mirror of
https://github.com/archlinuxarm/PKGBUILDs.git
synced 2024-12-08 23:03:46 +00:00
937 lines
36 KiB
Diff
937 lines
36 KiB
Diff
--- sniffit.0.3.7.beta.orig/sniffit.5
|
|
+++ sniffit.0.3.7.beta/sniffit.5
|
|
@@ -122,7 +122,6 @@
|
|
a) Send by hosts '100.100.12.*'
|
|
b) Send from/to 100.100.12.2 (useless line)
|
|
c) deselecting all WWW packets on the subnet
|
|
-.ni
|
|
|
|
.SH AUTHOR
|
|
Brecht Claerhout <coder@reptile.rug.ac.be>
|
|
--- sniffit.0.3.7.beta.orig/sn_structs.h
|
|
+++ sniffit.0.3.7.beta/sn_structs.h
|
|
@@ -67,7 +67,7 @@
|
|
struct snif_mask /* struct for mask */
|
|
{
|
|
_32_bit source_ip, destination_ip;
|
|
- _32_bit short source_port, destination_port;
|
|
+ _16_bit source_port, destination_port;
|
|
};
|
|
|
|
/* (packet generation) */
|
|
--- sniffit.0.3.7.beta.orig/sniffit.0.3.7.c
|
|
+++ sniffit.0.3.7.beta/sniffit.0.3.7.c
|
|
@@ -48,15 +48,15 @@
|
|
{
|
|
printf (
|
|
"usage: %s [-xdabvnN] [-P proto] [-A char] [-p port] [(-r|-R) recordfile]\n"
|
|
- " [-l sniflen] [-L logparam] [-F snifdevice] [-M plugin]\n"
|
|
+ " [-l sniflen] [-L logparam] [-F snifdevice] [-M plugin]\n",
|
|
+ prog_name);
|
|
#ifdef INCLUDE_INTERFACE
|
|
- " [-D tty]"
|
|
+ printf ( " [-D tty]"
|
|
" (-t<Target IP> | -s<Source IP>)"
|
|
- " | (-i|-I) | -c<config file>]\n",
|
|
+ " | (-i|-I) | -c<config file>]\n");
|
|
#else
|
|
- " (-t<Target IP> | -s<Source IP>) | -c<config file>]\n",
|
|
+ printf ( " (-t<Target IP> | -s<Source IP>) | -c<config file>]\n");
|
|
#endif
|
|
- prog_name);
|
|
printf ("Plugins Available:\n");
|
|
#ifdef PLUGIN0_NAME
|
|
printf (" 0 -- %s\n", PLUGIN0_NAME);
|
|
--- sniffit.0.3.7.beta.orig/sn_analyse.c
|
|
+++ sniffit.0.3.7.beta/sn_analyse.c
|
|
@@ -151,16 +151,18 @@
|
|
{
|
|
char workbuf1[MTU];
|
|
char *wb_dummy;
|
|
+ char *p;
|
|
+ size_t len = info.DATA_len <= MTU-1 ? info.DATA_len : MTU-1;
|
|
|
|
- strncpy(workbuf1,data,info.DATA_len);
|
|
- workbuf1[info.DATA_len]=0;
|
|
+ strncpy(workbuf1,data,len);
|
|
+ workbuf1[len]=0;
|
|
strlower(workbuf1);
|
|
|
|
- if(strstr(workbuf1,"mail from")!=NULL)
|
|
+ if((p=strstr(workbuf1,"mail from"))!=NULL)
|
|
{
|
|
char workbuf2[MTU];
|
|
|
|
- strcpy(workbuf2, strstr(workbuf1,"mail from"));
|
|
+ strcpy(workbuf2, p);
|
|
if(strchr(workbuf2,13)!=NULL) /* remove trailing enter */
|
|
{wb_dummy=strchr(workbuf2,13); *wb_dummy=0;}
|
|
if(strchr(workbuf2,10)!=NULL)
|
|
@@ -168,11 +170,11 @@
|
|
print_mail(filename,workbuf2);
|
|
}
|
|
|
|
- if(strstr(workbuf1,"rcpt to")!=NULL)
|
|
+ if((p=strstr(workbuf1,"rcpt to"))!=NULL)
|
|
{
|
|
char workbuf2[MTU];
|
|
|
|
- strcpy(workbuf2, strstr(workbuf1,"rcpt to"));
|
|
+ strcpy(workbuf2, p);
|
|
if(strchr(workbuf2,13)!=NULL) /* remove trailing enter */
|
|
{wb_dummy=strchr(workbuf2,13); *wb_dummy=0;}
|
|
if(strchr(workbuf2,10)!=NULL)
|
|
--- sniffit.0.3.7.beta.orig/README.FIRST
|
|
+++ sniffit.0.3.7.beta/README.FIRST
|
|
@@ -6,7 +6,7 @@
|
|
* No illegal activities are encouraged! *
|
|
# Please read the LICENSE file #
|
|
* *
|
|
-# Sniffit grew a little upon it's original intentions and is now #
|
|
