-v')" 215 | 216 | .IP "-L logparam" 217 | Use 218 | .B sniffit 219 | as a monitoring tool and enable different logging modes ( 220 | .I logparam 221 | ) The File for logging can be specified in the config file (see 222 | .BR sniffit (5) 223 | ) but is 224 | .B sniffit.log 225 | by default. Different 226 | .I logparam can be combined. 227 | .I "(ONLY works with '-c')" 228 | 229 | .SH "NORMAL MODE" 230 | A bunch of 231 | .I sniflen 232 | initial bytes (default 300) of each connection is logged into a file 233 | .B x.x.x.x.p-y.y.y.y.o 234 | where 'x.x.x.x' is the sending host (port 'p') and 'y.y.y.y' the 235 | receiving host (port 'o'). 236 | 237 | .SH "DUMP MODE ('-d' and/or '-a')" 238 | Output is dumped to stdout, the packet contents is shown in it's 239 | unwrapped form (the complete IP packet). 240 | 241 | .SH "INTERACTIVE MODE ('-i' or '-I')" 242 | Keys available in interactive mode: 243 | .IP "'UP or 'k'" 244 | self explanatory 245 | .IP "DOWN or j'" 246 | self explanatory 247 | .IP "F1 or '1'" 248 | Enter a host (enter 'all' for no mask) for packet filtering (host that 249 | sends the packets) 250 | .IP "F2 or '2'" 251 | Enter a host (enter 'all' for no mask) for packet filtering. (host that 252 | receives the packets) 253 | .IP "F3 or '3'" 254 | Enter a port (enter '0' for no mask) for packet filtering. (host that 255 | sends the packets) 256 | .IP "F4 or '4'" 257 | Enter a port (enter '0' for no mask) for packet filtering. (host that 258 | receives the packets) 259 | .IP "F5 or '5'" 260 | Start a program 'sniffit_key5' with arguments 261 | .I " " 262 | If the program doesn't exist, nothing is done. Sniffit should be in the 263 | same path as sniffit was STARTED FROM (not necessarily the path sniffit is 264 | stored in) This function is useful for interactive connection killing or 265 | extra monitoring. A little shell script can always transform the arguments 266 | given and pass them on to other programs. 
267 | .IP "F6 or '6'" 268 | Same as F5 or '5', but with program 'sniffit_key6' 269 | .IP "F7 or '7'" 270 | Same as F5 or '5', but with program 'sniffit_key7' 271 | .IP "F8 or '8'" 272 | Same as F5 or '5', but with program 'sniffit_key8' 273 | .IP "ENTER" 274 | a window will pop up and log the connection, or the connection output 275 | will be send at a chosen device if you used the '\-D' option. 276 | .IP "'q'" 277 | When in logging mode, stop logging. Otherwise, quit. 278 | .IP "'n'" 279 | Toggle netstatistics. These are sampled at 3 secs, look in the sn_config.h 280 | file to change this. 281 | .IP "'g'" 282 | .B Sniffit 283 | is now able to generate some traffic load. Currently this is a 'underdevelloped' 284 | feature with very few options, but it will be expanded a lot. 285 | Currently only UDP packets are generated. When pressing 'g' you will be 286 | asked the source/dest IP/port and how much packets are needed to be 287 | transmitted. 288 | Packets contain the line: "This Packet was fired with Sniffit! 289 | .IP "'r'" 290 | Reset.. clears all current connections from memory and restarts. 291 | 292 | .SH "LOGGING MODE ('-L')" 293 | Output is saved to 294 | .B sniffit.log 295 | , unless you have specified some other name in the config file (see 296 | .BR sniffit (5) 297 | ). 298 | .LP 299 | .IP "raw" 300 | Log all SYN, FIN, RST packets. This will give you an overview of all 301 | network (TCP) trafic in a 'RAW' way (a connection starting could gives 302 | you at least 2 SYN packets, etc...). 303 | .IP "norm" 304 | Same as raw, but a bit more intelligent. Unless packets are 305 | transmitted multiple times because of packet loss, you will only get 1 306 | notice of a connection starting or ending. (the packet id 307 | will give you the host that initiated the connection first) 308 | .IP "telnet" 309 | Sniffit will try to catch login and passwords for this application. 
(see 310 | .BR telnet (1) 311 | ) 312 | .IP "ftp" 313 | Sniffit will try to catch login and passwords for this application. 314 | (see 315 | .BR ftp (1) 316 | ) 317 | .IP "mail" 318 | Sniffit will try to identify all mail that was logged. 319 | 320 | .SH "IP ICMP UDP LOGGING" 321 | Information on these packets is dumped to stdout. Packet 322 | Filtering options only refer to TCP and UDP packets. 323 | The contents of UDP packets is only shown when enabling '\-a' or '\-d'. 324 | 325 | .SH AUTHOR 326 | Brecht Claerhout 327 | 328 | .SH "SEE ALSO" 329 | .BR sniffit (5) 330 | -------------------------------------------------------------------------------- /src/Makefile.am: -------------------------------------------------------------------------------- 1 | # Makefile.am for sniffit 2 | # Copyright 2016-2020 Joao Eriberto Mota Filho 3 | # Under BSD-3-CLause license. 4 | 5 | sbin_PROGRAMS = sniffit 6 | sniffit_SOURCES = sn_packets.c sn_generation.c sn_interface.c sn_cfgfile.c sn_logfile.c sn_resolv.c sniffit.c 7 | -------------------------------------------------------------------------------- /src/dns_plugin.plug: -------------------------------------------------------------------------------- 1 | /* Sniffit Plugin example */ 2 | /* - by: Brecht Claerhout */ 3 | /* */ 4 | /* This Plugin scans for DNS packets and decodes them. */ 5 | /* It is used to demonstrate how you can easily add your own features */ 6 | /* without having to worry about the packet intercepting and filtering. */ 7 | /* Plus the fact that all other features of Sniffit remain functional, */ 8 | /* and that multiple plugins are combinable. 
*/ 9 | 10 | struct PL_DNS_header 11 | { 12 | unsigned short id, flags; 13 | unsigned short nr_quest, nr_answ_RR, nr_auth_RR, nr_add_RR; 14 | }; 15 | int PL_pos_max; 16 | 17 | #define PL_DNS_QR 0x8000 18 | #define PL_DNS_OPCODE 0x7800 19 | #define PL_DNS_AA 0x0400 20 | #define PL_DNS_TC 0x0200 21 | #define PL_DNS_RD 0x0100 22 | #define PL_DNS_RA 0x0080 23 | #define PL_DNS_RCODE 0x000F 24 | 25 | void PL_DNS_error(void) 26 | { 27 | printf("\n\nSorry... could not decode the DNS packet!\n\n"); 28 | } 29 | 30 | int PL_DNS_decode(char *buf, int start_pos,char *string, int start_string) 31 | { 32 | int count, pos, i, j; 33 | unsigned short offset; 34 | 35 | j=start_string; 36 | pos=start_pos; 37 | 38 | if(pos > PL_pos_max) return -1; 39 | if( (count=(buf[pos]&63))!=buf[pos] ) 40 | { 41 | offset= ((short)(buf[pos]&63)*256) + ((short)(buf[pos+1])&0xFF); 42 | if(offset > PL_pos_max+12) return -1; 43 | if(PL_DNS_decode(buf,offset-12,string,j)<0) return -1; 44 | pos++; 45 | goto end_field; 46 | } 47 | while(count!=0) 48 | { 49 | for(i=0;i PL_pos_max) return -1; 52 | if(string==NULL) 53 | {printf("%c",buf[pos]);} 54 | else 55 | {string[j]=buf[pos];string[j+1]=0;j++;} 56 | } 57 | printf("."); 58 | pos++; 59 | if( (count=(buf[pos]&63))!=buf[pos] ) 60 | { 61 | offset= ((short)(buf[pos]&63)*256) + ((short)(buf[pos+1])&0xFF); 62 | if(PL_DNS_decode(buf,offset-12,string,j)<0) return -1; 63 | pos++; 64 | goto end_field; 65 | } 66 | } 67 | end_field: pos++; 68 | return pos; 69 | } 70 | 71 | void PL_DNS_plugin (struct Plugin_data *PLD) 72 | { 73 | struct IP_header *dns_iphead; 74 | struct UDP_header *dns_udphead; 75 | struct PL_DNS_header *dns_dnshead; 76 | int i, j, dec_pos, answers, count, udp_start, len; 77 | long pos; 78 | unsigned char *so,*dest, *dns_p, *dns_buffer; 79 | unsigned short fl, *r_dlen; 80 | unsigned short *type, *class; 81 | 82 | dns_buffer=PLD->PL_packet; 83 | udp_start = PLD->PL_info.IP_len; 84 | len=PLD->PL_info.IP_len + PLD->PL_info.UDP_len + PLD->PL_info.DATA_len; 
85 | dns_iphead= (struct IP_header *) dns_buffer; 86 | dns_udphead= (struct UDP_header *) (dns_buffer+udp_start); 87 | dns_dnshead= (struct PL_DNS_header *) (dns_buffer+udp_start+sizeof(struct UDP_header)); 88 | 89 | PL_pos_max = PLD->PL_info.DATA_len - 12; 90 | 91 | so=(unsigned char *)&(dns_iphead->source); 92 | dest=(unsigned char *)&(dns_iphead->destination); 93 | if((ntohs(dns_udphead->source)!=53)&&(ntohs(dns_udphead->destination)!=53)) 94 | return; 95 | printf("DNS Sniffit Plugin Report:\n"); 96 | printf("Packet: %u.%u.%u.%u %u -> %u.%u.%u.%u %u\n", 97 | so[0],so[1],so[2],so[3],ntohs(dns_udphead->source), 98 | dest[0],dest[1],dest[2],dest[3],ntohs(dns_udphead->destination)); 99 | 100 | printf("ID: %d \n",ntohs(dns_dnshead->id)); 101 | fl=ntohs(dns_dnshead->flags); 102 | 103 | printf(" STATUS: %s ",(fl & PL_DNS_QR)? "Answer": "Query"); 104 | printf("(opcode: %X) , ",(fl & PL_DNS_OPCODE)>>11); 105 | printf("%s , ",(fl & PL_DNS_AA)? "Auth. A.": ""); 106 | printf("%s , ",(fl & PL_DNS_TC)? "TRUNC": ""); 107 | printf("%s , ",(fl & PL_DNS_RD)? "Rec. Desired": ""); 108 | printf("%s , ",(fl & PL_DNS_RA)? "rec. Avail.": "rec. 
NOT Av."); 109 | printf("ret: %d\n",(fl & PL_DNS_RCODE)); 110 | 111 | printf(" Q: %d Answ: %d Auth: %d Add: %d", 112 | ntohs(dns_dnshead->nr_quest), 113 | ntohs(dns_dnshead->nr_answ_RR), 114 | ntohs(dns_dnshead->nr_auth_RR), 115 | ntohs(dns_dnshead->nr_add_RR)); 116 | 117 | dns_p=(dns_buffer+udp_start+sizeof(struct UDP_header)+12); 118 | dec_pos=0; 119 | for(i=0;inr_quest);i++) 120 | { 121 | printf("\n Query: "); 122 | dec_pos=PL_DNS_decode(dns_p,dec_pos,NULL,0); 123 | if(dec_pos<0) {PL_DNS_error(); return;} 124 | type=(unsigned short *) &(dns_p[dec_pos]); 125 | class=(unsigned short *) &(dns_p[dec_pos+2]); 126 | printf("\n Type: %d Class: %s",ntohs(*type),(ntohs(*class))?"IP":"Unknown"); 127 | dec_pos+=4; 128 | } 129 | 130 | if(fl & PL_DNS_TC) 131 | { 132 | printf("Truncated packet, not displayed...\n"); 133 | return; 134 | } 135 | 136 | /* dec_pos at beginning first answer field */ 137 | answers=ntohs(dns_dnshead->nr_answ_RR)+ntohs(dns_dnshead->nr_auth_RR)+ 138 | ntohs(dns_dnshead->nr_add_RR); 139 | for(i=0;iPL_info.IP_len); 15 | 16 | if(PLD->PL_info.TCP_len!=0) 17 | { 18 | printf(" TCP header: %d bytes / %d Databytes\n",PLD->PL_info.TCP_len, 19 | PLD->PL_info.DATA_len); 20 | } 21 | if(PLD->PL_info.UDP_len!=0) 22 | { 23 | printf(" UDP header: %d bytes / %d Databytes\n",PLD->PL_info.UDP_len, 24 | PLD->PL_info.DATA_len); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/sn_analyse.c: -------------------------------------------------------------------------------- 1 | /* Analyse traffic for logging mode */ 2 | /* - by: Brecht Claerhout */ 3 | 4 | const unsigned char *data; 5 | memcpy(&tcphead,header,sizeof(struct TCP_header)); 6 | 7 | dummy_pointer=search_dynam(filename, TCP); 8 | if(dummy_pointer!=NULL) status=1; 9 | if(status==0) /* make a new entry unless it's reset */ 10 | { 11 | if(finish!=TCP_FINISH) 12 | if((dummy_pointer=add_dynam(filename, TCP, 0,ntohl(tcphead.seq_nr),info.DATA_len))==NULL) 13 | return; 
14 | }; 15 | 16 | if(finish==TCP_FINISH) /* let's reset the connection */ 17 | {delete_dynam(filename, TCP, 0);} 18 | 19 | /*** return before using any search or pointer!!!!!!!! ***/ 20 | /* Connections with FIN have deleted entries! */ 21 | 22 | dummy=ntohs(tcphead.offset_flag); 23 | 24 | if(LOGPARAM & LOGPARAM_RAW) /* Raw logging */ 25 | { 26 | if(dummy&SYN) print_conn(filename,"Connection initiated. (SYN)"); 27 | if(dummy&FIN) print_conn(filename,"Connection ending. (FIN)"); 28 | if(dummy&RST) print_conn(filename,"Connection reset. (RST)"); 29 | return; 30 | }; 31 | 32 | data = sp+PROTO_HEAD+info.IP_len+info.TCP_len; 33 | if(LOGPARAM & LOGPARAM_NORM) /* NORM logging */ 34 | { 35 | if(search_dynam(filename2, TCP)==NULL) 36 | { 37 | if(dummy&SYN) print_conn(filename,"Connection initiated."); 38 | if(dummy&FIN) print_conn(filename2,"Connection closed."); 39 | if(dummy&RST) print_conn(filename2,"Connection closed."); 40 | }; 41 | }; 42 | 43 | if((dummy&FIN)||(dummy&RST)) return; /* needed, cauz entry don't exist */ 44 | 45 | /*** TELNET *****************************************************************/ 46 | if(LOGPARAM & LOGPARAM_TELNET) 47 | { 48 | dummy_pointer=search_dynam(filename, TCP); 49 | /* don't forget to check dummy_pointer!!! 
*/ 50 | 51 | if( (ntohs(tcphead.source) == 23)&&(dummy_pointer!=NULL))/* from telnet */ 52 | { 53 | sbuf_update(dummy_pointer,ntohl(tcphead.seq_nr),data,info.DATA_len); 54 | /* detect login */ 55 | strlower(dummy_pointer->scroll_buf); 56 | 57 | if((dummy_pointer->log!=LOG_NO_DETECT)&& 58 | (strstr(dummy_pointer->scroll_buf,"login")!=NULL)) 59 | { 60 | dummy_pointer->log=LOG_NO_DETECT; 61 | dummy_pointer=search_dynam(filename2, TCP); 62 | if(dummy_pointer!=NULL) 63 | { 64 | dummy_pointer->log=LOG_LOGIN; 65 | dummy_pointer->bytes=0; 66 | dummy_pointer->buffer=malloc(LOG_PASS_BUF); 67 | if(dummy_pointer->buffer==NULL) exit(1); 68 | dummy_pointer->buffer[0]=0; 69 | } 70 | else 71 | {print_conn(filename2,"Password missed due to overload.");};\ 72 | 73 | #ifdef DEBUG_ONSCREEN 74 | printf("Login detected, data initialised.\n"); 75 | #endif 76 | } 77 | } 78 | 79 | if( (ntohs(tcphead.destination) == 23)&&(dummy_pointer!=NULL))/* TO telnet */ 80 | { 81 | if(dummy_pointer->log==LOG_LOGIN) /* log login */ 82 | { 83 | record_buf(dummy_pointer,ntohl(tcphead.seq_nr),data,info.DATA_len,0); 84 | if(dummy_pointer->log==LOG_LOGIN_RECORDED) /* login recorded */ 85 | { 86 | print_login(filename,dummy_pointer->buffer); 87 | dummy_pointer->log=LOG_PWD; dummy_pointer->bytes=0; 88 | dummy_pointer->buffer[0]=0; 89 | } 90 | } 91 | else 92 | { 93 | if(dummy_pointer->log==LOG_PWD) /* log pwd */ 94 | { 95 | record_buf(dummy_pointer,ntohl(tcphead.seq_nr),data,info.DATA_len,0); 96 | if(dummy_pointer->log==LOG_PWD_RECORDED) /* passwd recorded */ 97 | { 98 | print_pwd(filename,dummy_pointer->buffer); 99 | dummy_pointer->log=LOG_NO_LOG; dummy_pointer->bytes=0; 100 | dummy_pointer->buffer[0]=0; 101 | } 102 | } 103 | } 104 | } 105 | } 106 | /*** END TELNET - LOGIN ***************************************************/ 107 | 108 | /*** FTP *******************************************************************/ 109 | if(LOGPARAM & LOGPARAM_FTP) /* loglevel 12 */ 110 | { 111 | 
dummy_pointer=search_dynam(filename, TCP); 112 | /* don't forget to check dummy_pointer!!! */ 113 | 114 | if( (ntohs(tcphead.destination) == 21) && 115 | (dummy_pointer!=NULL))/* to FTP */ 116 | { 117 | sbuf_update(dummy_pointer,ntohl(tcphead.seq_nr),data,info.DATA_len); 118 | /* detect USER en PASS */ 119 | if((help=strstr(dummy_pointer->scroll_buf,"USER"))!=NULL) 120 | { 121 | help+=strlen("USER "); 122 | for(i=0;iscroll_buf[i]==FTP_ENTER) 124 | dummy_pointer->scroll_buf[i]=0; 125 | print_ftp_user(filename,help); 126 | for(i=0;iscroll_buf[i]=' '; 127 | } 128 | 129 | if((help=strstr(dummy_pointer->scroll_buf,"PASS"))!=NULL) 130 | { 131 | help+=strlen("PASS "); 132 | for(i=0;iscroll_buf[i]==FTP_ENTER) 134 | dummy_pointer->scroll_buf[i]=0; 135 | print_ftp_pass(filename,help); 136 | for(i=0;iscroll_buf[i]=' '; 137 | } 138 | } 139 | } 140 | /*** END FTP ***************************************************************/ 141 | 142 | /*** MAIL ******************************************************************/ 143 | if(LOGPARAM & LOGPARAM_MAIL) /* loglevel 12 */ 144 | { 145 | /* dummy_pointer=search_dynam(filename, TCP); */ 146 | /* don't forget to check dummy_pointer!!! */ 147 | 148 | if( (ntohs(tcphead.destination) == 25) ) /* to MAIL */ 149 | { 150 | if(info.DATA_len!=0) 151 | { 152 | char workbuf1[MTU]; 153 | char *wb_dummy; 154 | char *p; 155 | size_t len = info.DATA_len <= MTU-1 ? 
info.DATA_len : MTU-1; 156 | 157 | strncpy(workbuf1,data,len); 158 | workbuf1[len]=0; 159 | strlower(workbuf1); 160 | 161 | if((p=strstr(workbuf1,"mail from"))!=NULL) 162 | { 163 | char workbuf2[MTU]; 164 | 165 | strcpy(workbuf2, p); 166 | if(strchr(workbuf2,13)!=NULL) /* remove trailing enter */ 167 | {wb_dummy=strchr(workbuf2,13); *wb_dummy=0;} 168 | if(strchr(workbuf2,10)!=NULL) 169 | {wb_dummy=strchr(workbuf2,10); *wb_dummy=0;} 170 | print_mail(filename,workbuf2); 171 | } 172 | 173 | if((p=strstr(workbuf1,"rcpt to"))!=NULL) 174 | { 175 | char workbuf2[MTU]; 176 | 177 | strcpy(workbuf2, p); 178 | if(strchr(workbuf2,13)!=NULL) /* remove trailing enter */ 179 | {wb_dummy=strchr(workbuf2,13); *wb_dummy=0;} 180 | if(strchr(workbuf2,10)!=NULL) 181 | {wb_dummy=strchr(workbuf2,10); *wb_dummy=0;} 182 | print_mail(filename,workbuf2); 183 | } 184 | } 185 | } 186 | } 187 | /*** END MAIL **************************************************************/ 188 | 189 | 190 | if( (dummy_pointer=search_dynam(filename, TCP)) !=NULL) 191 | { 192 | if(ntohl(tcphead.seq_nr)==dummy_pointer->exp_seq) 193 | dummy_pointer->exp_seq+=info.DATA_len; 194 | /* if we miss a packet... no probs seq nr's get updated */ 195 | /* cauz' we can't rely on ACK's from other side */ 196 | /* it's pretty good this way */ 197 | if(ntohl(tcphead.seq_nr)>dummy_pointer->exp_seq) 198 | dummy_pointer->exp_seq=ntohl(tcphead.seq_nr)+info.DATA_len; 199 | } 200 | return; 201 | return; /* DON'T FORGET THEM!!!! 
*/ 202 | -------------------------------------------------------------------------------- /src/sn_cfgfile.c: -------------------------------------------------------------------------------- 1 | /* Sniffit Cfgfile source file */ 2 | /* - by : Brecht Claerhout */ 3 | /* - improvements: Shudoh Kazuyuki */ 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include /* for getservbyname() */ 10 | 11 | #include "sn_config.h" 12 | #include "sn_defines.h" 13 | #include "sn_structs.h" 14 | #include "sn_cfgfile.h" 15 | #include "sn_resolv.h" 16 | 17 | #include "sniffit.h" 18 | /* #include "sn_generation.h" */ 19 | 20 | extern struct cfg_file_contense *select_from_list; /* pointers for cfg lists */ 21 | extern struct cfg_file_contense *select_to_list; 22 | extern struct cfg_file_contense *deselect_from_list; 23 | extern struct cfg_file_contense *deselect_to_list; 24 | 25 | extern int select_from_length; /* length of cfg lists */ 26 | extern int select_to_length; 27 | extern int deselect_from_length; 28 | extern int deselect_to_length; 29 | extern int Priority; /* The higher the priority, the more important */ 30 | extern char dot_notation[20]; /* for easy working, Q&D */ 31 | extern char Logfile[250]; 32 | 33 | static void clear_list_buffer (struct cfg_file_contense *help) 34 | { 35 | help->host[0]=0; 36 | help->priority=0; 37 | help->port=0; 38 | help->wildcard=0; 39 | } 40 | 41 | static struct cfg_file_contense *adjust_select_from_list (void) 42 | { 43 | Priority++; 44 | select_from_length++; 45 | 46 | if(select_from_list==NULL) 47 | { 48 | select_from_list=(struct cfg_file_contense *)malloc(sizeof(struct cfg_file_contense)); 49 | } 50 | else { 51 | select_from_list=(struct cfg_file_contense *)realloc(select_from_list, 52 | select_from_length*sizeof(struct cfg_file_contense)); 53 | } 54 | if(select_from_list==NULL) 55 | {printf("Sniffit heartattack... 
out of memory!\n"); exit(1);} 56 | clear_list_buffer(&(select_from_list[select_from_length-1])); 57 | return &(select_from_list[select_from_length-1]); 58 | } 59 | 60 | static struct cfg_file_contense *adjust_select_to_list (void) 61 | { 62 | Priority++; 63 | select_to_length++; 64 | 65 | if(select_to_list==NULL) 66 | { 67 | select_to_list=(struct cfg_file_contense *)malloc(sizeof(struct cfg_file_contense)); 68 | } 69 | else 70 | { 71 | select_to_list=(struct cfg_file_contense *)realloc(select_to_list, 72 | select_to_length*sizeof(struct cfg_file_contense)); 73 | }; 74 | if(select_to_list==NULL) 75 | {printf("Sniffit heartattack... out of memory!\n"); exit(1);} 76 | clear_list_buffer(&(select_to_list[select_to_length-1])); 77 | return &(select_to_list[select_to_length-1]); 78 | } 79 | 80 | static struct cfg_file_contense *adjust_deselect_from_list (void) 81 | { 82 | Priority++; 83 | deselect_from_length++; 84 | if(deselect_from_list==NULL) 85 | { 86 | deselect_from_list=(struct cfg_file_contense *)malloc(sizeof(struct cfg_file_contense)); 87 | } 88 | else 89 | { 90 | deselect_from_list=(struct cfg_file_contense *)realloc(deselect_from_list, 91 | deselect_from_length*sizeof(struct cfg_file_contense)); 92 | } 93 | if(deselect_from_list==NULL) 94 | {printf("Sniffit heartattack... out of memory!\n"); exit(1);} 95 | clear_list_buffer(&(deselect_from_list[deselect_from_length-1])); 96 | return (&(deselect_from_list[deselect_from_length-1])); 97 | } 98 | 99 | static struct cfg_file_contense *adjust_deselect_to_list (void) 100 | { 101 | Priority++; 102 | deselect_to_length++; 103 | 104 | if(deselect_to_list==NULL) 105 | { 106 | deselect_to_list=(struct cfg_file_contense *)malloc(sizeof(struct cfg_file_contense)); 107 | } 108 | else 109 | { 110 | deselect_to_list=(struct cfg_file_contense *)realloc(deselect_to_list, 111 | deselect_to_length*sizeof(struct cfg_file_contense)); 112 | } 113 | if(deselect_to_list==NULL) 114 | {printf("Sniffit heartattack... 
out of memory!\n"); exit(1);} 115 | clear_list_buffer(&(deselect_to_list[deselect_to_length-1])); 116 | return &(deselect_to_list[deselect_to_length-1]); 117 | } 118 | 119 | static char *clean_string (char *string) 120 | { 121 | char help[20]; 122 | int i, j; 123 | 124 | if(strlen(string) >= 20){ 125 | fprintf(stderr, "Error: String too long [%s]\n", string); 126 | exit(-1); 127 | } 128 | 129 | j=0; 130 | for(i=0;i= 20){ 149 | fprintf(stderr, "Error: String too long [%s]\n", string); 150 | exit(-1); 151 | } 152 | 153 | j=0; 154 | for(i=0;is_port);} 197 | else 198 | {ret = atoi(buf);} 199 | 200 | free(buf); 201 | 202 | if (ret <= 0) 203 | { 204 | printf("Invalid port no or service name in config file: %s\n", servname); 205 | exit(1); 206 | } 207 | 208 | return ret; 209 | } 210 | 211 | static void interprete_line (char *line) 212 | { 213 | struct cfg_file_contense *help, *helpp; 214 | char *field; 215 | size_t i; 216 | 217 | field=strtok(line," "); 218 | if(field!=NULL) 219 | { 220 | /* comment line */ 221 | if(*field == '#') return; 222 | if(*field == ';') return; 223 | 224 | strlower(field); 225 | if(strcmp(strlower(field),"logfile")==0) 226 | { 227 | field=clean_filename(strtok(NULL," ")); 228 | if(field != NULL) strcpy(Logfile,field); 229 | } 230 | else if(strcmp(strlower(field),"select")==0) 231 | { 232 | field=strtok(NULL," "); 233 | if(strcmp(strlower(field),"from")==0) 234 | { 235 | field=strtok(NULL," "); 236 | if(strcmp(strlower(field),"host")==0) /* select from host */ 237 | { 238 | help=adjust_select_from_list(); 239 | make_nr_dot(strtok(NULL," ")); 240 | strcpy(help->host,dot_notation); 241 | if( (field=strtok(NULL," "))!=NULL) 242 | help->port=make_portno(field); 243 | help->priority=Priority; 244 | return; 245 | } 246 | if(strcmp(strlower(field),"port")==0) /* select from port */ 247 | { 248 | help=adjust_select_from_list(); 249 | help->port=make_portno( strtok(NULL," ") ); 250 | help->priority=Priority; 251 | return; 252 | } 253 | 
if(strcmp(strlower(field),"mhosts")==0) /* select from mhosts */ 254 | { 255 | help=adjust_select_from_list(); 256 | strcpy(help->host, clean_string(strtok(NULL," "))); 257 | if( (field=strtok(NULL," "))!=NULL) 258 | help->port=make_portno(field); 259 | help->priority=Priority; 260 | help->wildcard=1; 261 | return; 262 | } 263 | } 264 | if(strcmp(strlower(field),"to")==0) 265 | { 266 | field=strtok(NULL," "); 267 | if(strcmp(strlower(field),"host")==0) /* select to host */ 268 | { 269 | help=adjust_select_to_list(); 270 | make_nr_dot(strtok(NULL," ")); 271 | strcpy(help->host,dot_notation); 272 | if( (field=strtok(NULL," "))!=NULL) 273 | help->port=make_portno(field); 274 | help->priority=Priority; 275 | return; 276 | } 277 | if(strcmp(strlower(field),"port")==0) /* select to port */ 278 | { 279 | help=adjust_select_to_list(); 280 | help->port=make_portno( strtok(NULL," ") ); 281 | help->priority=Priority; 282 | return; 283 | } 284 | if(strcmp(strlower(field),"mhosts")==0) /* select to mhosts */ 285 | { 286 | help=adjust_select_to_list(); 287 | strcpy(help->host, clean_string(strtok(NULL," "))); 288 | if( (field=strtok(NULL," "))!=NULL) 289 | help->port=make_portno(field); 290 | help->priority=Priority; 291 | help->wildcard=1; 292 | return; 293 | } 294 | } 295 | if(strcmp(strlower(field),"both")==0) 296 | { 297 | field=strtok(NULL," "); 298 | if(strcmp(strlower(field),"host")==0) /* select both host */ 299 | { 300 | help=adjust_select_from_list(); 301 | helpp=adjust_select_to_list(); 302 | make_nr_dot(strtok(NULL," ")); 303 | strcpy(help->host,dot_notation); 304 | strcpy(helpp->host,dot_notation); 305 | if( (field=strtok(NULL," "))!=NULL) 306 | {help->port=make_portno(field); helpp->port=make_portno(field);} 307 | help->priority=Priority; 308 | helpp->priority=Priority; 309 | return; 310 | } 311 | if(strcmp(strlower(field),"port")==0) /* select both port */ 312 | { 313 | help=adjust_select_from_list(); 314 | helpp=adjust_select_to_list(); 315 | field=strtok(NULL," 
"); 316 | help->port=make_portno(field); 317 | helpp->port=make_portno(field); 318 | help->priority=Priority; 319 | helpp->priority=Priority; 320 | return; 321 | } 322 | if(strcmp(strlower(field),"mhosts")==0) /* select both mhosts */ 323 | { 324 | help=adjust_select_from_list(); 325 | helpp=adjust_select_to_list(); 326 | field=clean_string(strtok(NULL," ")); 327 | strcpy(help->host, field); 328 | strcpy(helpp->host, field); 329 | if( (field=strtok(NULL," "))!=NULL) 330 | {help->port=make_portno(field); helpp->port=make_portno(field);} 331 | help->priority=Priority; 332 | helpp->priority=Priority; 333 | help->wildcard=1; 334 | helpp->wildcard=1; 335 | return; 336 | } 337 | } 338 | } 339 | if(strcmp(strlower(field),"deselect")==0) 340 | { 341 | field=strtok(NULL," "); 342 | if(strcmp(strlower(field),"from")==0) 343 | { 344 | field=strtok(NULL," "); 345 | if(strcmp(strlower(field),"host")==0) /* select from host */ 346 | { 347 | help=adjust_deselect_from_list(); 348 | make_nr_dot(strtok(NULL," ")); 349 | strcpy(help->host,dot_notation); 350 | if( (field=strtok(NULL," "))!=NULL) 351 | help->port=make_portno(field); 352 | help->priority=Priority; 353 | return; 354 | } 355 | if(strcmp(strlower(field),"port")==0) /* select from port */ 356 | { 357 | help=adjust_deselect_from_list(); 358 | help->port=make_portno(strtok(NULL," ")); 359 | help->priority=Priority; 360 | return; 361 | } 362 | if(strcmp(strlower(field),"mhosts")==0) /* select from mhosts */ 363 | { 364 | help=adjust_deselect_from_list(); 365 | strcpy(help->host, clean_string(strtok(NULL," "))); 366 | if( (field=strtok(NULL," "))!=NULL) 367 | help->port=make_portno(field); 368 | help->priority=Priority; 369 | help->wildcard=1; 370 | return; 371 | } 372 | } 373 | if(strcmp(strlower(field),"to")==0) 374 | { 375 | field=strtok(NULL," "); 376 | if(strcmp(strlower(field),"host")==0) /* deselect to host */ 377 | { 378 | help=adjust_deselect_to_list(); 379 | make_nr_dot(strtok(NULL," ")); 380 | 
strcpy(help->host,dot_notation); 381 | if( (field=strtok(NULL," "))!=NULL) 382 | help->port=make_portno(field); 383 | help->priority=Priority; 384 | return; 385 | } 386 | if(strcmp(strlower(field),"port")==0) /* deselect to port */ 387 | { 388 | help=adjust_deselect_to_list(); 389 | help->port=make_portno(strtok(NULL," ")); 390 | help->priority=Priority; 391 | return; 392 | } 393 | if(strcmp(strlower(field),"mhosts")==0) /* deselect to mhosts */ 394 | { 395 | help=adjust_deselect_to_list(); 396 | strcpy(help->host, clean_string(strtok(NULL," "))); 397 | if( (field=strtok(NULL," "))!=NULL) 398 | help->port=make_portno(field); 399 | help->priority=Priority; 400 | help->wildcard=1; 401 | return; 402 | } 403 | } 404 | if(strcmp(strlower(field),"both")==0) 405 | { 406 | field=strtok(NULL," "); 407 | if(strcmp(strlower(field),"host")==0) /* deselect both host */ 408 | { 409 | help=adjust_deselect_from_list(); 410 | helpp=adjust_deselect_to_list(); 411 | make_nr_dot(strtok(NULL," ")); 412 | strcpy(help->host,dot_notation); 413 | strcpy(helpp->host,dot_notation); 414 | if( (field=strtok(NULL," "))!=NULL) 415 | {helpp->port = help->port = make_portno(field);} 416 | help->priority=Priority; 417 | helpp->priority=Priority; 418 | return; 419 | } 420 | if(strcmp(strlower(field),"port")==0) /* deselect both port */ 421 | { 422 | help=adjust_deselect_from_list(); 423 | helpp=adjust_deselect_to_list(); 424 | field=strtok(NULL," "); 425 | helpp->port = help->port = make_portno(field); 426 | help->priority=Priority; 427 | helpp->priority=Priority; 428 | return; 429 | } 430 | if(strcmp(strlower(field),"mhosts")==0) /* deselect both mhosts */ 431 | { 432 | help=adjust_deselect_from_list(); 433 | helpp=adjust_deselect_to_list(); 434 | field=clean_string(strtok(NULL," ")); 435 | strcpy(help->host, field); 436 | strcpy(helpp->host, field); 437 | if( (field=strtok(NULL," "))!=NULL) 438 | {help->port=make_portno(field); helpp->port=make_portno(field);} 439 | help->priority=Priority; 440 | 
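helpp->priority=Priority;
help->wildcard=1;
helpp->wildcard=1;
return;
}
}
}
}
}

/*
 * Load the packet selection rules from the configuration file `file`.
 *
 * Resets the four rule-list heads (select_from_list, select_to_list,
 * deselect_from_list, deselect_to_list) and the running Priority counter,
 * then feeds the file to interprete_line() one line at a time.  All of that
 * state is file-scope global, so a second call discards the earlier rule set
 * without releasing it -- unchanged from the original.
 *
 * file: path of the configuration file; NULL is treated like an unreadable
 *       file (fopen(NULL) would be undefined behaviour).
 *
 * Exits the process with status 1 when the file cannot be opened: the rule
 * set is mandatory and there is no caller-side recovery.
 *
 * A line longer than sizeof lineptr - 1 bytes is split by fgets() and its
 * remainder is handed to interprete_line() as if it were a new line -- also
 * unchanged.  NOTE(review): interprete_line() copies tokens of the line into
 * fixed-size fields with strcpy (see the select/deselect handlers above);
 * confirm the cfg_file_contense host field can hold a token of that length.
 */
void read_cfg_file (char *file)
{
    FILE *cfgfile;
    char lineptr[260];

    select_from_list=NULL; select_to_list=NULL;
    deselect_from_list=NULL; deselect_to_list=NULL;
    Priority=0;

    if(file==NULL || (cfgfile = fopen(file,"r"))==NULL)
        {fprintf(stderr,"Couldn't find config file... giving up.\n"); exit(1);}

    /* Drive the loop from the fgets() result instead of feof().  The old
     * feof() loop never checked fgets(): a read error (ferror set, feof still
     * clear) made it spin forever on a stale buffer, and a final line without
     * a trailing newline was silently dropped because feof() was already set
     * when it was tested. */
    while(fgets(lineptr,sizeof lineptr,cfgfile)!=NULL)
        interprete_line(lineptr);

    fclose(cfgfile);
}
-------------------------------------------------------------------------------- /src/sn_cfgfile.h: --------------------------------------------------------------------------------
/* Sniffit Config File include */

extern void read_cfg_file (char *);
-------------------------------------------------------------------------------- /src/sn_config.h: --------------------------------------------------------------------------------
/* Sniffit Config File */
/* - By: Brecht Claerhout */

/* Because of the use of GNU autoconfig, this file manages pretty much */
/* itself, you could however still add your personal touch in some parts */

/* NOTE(review): the header name of this #include was lost in the page dump */
#include

#define INCLUDE_INTERFACE /* By default */

#ifndef HAVE_SHMGET /* No Shared memory */
#undef INCLUDE_INTERFACE
#endif
#ifndef HAVE_LIBNCURSES /* ncurses not found */
#undef INCLUDE_INTERFACE
#endif
#ifndef HAVE_NCURSES_H /* ncurses not found */
#undef INCLUDE_INTERFACE
#endif
#ifdef IRIX /* No interface on IRIX */
#undef INCLUDE_INTERFACE
#endif

/* Not supported yet */
#ifdef BSDI
#undef INCLUDE_INTERFACE
#endif

#ifdef HAVE_ATEXIT
#define exit_func(x) atexit(x)
#else
#define exit_func(x)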
on_exit (x,0)
#endif

/***************************************************************************/
/* If you want to allow the program to be used 'set user id'              */
/* NOTE(review): leaving this undefined is the safe default; the program   */
/* opens raw sockets and pcap handles and has no reason to run set-uid.    */

/* #define ALLOW_SUID */
#undef ALLOW_SUID

/***************************************************************************/
/* Following parameters describe the connections that can be handled at   */
/* once, MAXCOUNT stands for connections handled in normal mode. As        */
/* memory in normal mode is now handled dynamically, you can pump this     */
/* number up without having too much trouble (Watch it, the machine        */
/* could be slowed down a lot, and packets could get missed)               */
/* CONNECTION_CAPACITY is the same, except in interactive mode, this is    */
/* more dangerous to change, if your machine goes too slow (when sniffing  */
/* in interactive mode), lower this number.                                */

#define MAXCOUNT 500
#ifdef INCLUDE_INTERFACE
#define CONNECTION_CAPACITY 100
#endif

/* This is the interval time for the netstatistics */

#define INFO_TIMER 3 /* In seconds */

/***************************************************************************/
/* Enable/Disable Packet generation function (only built together with    */
/* the interactive interface)                                              */

#undef GENERATION
#ifdef INCLUDE_INTERFACE
#define GENERATION
/* #undef GENERATION */
#endif

/***************************************************************************/
/* Read about forcing the sniff device in the README.FIRST file */

#define FORCED_HEAD_LENGTH 14 /* default */

/* MTU: this could need a change on interfaces different from ethernet or on non-standard */
/* configured systems. Get the info out of 'ifconfig'. */
/* But 1500 is a standard. */
/* NOTE(review): the value below is 5000, not the 1500 the comment quotes.  */
/* sn_defines.h sets SNAPLEN to MTU, so this also sizes the capture length  */
/* and the MTU-byte scratch buffers in sn_generation.c.                     */

#define MTU 5000

/*************** Don't change anything below this line *********************/

#undef DEBUG /* Debugging (to tty) - sigh */
/* #define DEBUG */
#define DEBUG_DEVICE "/dev/ttyp6"

#undef DEBUG_ONSCREEN /* Debugging (to screen) - sigh */
/* #define DEBUG_ONSCREEN */

#ifdef DEBUG
extern void close_debug_device (void);
extern void debug_msg(char *);
#endif

-------------------------------------------------------------------------------- /src/sn_conn_desc.c: --------------------------------------------------------------------------------
/* Connection description detection file */
/* - by: Brecht Claerhout */

/*
 * NOTE(review): this file is a code fragment, not a translation unit.  It
 * uses tcphead, info, sp, desc_string, i, j and DESC_LEN without declaring
 * them, so it is evidently #included inside a function that provides them;
 * check the including site before renaming any of those.
 *
 * Detection is purely port based: a matching source or destination port
 * writes a label into desc_string.  The sections run one after another and
 * each one overwrites desc_string, so when several match the last one wins.
 * For FTP and HTTP the first printable payload bytes are appended after the
 * label; the copy stops at (*DESC_LEN)-1 and always NUL-terminates.
 */

/* Simple PORT BASED detection */

/*** FTP sessions ********************************************************/
if( (ntohs(tcphead.source)==FTP_DATA_1)||(ntohs(tcphead.destination)==FTP_DATA_1) )
    {strcpy(desc_string, "FTP DATA");}

if( (ntohs(tcphead.source)==FTP_1)||(ntohs(tcphead.destination)==FTP_1) )
{
    if(info->DATA_len==0)
        strcpy(desc_string, "FTP");
    if(info->DATA_len>5)
    {
        /* data is unsigned char, so the <ctype.h> calls below get a valid
         * argument range.  NOTE(review): the loop bound (garbled in this
         * page dump as "iDATA_len", presumably info->DATA_len) must be
         * clipped to the captured length rather than taken from the IP
         * header's length field, otherwise data[i] can read past the
         * capture buffer -- confirm where DATA_len is computed. */
        const unsigned char *data= sp+PROTO_HEAD+info->IP_len+info->TCP_len;

        strcpy(desc_string,"FTP: ");
        j=5; /* 5 = strlen("FTP: ") */
        for(i=0;iDATA_len;i++)
        {
            /* printable bytes are copied, other whitespace becomes a
             * single space, everything else is dropped */
            if( (isalnum(data[i]) || ispunct(data[i]) || data[i]==' ')&&(j<(*DESC_LEN)-1) )
                {desc_string[j]=data[i]; desc_string[j+1]=0; j++; }
            else
                {if( (isspace(data[i]) && data[i]!=' ')&&(j<(*DESC_LEN)-1) )
                    {desc_string[j]=' '; desc_string[j+1]=0; j++; }
                }
        }
    }
}

/*** TELNET sessions *****************************************************/
if( (ntohs(tcphead.source)==TELNET_1)||(ntohs(tcphead.destination)==TELNET_1) )
    {strcpy(desc_string, "TELNET");}

/*** SSH sessions ********************************************************/
if( (ntohs(tcphead.source)==SSH_1)||(ntohs(tcphead.destination)==SSH_1) )
    {strcpy(desc_string, "Secure Shell");}

/*** MAIL sessions *****************************************************/
if( (ntohs(tcphead.source)==MAIL_1)||(ntohs(tcphead.destination)==MAIL_1) )
    {strcpy(desc_string, "MAIL");}

/*** IDENT **************************************************************/
if( (ntohs(tcphead.source)==IDENT_1)||(ntohs(tcphead.destination)==IDENT_1) )
    {strcpy(desc_string, "IDENT");}

/*** IRC ***************************************************************/
if( (ntohs(tcphead.source)==IRC_1)||(ntohs(tcphead.destination)==IRC_1) )
    {strcpy(desc_string, "IRC");}

/*** X11 sessions *******************************************************/
if( (ntohs(tcphead.source)==X11_1)||(ntohs(tcphead.destination)==X11_1) )
    {strcpy(desc_string, "X-Windows");}

/*** HTTP ***************************************************************/
/* HTTP_1..HTTP_4 are all defined as 80 in sn_defines.h, so the four
 * comparisons currently test the same port. */
if( (ntohs(tcphead.source)==HTTP_1)||(ntohs(tcphead.source)==HTTP_2)||
    (ntohs(tcphead.source)==HTTP_3)||(ntohs(tcphead.source)==HTTP_4)
  )
{
    strcpy(desc_string, "HTTP");
}

if( (ntohs(tcphead.destination)==HTTP_1)||(ntohs(tcphead.destination)==HTTP_2) ||
    (ntohs(tcphead.destination)==HTTP_3)||(ntohs(tcphead.destination)==HTTP_4)
  )
{
    if(info->DATA_len==0)
        strcpy(desc_string, "HTTP");
    if(info->DATA_len>5)
    {
        /* same payload-excerpt logic as the FTP section above, including
         * the garbled loop bound -- see the note there */
        const unsigned char *data= sp+PROTO_HEAD+info->IP_len+info->TCP_len;

        strcpy(desc_string,"HTTP: ");
        j=6; /* 6 = strlen("HTTP: ") */
        for(i=0;iDATA_len;i++)
            if( (isalnum(data[i]) || ispunct(data[i]) || data[i]==' ')&&(j<(*DESC_LEN)-1) )
                {desc_string[j]=data[i]; desc_string[j+1]=0; j++; }
            else
                {if( (isspace(data[i]) && data[i]!=' ')&&(j<(*DESC_LEN)-1) )
                    {desc_string[j]=' '; desc_string[j+1]=0; j++; }
                }
    }
}


-------------------------------------------------------------------------------- /src/sn_curses.h: -------------------------------------------------------------------------------- 1 | #include 2 | -------------------------------------------------------------------------------- /src/sn_data.h: -------------------------------------------------------------------------------- 1 | /* Sniffit Data File */ 2 | 3 | /**** Network Devices *******************************************************/ 4 | 5 | 6 | /* Older configuration system of Sniffit */ 7 | /* ether: 14 */ 8 | /* ppp : 4 */ 9 | /* slip : 16 */ 10 | /* lo : 4 */ 11 | 12 | #ifdef __linux__ 13 | /* 14 | #define NETDEV_NR 3 15 | char *NETDEV[]={"lo","ppp","eth"}; 16 | int HEADSIZE []={4 ,0 ,14}; 17 | */ 18 | #define NETDEV_NR 3 19 | char *NETDEV[]={"ppp","slip","eth"}; /* echo on loopback */ 20 | int HEADSIZE []={0 ,0 ,14}; /* slip needs testing */ 21 | #endif 22 | 23 | #ifdef SUNOS 24 | #define NETDEV_NR 2 25 | char *NETDEV[]={"le","hme"}; 26 | int HEADSIZE[]={14 ,14}; /* ppp: 4 or 0 or nothing? */ 27 | #endif 28 | 29 | #ifdef IRIX 30 | #define NETDEV_NR 2 31 | char *NETDEV[]={"ppp","et"}; 32 | int HEADSIZE[]={0 ,14}; /* ppp: 4 or 0 or nothing */ 33 | #endif 34 | 35 | #ifdef FREEBSD /* ppp: 4 or 0 ? */ 36 | /* 37 | #define NETDEV_NR 2 38 | char *NETDEV[]={"ppp","ed"}; 39 | int HEADSIZE[]={4 ,14}; 40 | */ 41 | #define NETDEV_NR 1 42 | char *NETDEV[]={"ed"}; 43 | int HEADSIZE[]={14}; 44 | #endif 45 | 46 | #ifdef BSDI /* ppp: 4 or 0 ? 
*/ 47 | /* 48 | #define NETDEV_NR 2 49 | char *NETDEV[]={"ppp","ef"}; 50 | int HEADSIZE[]={4 ,14}; 51 | */ 52 | #define NETDEV_NR 1 53 | char *NETDEV[]={"ef"}; 54 | int HEADSIZE[]={14}; 55 | #endif 56 | 57 | #ifdef DEC_OSF 58 | #define NETDEV_NR 1 59 | char *NETDEV[]={"ln"}; 60 | int HEADSIZE[]={14}; 61 | #endif 62 | 63 | #ifdef __NetBSD__ 64 | #if defined(i386) || defined(__amd64__) 65 | #define NETDEV_NR 21 66 | char *NETDEV[]={"ppp","ai","de","ec","ef","eg","el","en","ep","fe","fea","fpa","fxp","ix","iy","lc","le","ne","sm","tl","we"}; 67 | int HEADSIZE[]={4 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 ,14 }; 68 | #elif defined(__sparc__) 69 | #define NETDEV_NR 3 70 | char *NETDEV[]={"ppp","le","ie"}; 71 | int HEADSIZE[]={4 ,14 ,14}; 72 | #elif defined(__m68k__) 73 | #define NETDEV_NR 6 74 | char *NETDEV[]={"ppp","bah","ed","es","le","qn"}; 75 | int HEADSIZE[]={4 ,14 ,14 ,14 ,14 ,14}; 76 | #elif defined(__mips64) && defined(__MIPSEB__) 77 | /* Assume Octeon. */ 78 | #define NETDEV_NR 1 79 | char *NETDEV[]={"cnmac"}; 80 | int HEADSIZE[]={14}; 81 | #else 82 | #error Unknown network devices for this NetBSD architecture. 83 | #endif 84 | #endif 85 | 86 | #ifdef AIX /* only for the AIX powerpack ;) */ 87 | #define NETDEV_NR 4 /* not usefull without it */ 88 | char *NETDEV[]={"en","et","tr","fi"}; 89 | int HEADSIZE[]={14 ,22 ,22 ,24}; 90 | #endif 91 | 92 | #ifdef HPUX /* only for the HPUX powerpack ;) */ 93 | #define NETDEV_NR 2 /* not usefull without it */ 94 | char *NETDEV[]={"le","sam"}; 95 | int HEADSIZE[]={14 ,14 }; 96 | #endif 97 | 98 | #ifdef __HAIKU__ 99 | #define NETDEV_NR 4 100 | char *NETDEV[]={"loop","tun","tap","/dev/net/"}; 101 | int HEADSIZE[]={0, 0, 14, 14}; 102 | #endif 103 | 104 | #ifndef NETDEV_NR 105 | #error "Missing network device data for the current OS, please fix!" 
106 | #endif 107 | /**** Global data **********************************************************/ 108 | pcap_t *dev_desc; 109 | pcap_dumper_t *dev_dump; 110 | void *start_dynam; 111 | int dynam_len; 112 | char Logfile[250]; /* name of logfile */ 113 | FILE *LogFILE; /* logfile stream */ 114 | /* char *IP; *//* was with older '-p' */ 115 | char IP[256]; 116 | unsigned long SNIFLEN; /* bytes we need to snif */ 117 | short DEST_PORT, SRC_PORT; /* destination port */ 118 | char non_printable, *logging_device; 119 | 120 | /**** Global data (packets) *************************************************/ 121 | int PROTO_HEAD; /* Base Protocol head length (ethernet, PPP ,....) */ 122 | 123 | char *IP_TYPE_precedence[8]= 124 | {"Routine", "Priority", "Immediate", "Flash", "Flash override", 125 | "Critical", "Internetwork control", "Network control"}; 126 | 127 | char *IP_PROTOCOL_number[34]= 128 | 129 | {"Reserved","ICMP","IGMP","GGP","Unassigned","ST","TCP","UCL","EGP","IGP", 130 | "BBN-MON","NVP-II","PUP","ARGUS","EMCOM","XNET","CHAOS","UDP","MUX", 131 | "DCN-MEAS","HMP","PRM","XNS-IDP","TRUNK-1","TRUNK-2","LEAF-1","LEAF-2", 132 | "RDP","IRTP","ISO-TP4","NETBLT","MFE-NSP","MERIT-INP","SEP"}; 133 | 134 | 135 | char *ICMP_type_3_code[6]= 136 | {"Net unreachable", "Host unreachable", "Protocol unreachable", 137 | "Port unreachable", "Fragmentation needed and DF set", 138 | "Source route failed"}; 139 | char *ICMP_type_5_code[4]= 140 | {"Redirect datagrams for the network", 141 | "Redirect datagrams for the host", 142 | "Redirect datagrams for the \'type of service\' and the network", 143 | "Redirect datagrams for the \'type of service\' and the host"}; 144 | char *ICMP_type_11_code[2]= 145 | {"Time-to-live exceeded in transmit", 146 | "Fragment reassembly time exceeded"}; 147 | 148 | /**** Global data (config) **************************************************/ 149 | struct cfg_file_contense *select_from_list; /* pointers for cfg lists */ 150 | struct cfg_file_contense 
*select_to_list; 151 | struct cfg_file_contense *deselect_from_list; 152 | struct cfg_file_contense *deselect_to_list; 153 | 154 | int select_from_length=0; /* length of cfg lists */ 155 | int select_to_length=0; 156 | int deselect_from_length=0; 157 | int deselect_to_length=0; 158 | int Priority=0; /* The higher the priority, the more important */ 159 | char dot_notation[20]; /* for easy working, Q&D */ 160 | 161 | /**** Global data (plugins) *************************************************/ 162 | char Plugin_Active[10]; 163 | 164 | /**** Global data (interactive) *********************************************/ 165 | #ifdef INCLUDE_INTERFACE 166 | 167 | /**** shared memory pointers ************************************************/ 168 | char *SHARED, *connection_data, *logged_connections; 169 | struct shared_conn_data *running_connections; 170 | int *LISTlength, *DATAlength, memory_id; 171 | unsigned int *TCP_nr_of_packets, *ICMP_nr_of_packets, *UDP_nr_of_packets; 172 | unsigned int *IP_nr_of_packets; 173 | unsigned long *TCP_bytes_in_packets, *UDP_bytes_in_packets; 174 | int *DESC_LEN; 175 | 176 | /**** data structures *******************************************************/ 177 | struct snif_mask *mask; 178 | struct shared_logged_conn *log_conn; 179 | FILE *log_dev_stream; 180 | struct stat log_dev_stat; 181 | 182 | volatile int LOGGING=0, screen_busy=0; 183 | char PACKET_INFO; 184 | int POINTpos=0, LISTpos=0; 185 | unsigned char COLOR_AVAIL=0; 186 | 187 | /**** screen **************************************************************/ 188 | int MASK_WINDOW_ROWS, MASK_WINDOW_COLS; 189 | int MAIN_WINDOW_ROWS, MAIN_WINDOW_COLS; 190 | int INFO_WINDOW_ROWS, INFO_WINDOW_COLS; 191 | int DATA_WINDOW_ROWS, DATA_WINDOW_COLS; 192 | int INFO_WINDOW_X, INFO_WINDOW_Y; 193 | int MASK_WINDOW_X, MASK_WINDOW_Y; 194 | int DATA_WINDOW_X, DATA_WINDOW_Y; 195 | 196 | WINDOW *menu_window; 197 | struct box_window data_box, main_box, mask_box, packets_box; 198 | int Pid=0; 199 | #endif 200 
| 201 | /* DEBUG section */ 202 | #ifdef DEBUG 203 | FILE *debug_dev; 204 | unsigned int debug_cnt=0; 205 | #endif 206 | 207 | 208 | -------------------------------------------------------------------------------- /src/sn_defines.h: -------------------------------------------------------------------------------- 1 | /* Sniffit Defines File */ 2 | 3 | #include "sn_config.h" 4 | 5 | /*** typedefs ******************/ 6 | 7 | #ifdef USE_32_LONG_INT 8 | typedef unsigned long int _32_bit; 9 | #endif 10 | #ifdef USE_32_INT 11 | typedef unsigned int _32_bit; 12 | #endif 13 | typedef unsigned short _16_bit; 14 | 15 | /*** Normal Sniffit operations */ 16 | 17 | #define VERSION "0.6" /* Program Version */ 18 | #define SNAPLEN MTU /* Ethernet Packet Length */ 19 | #define MSDELAY 1000 /* pcap timeout */ 20 | #define PACKETS 1 /* pcap dispatch */ 21 | #define CNT -1 /* pcap loop count */ 22 | #define LENGTH_OF_INTERPROC_DATA 5*SNAPLEN /* buffer capacity */ 23 | #define SCBUF 30 /* scroll buffer length */ 24 | #define LOG_PASS_BUF 20+1 /* login/pwd buffer length */ 25 | #define TELNET_ENTER 0x0d /* Enter in telnet login session */ 26 | #define FTP_ENTER 0x0d /* first char of Enter in FTP login session */ 27 | 28 | #define DEST 0 29 | #define SOURCE 1 30 | #define BOTH 2 31 | #define INTERACTIVE 99 32 | 33 | /* Packet examining defines (finish) */ 34 | /* 0-9 : TCP */ 35 | /* 10-19: ICMP */ 36 | /* 20-29: UDP */ 37 | #define DROP_PACKET -2 /* Skip Packet completely */ 38 | #define DONT_EXAMINE -1 /* Skip Packet */ 39 | #define TCP_EXAMINE 0 /* TCP - 'for us' */ 40 | #define TCP_FINISH 1 /* TCP - end connection */ 41 | #define TCP_EX_FRAG_HEAD 2 /* defined lower */ 42 | #define TCP_EX_FRAG_NF 3 43 | #define ICMP_EXAMINE 10 /* ICMP - examine */ 44 | #define UDP_EXAMINE 20 /* UDP - examine */ 45 | 46 | #define F_TCP 1 /* Flags for PROTOCOLS */ 47 | #define F_ICMP 2 48 | #define F_UDP 4 49 | #define F_IP 8 50 | 51 | /*** Logparam defines */ 52 | 53 | #define LOGPARAM_LOG_ON 1 54 | 
#define LOGPARAM_RAW 2 55 | #define LOGPARAM_NORM 4 56 | #define LOGPARAM_TELNET 8 57 | #define LOGPARAM_FTP 16 58 | #define LOGPARAM_MAIL 32 59 | 60 | /*** Interface defines */ 61 | 62 | #ifdef INCLUDE_INTERFACE 63 | #define ENTER 13 64 | 65 | #define WIN_COLOR_NORMAL 1 /* Color pairs for various functions */ 66 | #define WIN_COLOR_POINT 2 67 | #define WIN_COLOR_DATA 3 68 | #define WIN_COLOR_INPUT 4 69 | #define WIN_COLOR_MENU 5 70 | #define WIN_COLOR_PACKET_INFO 6 71 | #define WIN_COLOR_PKTCNT 7 72 | 73 | #define CONN_NAMELEN 56 /* length of string */ 74 | #define DESC_BYTES 60 /* length of description */ 75 | 76 | #define MENU " Masks: F1-Source IP F2-Dest. IP F3-Source Port F4-Dest. Port" 77 | #endif 78 | 79 | /* First undefine all Plugins, just to be sure */ 80 | 81 | #undef PLUGIN0_NAME 82 | #undef PLUGIN1_NAME 83 | #undef PLUGIN2_NAME 84 | #undef PLUGIN3_NAME 85 | #undef PLUGIN4_NAME 86 | #undef PLUGIN5_NAME 87 | #undef PLUGIN6_NAME 88 | #undef PLUGIN7_NAME 89 | #undef PLUGIN8_NAME 90 | #undef PLUGIN9_NAME 91 | 92 | 93 | #define IP_VERSION 4 94 | 95 | #define URG 32 /*TCP-flags */ 96 | #define ACK 16 97 | #define PSH 8 98 | #define RST 4 99 | #define SYN 2 100 | #define FIN 1 101 | 102 | /* unwrap packet */ 103 | #define NOT_SUPPORTED -1 104 | #define NO_IP 0 105 | #define NO_IP_4 1000 106 | #define CORRUPT_IP 1001 107 | #define TCP_FRAG_HEAD 1002 108 | #define UDP_FRAG_HEAD 1003 109 | #define ICMP_FRAG_HEAD 1004 110 | #define ICMP 1 /* Protocol Numbers */ 111 | #define TCP 6 112 | #define UDP 17 113 | 114 | #define ICMP_HEADLENGTH 4 /* fixed ICMP header length */ 115 | #define UDP_HEADLENGTH 8 /* fixed UDP header length */ 116 | 117 | #define IP_DELAY 32 118 | #define IP_THROUGHPUT 16 119 | #define IP_RELIABILITY 8 120 | 121 | #define IP_DF 2 122 | #define IP_MF 1 123 | 124 | /*** ICMP types ********************************************************/ 125 | #define ICMP_TYPE_0 "Echo reply" 126 | #define ICMP_TYPE_3 "Destination unreachable" 127 | #define 
ICMP_TYPE_4 "Source quench" 128 | #define ICMP_TYPE_5 "Redirect" 129 | #define ICMP_TYPE_8 "Echo" 130 | #define ICMP_TYPE_11 "Time exceeded" 131 | #define ICMP_TYPE_12 "Parameter problem" 132 | #define ICMP_TYPE_13 "Timestamp" 133 | #define ICMP_TYPE_14 "Timestamp reply" 134 | #define ICMP_TYPE_15 "Information request" 135 | #define ICMP_TYPE_16 "Information reply" 136 | #define ICMP_TYPE_17 "Address mask request" 137 | #define ICMP_TYPE_18 "Address mask reply" 138 | 139 | /*** Services (standardised) *******************************************/ 140 | #define FTP_DATA_1 20 141 | #define FTP_1 21 142 | #define SSH_1 22 143 | #define TELNET_1 23 144 | #define MAIL_1 25 145 | #define IDENT_1 113 146 | #define HTTP_1 80 147 | #define HTTP_2 80 148 | #define HTTP_3 80 149 | #define HTTP_4 80 150 | #define IRC_1 6667 151 | #define X11_1 6000 152 | 153 | -------------------------------------------------------------------------------- /src/sn_generation.c: -------------------------------------------------------------------------------- 1 | /* Sniffit Packet Generation File */ 2 | /* - Idea/development/code:Amlan Saha */ 3 | /* - Packet code/debugging: Brecht Claerhout */ 4 | 5 | #include "sn_config.h" 6 | #ifdef INCLUDE_INTERFACE 7 | #ifdef GENERATION 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include "sn_curses.h" 14 | #include "sn_defines.h" 15 | #include "sn_structs.h" 16 | #include "sn_packets.h" 17 | #include "sn_generation.h" 18 | #include "sn_interface.h" 19 | 20 | extern volatile int screen_busy; 21 | 22 | /*** forward declarations ***/ 23 | static void transmit_UDP (int, char *, 24 | int, int, 25 | _32_bit, unsigned short, 26 | _32_bit, unsigned short); 27 | static int open_sending (void); 28 | 29 | void exec_generate(struct generate_mask *generate) 30 | { 31 | WINDOW *Msg_dsp; 32 | int count=0, count_ptr, fd; 33 | char msg[80]; 34 | char dummy_data[]="This Packet was fired with Sniffit!"; 35 | 36 | #ifdef DEBUG 37 | 
debug_msg("Gener: Start of execution"); 38 | #endif 39 | 40 | count_ptr=(generate->pkt_no); 41 | 42 | Msg_dsp=newwin(1,COLS,LINES-1,0); 43 | wattrset(Msg_dsp,A_BOLD); 44 | wattrset(Msg_dsp,COLOR_PAIR(WIN_COLOR_PKTCNT)); 45 | 46 | fd=open_sending(); 47 | while(countsource_ip, generate->source_port, 55 | generate->dest_ip, generate->dest_port); 56 | 57 | #ifdef DEBUG 58 | debug_msg("Gener: End"); 59 | #endif 60 | if(count==count_ptr-1) 61 | { 62 | sprintf(msg,"DISPATCH COMPLETE - Press ENTER"); 63 | } 64 | else { 65 | sprintf(msg,"Packet No: %d dispatched.",count+1); 66 | } 67 | mvwaddstr(Msg_dsp,0,27,msg); 68 | while(screen_busy!=0) {}; 69 | wnoutrefresh(Msg_dsp); 70 | doupdate(); 71 | count++; 72 | } 73 | delwin(Msg_dsp); 74 | close(fd); 75 | input_field(msg,NULL,0); 76 | forced_refresh(); 77 | } 78 | 79 | /**************************************************************************/ 80 | /* Actual packet generation functions below */ 81 | /* code stolen from Spoofit (my own ;) */ 82 | /* */ 83 | /* int open_sending (void) */ 84 | /* Returns a filedescriptor to the sending socket. */ 85 | /* close it with close (int filedesc) */ 86 | /* */ 87 | /* void transmit_TCP (int sp_fd, char *sp_data, */ 88 | /* int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen, */ 89 | /* char *sp_source, unsigned short sp_source_port, */ 90 | /* char *sp_dest,unsigned short sp_dest_port, */ 91 | /* _32_bit sp_seq, _32_bit sp_ack, */ 92 | /* unsigned short sp_flags) */ 93 | /* fire data away in a TCP packet */ 94 | /* sp_fd : raw socket filedesc. */ 95 | /* sp_data : IP options (you should do the padding) */ 96 | /* TCP options (you should do the padding) */ 97 | /* data to be transmitted */ 98 | /* (NULL is nothing) */ 99 | /* note that all is optional, and IP en TCP options are*/ 100 | /* not often used. */ 101 | /* All data is put after eachother in one buffer. 
*/ 102 | /* sp_ipoptlen : length of IP options (in bytes) */ 103 | /* sp_tcpoptlen : length of TCP options (in bytes) */ 104 | /* sp_datalen : amount of data to be transmitted (bytes) */ 105 | /* sp_source : spoofed host that"sends packet" */ 106 | /* sp_source_port: spoofed port that "sends packet" */ 107 | /* sp_dest : host that should receive packet */ 108 | /* sp_dest_port : port that should receive packet */ 109 | /* sp_seq : sequence number of packet */ 110 | /* sp_ack : ACK of packet */ 111 | /* sp_flags : flags of packet (URG,ACK,PSH,RST,SYN,FIN) */ 112 | /* */ 113 | /* void transmit_UDP (int sp_fd, char *sp_data, */ 114 | /* int sp_ipoptlen, int sp_datalen, */ 115 | /* char *sp_source, unsigned short sp_source_port, */ 116 | /* char *sp_dest, unsigned short sp_dest_port) */ 117 | /* fire data away in an UDP packet */ 118 | /* sp_fd : raw socket filedesc. */ 119 | /* sp_data : IP options */ 120 | /* data to be transmitted */ 121 | /* (NULL if none) */ 122 | /* sp_ipoptlen : length of IP options (in bytes) */ 123 | /* sp_datalen : amount of data to be transmitted */ 124 | /* sp_source : spoofed host that"sends packet" */ 125 | /* sp_source_port: spoofed port that "sends packet" */ 126 | /* sp_dest : host that should receive packet */ 127 | /* sp_dest_port : port that should receive packet */ 128 | /* */ 129 | /**************************************************************************/ 130 | 131 | #define SP_IP_HEAD_BASE 20 /* using fixed lengths to send */ 132 | #define SP_TCP_HEAD_BASE 20 /* no options etc... 
*/
#define SP_UDP_HEAD_BASE 8 /* Always fixed */


/*
 * Open the raw socket the generator transmits on.
 *
 * Returns the descriptor; the caller closes it with close() (exec_generate
 * does).  Exits the process with status 1 when socket() fails, which is
 * also the outcome when the process lacks the privilege raw sockets need.
 * The IP header is assembled by this module (sp_fix_IP_packet), so the code
 * relies on the kernel accepting a caller-supplied header on an IPPROTO_RAW
 * socket -- platform-dependent and not checked here.
 *
 * sp_proto and dummy are declared but never used.
 */
static int open_sending (void)
{
    struct protoent *sp_proto;
    int sp_fd;
    int dummy=1;

    /* they don't come rawer */
    if ((sp_fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))==-1)
        perror("Couldn't open Socket."), exit(1);

#ifdef DEBUG
    printf("Raw socket ready\n");
#endif
    return sp_fd;
}

/*
 * Hand the finished datagram in sp->buffer to sendto().
 *
 * sp    : exchange record filled in by transmit_TCP()/transmit_UDP(); only
 *         fd, buffer, dest, datalen and IP_optlen are read here.
 * proto : 6 (TCP) or 17 (UDP); picks the transport header length that is
 *         added to the byte count.  Any other value exits with status 1.
 *
 * A sendto() error exits the process with status 1 after perror().  A short
 * send is only reported -- and the "%d of %d" message prints
 * datalen+HEAD_BASE as the expected size although the request was for
 * datalen+HEAD_BASE+SP_IP_HEAD_BASE+IP_optlen bytes, so the second number
 * understates the request.
 *
 * sp_help is unused; it belonged to the commented-out gethostbyname() path
 * below.  bzero() clears sizeof(struct sockaddr) bytes rather than
 * sizeof sp_server; the two sizes coincide on the usual platforms.
 */
static void sp_send_packet (struct sp_data_exchange *sp, unsigned char proto)
{
    int sp_status;
    struct sockaddr_in sp_server;
    struct hostent *sp_help;
    int HEAD_BASE;

    /* Construction of destination: sp->dest is already a network-order
     * address, no name resolution happens any more */
    bzero((char *)&sp_server, sizeof(struct sockaddr));
    sp_server.sin_family = AF_INET;
    sp_server.sin_addr.s_addr = sp->dest;

    /*
    if (sp_server.sin_addr.s_addr == (unsigned int)-1)
    {
        if (!(sp_help=gethostbyname(sp->dest)))
            fprintf(stderr,"unknown host %s\n", sp->dest), exit(1);
        bcopy(sp_help->h_addr, (caddr_t)&sp_server.sin_addr, sp_help->h_length);
    };
    */
    switch(proto)
    {
        case 6: HEAD_BASE = SP_TCP_HEAD_BASE; break; /* TCP */
        case 17: HEAD_BASE = SP_UDP_HEAD_BASE; break; /* UDP */
        default: exit(1); break;
    };
    sp_status = sendto(sp->fd, (char *)(sp->buffer), sp->datalen+HEAD_BASE+SP_IP_HEAD_BASE+sp->IP_optlen, 0,
                       (struct sockaddr *)&sp_server,sizeof(struct sockaddr));
    if (sp_status < 0 || sp_status != sp->datalen+HEAD_BASE+SP_IP_HEAD_BASE+sp->IP_optlen)
    {
        if (sp_status < 0)
            perror("Sendto"), exit(1);
        printf("hmm... Only transmitted %d of %d bytes.\n", sp_status,
               sp->datalen+HEAD_BASE);
    };
#ifdef DEBUG
    printf("Packet transmitted...\n");
#endif
}

/*
 * Write the IPv4 header at the start of sp->buffer.
 *
 * sp    : exchange record; reads buffer, IP_optlen, TCP_optlen, datalen,
 *         source and dest.
 * proto : 6 (TCP) or 17 (UDP); any other value exits with status 1.
 *
 * Version/IHL come from SP_IP_HEAD_BASE+IP_optlen, TOS is 0, the total
 * length covers IP header + options + transport header + TCP options + data
 * (TCP_optlen is 0 on the UDP path, transmit_UDP sets it).  Identification
 * (12545) and TTL (69) are fixed constants -- the "TEST" comment marks the
 * ID as a placeholder.  The checksum is computed over the IP header only.
 *
 * No check is made that sp->buffer is large enough; both callers hand in a
 * 1500-byte array.
 */
static void sp_fix_IP_packet (struct sp_data_exchange *sp, unsigned char proto)
{
    struct IP_header *sp_help_ip;
    int HEAD_BASE;

    switch(proto)
    {
        case 6: HEAD_BASE = SP_TCP_HEAD_BASE; break; /* TCP */
        case 17: HEAD_BASE = SP_UDP_HEAD_BASE; break; /* UDP */
        default: exit(1); break;
    };

    sp_help_ip = (struct IP_header *) (sp->buffer);
    sp_help_ip->verlen = (IP_VERSION << 4) | ((SP_IP_HEAD_BASE+sp->IP_optlen)/4);
    sp_help_ip->type = 0;
    sp_help_ip->length = htons(SP_IP_HEAD_BASE+HEAD_BASE+sp->datalen+sp->IP_optlen+sp->TCP_optlen);
    sp_help_ip->ID = htons(12545); /* TEST */
    sp_help_ip->flag_offset = 0;
    sp_help_ip->TTL = 69;
    sp_help_ip->protocol = proto;
    sp_help_ip->source = sp->source;
    sp_help_ip->destination = sp->dest;
    sp_help_ip->checksum=in_cksum(sp->buffer,
                                  SP_IP_HEAD_BASE+sp->IP_optlen);
#ifdef DEBUG
    printf("IP header fixed...\n");
#endif
}

/*
 * Write the TCP header behind the IP header (buffer+SP_IP_HEAD_BASE+IP_optlen)
 * and fill in its checksum.
 *
 * The checksum is taken over a 12-byte pseudo header followed by a copy of
 * TCP header + options + data, assembled in the MTU-sized scratch array
 * sp_pseudo_ip_construct.  The window is the fixed value 0x7c00.
 *
 * NOTE(review): the memcpy length TCP_optlen+datalen+SP_TCP_HEAD_BASE is
 * not validated against either the 1500-byte source buffer the callers use
 * or the MTU-byte scratch array; an over-long datalen reads past the source
 * before it could overflow the scratch.  The zeroing loop and the
 * sp_help_tcp assignment (original lines 228-231) are garbled in this page
 * dump -- verify them against the real source before editing.
 */
static void sp_fix_TCP_packet (struct sp_data_exchange *sp)
{
    unsigned char sp_pseudo_ip_construct[MTU];
    struct TCP_header *sp_help_tcp;
    struct pseudo_IP_header *sp_help_pseudo;
    int i;

    for(i=0;ibuffer+SP_IP_HEAD_BASE+sp->IP_optlen);
    sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct;

    /* data offset in 32-bit words in the top nibble, flags in the low bits */
    sp_help_tcp->offset_flag = htons( (((SP_TCP_HEAD_BASE+sp->TCP_optlen)/4)<<12) | sp->flags);
    sp_help_tcp->seq_nr = htonl(sp->seq);
    sp_help_tcp->ACK_nr = htonl(sp->ack);
    sp_help_tcp->source = htons(sp->source_port);
    sp_help_tcp->destination = htons(sp->dest_port);
    sp_help_tcp->window = htons(0x7c00); /* dummy for now 'wujx' */

    sp_help_pseudo->source = sp->source;
    sp_help_pseudo->destination = sp->dest;
    sp_help_pseudo->zero_byte = 0;
    sp_help_pseudo->protocol = 6;
    sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+SP_TCP_HEAD_BASE+sp->TCP_optlen);

    memcpy(sp_pseudo_ip_construct+12, sp_help_tcp, sp->TCP_optlen+sp->datalen+SP_TCP_HEAD_BASE);
    sp_help_tcp->checksum=in_cksum(sp_pseudo_ip_construct,
                                   sp->datalen+12+SP_TCP_HEAD_BASE+sp->TCP_optlen);
#ifdef DEBUG
    printf("TCP header fixed...\n");
#endif
}

/* FIXME: dead code */
/*
 * Assemble and send one TCP segment (see the parameter description in the
 * comment block above; IP options, TCP options and data sit back to back in
 * sp_data at offsets 0, sp_ipoptlen and sp_ipoptlen+sp_tcpoptlen).
 *
 * NOTE(review): the three memcpy() calls place the pieces behind the 40
 * header bytes of the 1500-byte sp_buffer without checking that
 * sp_ipoptlen+sp_tcpoptlen+sp_datalen fits; longer inputs overflow the
 * stack array.  Nothing in this file calls the function (hence the FIXME).
 */
static void transmit_TCP (int sp_fd, char *sp_data,
                          int sp_ipoptlen, int sp_tcpoptlen, int sp_datalen,
                          _32_bit sp_source, unsigned short sp_source_port,
                          _32_bit sp_dest, unsigned short sp_dest_port,
                          _32_bit sp_seq, _32_bit sp_ack,
                          unsigned short sp_flags)
{
    unsigned char sp_buffer[1500];
    struct sp_data_exchange sp_struct;

    bzero(sp_buffer,1500);
    if (sp_ipoptlen!=0)
        memcpy(sp_buffer+SP_IP_HEAD_BASE,sp_data,sp_ipoptlen);

    if (sp_tcpoptlen!=0)
        memcpy(sp_buffer+SP_IP_HEAD_BASE+SP_TCP_HEAD_BASE+sp_ipoptlen,
               sp_data+sp_ipoptlen,sp_tcpoptlen);
    if (sp_datalen!=0)
        memcpy(sp_buffer+SP_IP_HEAD_BASE+SP_TCP_HEAD_BASE+sp_ipoptlen+sp_tcpoptlen,
               sp_data+sp_ipoptlen+sp_tcpoptlen,sp_datalen);

    sp_struct.fd = sp_fd;
    sp_struct.data = sp_data;
    sp_struct.datalen = sp_datalen;
    sp_struct.source = sp_source;
    sp_struct.source_port = sp_source_port;
    sp_struct.dest = sp_dest;
    sp_struct.dest_port = sp_dest_port;
    sp_struct.seq = sp_seq;
    sp_struct.ack = sp_ack;
    sp_struct.flags = sp_flags;
    sp_struct.buffer = sp_buffer;
    sp_struct.IP_optlen = sp_ipoptlen;
    sp_struct.TCP_optlen = sp_tcpoptlen;

    /* transport header first (needs the pseudo header, not the IP header),
     * then the IP header, then off it goes */
    sp_fix_TCP_packet(&sp_struct);
    sp_fix_IP_packet(&sp_struct, 6);
    sp_send_packet(&sp_struct, 6);
}

/*
 * UDP counterpart of sp_fix_TCP_packet: writes the UDP header behind the IP
 * header and checksums pseudo header + UDP header + data through the same
 * MTU-sized scratch array (body continues below).
 */
static void sp_fix_UDP_packet (struct
sp_data_exchange *sp) 297 | { 298 | unsigned char sp_pseudo_ip_construct[MTU]; 299 | struct UDP_header *sp_help_udp; 300 | struct pseudo_IP_header *sp_help_pseudo; 301 | int i; 302 | 303 | for(i=0;ibuffer+SP_IP_HEAD_BASE+sp->IP_optlen); 307 | sp_help_pseudo = (struct pseudo_IP_header *) sp_pseudo_ip_construct; 308 | 309 | sp_help_udp->source = htons(sp->source_port); 310 | sp_help_udp->destination = htons(sp->dest_port); 311 | sp_help_udp->length = htons(sp->datalen+SP_UDP_HEAD_BASE); 312 | 313 | sp_help_pseudo->source = sp->source; 314 | sp_help_pseudo->destination = sp->dest; 315 | sp_help_pseudo->zero_byte = 0; 316 | sp_help_pseudo->protocol = 17; 317 | sp_help_pseudo->TCP_UDP_len = htons(sp->datalen+SP_UDP_HEAD_BASE); 318 | 319 | memcpy(sp_pseudo_ip_construct+12, sp_help_udp, sp->datalen+SP_UDP_HEAD_BASE); 320 | sp_help_udp->checksum=in_cksum(sp_pseudo_ip_construct, 321 | sp->datalen+12+SP_UDP_HEAD_BASE); 322 | #ifdef DEBUG 323 | printf("UDP header fixed...\n"); 324 | #endif 325 | } 326 | 327 | static void transmit_UDP (int sp_fd, char *sp_data, 328 | int sp_ipoptlen, int sp_datalen, 329 | _32_bit sp_source, unsigned short sp_source_port, 330 | _32_bit sp_dest, unsigned short sp_dest_port) 331 | { 332 | unsigned char sp_buffer[1500]; 333 | struct sp_data_exchange sp_struct; 334 | bzero(sp_buffer,1500); 335 | 336 | 337 | if (sp_ipoptlen!=0) 338 | memcpy(sp_buffer+SP_IP_HEAD_BASE,sp_data,sp_ipoptlen); 339 | if (sp_data!=NULL) 340 | memcpy(sp_buffer+SP_IP_HEAD_BASE+SP_UDP_HEAD_BASE+sp_ipoptlen, 341 | sp_data+sp_ipoptlen,sp_datalen); 342 | 343 | sp_struct.fd = sp_fd; 344 | sp_struct.data = sp_data; 345 | sp_struct.datalen = sp_datalen; 346 | sp_struct.source = sp_source; 347 | sp_struct.source_port = sp_source_port; 348 | sp_struct.dest = sp_dest; 349 | sp_struct.dest_port = sp_dest_port; 350 | sp_struct.buffer = sp_buffer; 351 | sp_struct.IP_optlen = sp_ipoptlen; 352 | sp_struct.TCP_optlen = 0; 353 | 354 | sp_fix_UDP_packet(&sp_struct); 355 | 
sp_fix_IP_packet(&sp_struct, 17); 356 | sp_send_packet(&sp_struct, 17); 357 | } 358 | 359 | #endif 360 | #endif 361 | -------------------------------------------------------------------------------- /src/sn_generation.h: -------------------------------------------------------------------------------- 1 | /* Sniffit Packet Generation File */ 2 | 3 | extern void exec_generate(struct generate_mask *); 4 | -------------------------------------------------------------------------------- /src/sn_global.h: -------------------------------------------------------------------------------- 1 | /* Sniffit Global File */ 2 | 3 | /* some things that are better defined before all the rest */ 4 | /* currently some option data */ 5 | 6 | char SNIFMODE, DUMPMODE, PROTOCOLS, ASC, WILDCARD, CFG_FILE, NO_CHKSUM; 7 | char INTERACTIVE_EXTEND; 8 | int LOGPARAM; 9 | /* All option shit */ 10 | 11 | -------------------------------------------------------------------------------- /src/sn_interface.c: -------------------------------------------------------------------------------- 1 | /* Sniffit Interface source File */ 2 | /* - by: Brecht Claerhout */ 3 | 4 | #include "sn_config.h" 5 | 6 | #ifdef INCLUDE_INTERFACE 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include "sn_curses.h" 16 | #include "sn_defines.h" 17 | #include "sn_structs.h" 18 | #include "sn_interface.h" 19 | #include "sn_generation.h" 20 | #include "sn_resolv.h" 21 | 22 | /*** extern stuff ********/ 23 | extern char *SHARED, *connection_data, *logged_connections; 24 | extern struct shared_conn_data *running_connections; 25 | extern int *LISTlength, *DATAlength, memory_id; 26 | extern unsigned int *TCP_nr_of_packets, *ICMP_nr_of_packets, *UDP_nr_of_packets; 27 | extern unsigned int *IP_nr_of_packets; 28 | extern unsigned long *TCP_bytes_in_packets, *UDP_bytes_in_packets; 29 | extern int *DESC_LEN; /* For the connection desciption */ 30 | 31 | extern char 
INTERACTIVE_EXTEND; 32 | 33 | extern struct snif_mask *mask; 34 | extern struct shared_logged_conn *log_conn; 35 | extern FILE *log_dev_stream; 36 | extern struct stat log_dev_stat; 37 | 38 | extern volatile int LOGGING, screen_busy; 39 | extern char PACKET_INFO; 40 | extern int POINTpos, LISTpos; 41 | extern unsigned char COLOR_AVAIL; 42 | 43 | extern WINDOW *menu_window; 44 | extern struct box_window data_box, main_box, mask_box, packets_box; 45 | extern int Pid; 46 | extern char *logging_device; 47 | 48 | 49 | /*** Screen Parameters ***/ 50 | extern int MASK_WINDOW_ROWS, MASK_WINDOW_COLS, MAIN_WINDOW_ROWS, MAIN_WINDOW_COLS; 51 | extern int INFO_WINDOW_ROWS, INFO_WINDOW_COLS, DATA_WINDOW_ROWS, DATA_WINDOW_COLS; 52 | extern int INFO_WINDOW_X, INFO_WINDOW_Y, MASK_WINDOW_X, MASK_WINDOW_Y; 53 | extern int DATA_WINDOW_X, DATA_WINDOW_Y; 54 | 55 | 56 | /*** forward declarations ***/ 57 | static void stop_logging (void); 58 | static void screen_exit (void); 59 | 60 | 61 | /*** Sreen operations ***/ 62 | static void init_screen (void) 63 | { 64 | initscr(); 65 | cbreak(); 66 | noecho(); 67 | nonl(); 68 | clear(); 69 | if(has_colors()==TRUE) 70 | { 71 | COLOR_AVAIL=1; 72 | start_color(); 73 | init_pair(WIN_COLOR_NORMAL,COLOR_WHITE,COLOR_BLUE); 74 | init_pair(WIN_COLOR_POINT,COLOR_BLUE,COLOR_CYAN); 75 | init_pair(WIN_COLOR_DATA,COLOR_BLUE,COLOR_CYAN); 76 | init_pair(WIN_COLOR_INPUT,COLOR_BLUE,COLOR_CYAN); 77 | init_pair(WIN_COLOR_MENU,COLOR_BLUE,COLOR_CYAN); 78 | init_pair(WIN_COLOR_PACKET_INFO,COLOR_BLUE,COLOR_CYAN); 79 | } 80 | else 81 | { 82 | COLOR_AVAIL=0; 83 | } 84 | MAIN_WINDOW_ROWS = LINES-5; MAIN_WINDOW_COLS = COLS; 85 | 86 | MASK_WINDOW_ROWS = 4; MASK_WINDOW_COLS = COLS; 87 | MASK_WINDOW_X = 0; MASK_WINDOW_Y = LINES-5; 88 | 89 | INFO_WINDOW_ROWS = 8; INFO_WINDOW_COLS = 35; 90 | INFO_WINDOW_X = 3; INFO_WINDOW_Y = MAIN_WINDOW_ROWS-INFO_WINDOW_ROWS-2; 91 | 92 | DATA_WINDOW_ROWS = (MAIN_WINDOW_ROWS/3)*2; DATA_WINDOW_COLS = (MAIN_WINDOW_COLS/3)*2; 93 | DATA_WINDOW_X = 
COLS-DATA_WINDOW_COLS-2; DATA_WINDOW_Y = 3; 94 | exit_func(screen_exit); 95 | if( (COLS<80)||(LINES<18) ) 96 | exit(0); 97 | }; 98 | 99 | static void f_box_window (struct box_window *Win, 100 | int num_lines, int num_cols, int begy,int begx, int col_mode) 101 | /* col_mode : color selection */ 102 | { 103 | int i; 104 | 105 | Win->main_window=newwin(num_lines,num_cols,begy,begx); 106 | Win->work_window=subwin(Win->main_window,num_lines-2,num_cols-2,begy+1,begx+1); 107 | if(COLOR_AVAIL) 108 | { 109 | switch(col_mode) 110 | { 111 | case 0: 112 | wattrset(Win->main_window,COLOR_PAIR(WIN_COLOR_NORMAL)); 113 | wattrset(Win->work_window,COLOR_PAIR(WIN_COLOR_NORMAL)); 114 | break; 115 | case 1: 116 | wattrset(Win->main_window,COLOR_PAIR(WIN_COLOR_PACKET_INFO)); 117 | wattrset(Win->work_window,COLOR_PAIR(WIN_COLOR_PACKET_INFO)); 118 | break; 119 | default:break; 120 | } 121 | for(i=0;i<=(num_lines-2);i++) 122 | { 123 | wmove(Win->work_window,i,0); 124 | whline(Win->work_window,' ',num_cols-2); 125 | } 126 | } 127 | keypad(Win->work_window,1); 128 | box(Win->main_window,ACS_VLINE,ACS_HLINE); 129 | mvwprintw(Win->main_window,0,3,"Sniffit %s",VERSION); 130 | wmove(Win->work_window,0,0); 131 | wnoutrefresh(Win->main_window);wnoutrefresh(Win->work_window); 132 | doupdate(); 133 | } 134 | 135 | static void data_window (struct box_window *Win, struct box_window *P_Win, 136 | int num_lines, int num_cols, int begy,int begx, 137 | struct shared_conn_data *conn, int listitem) 138 | { 139 | int i=0, j=0; 140 | 141 | while((j=CONNECTION_CAPACITY+1) return; 150 | j=0; 151 | 152 | Win->main_window=newwin(num_lines,num_cols,begy,begx); 153 | Win->work_window=subwin(Win->main_window,num_lines-5,num_cols-2,begy+1,begx+1); 154 | scrollok(Win->work_window,1); 155 | if(COLOR_AVAIL) 156 | wattrset(Win->main_window,COLOR_PAIR(WIN_COLOR_DATA)); 157 | 158 | box(Win->main_window,ACS_VLINE,ACS_HLINE); 159 | wmove(Win->main_window,num_lines-3,1); 160 | whline(Win->main_window,ACS_HLINE,num_cols-2); 
161 | wmove(Win->main_window,num_lines-2,1); 162 | whline(Win->main_window,' ',num_cols-2); 163 | wmove(Win->main_window,num_lines-2,2); 164 | waddstr(Win->main_window, conn[i].connection); 165 | strcpy(log_conn->log_enter,conn[i].connection); 166 | wmove(Win->work_window,0,0); 167 | wnoutrefresh(Win->main_window);wnoutrefresh(Win->work_window); 168 | doupdate(); 169 | } 170 | 171 | static void data_device (struct shared_conn_data *conn, int listitem) 172 | { 173 | int i=0, j=0; 174 | 175 | while((j=CONNECTION_CAPACITY+1) return; 184 | strcpy(log_conn->log_enter, conn[i].connection); 185 | } 186 | 187 | static void mask_status (struct box_window *Work_win) 188 | { 189 | const char *ad; 190 | int i; 191 | char ipv4_buf[sizeof("000.000.000.000")]; 192 | 193 | wmove(Work_win->work_window,0,1); 194 | for(i=0;i<2;i++) 195 | {wmove(Work_win->work_window,i,0); 196 | whline(Work_win->work_window,' ',COLS-2);} 197 | wmove(Work_win->work_window,0,1); 198 | wprintw(Work_win->work_window,"Source IP : "); 199 | /* Both source_ip and destination_ip are in network byte order. */ 200 | ad = mask->source_ip ? 201 | inet_ntop(AF_INET,&mask->source_ip,ipv4_buf,sizeof(ipv4_buf)) : 202 | "All"; 203 | if(!ad) 204 | { 205 | perror("inet_ntop"); 206 | exit(1); 207 | } 208 | wprintw(Work_win->work_window,"%s",ad); 209 | wmove(Work_win->work_window,1,1); 210 | wprintw(Work_win->work_window,"Destination IP: "); 211 | ad = mask->source_ip ? 
212 | inet_ntop(AF_INET,&mask->destination_ip,ipv4_buf,sizeof(ipv4_buf)) : 213 | "All"; 214 | if(!ad) 215 | { 216 | perror("inet_ntop"); 217 | exit(1); 218 | } 219 | wprintw(Work_win->work_window,"%s",ad); 220 | wmove(Work_win->work_window,0,35); 221 | wprintw(Work_win->work_window,"Source PORT : "); 222 | if(mask->source_port==0) 223 | wprintw(Work_win->work_window,"All"); 224 | else wprintw(Work_win->work_window,"%u",mask->source_port); 225 | wmove(Work_win->work_window,1,35); 226 | wprintw(Work_win->work_window,"Destination PORT: "); 227 | if(mask->destination_port==0) 228 | wprintw(Work_win->work_window,"All"); 229 | else wprintw(Work_win->work_window,"%u",mask->destination_port); 230 | wnoutrefresh(Work_win->main_window); 231 | wnoutrefresh(Work_win->work_window); 232 | doupdate(); 233 | } 234 | 235 | static void fill_box_window (struct box_window *Work_win, struct shared_conn_data *conn, 236 | int begin_item, int boxlen, int rowlen) 237 | /* 0 is the first item */ 238 | { 239 | int i=0, j=0, line=0; 240 | 241 | while((j=CONNECTION_CAPACITY+1) return; 248 | j=0; 249 | 250 | while((linework_window,line,0); 255 | whline(Work_win->work_window,' ',rowlen); 256 | if(strcmp(log_conn->log_enter,conn[i+j].connection) != 0) 257 | { 258 | if(INTERACTIVE_EXTEND==1) 259 | wprintw(Work_win->work_window," %s : %s",conn[i+j].connection,conn[i+j].desc); 260 | else 261 | wprintw(Work_win->work_window," %s",conn[i+j].connection); 262 | } 263 | else 264 | { 265 | if(INTERACTIVE_EXTEND==1) 266 | wprintw(Work_win->work_window," %s : [LOGGED]", 267 | conn[i+j].connection); 268 | else 269 | wprintw(Work_win->work_window," %s [LOGGED]", 270 | conn[i+j].connection); 271 | } 272 | line++; 273 | } 274 | j++; 275 | } 276 | for(i=line;iwork_window,i,0); 279 | whline(Work_win->work_window,' ',rowlen); 280 | }; 281 | wnoutrefresh(Work_win->work_window); 282 | } 283 | 284 | static void point_item (struct box_window *Work_win, struct shared_conn_data *conn, 285 | int item, int begin_item, int 
boxlen, int rowlen) 286 | { 287 | int i=0, j=0; 288 | 289 | if(item<0) return; /* POINTpos 0 = first item -1 = no items */ 290 | /* LISTlength 0 = 1 -1 = no items */ 291 | /* DANGER - there should always be >= */ 292 | /* connections than 'item' */ 293 | while((j=CONNECTION_CAPACITY+1) return; 302 | j=0; 303 | 304 | #ifdef DEBUG 305 | debug_msg(conn[i].connection); 306 | #endif 307 | 308 | if(COLOR_AVAIL!=0) 309 | wattrset(Work_win->work_window,COLOR_PAIR(WIN_COLOR_POINT)); 310 | else wattron(Work_win->work_window,A_REVERSE); 311 | 312 | wmove(Work_win->work_window,item-begin_item,0); 313 | whline(Work_win->work_window,' ',rowlen); 314 | 315 | if(strcmp(log_conn->log_enter,conn[i].connection)!=0) 316 | { 317 | if(INTERACTIVE_EXTEND==1) 318 | mvwprintw(Work_win->work_window,item-begin_item,0, 319 | " %s : %s", conn[i].connection, conn[i].desc); 320 | else 321 | mvwprintw(Work_win->work_window,item-begin_item,0," %s", conn[i].connection); 322 | } 323 | else 324 | { 325 | if(INTERACTIVE_EXTEND==1) 326 | mvwprintw(Work_win->work_window,item-begin_item,0, 327 | " %s : [LOGGED]",conn[i].connection); 328 | else 329 | mvwprintw(Work_win->work_window,item-begin_item,0, 330 | " %s [LOGGED]",conn[i].connection); 331 | } 332 | 333 | wnoutrefresh(Work_win->work_window); 334 | if(COLOR_AVAIL!=0) 335 | wattrset(Work_win->work_window,COLOR_PAIR(WIN_COLOR_NORMAL)); 336 | else wattroff(Work_win->work_window,A_REVERSE); 337 | } 338 | 339 | void forced_refresh (void) 340 | { 341 | #ifdef DEBUG 342 | char debug_line[200]; 343 | #endif 344 | 345 | if((POINTpos<0)&&(*LISTlength>=0)) POINTpos=0; 346 | if((POINTpos>*LISTlength)&&(*LISTlength>=0)) POINTpos=*LISTlength; 347 | if((POINTpos>*LISTlength)&&(*LISTlength<0)) POINTpos=-1; 348 | 349 | while(screen_busy!=0) {}; /* wait till screen operations stop */ 350 | #ifdef DEBUG 351 | sprintf(debug_line,"FIX: POINTpos: %d LISTlength: %d LISTpos: %d\n",POINTpos,*LISTlength,LISTpos); 352 | debug_msg(debug_line); 353 | #endif 354 | 355 | 
fill_box_window(&main_box, running_connections,LISTpos, 356 | MAIN_WINDOW_ROWS-2,MAIN_WINDOW_COLS-2); 357 | point_item(&main_box, running_connections, POINTpos,LISTpos, 358 | MAIN_WINDOW_ROWS-2,MAIN_WINDOW_COLS-2); 359 | if((LOGGING==1)&&(logging_device==NULL)) 360 | { 361 | touchwin(data_box.main_window);touchwin(data_box.work_window); 362 | wnoutrefresh(data_box.main_window);wnoutrefresh(data_box.work_window); 363 | } 364 | if(PACKET_INFO==1) 365 | { 366 | touchwin(packets_box.main_window);touchwin(packets_box.work_window); 367 | wnoutrefresh(packets_box.main_window); 368 | wnoutrefresh(packets_box.work_window); 369 | } 370 | doupdate(); 371 | } 372 | 373 | static void menu_line (void) 374 | { 375 | int i; 376 | 377 | if(menu_window==NULL) 378 | menu_window=newwin (1,COLS,LINES-1,0); 379 | if(COLOR_AVAIL!=0) 380 | wattrset(menu_window,COLOR_PAIR(WIN_COLOR_MENU)); 381 | else wattron(menu_window,A_REVERSE); 382 | 383 | wmove(menu_window,0,0); 384 | whline(menu_window,' ',COLS); 385 | mvwaddstr(menu_window,0,0,MENU); 386 | wnoutrefresh(menu_window); 387 | } 388 | 389 | char *input_field(char *string, char *input, int flag) 390 | { 391 | int i; 392 | char dummy[500]; 393 | WINDOW *Work_txt, *Work_inp; 394 | 395 | #ifdef DEBUG 396 | debug_msg("IntAct: Input Field activated"); 397 | #endif 398 | Work_txt=newwin(1,COLS,LINES-1,0); 399 | Work_inp=newwin(1,50,LINES-1,strlen(string)); 400 | 401 | if(COLOR_AVAIL!=0) 402 | { 403 | wattrset(Work_inp,COLOR_PAIR(WIN_COLOR_INPUT)); 404 | wattrset(Work_txt,COLOR_PAIR(WIN_COLOR_NORMAL)); 405 | } 406 | whline(Work_txt,' ',COLS); 407 | whline(Work_inp,' ',50); 408 | mvwaddstr(Work_txt,0,0,string); 409 | while(screen_busy!=0) {}; 410 | wnoutrefresh(Work_txt);wnoutrefresh(Work_inp); 411 | doupdate(); 412 | echo();mvwgetstr(Work_inp,0,0,dummy);noecho(); 413 | if(input!=NULL) 414 | {strcpy(input,dummy);} 415 | delwin(Work_inp);delwin(Work_txt); 416 | menu_line(); 417 | forced_refresh(); 418 | #ifdef DEBUG 419 | debug_msg("IntAct: Input 
Field Ended"); 420 | #endif 421 | return input; 422 | } 423 | 424 | static void exec_mask (void) 425 | { 426 | LISTpos=0; 427 | POINTpos=-1; /* otherwise we get never ending loop */ 428 | clear_shared_mem(1); 429 | mask_status(&mask_box); 430 | if(LOGGING==1) stop_logging(); 431 | forced_refresh(); 432 | } 433 | 434 | /* signaling */ 435 | 436 | static void sig_blocking(char on_off, int sig) 437 | { 438 | sigset_t set; 439 | 440 | sigemptyset(&set);sigaddset(&set,sig); 441 | if(on_off==1) 442 | {sigprocmask(SIG_BLOCK,&set,NULL);} 443 | else {sigprocmask(SIG_UNBLOCK,&set,NULL);} 444 | } 445 | 446 | static void set_signal (int signum, sig_hand new_action) 447 | { 448 | struct sigaction new_sigusr; 449 | sigset_t sig_mask; 450 | 451 | sigemptyset(&sig_mask); 452 | sigaddset(&sig_mask,SIGUSR1); 453 | sigaddset(&sig_mask,SIGALRM); 454 | new_sigusr.sa_handler=new_action; 455 | new_sigusr.sa_mask=sig_mask; 456 | new_sigusr.sa_flags=0; 457 | sigaction(signum,&new_sigusr,NULL); 458 | } 459 | 460 | static void interaction (int sig) /* invoked when data arrives */ 461 | { 462 | int i; 463 | struct shared_conn_data *conn = running_connections; 464 | 465 | 466 | /* timeout increase */ 467 | for(i=0;ilog_enter[0]==0)) stop_logging(); 472 | screen_busy=1; 473 | if((LOGGING==1)&&(*DATAlength!=0)) 474 | { 475 | if(logging_device==NULL) 476 | { 477 | for(i=0;i<*DATAlength;i++) 478 | waddch(data_box.work_window, 479 | isprint(*(connection_data+i))? 480 | *(connection_data+i):'.'); 481 | } 482 | else { 483 | for(i=0;i<*DATAlength;i++) 484 | fputc(*(connection_data+i),log_dev_stream); 485 | fflush(log_dev_stream); 486 | } 487 | *DATAlength=0; 488 | } 489 | screen_busy=0; 490 | forced_refresh(); 491 | set_signal(SIGUSR1,interaction); 492 | } 493 | 494 | static void packet_info_handler (int signum) 495 | { 496 | #ifdef DEBUG 497 | debug_msg("ALARM RANG"); 498 | #endif 499 | screen_busy=1; 500 | mvwprintw(packets_box.work_window,0,1,"IP packets/sec. 
: %12u",(*IP_nr_of_packets)/INFO_TIMER); 501 | mvwprintw(packets_box.work_window,1,1,"TCP packets/sec. : %12u",(*TCP_nr_of_packets)/INFO_TIMER); 502 | mvwprintw(packets_box.work_window,2,1,"ICMP packets/sec.: %12u",(*ICMP_nr_of_packets)/INFO_TIMER); 503 | mvwprintw(packets_box.work_window,3,1,"UDP packets/sec. : %12u",(*UDP_nr_of_packets)/INFO_TIMER); 504 | mvwprintw(packets_box.work_window,4,1,"bytes/sec. (TCP) : % 12ld",(*TCP_bytes_in_packets)/INFO_TIMER); 505 | mvwprintw(packets_box.work_window,5,1,"bytes/sec. (UDP) : % 12ld",(*UDP_bytes_in_packets)/INFO_TIMER); 506 | screen_busy=0; 507 | 508 | forced_refresh(); 509 | /* reinstall handler, reset alarm */ 510 | *IP_nr_of_packets=0; 511 | *TCP_nr_of_packets=*TCP_bytes_in_packets=0; 512 | *ICMP_nr_of_packets=0; 513 | *UDP_nr_of_packets=*UDP_bytes_in_packets=0; 514 | set_signal(SIGALRM, packet_info_handler); 515 | alarm(INFO_TIMER); 516 | } 517 | 518 | 519 | /* at/on_exit's */ 520 | 521 | void child_exit (void) 522 | { 523 | kill(Pid,SIGKILL); 524 | }; 525 | 526 | static void screen_exit (void) 527 | { 528 | endwin(); 529 | /* next line added by Edward Betts , should not be needed 530 | * because endwin should be calling it, without this the console has no echo 531 | * after exiting in an xterm */ 532 | reset_shell_mode(); 533 | }; 534 | 535 | void mem_exit (void) 536 | { 537 | if(shmctl(memory_id,IPC_RMID,0)<0) 538 | {perror("Sniffer Hartattack (you are fucked!) 
");exit(0);}; 539 | } 540 | 541 | /* Some other stuff */ 542 | 543 | static void stop_logging (void) 544 | { 545 | LOGGING=0; 546 | log_conn->log_enter[0]=0; 547 | if(logging_device==NULL) 548 | {delwin(data_box.work_window); delwin(data_box.main_window);} 549 | forced_refresh(); 550 | } 551 | 552 | static void stop_packet_info (void) 553 | { 554 | PACKET_INFO=0; 555 | alarm(0); 556 | delwin(packets_box.work_window), delwin(packets_box.main_window); 557 | forced_refresh(); 558 | } 559 | 560 | int add_itemlist(struct shared_conn_data *conn, char *string, char *desc) 561 | { 562 | int i, to_help, to_item; 563 | 564 | /*invoked every time a packet comes in */ 565 | 566 | for(i=0;ito_help) 587 | if(strcmp(conn[i].connection,log_conn->log_enter)!=0) 588 | { 589 | to_help=conn[i].timeout; 590 | to_item=i; 591 | } 592 | strcpy(conn[to_item].connection, string); 593 | strcpy(conn[to_item].desc, desc); /* For description of connect */ 594 | conn[to_item].timeout=0; 595 | return to_item; 596 | } 597 | 598 | int del_itemlist(struct shared_conn_data *conn, char *string) 599 | { 600 | int i; 601 | 602 | for(i=0;ilog_enter, string)==0) 610 | {log_conn->log_enter[0]=0;} 611 | return i; 612 | } 613 | return -1; 614 | } 615 | 616 | void clear_shared_mem(char mode) 617 | /* mode = 0 all */ 618 | /* mode = 1 keep mask */ 619 | /* keep packet count */ 620 | { 621 | int i; 622 | struct shared_conn_data *conn = running_connections; 623 | 624 | *DATAlength=0; 625 | *LISTlength=-1; 626 | if(mode==0) 627 | { 628 | mask->source_ip=mask->destination_ip=mask->source_port=mask->destination_port=0; 629 | *IP_nr_of_packets=0; 630 | *TCP_nr_of_packets=*TCP_bytes_in_packets=0; 631 | *ICMP_nr_of_packets=0; 632 | *UDP_nr_of_packets=*UDP_bytes_in_packets=0; 633 | } 634 | 635 | log_conn->log_enter[0]=0; 636 | for(i=0;i=CONNECTION_CAPACITY+1) return; 660 | j=0; 661 | 662 | strcpy(e_dummy,conn[i].connection); 663 | /* OLD STUFF -- Previous line format */ 664 | /* 665 | strtok(e_dummy," "); 666 | 
strcpy(esource,strtok(NULL," ")); 667 | strcpy(es_port,strtok(NULL," ")); 668 | strtok(NULL," "); 669 | strcpy(edest,strtok(NULL," ")); 670 | strcpy(ed_port,strtok(NULL," ")); 671 | */ 672 | 673 | strcpy(esource,strtok(e_dummy," ")); 674 | strcpy(es_port,strtok(NULL," ")); 675 | strtok(NULL," "); 676 | strcpy(edest,strtok(NULL," ")); 677 | strcpy(ed_port,strtok(NULL," ")); 678 | #ifdef DEBUG 679 | debug_msg(esource); 680 | debug_msg(es_port); 681 | debug_msg(edest); 682 | debug_msg(ed_port); 683 | #endif 684 | } 685 | 686 | /*** Main interface program */ 687 | 688 | void run_interface(void) 689 | { 690 | int i,key_hit; 691 | char dummy[100]; 692 | char exec_s[20],exec_sp[20],exec_d[20],exec_dp[20]; 693 | struct generate_mask generate; 694 | 695 | POINTpos=-1; 696 | *LISTlength=-1; 697 | LISTpos=0; 698 | LOGGING=0; 699 | PACKET_INFO=0; 700 | screen_busy=0; 701 | 702 | 703 | set_signal (SIGCHLD, SIG_IGN); 704 | set_signal(SIGUSR1,interaction); 705 | 706 | init_screen(); /* The whole screen setup */ 707 | if( MAIN_WINDOW_COLS-2-CONN_NAMELEN-1 < DESC_BYTES) 708 | *DESC_LEN=MAIN_WINDOW_COLS-2-CONN_NAMELEN-1; 709 | else 710 | *DESC_LEN=DESC_BYTES; 711 | 712 | f_box_window(&mask_box,MASK_WINDOW_ROWS,MASK_WINDOW_COLS,MASK_WINDOW_Y,MASK_WINDOW_X,0); 713 | mask_status(&mask_box); 714 | f_box_window(&main_box,MAIN_WINDOW_ROWS,MAIN_WINDOW_COLS,0,0,0); 715 | fill_box_window(&main_box, running_connections,LISTpos, 716 | MAIN_WINDOW_ROWS-2,MAIN_WINDOW_COLS-2); 717 | point_item(&main_box, running_connections,POINTpos,LISTpos, 718 | MAIN_WINDOW_ROWS-2,MAIN_WINDOW_COLS-2); 719 | menu_window=NULL; 720 | menu_line(); 721 | doupdate(); /* And..... draw it! 
*/ 722 | 723 | while(1) 724 | { 725 | key_hit=wgetch(main_box.work_window); 726 | #ifdef DEBUG 727 | debug_msg("IntAct: Key Hit Received"); 728 | #endif 729 | sig_blocking(1, SIGALRM); 730 | sig_blocking(1, SIGUSR1); 731 | switch(key_hit) 732 | { 733 | case KEY_DOWN: 734 | case 'J': 735 | case 'j': 736 | if(POINTpos>=*LISTlength) break; 737 | if( POINTpos<(LISTpos+(MAIN_WINDOW_ROWS-3)) ) 738 | POINTpos++; 739 | else 740 | {if(LISTpos>=*LISTlength) break; 741 | LISTpos++; POINTpos++;}; 742 | forced_refresh(); 743 | break; 744 | case KEY_UP: 745 | case 'K': 746 | case 'k': 747 | if(POINTpos==0) break; 748 | if(POINTpos>LISTpos) 749 | POINTpos--; 750 | else 751 | {if(LISTpos==0) break; 752 | LISTpos--; POINTpos--;}; 753 | forced_refresh(); 754 | break; 755 | case ENTER: 756 | if(*LISTlength<0) break; 757 | if(LOGGING==0) 758 | { 759 | if(logging_device==NULL) 760 | data_window(&data_box,&main_box,DATA_WINDOW_ROWS, 761 | DATA_WINDOW_COLS,DATA_WINDOW_Y, DATA_WINDOW_X, 762 | running_connections,POINTpos); 763 | else 764 | data_device(running_connections,POINTpos); 765 | 766 | LOGGING=1; 767 | } 768 | else 769 | { 770 | stop_logging(); 771 | if(logging_device==NULL) 772 | data_window(&data_box,&main_box,DATA_WINDOW_ROWS, 773 | DATA_WINDOW_COLS,DATA_WINDOW_Y, DATA_WINDOW_X, 774 | running_connections,POINTpos); 775 | else 776 | data_device(running_connections,POINTpos); 777 | LOGGING=1; 778 | }; 779 | break; 780 | case 'N': 781 | case 'n': 782 | if(PACKET_INFO==0) 783 | { 784 | f_box_window(&packets_box,INFO_WINDOW_ROWS,INFO_WINDOW_COLS, 785 | INFO_WINDOW_Y, INFO_WINDOW_X ,1); 786 | PACKET_INFO=1; 787 | *IP_nr_of_packets=0; 788 | *TCP_nr_of_packets=*TCP_bytes_in_packets=0; 789 | *ICMP_nr_of_packets=0; 790 | *UDP_nr_of_packets=*UDP_bytes_in_packets=0; 791 | packet_info_handler(SIGALRM); 792 | } 793 | else 794 | {stop_packet_info();} 795 | break; 796 | #ifdef GENERATION 797 | case 'g': 798 | case 'G': 799 | input_field("Source IP for PKT Generation: ",dummy,1); 800 | 
generate.source_ip=getaddrbyname(dummy); 801 | input_field("Source Port: ",dummy,1); 802 | generate.source_port=atoi(dummy); 803 | 804 | input_field("Dest IP for PKT Generation: ",dummy,1); 805 | generate.dest_ip=getaddrbyname(dummy); 806 | input_field("Dest Port: ",dummy,1); 807 | generate.dest_port=atoi(dummy); 808 | 809 | input_field("Number of PKTs: ",dummy,1); 810 | generate.pkt_no=atoi(dummy); 811 | exec_generate(&generate); 812 | break; 813 | #endif 814 | case 'q': 815 | case 'Q': 816 | case KEY_F(10): 817 | if(LOGGING==1) 818 | {stop_logging();} 819 | else 820 | {kill(Pid,SIGKILL);exit(0);} 821 | break; 822 | case '1': 823 | case KEY_F(1): 824 | input_field("Source Ip: ",dummy,0); 825 | mask->source_ip=getaddrbyname(dummy); 826 | exec_mask(); 827 | break; 828 | case '2': 829 | case KEY_F(2): 830 | input_field("Destination Ip: ",dummy,0); 831 | mask->destination_ip=getaddrbyname(dummy); 832 | exec_mask(); 833 | break; 834 | case '3': 835 | case KEY_F(3): 836 | input_field("Source Port: ",dummy,0); 837 | mask->source_port=atoi(dummy); 838 | exec_mask(); 839 | break; 840 | case '4': 841 | case KEY_F(4): 842 | input_field("Destination Port: ",dummy,0); 843 | mask->destination_port=atoi(dummy); 844 | exec_mask(); 845 | break; 846 | 847 | case '5': 848 | case KEY_F(5): 849 | if(*LISTlength<0) break; 850 | if(access("./sniffit_key5", X_OK)<0) break; 851 | create_arguments(exec_s,exec_sp,exec_d, 852 | exec_dp,running_connections,POINTpos); 853 | if(fork()==0) /* CHILD */ 854 | { 855 | close(0); close(1); close(2); 856 | sig_blocking(0, SIGALRM); 857 | sig_blocking(0, SIGUSR1); 858 | set_signal(SIGALRM,SIG_DFL); 859 | set_signal(SIGUSR1,SIG_DFL); 860 | execl("./sniffit_key5","sniffit_key5",exec_s,exec_sp,exec_d,exec_dp,NULL); 861 | exit(0); 862 | }; 863 | break; 864 | case '6': 865 | case KEY_F(6): 866 | if(*LISTlength<0) break; 867 | if(access("./sniffit_key6", X_OK)<0) break; 868 | create_arguments(exec_s,exec_sp,exec_d, 869 | 
exec_dp,running_connections,POINTpos); 870 | if(fork()==0) /* CHILD */ 871 | { 872 | close(0); close(1); close(2); 873 | sig_blocking(0, SIGALRM); 874 | sig_blocking(0, SIGUSR1); 875 | set_signal(SIGALRM,SIG_DFL); 876 | set_signal(SIGUSR1,SIG_DFL); 877 | execl("./sniffit_key6","sniffit_key6",exec_s,exec_sp,exec_d,exec_dp,NULL); 878 | exit(0); 879 | }; 880 | break; 881 | case '7': 882 | case KEY_F(7): 883 | if(*LISTlength<0) break; 884 | if(access("./sniffit_key7", X_OK)<0) break; 885 | create_arguments(exec_s,exec_sp,exec_d, 886 | exec_dp,running_connections,POINTpos); 887 | if(fork()==0) /* CHILD */ 888 | { 889 | sig_blocking(0, SIGALRM); 890 | sig_blocking(0, SIGUSR1); 891 | set_signal(SIGALRM,SIG_DFL); 892 | set_signal(SIGUSR1,SIG_DFL); 893 | close(0); close(1); close(2); 894 | execl("./sniffit_key7","sniffit_key7",exec_s,exec_sp,exec_d,exec_dp,NULL); 895 | exit(0); 896 | }; 897 | break; 898 | case '8': 899 | case KEY_F(8): 900 | if(*LISTlength<0) break; 901 | if(access("./sniffit_key8", X_OK)<0) break; 902 | create_arguments(exec_s,exec_sp,exec_d, 903 | exec_dp,running_connections,POINTpos); 904 | if(fork()==0) /* CHILD */ 905 | { 906 | sig_blocking(0, SIGALRM); 907 | sig_blocking(0, SIGUSR1); 908 | set_signal(SIGALRM,SIG_DFL); 909 | set_signal(SIGUSR1,SIG_DFL); 910 | close(0); close(1); close(2); 911 | execl("./sniffit_key8","sniffit_key8",exec_s,exec_sp,exec_d,exec_dp,NULL); 912 | exit(0); 913 | }; 914 | break; 915 | case 'r': 916 | case 'R': /* mask does an auto reset */ 917 | exec_mask(); 918 | break; 919 | default: break; 920 | } 921 | sig_blocking(0, SIGALRM); 922 | sig_blocking(0, SIGUSR1); 923 | } 924 | }; 925 | #endif 926 | -------------------------------------------------------------------------------- /src/sn_interface.h: -------------------------------------------------------------------------------- 1 | /* Sniffit Data File */ 2 | 3 | #include "pcap.h" 4 | 5 | typedef void (*sig_hand)(int ); /* sighandler_t gave errors, weird */ 6 | 7 | extern int 
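add_itemlist(struct shared_conn_data *, char *, char *);
extern void child_exit (void);
extern void clear_shared_mem(char);
extern int del_itemlist(struct shared_conn_data *, char *);
extern void forced_refresh (void);
extern char *input_field(char *, char *, int);
extern void mem_exit (void);
extern void run_interface (void);
--------------------------------------------------------------------------------
/src/sn_logfile.c:
--------------------------------------------------------------------------------
/* Sniffit Logfile include file */
/* - by: Brecht Claerhout */

#include "sn_config.h"

/* NOTE(review): the system header names were lost in extraction; the set
 * below is reconstructed from the calls made in this file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include "sn_defines.h"
#include "sn_structs.h"
#include "sn_logfile.h"

extern char Logfile[250];   /* name of logfile */
extern FILE *LogFILE;       /* logfile stream */
extern char LOGPARAM;
extern char DUMPMODE;       /* recorded or not */

/*** forward declarations ***/
static void print_logline (const char *);

/*
 * at/on_exit closing of logfile: writes the closing marker, flushes and
 * closes the stream.  It is registered only after open_logfile() succeeded,
 * but tolerates a missing stream so that running twice (or from a second
 * exit hook) cannot dereference a closed FILE.
 */
static void logfile_exit (void)
{
    printf("Sniffit Logging session ended.\n");
    if (LogFILE == NULL)
        return;
    print_logline("Sniffit session ended.");
    fflush(LogFILE);
    fclose(LogFILE);
    LogFILE = NULL;
}

/*
 * Timestamp for a log line.  Returns static storage: the literal "Recorded"
 * when bit 16 of DUMPMODE is set (the line stems from recorded data, so the
 * wall clock is not meaningful), otherwise ctime() output with its trailing
 * newline removed.  Not reentrant; logging here is single-threaded.
 */
static char *gettime (void)
{
    static char recorded[] = "Recorded";
    static char unknown[] = "unknown time";
    time_t now;
    char *stamp;

    if (DUMPMODE & 16)
        return recorded;
    time(&now);
    stamp = ctime(&now);
    if (stamp == NULL)          /* ctime() returns NULL for unrepresentable times */
        return unknown;
    stamp[24] = 0;              /* drop the '\n' that ctime() appends */
    return stamp;
}

/*
 * Append one "[timestamp] - text" record to the logfile and flush it.
 * The text comes from sniffed wire data (user names, passwords, mail
 * lines), so it is treated as hostile: every byte outside printable ASCII
 * (0x20..0x7e) is replaced by '.', which keeps one record per line and
 * stops terminal escape sequences from reaching whoever cats the log.
 * A record longer than 249 bytes is truncated, matching the callers'
 * 250-byte line buffers.
 */
static void print_logline (const char *logline)
{
    char clean[250];
    size_t i;

    if (LogFILE == NULL)
        return;
    for (i = 0; i < sizeof(clean) - 1 && logline[i] != 0; i++)
    {
        unsigned char c = (unsigned char) logline[i];
        clean[i] = (c >= 0x20 && c <= 0x7e) ? (char) c : '.';
    }
    clean[i] = 0;
    fprintf(LogFILE, "[%s] - %s\n", gettime(), clean);
    fflush(LogFILE);
}

/* Log the FTP USER value seen on connection conn (bounded by snprintf). */
void print_ftp_user (char *conn, char *user)
{
    char line[250];

    snprintf(line, sizeof(line), "%s: USER [%s]", conn, user);
    print_logline(line);
}

/* Log the FTP PASS value seen on connection conn (bounded by snprintf). */
void print_ftp_pass(char *conn, char *pass)
{
    char line[250];

    snprintf(line, sizeof(line), "%s: PASS [%s]", conn, pass);
    print_logline(line);
}

/* Log a detected login name on connection conn. */
void print_login (char *conn, char *login)
{
    char line[250];

    snprintf(line, sizeof(line), "%s: login [%s]", conn, login);
    print_logline(line);
}

/* Log a mail-related line msg seen on connection conn. */
void print_mail (char *conn, char *msg)
{
    char line[250];

    snprintf(line, sizeof(line), "%s: mail [%s]", conn, msg);
    print_logline(line);
}

/* Log a detected password on connection conn. */
void print_pwd (char *conn, char *pwd)
{
    char line[250];

    snprintf(line, sizeof(line), "%s: password [%s]", conn, pwd);
    print_logline(line);
}

/* Log a free-form message msg about connection conn. */
void print_conn (char *conn, char *msg)
{
    char line[250];

    snprintf(line, sizeof(line), "%s: %s", conn, msg);
    print_logline(line);
}

/*
 * Open the logfile named in Logfile (default "sniffit.log" in the current
 * directory) for appending, register logfile_exit() and write the session
 * marker.  Exits the process with status 1 when the file cannot be opened.
 */
void open_logfile (void)
{
    int fd;

    if (Logfile[0] == 0)
        strcpy(Logfile, "sniffit.log");

    /* Create (or append to) the log with mode 0600 from the first instant
     * and refuse a symlink as the final path component.  sniffit runs as
     * root and this file receives captured passwords: the previous
     * fopen("a") + chmod(path) pair created the file with umask permissions
     * and then changed the mode by path, so a symlink planted at Logfile
     * could redirect both the append and the chmod to an arbitrary file.
     * An operator who wants a symlinked log must point Logfile at the
     * target instead. */
    fd = open(Logfile, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW,
              S_IRUSR | S_IWUSR);
    LogFILE = (fd >= 0) ? fdopen(fd, "a") : NULL;
    if (LogFILE == NULL)
    {
        if (fd >= 0)
            close(fd);
        printf("Sniffit heartattack.. couldn't create/open logfile...\n");
        exit(1);
    }
    exit_func(logfile_exit);
    /* A pre-existing file keeps whatever mode it had; tighten it through
     * the descriptor so that no path is resolved a second time. */
    fchmod(fd, S_IWUSR | S_IRUSR);
    print_logline("Sniffit session started.");
    printf("Sniffit Logging started.\n");
}

--------------------------------------------------------------------------------
/src/sn_logfile.h:
--------------------------------------------------------------------------------
/* Sniffit Data File */

/* Detection states kept in file_info.log (see sn_structs.h). */
#define LOG_NO_DETECT 99        /* no more detection on this connection */
#define LOG_NO_LOG 0            /* do nothing */
#define LOG_LOGIN 1             /* waiting to log the login name */
#define LOG_LOGIN_RECORDED 2    /* login name logged */
#define LOG_PWD 3               /* waiting to log the password */
#define LOG_PWD_RECORDED 4      /* password logged */

/* Each print_* routine appends one timestamped line for connection conn. */
extern void print_ftp_user (char *, char *);
extern void print_ftp_pass(char *, char *);
extern void print_login (char *, char *);
extern void print_pwd (char *, char *);
extern void print_conn (char *, char *);
extern void print_mail (char *, char *);
/* Opens Logfile for appending (exits on failure) and registers the closer. */
extern void open_logfile (void);
--------------------------------------------------------------------------------
/src/sn_packets.c: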
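--------------------------------------------------------------------------------
/* Sniffit Packet Discription File */
/* - by: Brecht Claerhout */

#include "sn_config.h"
#include "sn_defines.h"
#include "sn_structs.h"
/* NOTE(review): the two system header names were lost in extraction; they
 * are reconstructed here from the calls in this file (memcpy, ntohs). */
#include <string.h>
#include <netinet/in.h>

extern int PROTO_HEAD;      /* byte offset of the IP header inside a captured frame */
extern char NO_CHKSUM;      /* non-zero: skip the IP checksum/version verification */

/*
 * Internet checksum (RFC 1071) over nleft bytes.  This routine was stolen
 * from ping.c.  Bytes are paired into big-endian 16-bit words, so the value
 * returned is the checksum as a host integer, not as it is laid out in
 * memory.  A buffer whose stored checksum field is correct sums to 0xFFFF
 * and therefore returns 0; unwrap_packet() relies on that.
 * A trailing odd byte is added unshifted, which differs from RFC 1071's
 * right-padding; IP headers are a multiple of 4 bytes so it never matters
 * here, but callers checksumming odd-length data should be aware of it.
 * nleft <= 0 yields 0xFFFF.
 */
unsigned short in_cksum(const unsigned char *addr, int nleft)
{
    int sum = 0;

    while (nleft > 1)
    {
        sum += *addr++ << 8;
        sum += *addr++;
        nleft -= 2;
    }
    if (nleft == 1)
    {
        sum += *addr++;
    }
    sum = (sum >> 16) + (sum & 0xffff);     /* fold the carries back in */
    sum += (sum >> 16);
    return (~sum);
}

/*
 * Store payload as u->DATA_len, clamping a negative (i.e. inconsistent)
 * length to 0.  Returns 1 when the value was negative so the caller can
 * report CORRUPT_IP, 0 otherwise.
 */
static int set_payload_len(struct unwrap *u, int payload)
{
    if (payload < 0)
    {
        u->DATA_len = 0;
        return 1;
    }
    u->DATA_len = payload;
    return 0;
}

/*
 * Classify the frame at sp and fill *unwrapped with the header lengths,
 * the payload length and the fragment flags.  sp is read only.
 *
 * Returns the protocol constant (TCP, ICMP, UDP) on success, or one of
 * NO_IP (bad IP checksum), NO_IP_4 (not IPv4), CORRUPT_IP (length fields
 * inconsistent with each other), TCP_FRAG_HEAD (first fragment too short
 * to hold the whole TCP header) and NOT_SUPPORTED.  On every return the
 * length fields are valid: DATA_len is never left negative.
 *
 * NOTE(review): no capture length is passed in, so the IP header length
 * and the total length are trusted relative to the buffer; the caller has
 * to guarantee the frame really holds PROTO_HEAD + IP_len (+ transport
 * header) bytes, or pass the caplen along and check it here -- TODO.
 */
int unwrap_packet (const unsigned char *sp, struct unwrap *unwrapped)
{
    struct IP_header IPhead;
    struct TCP_header TCPhead;
    const unsigned char *ip;        /* where the IP header starts inside sp */
    unsigned short frag;            /* host-order flags + fragment offset */
    int payload;                    /* bytes after the IP header, per the IP total length */

    ip = sp + PROTO_HEAD;
    memcpy(&IPhead, ip, sizeof(struct IP_header));
    unwrapped->IP_len = (IPhead.verlen & 0xF) << 2;     /* IHL is in 32-bit words */

    /* Reset every derived field; callers read them whatever we return. */
    unwrapped->TCP_len  = 0;
    unwrapped->ICMP_len = 0;
    unwrapped->UDP_len  = 0;
    unwrapped->DATA_len = 0;
    unwrapped->FRAG_f   = 0;
    unwrapped->FRAG_nf  = 0;

    /* An IHL below 5 cannot hold the 20-byte fixed header; every length
     * computation below would be meaningless, so treat it like the other
     * length inconsistencies. */
    if (unwrapped->IP_len < (int) sizeof(struct IP_header))
        return CORRUPT_IP;

    if (NO_CHKSUM == 0)
    {
        /* Sum the header with its checksum field in place: a correct header
         * folds to 0 (RFC 1071).  This replaces the old sequence of zeroing
         * the field inside the caller's buffer, comparing in_cksum() against
         * the raw network-order field and restoring the bytes: the buffer is
         * const (it is normally libpcap's), and comparing a host-order value
         * with the raw field appears to depend on host byte order. */
        if (in_cksum(ip, unwrapped->IP_len) != 0)
        {
#ifdef DEBUG_ONSCREEN
            printf("Packet dropped... (invalid IP chksum)\n");
            printf("stored chksum %X (len %d)\n", ntohs(IPhead.checksum),
                   unwrapped->IP_len);
#endif
            return NO_IP;
        }
        /* The original left this as `if(0)`; only IPv4 is parsed here. */
        if ((IPhead.verlen >> 4) != 4)
        {
#ifdef DEBUG_ONSCREEN
            printf("Packet dropped... (invalid IP version)\n");
#endif
            return NO_IP_4;
        }
    }

#ifdef DEBUG_ONSCREEN
    printf("IPheadlen: %d total length: %d\n", unwrapped->IP_len,
           ntohs(IPhead.length));
#endif

    /* Fragment bookkeeping on an unsigned copy: the old code shifted a
     * signed short, which is undefined when the value is negative. */
    frag = ntohs(IPhead.flag_offset);
    if ((frag & 0x1FFF) != 0)                     /* offset != 0: a later fragment */
        unwrapped->FRAG_nf = 1;
    if (((frag >> 13) & IP_MF) && unwrapped->FRAG_nf == 0)
        unwrapped->FRAG_f = 1;                    /* MF set with offset 0: first fragment */

    payload = (int) ntohs(IPhead.length) - unwrapped->IP_len;

    if (IPhead.protocol == TCP)
    {
        if (unwrapped->FRAG_nf != 0)
        {
            /* Later fragment: no transport header, everything is data. */
            if (set_payload_len(unwrapped, payload))
                return CORRUPT_IP;
            return TCP;
        }
        if (payload < 20)
        {
            /* Too short for a TCP header: tolerated on a first fragment only. */
            if (unwrapped->FRAG_f != 1)
                return CORRUPT_IP;
            if (set_payload_len(unwrapped, payload))
                return CORRUPT_IP;
            return TCP_FRAG_HEAD;
        }
        memcpy(&TCPhead, ip + unwrapped->IP_len, sizeof(struct TCP_header));
        /* Data offset is the top 4 bits of offset_flag, counted in 32-bit words. */
        unwrapped->TCP_len = (ntohs(TCPhead.offset_flag) & 0xF000) >> 10;
        unwrapped->DATA_len = payload - unwrapped->TCP_len;
        if (unwrapped->DATA_len < 0)
        {
            /* TCP options run past the IP length (IP options cannot cause
             * this); only a first fragment may legitimately be cut there. */
            if (unwrapped->FRAG_f != 1)
            {
                unwrapped->DATA_len = 0;
                return CORRUPT_IP;
            }
            unwrapped->TCP_len = 0;
            if (set_payload_len(unwrapped, payload))
                return CORRUPT_IP;
            return TCP_FRAG_HEAD;
        }
        return TCP;
    }

    if (IPhead.protocol == ICMP)
    {
        if (unwrapped->FRAG_nf != 0)
            return NOT_SUPPORTED;                 /* fragmented ICMP is not handled */
        if (payload < 4)
            return NOT_SUPPORTED;                 /* no handling of fragmented headers */
        unwrapped->ICMP_len = ICMP_HEADLENGTH;
        unwrapped->DATA_len = payload - unwrapped->ICMP_len;
        if (unwrapped->DATA_len < 0)
        {
            if (unwrapped->FRAG_f != 1)
            {
                unwrapped->DATA_len = 0;
                return CORRUPT_IP;
            }
            /* The original cleared TCP_len here (copy/paste from the TCP
             * branch); clearing the ICMP length mirrors the UDP branch. */
            unwrapped->ICMP_len = 0;
            if (set_payload_len(unwrapped, payload))
                return CORRUPT_IP;
            return NOT_SUPPORTED;                 /* don't handle fragmented ICMP */
        }
        return ICMP;
    }

    if (IPhead.protocol == UDP)
    {
        if (unwrapped->FRAG_nf != 0)
            return NOT_SUPPORTED;                 /* fragmented UDP is not handled */
        /* FIX: the old test compared the raw network-order length field
         * with IP_len, so on little-endian hosts datagrams whose total
         * length had a zero low byte (256, 512, ...) were rejected here. */
        if (payload < 8)
            return NOT_SUPPORTED;                 /* don't handle fragmented headers */
        unwrapped->UDP_len = UDP_HEADLENGTH;
        unwrapped->DATA_len = payload - unwrapped->UDP_len;
        if (unwrapped->DATA_len < 0)
        {
            if (unwrapped->FRAG_f != 1)
            {
                unwrapped->DATA_len = 0;
                return CORRUPT_IP;
            }
            unwrapped->UDP_len = 0;
            if (set_payload_len(unwrapped, payload))
                return CORRUPT_IP;
            return NOT_SUPPORTED;                 /* don't handle fragmented UDP */
        }
        return UDP;
    }

    return NOT_SUPPORTED;
}


--------------------------------------------------------------------------------
/src/sn_packets.h:
--------------------------------------------------------------------------------
/* Sniffit Packets include file */

#ifndef _SN_PACKETS_H_
#define _SN_PACKETS_H_

/* RFC 1071 checksum of nleft bytes; a correctly checksummed header yields 0. */
extern unsigned short in_cksum(const unsigned char *, int);
/* Classify the frame and fill the unwrap struct; returns a protocol or
 * error constant from sn_defines.h.  The frame is not modified. */
extern int unwrap_packet (const unsigned char *, struct unwrap *);

#endif
--------------------------------------------------------------------------------
/src/sn_packetstructs.h:
--------------------------------------------------------------------------------
/* Sniffit Packet Discription File */

#ifndef _SN_PACKETSTRUCTS_H_
#define _SN_PACKETSTRUCTS_H_

#include /* NOTE(review): system header name lost in extraction */

/* All multi-byte fields below hold wire (network) byte order; convert with
 * ntohs()/ntohl() before arithmetic. */

struct IP_header /* The IPheader (without options) */
{
    unsigned char verlen, type;         /* version (high nibble) + IHL (low nibble), TOS */
    unsigned short length, ID, flag_offset;
    unsigned char TTL, protocol;
    unsigned short checksum;
    _32_bit source, destination;
};

struct pseudo_IP_header /* layout used for the TCP/UDP checksum pseudo header */
{
    _32_bit source, destination;
    char zero_byte, protocol;
    unsigned short TCP_UDP_len;
};

struct TCP_header /* The TCP header (without options) */
{
    unsigned short source, destination;
    _32_bit seq_nr, ACK_nr;
    unsigned short offset_flag, window, checksum, urgent;   /* offset_flag: data offset (top 4 bits) + flags */
};

struct ICMP_header /* The ICMP header */
{
    unsigned char type, code;
    unsigned short checksum;
};

struct UDP_header /* The UDP header */
{
    unsigned short source, destination;
    unsigned short length, checksum;
};

struct unwrap /* some extra info, filled in by unwrap_packet() */
{
    int IP_len, TCP_len, ICMP_len, UDP_len; /* header lengths in bytes */
    int DATA_len;                           /* keep signed! a negative value marks an inconsistent packet while unwrapping */
    char FRAG_f;                            /* first fragment (MF set, offset 0) */
    char FRAG_nf;                           /* not the first fragment (offset != 0) */
};


#endif
--------------------------------------------------------------------------------
/src/sn_plugins.h:
--------------------------------------------------------------------------------
/* Sniffit Pluginfile include file - Brecht Claerhout */

/* You should install the plugins, by adding three lines. */
/* You should define a Plugin name, an alias for the plugin function, */
/* and include the source code of it. */
/* Example: */
/* #define PLUGIN0_NAME "Dummy Plugin" */
/* #define PLUGIN0(x) PL_real_function_name(x) */
/* #define PLUGIN0_INIT() PL_init_real_function_name() (optional) */
/* #include "plugin_include_filename.plug" */
/* PLUGIN0_NAME and PLUGIN0 are fixed names, numbers can go from 0 to 9 */

/* These two plugins come standard with the Sniffit package as examples. */
/* the "Dummy Plugin" is quite useless, but the "DNS Plugin" is going */
/* to be appreciated by some of you. Read the PLUGIN-HOWTO file.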
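*/

#define PLUGIN0_NAME "Dummy Plugin"
#define PLUGIN0(x) PL_dummy_plugin(x)
#include "dummy_plugin.plug"

#define PLUGIN1_NAME "DNS Plugin"
#define PLUGIN1(x) PL_DNS_plugin(x)
#include "dns_plugin.plug"

--------------------------------------------------------------------------------
/src/sn_resolv.c:
--------------------------------------------------------------------------------
/* Sniffit hostname resolving part */
/* - getaddrbyname: Godmar Back / Shudoh Kazuyuki */

#include "sn_defines.h"
/* NOTE(review): the system header names were lost in extraction; they are
 * reconstructed from the calls below (inet_addr, gethostbyname), plus
 * string.h for memcpy. */
#include <string.h>
#include <arpa/inet.h>
#include <netdb.h>

/*
 * Resolve name to an IPv4 address in network byte order.
 *
 * A dotted-decimal string is converted directly; anything else goes
 * through gethostbyname().  Returns 0 when the name cannot be resolved,
 * so callers must treat 0 as failure (it is indistinguishable from
 * 0.0.0.0).  inet_addr() reports "255.255.255.255" as INADDR_NONE, so that
 * literal also takes the resolver path.  The address bytes are copied with
 * memcpy rather than through a _32_bit* cast, which avoided neither the
 * alignment nor the aliasing question, and an answer that carries no
 * address or an address of the wrong size is reported as a failure.
 */
_32_bit getaddrbyname (const char *name)
{
    _32_bit ret;
    struct hostent *he;

    ret = inet_addr(name);
    if (ret != INADDR_NONE)
        return ret;                             /* dotted-decimal */

    he = gethostbyname(name);
    if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL
        || he->h_length != (int) sizeof(ret))
    {
#ifdef DEBUG
        debug_msg("GetAddr: Couldn't get host.");
#endif
        /* perror(name); */
        return 0;
    }
    memcpy(&ret, he->h_addr_list[0], sizeof(ret));
    return ret;
}
--------------------------------------------------------------------------------
/src/sn_resolv.h:
--------------------------------------------------------------------------------
/* Sniffit hostname resolving part include */

#ifndef _SN_RESOLV_H_
#define _SN_RESOLV_H_

/* IPv4 address (network order) for a dotted quad or host name; 0 on failure. */
extern _32_bit getaddrbyname (const char *);


#endif
--------------------------------------------------------------------------------
/src/sn_structs.h:
--------------------------------------------------------------------------------
/* Sniffit Structs File */

#ifndef _SN_STRUCTS_H_
#define _SN_STRUCTS_H_

#include <stdio.h> /* NOTE(review): name lost in extraction; FILE needs stdio.h */
#include "sn_packetstructs.h"

/**** Global data **********************************************************/
struct file_info                        /* one tracked connection and its capture file */
{
    char proto, filename[50];           /* fixed 50-byte name: writers must bound it */
    FILE *f;
    unsigned long bytes;
    _32_bit exp_seq;                    /* expected seq to avoid double logging */
    int time_out;
    char log;                           /* log=0 : do nothing */
                                        /* log=1 : log 'login' */
                                        /* log=2 : 'login' logged */
                                        /* log=3 : log password */
                                        /* log=4 : password logged */
                                        /* log=99 : no more detection */
                                        /* (the LOG_* constants in sn_logfile.h) */
    char scroll_buf[SCBUF+1];           /* scroll buffer */
    char *buffer;                       /* pointer to a buffer */
    struct file_info *next;
};

/**** Global data (config) **************************************************/
struct cfg_file_contense                /* one entry of the config file */
{
    char host[16];                      /* room for "255.255.255.255" plus NUL */
    unsigned int priority;
    unsigned char wildcard;
    unsigned short port;
};

/**** Global data (plugins) *************************************************/
struct Plugin_data {                    /* what a plugin gets per packet */
    struct unwrap PL_info;
    struct IP_header PL_iphead;
    struct TCP_header PL_tcphead;
    struct UDP_header PL_udphead;
    unsigned char PL_data[MTU];         /* fixed MTU-sized copies: whoever fills */
    unsigned char PL_packet[MTU];       /* them must bound the copy by MTU */
};

/**** Global data (interactive) *********************************************/
#ifdef INCLUDE_INTERFACE
#include "sn_curses.h"

struct box_window
{
    WINDOW *main_window, *work_window;
};


struct shared_conn_data                 /* shared memory connection datastructure */
{
    char connection [CONN_NAMELEN];     /* full ID string of conn */
    char desc [DESC_BYTES];             /* connection description */
    int timeout;
};
struct shared_logged_conn               /* shared memory logging datastructure */
{
    char log_enter [CONN_NAMELEN];      /* normal logging */
};
struct snif_mask                        /* struct for mask */
{
    _32_bit source_ip, destination_ip;
    _16_bit source_port, destination_port;
};

/* (packet generation) */
struct generate_mask
{
    _32_bit dest_ip, source_ip;
    _16_bit dest_port, source_port;
    _32_bit pkt_no;
};

struct sp_data_exchange {
    int fd;                             /* carried over from transmit_TCP */
    char *data;
    int datalen;
    _32_bit source; unsigned short source_port;
    _32_bit dest; unsigned short dest_port;
    _32_bit seq, ack;
    unsigned short flags;
    unsigned char *buffer;              /* work buffer */
    int IP_optlen;                      /* IP options length in bytes */
    int TCP_optlen;                     /* TCP options length in bytes */
};
#endif

#endif
--------------------------------------------------------------------------------
/src/sniffit.h:
--------------------------------------------------------------------------------
/* Sniffit Data File */

#ifndef _SNIFFIT_H_
#define _SNIFFIT_H_

#include "pcap.h"

/**** Sniffit functions *****************************************************/
extern char *strlower (char *);         /* lower-cases a string in place (defined in sniffit.c) */
#endif
--------------------------------------------------------------------------------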