Patrick J. Edwards <edwards@cambridgenet.sk.ca>, Mon, 17 Mar 1997 17:46:24 -0600
#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
*                            Sniffit V.0.3.5                                  *
*                          By Brecht Claerhout                                *
#  This program is intended to demonstrate the unsafeness of TCP (currently)  #
*                No illegal activities are encouraged!                        *
#      Anyway, I'm not responsible for anything you do with it.               #
*                                                                             *
#  Sniffit grew a little upon its original intentions and is now              #
*  extended for network debugging (UDP, ICMP, netload, etc.)                  *
#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
*                          Libpcap library                                    *
#      This product includes software developed by the Computer Systems       #
*           Engineering Group at Lawrence Berkeley Laboratory.                *
#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#


2. Use of the program
---------------------

(The man pages have detailed info on what parameters you can mix)
(* indicates New Features)

Options:
ONE of these is required!
  -v             Show version and exit (just added because it's such a
                 widespread option)

  -t <IP nr/name>   tells the sniffer to check out packets GOING TO <IP>
* -s <IP nr/name>   tells the sniffer to check out packets COMING FROM <IP>
*                   You can use the '@' wildcard (only with IP NUMBERS of course).
*                   e.g. -t 199.145.@
*                        -t 199.14@
*                   mind you, -t @ is also a valid option.
  -i                Interactive mode, overrides all other options
  -c <file>         Use <file> as a config file for Sniffit
                    See 3.3 for format of the config file.

* NOTE: -t or -s only apply to TCP and UDP packets; ICMP and IP packets
*       are ALL interpreted.
*       Also, any selection on ports (-p) only applies to TCP and UDP packets.
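The host selection of -t, -s and -b and the '@' wildcard, as an added example in C (not sniffit's own code). It assumes, as the examples above suggest, that '@' is a textual prefix match on the dotted-decimal address; one consequence worth knowing is that '199.14@' also selects 199.140.x.x through 199.149.x.x, so '199.14.@' is the pattern for a single /16.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Does the -t/-s argument 'pattern' select the dotted-decimal address 'ip'?
   A pattern without '@' must match the whole address. With '@', everything
   before it is compared as a string prefix (assumption: this is how the
   README's "199.145.@" and "199.14@" examples are meant). */
bool host_matches(const char *pattern, const char *ip)
{
    const char *at = strchr(pattern, '@');
    if (at == NULL)
        return strcmp(pattern, ip) == 0;
    /* The wildcard is only valid in IP numbers: digits and dots before the
       '@', and nothing after it. Anything else is rejected, not resolved. */
    for (const char *p = pattern; p < at; p++)
        if (!isdigit((unsigned char)*p) && *p != '.')
            return false;
    if (at[1] != '\0')
        return false;
    return strncmp(pattern, ip, (size_t)(at - pattern)) == 0;
}

enum sel_mode { SEL_TO, SEL_FROM, SEL_BOTH };   /* -t, -s, and -b added to either */

/* Decide whether a packet from 'src' to 'dst' is examined at all. */
bool packet_selected(const char *pattern, enum sel_mode mode,
                     const char *src, const char *dst)
{
    switch (mode) {
    case SEL_TO:   return host_matches(pattern, dst);
    case SEL_FROM: return host_matches(pattern, src);
    default:       return host_matches(pattern, dst) || host_matches(pattern, src);
    }
}

int main(void)
{
    /* Constructed addresses, following the README's 66.66.66.7 example. */
    const char *sniffer = "66.66.66.1", *target = "66.66.66.7";
    printf("-t 66.66.66.7, packet target->sniffer: %s\n",
           packet_selected(target, SEL_TO, target, sniffer) ? "selected" : "ignored");
    printf("-b -t 66.66.66.7, same packet:         %s\n",
           packet_selected(target, SEL_BOTH, target, sniffer) ? "selected" : "ignored");
    printf("-t 199.14@ vs 199.140.1.1:             %s\n",
           host_matches("199.14@", "199.140.1.1") ? "selected" : "ignored");
    return 0;
}
```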

Parameters for all modes:
  -F <device> force sniffit to use a network device 
	      (READ 3.2 ON THIS SUBJECT, IMPORTANT)
  -n          Turn off IP checksum checking. This can show you bogus
              packets. (mind you, ARP, RARP and other non-IP packets
              will show up as bogus too) (compatible with ALL options)
* -N	      Disables all functions that Sniffit has built in, useful
*             when you want to run ONLY a plugin

Parameters for not running in -i:
  -b           does both -t and -s, no matter which function you used
               (-t or -s)
  -d           Dump mode, shows the packets on the screen in bytes (not
               like tcpdump). For test purposes. (numbers are hex)
  -a           same as '-d' but outputs ASCII.
  -x           Prints extended info on TCP packets: SEQ numbers, ACK,
               the flags, etc. (works with '-a', '-d', '-s', '-t', '-b'
               or on its own.)
               (Mind you, it is always shown on stdout, so not logged when
               using '-t', '-s', '-b' without another parameter)
  -A <char>    When in logging mode, all non-printable chars will be
               replaced by <char>. (see the note under '4. The output')
  -P protocol  specify the protocols examined (default TCP)
	       possible options currently are: IP, TCP, ICMP, UDP
	       They can be combined.
  -p <port>    Logs connections on port <port>, 0 means all ports, default 
               is 0 (all), look out with that on loaded nets!
  -l <length>  Amount of information to log (default 300 bytes).
               Length 0 logs everything. (watch your disk space when
               logging everything!)
* -M <Plugin>  Activate Plugin nr. <Plugin>, for a list on all plugins 
*              compiled in your version, just type 'sniffit'.
*              Read all about Plugins in the PLUGIN-HOWTO (READ IT!)
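What the -l <length> and -A <char> options do to the payload that reaches a log file, as an added C example (not sniffit's code). It assumes "non-printable" means isprint() in the C locale, and uses a constructed telnet-style byte string; the point of -A is that raw captured bytes can carry terminal control sequences, and replacing them makes the file safe to page with 'more'.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, not captured traffic: telnet option negotiation
   (IAC WILL ECHO), a terminal clear-screen escape sequence, then CR LF. */
static const unsigned char SAMPLE[] = "\xff\xfb\x01user\x1b[2Jname\r\n";
#define SAMPLE_LEN (sizeof SAMPLE - 1)

/* Apply -l <length> (0 = everything) and -A <char> (0 = no replacement) to
   'len' bytes of payload. Returns the NUL-terminated result in a static
   buffer, which is fine for a demo but not for a threaded logger. */
const char *sanitize_for_log(const unsigned char *data, size_t len,
                             size_t loglen, int repl)
{
    static char out[512];
    size_t keep = (loglen == 0 || loglen > len) ? len : loglen;
    if (keep > sizeof out - 1)
        keep = sizeof out - 1;
    for (size_t i = 0; i < keep; i++) {
        unsigned char c = data[i];
        /* isprint() in the C locale accepts 0x20..0x7e only, so CR, LF, ESC
           and the telnet IAC bytes are all replaced when -A is given. */
        out[i] = (repl != 0 && !isprint(c)) ? (char)repl : (char)c;
    }
    out[keep] = '\0';
    return out;
}

int main(void)
{
    /* The raw form is not printed here: its ESC[2J would clear the screen,
       which is exactly what -A protects a log reader from. */
    printf("raw length (-l 0):  %zu bytes\n", strlen(sanitize_for_log(SAMPLE, SAMPLE_LEN, 0, 0)));
    printf("-A . -l 0:          %s\n", sanitize_for_log(SAMPLE, SAMPLE_LEN, 0, '.'));
    printf("-A ^ -l 300:        %s\n", sanitize_for_log(SAMPLE, SAMPLE_LEN, 300, '^'));
    printf("-A . -l 6:          %s\n", sanitize_for_log(SAMPLE, SAMPLE_LEN, 6, '.'));
    return 0;
}
```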

Parameters with -i:
  -D <device>  All logging output will be sent to that device.
               It's cool to get the same IRC screen as the guy y'r 
               sniffing upon ;-)

Parameters with -c:
  -L <loglevel> enable logging with <loglevel> as loglevel
                currently the following loglevels are supported:
                1     : Raw level
                10,12 : Normal level
                (see '2. The Output' for more info)
 

Some examples:
  Imagine the following setup: 2 hosts on a subnet, one is running the 
  sniffer (sniffit.com), the other one is 66.66.66.7 (target.com).
    1. You want to test if the sniffer is working:
       sniffit:~/# sniffit -d -p 7 -t 66.66.66.7
       and in another window:
       sniffit:~/$ telnet target.com 7
       you should see the sniffer giving you packets as you telnet to 
       the 'echo' service. 
    2. I want to log some passwords from people on 66.66.66.7:
       sniffit:~/# sniffit -p 23 -t 66.66.66.7
    3. Root of target.com tells me he gets strange ftp connections and 
       wants to find out the commands typed:
       sniffit:~/# sniffit -p 21 -l 0 -t 66.66.66.7
    4. You want to read all incoming and outgoing mail on target.com:
       sniffit:~/# sniffit -p 25 -l 0 -b -t 66.66.66.7 &
       or
       sniffit:~/# sniffit -p 25 -l 0 -b -s 66.66.66.7 &
    5. You want to use the menu based interface.
       sniffit:~/# sniffit -i
    6. Something is really wrong and you want to see the Control Messages
       with error codes.
       sniffit:~/# sniffit -P icmp -b -s 66.66.66.7
    7. Go wild on scrolling the screen.
       sniffit:~/# sniffit -P ip -P icmp -P tcp -p 0 -b -a -d -x -s 
                   66.66.66.7
       which is the same as
       sniffit:~/# sniffit -P ipicmptcp -p 0 -b -a -d -x -s 66.66.66.7
    8. Log passwords in such a way that you can read them with 'more 66*'
       sniffit:~/# sniffit -p 23 -A . -t 66.66.66.7
       or
       sniffit:~/# sniffit -p 23 -A ^ -t dummy.net
    9. This could go on for ever..............


3.2 Forcing network devices   (*READ*)
--------------------------------------

NOTE: the correct name (for sniffit) of a device can be found by running 
      'ifconfig'

When forcing a network device, sniffit tries to find out what kind of device
it is. If sniffit recognises the name, everything is okay. If it does not
recognise the name, it sets the variable FORCED_HEAD_LENGHTH to the ethernet
headlength, which is the length in bytes of an ethernet packet header.
So if you have to force a non-ethernet device that is not recognised by
sniffit, make sure you set that headlength correctly in the 'config.h' file.

The -F option was added because I noticed device names can differ from 
system to system, and because some ppl have multiple devices present.
When having problems with this option, please think twice before you mail me.

* e.g: sniffit -F eth1 -t foobar.com -dx
*
* Notice you don't have to add /dev/ (some ppl mentioned to me this was not 
* completely clear).

5. IMPORTANT NOTES, READ!
-------------------------

First of all, some stuff people who use this program should already know, 
if you don't, well here ya got it:

Some other notes:
 
  - Sniffers can only be run by ROOT
  - Sniffers can only log packets that 'travel' on THEIR ethernet cable.
    So there has to be some host on your subnet involved (either as 
    sender or receiver).
  - Working with '-d' or '-a' gives you raw packets, still packed in IP;
    when logging to files, only the sent data is logged, i.e. the packets
    are 'unwrapped'.
  - Sniffers can not be detected from the outside (look below for the note
    on the hard disk).
    Some people pretend that tcp wrappers and stuff can detect sniffers, 
    well that's bullshit. Sniffers are just 'sitting' on the line and 
    reading what is passing anyway, they don't DO anything, they just watch.
    They can be detected:
      - In the process list (ps -augwx)
      - When the hard disk light flashes a lot, people can suspect something.
        Also hard disks can make a lot of noise, but these symptoms are 
        only paid attention to in hostile environments.
  - (LINUX) Your KERNEL should support System V IPC if you want to use '-i'
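A local check to go with the detection note above, added here and not part of the README: a sniffer that reads every packet on the cable needs the interface in promiscuous mode, which Linux exposes as the IFF_PROMISC bit (0x100) in /sys/class/net/<dev>/flags. The sysfs path and the flag value are Linux specifics I am supplying, not something the README states, and like the process-list check the README mentions, this only works on the host itself.

```c
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>

#define IFF_PROMISC_BIT 0x100u   /* value of IFF_PROMISC in <linux/if.h> */

/* Parse the text of a sysfs flags file (e.g. "0x1103\n") and report whether
   the promiscuous bit is set: 1 = set, 0 = clear, -1 = not a hex number. */
int flags_promisc(const char *hex)
{
    char *end;
    unsigned long v = strtoul(hex, &end, 16);
    if (end == hex) return -1;
    return (v & IFF_PROMISC_BIT) ? 1 : 0;
}

/* Walk /sys/class/net, print every interface that has PROMISC set and
   return how many there were; -1 if the directory cannot be opened. */
int report_promisc_interfaces(void)
{
    DIR *dir = opendir("/sys/class/net");
    if (dir == NULL) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL) {
        char path[300], buf[32];
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/sys/class/net/%s/flags", e->d_name);
        FILE *f = fopen(path, "r");
        if (f == NULL) continue;
        if (fgets(buf, sizeof buf, f) != NULL && flags_promisc(buf) == 1) {
            printf("%s: PROMISC set (flags %s)\n", e->d_name, buf);
            count++;
        }
        fclose(f);
    }
    closedir(dir);
    return count;
}

int main(void)
{
    int n = report_promisc_interfaces();
    if (n < 0) { fprintf(stderr, "cannot read /sys/class/net (not Linux?)\n"); return 2; }
    printf("%d interface(s) in promiscuous mode\n", n);
    return n > 0 ? 1 : 0;   /* non-zero exit when something is listening promiscuously */
}
```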