+# Sniffit grew a little upon its original intentions and is now #
|
|
* extended for network debugging (UDP, ICMP, netload, etc.) *
|
|
#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#
|
|
* Libpcap library *
|
|
@@ -45,19 +45,19 @@
|
|
|
|
I hope you enjoy this beta version. Like always, I removed some bugs. There
|
|
is a new 'logging' feature. It is now possible to record traffic with
|
|
-Sniffit and process it later! (it is completely different from te logging
|
|
+Sniffit and process it later! (it is completely different from the logging
|
|
done in the 0.3.6 version, that is known to some hardcore Sniffit users)
|
|
Please take a minute to skim through the text and read the passages marked
|
|
with a '*', these are the new features.
|
|
(Please read BETA-TESTING)
|
|
|
|
-I use the libpcap library developped at Berkeley Laboratory, for easy
|
|
+I use the libpcap library developed at Berkeley Laboratory, for easy
|
|
porting (Read the licence).
|
|
|
|
0.1 Credits and contact
|
|
-----------------------
|
|
|
|
-Credits go to (in order of apperance on the Sniffit scene):
|
|
+Credits go to (in order of appearance on the Sniffit scene):
|
|
Wim Vandeputte <wvdputte@reptile.rug.ac.be>,
|
|
best friend and UNIX guru, for support, testing and
|
|
providing me with a WWW site.
|
|
@@ -71,17 +71,17 @@
|
|
Qing Long, for the bash/zsh libpcap/configure script.
|
|
Guy Gustavson, for giving me a FreeBSD account.
|
|
Woju <woju@freebsd.ee.ntu.edu.tw>, for the ncurses SunOS/FreeBSD fixing,
|
|
- and for his other effords.
|
|
+ and for his other efforts.
|
|
Amlan Saha <eng40607@nus.sg>, for adding Packet Generation to
|
|
Sniffit, and adding other features (not implemented yet).
|
|
I'm sure that in the near future you will see more of his
|
|
work in Sniffit.
|
|
Shudoh Kazuyuki, for changing getaddrbyname() and improving the
|
|
config-file interpreting.
|
|
- Fyodor <fyodor@dhp.com>, for pointing out the hidious small
|
|
+ Fyodor <fyodor@dhp.com>, for pointing out the hideous small
|
|
fragments problem.
|
|
David O'Brien <obrien@nuxi.com>, for netbsd information.
|
|
- everybody, who ever mailed me with sugestions help, etc...
|
|
+ everybody, who ever mailed me with suggestions help, etc...
|
|
|
|
Also a big thanks to my Beta testers (alphabetically, I hope)...
|
|
Charles G Stuart <charles.stuart@juno.com> IRIX / RedHat LINUX
|
|
@@ -91,7 +91,7 @@
|
|
|
|
And many others who wish to be anonymous....
|
|
|
|
-Sugestions and comments can be sent to:
|
|
+Suggestions and comments can be sent to:
|
|
coder@reptile.rug.ac.be
|
|
|
|
Brecht Claerhout
|
|
@@ -99,10 +99,10 @@
|
|
8700 Tielt
|
|
Belgium
|
|
|
|
-The original distribution program can be optained from (my site):
|
|
+The original distribution program can be obtained from (my site):
|
|
http://sniffit.rug.ac.be/sniffit/sniffit.html
|
|
|
|
-MIND YOU: this program is ran as root, and thus could easily contain
|
|
+MIND YOU: this program is run as root, and thus could easily contain
|
|
dangerous trojans. If you get it from the above site you can
|
|
safely compile and use it.
