The official documentation is easy to follow; anyone who needs it should understand it at a glance.
#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
* Sniffit V.0.3.7 Beta *
# By Brecht Claerhout #
* *
# This program is intended to demonstrate the unsafeness of TCP (currently) #
* No illegal activities are encouraged! *
# Please read the LICENSE file #
* *
# Sniffit grew a little upon its original intentions and is now #
* extended for network debugging (UDP, ICMP, netload, etc.) *
#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
* Libpcap library *
# This product includes software developed by the Computer Systems #
* Engineering Group at Lawrence Berkeley Laboratory. *
#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
0. Introduction, and some stuff you should know.
0.1 Credits and contact
0.2 Compiling
0.3 License
1. Programmers notes
excuses for my incompetence
2. Use of the program
flags and examples
3. Extra info on use
3.1 Running interactive mode
3.2 Forcing network devices (*READ*)
3.3 Format of the config file
3.4 Loglevels
4. The output
4.1 Normal
4.2 Logfile
5. IMPORTANT NOTES, READ!
this also!
——————————————————————————
0. Introduction, and some stuff you should know.
————————————————
0.3.7 (Beta). It has been a while, I know. But this year has been hell: last
year of uni, projects, thesis, … it didn’t stop. Well, that is behind us
now. The most important thing is that I’m back working on the program again,
and intend to keep on doing it.
I hope you enjoy this beta version. Like always, I removed some bugs. There
is a new ‘logging’ feature. It is now possible to record traffic with
Sniffit and process it later! (It is completely different from the logging
done in the 0.3.6 version, which is known to some hardcore Sniffit users.)
Please take a minute to skim through the text and read the passages marked
with a ‘*’; these are the new features.
(Please read BETA-TESTING)
I use the libpcap library developed at Berkeley Laboratory, for easy
porting (Read the licence).
0.1 Credits and contact
———————–
Credits go to (in order of appearance on the Sniffit scene):
Wim Vandeputte <wvdputte@reptile.rug.ac.be>,
best friend and UNIX guru, for support, testing and
providing me with a WWW site.
Godmar Back, for fixing that kernel 1.2.X bug (Sniffit 0.1.X).
Peter Kooiman, of Paradigm Systems Technology for providing the
facilities to port Sniffit, and for the endless testing
(although he laughs this away with “no big deal, I
don’t need no credits”).
Without him, there would have been no ports at all.
Brooke Paul, for providing me with an SGI account.
Qing Long, for the bash/zsh libpcap/configure script.
Guy Gustavson, for giving me a FreeBSD account.
Woju <woju@freebsd.ee.ntu.edu.tw>, for the ncurses SunOS/FreeBSD fixing,
and for his other efforts.
Amlan Saha <eng40607@nus.sg>, for adding Packet Generation to
Sniffit, and adding other features (not implemented yet).
I’m sure that in the near future you will see more of his
work in Sniffit.
Shudoh Kazuyuki, for changing getaddrbyname() and improving the
config-file interpreting.
Fyodor <fyodor@dhp.com>, for pointing out the hideous small
fragments problem.
David O’Brien <obrien@nuxi.com>, for netbsd information.
everybody who ever mailed me with suggestions, help, etc…
Also a big thanks to my Beta testers (alphabetically, I hope)…
Charles G Stuart <charles.stuart@juno.com> IRIX / RedHat LINUX
Patrick Schoppenhorst <pschoppe@thumper.indianapolis.sgi.com> IRIX
Shahid Mahmood <smahmood@hns.com> Slackware LINUX / SunOS
Stephen Hillier <shillier@tuns.ca> RedHat LINUX
And many others who wish to be anonymous….
Suggestions and comments can be sent to:
coder@reptile.rug.ac.be
Brecht Claerhout
Meulebeeksestw. 51
8700 Tielt
Belgium
The original distribution program can be obtained from (my site):
http://sniffit.rug.ac.be/sniffit/sniffit.html
MIND YOU: this program is run as root, and thus could easily contain
dangerous trojans. If you get it from the above site you can
safely compile and use it.
(No trojan versions have been discovered yet; it’s just a warning.)
0.2 Compiling
————-
Just type ‘configure’ and then ‘make’ (if configure finished without errors).
Mind you, you can still modify some things in the ‘sn_config.h’ file, but
by default all sections that can be built on your system are added.
IMPORTANT NOTES:
1. This source code has only been tested with GNU versions of make/C
compiler. (i.e. don’t come complaining to me if your ‘native’ system
compiler screws up, use GNU!)
2. curses IS NOT equal to ncurses.
(ncurses is available at your local sunsite mirror.)
3. READ THE FAQ when experiencing problems.
Other stuff….
make clean : cleans all directories for a compiling from scratch
0.3 License (this is a copy of the LICENSE file)
———–
Sniffit 0.3.7 Copyright (c) 1996-1998 Brecht Claerhout
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
4. Redistribution of source code must be conform with the ‘libpcap’
copyright conditions, if that library is included.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR “AS IS” AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1. Programmers notes
——————–
I wasn’t educated to be a programmer, so I write lousy code. Please forgive
me.
Still, note the use of shared memory: with Linux you should take extra
care when recompiling your kernel! Answer YES to ‘System V IPC
(CONFIG_SYSVIPC) [y]’.
2. Use of the program
———————
(The man pages have detailed info on what parameters you can mix)
(* indicates New Features)
Options:
ONE of these is required!
-v Show version and exit (just added because it’s such a
widespread option)
-t <IP nr/name> tells the sniffer to check out packets GOING TO <IP>
-s <IP nr/name> tells the sniffer to check out packets COMING FROM <IP>
You can use the ‘@’ wildcard (only IP NUMBERS of course).
e.g. -t 199.145.@
-t 199.14@
mind you, -t @ is also a valid option.
-i Interactive mode, overrides all other options
* -I Extended Interactive mode, overrides all other options
* Much more fun than -i, watch and enjoy…
* (best viewed in an xterm that is stretched wide…)
-c <file> Use <file> as a config file for Sniffit
See 3.3 for format of the config file.
NOTE: -t or -s only apply to TCP and UDP packets; ICMP and IP packets
are ALL interpreted.
Also, any selection on ports (-p) only applies to TCP and UDP packets.
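A small matcher for the ‘@’ wildcard that -t and -s accept, added here as an example; it is not code from Sniffit. It assumes, from the wording above, that the text before ‘@’ is compared as a plain prefix of the dotted-quad address, which is why ‘199.14@’ also matches 199.140.x.x while ‘199.14.@’ pins the second octet. The function name is this example’s own; host names are compared literally because the wildcard is only defined for IP numbers.

```c
/* Added example (not Sniffit's own code): matching of the '@' wildcard
   used by the -t/-s address filters. Semantics are assumed from the
   README: the part before '@' is a textual prefix of the dotted quad. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if `ip` (a dotted-quad string) matches `pattern`, else 0.
   Patterns without '@' must match exactly; patterns with '@' must consist
   of digits and dots followed by a single trailing '@'. */
int wildcard_match(const char *pattern, const char *ip)
{
    const char *at = strchr(pattern, '@');
    if (at == NULL)
        return strcmp(pattern, ip) == 0;          /* no wildcard: exact match */
    if (at[1] != '\0')
        return 0;                                  /* '@' only at the very end */
    for (const char *p = pattern; p < at; p++)     /* only IP numbers before '@' */
        if (!isdigit((unsigned char)*p) && *p != '.')
            return 0;
    return strncmp(pattern, ip, (size_t)(at - pattern)) == 0;
}

int main(void)
{
    /* Constructed sample addresses and the patterns from the README. */
    const char *patterns[] = { "199.145.@", "199.14@", "199.14.@", "@" };
    const char *addrs[]    = { "199.145.3.4", "199.140.0.1", "10.0.0.1" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        for (size_t j = 0; j < sizeof addrs / sizeof addrs[0]; j++)
            printf("%-10s %-12s -> %s\n", patterns[i], addrs[j],
                   wildcard_match(patterns[i], addrs[j]) ? "match" : "no match");
    return 0;
}
```

The table the program prints makes the over-match visible: ‘199.14@’ catches 199.140.0.1, which is rarely what the operator meant, so a filter on a whole class B or class C style prefix should end in ‘.@’.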
Parameters for all modes:
-F <device> force sniffit to use a network device
(READ 3.2 ON THIS SUBJECT, IMPORTANT)
-n Turn off IP checksum checking. This can show you
bogus packets. (mind you ARP, RARP, other non-IP
packets will show up bogus too) (compatible with
ALL options)
-N Disables all functions that Sniffit has built in, useful
when you want to run ONLY a plugin
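To make the -n note concrete: the check Sniffit performs by default is the IPv4 header checksum, and a packet whose header no longer sums correctly is what the text calls ‘bogus’. The following is an added example, not code from Sniffit, that verifies that checksum over two hand-constructed packets (one intact, one with a changed TTL and a stale checksum) and also decodes the TCP SEQ, ACK and flag fields that the -x option prints. The function names, the `check_ip_sum` switch that mirrors -n, and both packets are this example’s own.

```c
/* Added example (not Sniffit's own code): IPv4 header checksum verification,
   with a switch that mirrors -n, plus decoding of the TCP fields -x prints.
   Both packets below are constructed by hand for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 20-byte IPv4 header (192.168.1.10 -> 199.145.3.4, proto 6 = TCP, TTL 64)
   followed by a 20-byte TCP header (port 40000 -> 80, SYN+ACK).
   The header checksum 0xee87 is correct for this header. */
static const uint8_t good_packet[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0xee, 0x87,
    0xc0, 0xa8, 0x01, 0x0a, 0xc7, 0x91, 0x03, 0x04,
    0x9c, 0x40, 0x00, 0x50, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
    0x50, 0x12, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};
/* Same packet with the TTL changed to 63 but the old checksum kept: bogus. */
static const uint8_t bogus_packet[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x3f, 0x06, 0xee, 0x87,
    0xc0, 0xa8, 0x01, 0x0a, 0xc7, 0x91, 0x03, 0x04,
    0x9c, 0x40, 0x00, 0x50, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
    0x50, 0x12, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

struct tcp_info {
    int err;             /* 0 ok, -1 malformed or not TCP, -2 bad IP checksum */
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t flags;       /* raw TCP flag byte */
};

/* RFC 1071 one's-complement sum. Run over a header that already contains
   its checksum field, the result is 0 exactly when the header is intact. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)                      /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Parse IPv4 + TCP headers. check_ip_sum = 0 behaves like -n: the checksum
   is ignored and a corrupted header is decoded as if it were fine. */
struct tcp_info dissect_tcp(const uint8_t *pkt, size_t len, int check_ip_sum)
{
    struct tcp_info r;
    memset(&r, 0, sizeof r);
    r.err = -1;
    if (len < 20 || (pkt[0] >> 4) != 4)
        return r;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6)
        return r;
    if (check_ip_sum && ip_checksum(pkt, ihl) != 0) {
        r.err = -2;
        return r;
    }
    const uint8_t *t = pkt + ihl;
    r.sport = (uint16_t)((t[0] << 8) | t[1]);
    r.dport = (uint16_t)((t[2] << 8) | t[3]);
    r.seq = ((uint32_t)t[4] << 24) | ((uint32_t)t[5] << 16) | ((uint32_t)t[6] << 8) | t[7];
    r.ack = ((uint32_t)t[8] << 24) | ((uint32_t)t[9] << 16) | ((uint32_t)t[10] << 8) | t[11];
    r.flags = t[13];
    r.err = 0;
    return r;
}

/* Render the flag byte as "SYN ACK" style text (static buffer, not reentrant). */
const char *tcp_flag_names(uint8_t flags)
{
    static const char *names[6] = { "FIN", "SYN", "RST", "PSH", "ACK", "URG" };
    static char buf[32];
    buf[0] = '\0';
    for (int bit = 0; bit < 6; bit++) {
        if (flags & (1u << bit)) {
            if (buf[0]) strcat(buf, " ");
            strcat(buf, names[bit]);
        }
    }
    return buf;
}

int main(void)
{
    const uint8_t *pkts[2] = { good_packet, bogus_packet };
    for (int i = 0; i < 2; i++)
        for (int check = 1; check >= 0; check--) {
            struct tcp_info ti = dissect_tcp(pkts[i], 40, check);
            printf("packet %d, checksum check %s: err=%d", i, check ? "on" : "off (-n)", ti.err);
            if (ti.err == 0)
                printf(" SEQ=%08x ACK=%08x flags=%s", ti.seq, ti.ack, tcp_flag_names(ti.flags));
            putchar('\n');
        }
    return 0;
}
```

With the check on, the corrupted packet is rejected before any TCP field is read; with it off, the same bytes decode to a plausible SYN/ACK, which is exactly why -n is useful for debugging a flaky link and risky as a default for anything that acts on the decoded fields.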
Parameters for not running in -i:
-b does both -t and -s, regardless of which function you used
(-t or -s)
-d Dump mode, shows the packets on the screen in bytes (not
like tcpdump). For test purposes. (Numbers are hex.)
-a Same as ‘-d’ but outputs ASCII.
-x Prints extended info on TCP packets (SEQ numbers, ACK, flags, etc.).
(Works with ‘-a’, ‘-d’, ‘-s’, ‘-t’, ‘-b’ or on its own.)
(Mind you, it is always shown on stdout, so it is not logged when
using ‘-t’, ‘-s’, ‘-b’ without another parameter.)
* -R <file> Record all traffic in <file>
* This file can then be fed to Sniffit with the ‘-r’ option.
* -r <file> This option feeds the recorded <file> to Sniffit. It
* requires the ‘-F’ option with the correct device.
* Suppose you record a file on a machine with ‘eth0’. When
* feeding the recorded file to Sniffit, you will need to add ‘-F eth0’
* or ‘-F eth’ to the command line.
* It needs little explanation that using ‘-i’ or ‘-I’
* in combination with ‘-r’ makes no sense (at this moment).
-A <char> When in logging mode, all non-printable chars will be
replaced by <char>. (See the note below 4. The output.)
-P protocol Specify the protocols examined (default TCP).
Possible options currently are: IP, TCP, ICMP, UDP.
They can be combined.
-p <port> Logs connections on …