|
|
(no trojan versions are discovered yet.. it's just a warning)
|
|
@@ -178,7 +178,7 @@
|
|
-v Show version and exit (just added because it's such a
|
|
wide spread option)
|
|
-t <IP nr/name> tells the sniffer to check out packets GOING TO <IP>
|
|
- -s <IP nr/name> tells the sniffer to check out packets COMMING FROM <IP>
|
|
+ -s <IP nr/name> tells the sniffer to check out packets COMING FROM <IP>
|
|
You can use the '@' wildcard (only IP NUMBERS of course).
|
|
e.g. -t 199.145.@
|
|
-t 199.14@
|
|
@@ -197,15 +197,15 @@
|
|
Parameters for all modes:
|
|
-F <device> force sniffit to use a network device
|
|
(READ 3.2 ON THIS SUBJECT, IMPORTANT)
|
|
- -n Turn of IP checksum checking. This can show you
|
|
+ -n Turn off IP checksum checking. This can show you
|
|
bogus packets. (mind you ARP, RARP, other non-IP
|
|
packets will show up bogus too) (compatible with
|
|
ALL options)
|
|
- -N Disables all functions that Sniffit has build in, usefull
|
|
+ -N Disables all functions that Sniffit has build in, useful
|
|
for wanting to run ONLY a plugin
|
|
|
|
Parameters for not running in -i:
|
|
- -b does both -t and -s, doesn't mather what function you used
|
|
+ -b does both -t and -s, doesn't matter what function you used
|
|
(-t or -s)
|
|
-d Dump mode, shows the packets on the screen in bytes (not
|
|
like tcpdump). For test purposes. (numbers are hex)
|
|
@@ -231,7 +231,7 @@
|
|
They can be combined.
|
|
-p <port> Logs connections on port <port>, 0 means all ports, default
|
|
is 0 (all), look out with that on loaded nets!
|
|
- -l <length> Ammount of information to log (default 300 bytes).
|
|
+ -l <length> Amount of information to log (default 300 bytes).
|
|
Length 0 logs everything. (look out with diskspace when
|
|
logging everything!)
|
|
-M <Plugin> Activate Plugin nr. <Plugin>, for a list on all plugins
|
|
@@ -260,7 +260,7 @@
|
|
|
|
Some examples:
|
|
Imagine the following setup: 2 hosts on a subnet, one is running the
|
|
- sniffer (sniffit.com), the otherone is 66.66.66.7 (target.com).
|
|
+ sniffer (sniffit.com), the other one is 66.66.66.7 (target.com).
|
|
1. You want to test if the sniffer is working:
|
|
sniffit:~/# sniffit -d -p 7 -t 66.66.66.7
|
|
and in another window:
|
|
@@ -272,7 +272,7 @@
|
|
3. Root of target.com tells me he gets strange ftp connections and
|
|
wants to find out the commands typed:
|
|
sniffit:~/# sniffit -p 21 -l 0 -t 66.66.66.7
|
|
- 4. You want to read all incomming and outgoing mail on target.com:
|
|
+ 4. You want to read all incoming and outgoing mail on target.com:
|
|
sniffit:~/# sniffit -p 25 -l 0 -b -t 66.66.66.7 &
|
|
or
|
|
sniffit:~/# sniffit -p 25 -l 0 -b -s 66.66.66.7 &
|
|
@@ -314,9 +314,9 @@
|
|
F5 or '5' : Start a program 'sniffit_key5' with arguments
|
|
<from IP> <from port> <to IP> <to port>
|
|
If the program doesn't exist, nothing is done. Sniffit should
|
|
- be in the same path as sniffit was STARTED FROM (not necessarely
|
|
+ be in the same path as sniffit was STARTED FROM (not necessarily
|
|
the path sniffit is stored in)
|
|
- This is usefull for interactive connection killing or extra
|
|
+ This is useful for interactive connection killing or extra
|
|
monitoring. A little shell script can always transform the
|
|
arguments given and pass them on to other programs.
|
|
F6 or '6' : Same as F5 or '5', but with program 'sniffit_key6'
|
|
@@ -330,12 +330,12 @@
|
|
the config.h file to change this (could be needed if y'r
|
|
computer is slow).
|
|
'g' : Generate Packets!
|
|
- Sniffit is now able to generate some trafic load. Currently
|
|
- this is a 'underdevelloped' feature with very few options,
|
|
+ Sniffit is now able to generate some traffic load. Currently
|
|
+ this is a 'underdeveloped' feature with very few options,
|
|
but it will be expanded a lot...
|
|
Currently only UDP packets are generated. When pressing 'G'
|
|
- you will be asked the source/dest IP/port and how much packets
|
|
- are needed to be transmitted.
|
|
+ you will be asked the source/dest IP/port and how many packets
|
|
+ are to be transmitted.
|
|
Packets contain the line: "This Packet was fired with Sniffit!"
|
|
'r' : Reset.. clears all current connections from memory and restarts.
|
|
|
|
@@ -348,14 +348,14 @@
|
|
|
|
When forcing network devices, sniffit tries to find out what device it is.
|
|
If sniffit recognises the name, everything is okay.
|
|
-If it does not recognise the name it will set the variable
|
|
-FORCED_HEAD_LENGHTH to the ethernet headlength. The ethernet headlength
|
|
-is the length in bytes of an ethernet packet hearder.
|
|
-So if you have to force a non-ethernet device, that is not recognised by
|
|
+If it does not recognise the name it will set the ethernet headlength
|
|
+according to the compiled-in value FORCED_HEAD_LENGTH. The ethernet
|
|
+headlength is the length in bytes of an ethernet packet header.
|
|
+So if you have to force a non-ethernet device that is not recognised by
|
|
sniffit, make sure you change that headlength correctly in the 'sn_config.h'
|
|
file.
|
|
|
|
-The -F option was added, because I noticed devicenames can differ from
|
|
+The -F option was added, because I noticed device names can differ from
|
|
system to system, and because some ppl have multiple devices present.
|
|
When having problems with this option, please think twice before you mail me.
|
|
|
|
@@ -370,7 +370,7 @@
|
|
|
|
The configfile should have lines with the following format:
|
|
<field1> <field2> <field3> <field4> [<field5>]
|
|
-(seperators are spaces (any number of), NO TABS!!!)
|
|
+(separators are spaces (any number of), NO TABS!!!)
|
|
|
|
Lines that don't match this pattern are discarded, so standard unix
|
|
comments '#' can be used in this file... (this also means that if you
|
|
@@ -399,10 +399,10 @@
|
|
host : The (de)selection criteria involves a hostname.
|
|
port : similar, ... a portnumber
|
|
mhosts : The (de)selection criteria involves multiple-hosts, like
|
|
- with the wildcars in 0.3.0, but without the 'x'
|
|
+ with the wildcards in 0.3.0, but without the 'x'
|
|
|
|
<field4> can be:
|
|
-* either a hostname, a portnumber, a service name or a numbet-dot partial
|
|
+* either a hostname, a portnumber, a service name or a number-dot partial
|
|
* notation indicating multiple hosts depending on <field3>
|
|
* (service names like 'ftp' are resolved as the services available
|
|
* present on the host that runs Sniffit, and translated into a port nr)
|
|
@@ -411,7 +411,7 @@
|
|
a portnumber or service name, if <field3> was 'host' or 'mhosts'
|
|
|
|
|
|
- Maybe it would have been wise to mention explicitely, that the config-file
|
|
+ Maybe it would have been wise to mention explicitly, that the config-file
|
|
currently only works with TCP packets.
|
|
|
|
examples:
|
|
@@ -425,7 +425,7 @@
|
|
a) Send by host 100.100.12.2
|
|
b) Send by host 100.100.12.3 from port 1400
|
|
c) Send to coder.sniffit.com
|
|
- d) All packets on our subnet going to or comming from a telnet port.
|
|
+ d) All packets on our subnet going to or coming from a telnet port.
|
|
|
|
2. another example:
|
|
select both mhosts 100.100.12.
|
|
@@ -436,7 +436,7 @@
|
|
b) EXCEPT the WWW packets
|
|
c) BUT showing the WWW packets concerning enemy.sniffit.com
|
|
|
|
- The config file in interpreted SEQUENTIAL, so mixing up those lines
|
|
+ The config file is interpreted SEQUENTIALLY, so mixing up those lines
|
|
could have unwanted results e.g.:
|
|
select both mhosts 100.100.12.
|
|
select both host enemy.sniffit.org
|
|
@@ -455,7 +455,7 @@
|
|
select both mhosts 2
|
|
deselect both mhosts 1 80
|
|
deselect both mhosts 2 80
|
|
- This would show you all subnet trafic excluding WWW trafic
|
|
+ This would show you all subnet traffic excluding WWW traffic
|
|
(concerning port 80.)
|
|
|
|
4. example:
|
|
@@ -476,12 +476,12 @@
|
|
* you will like it more this way.
|
|
*
|
|
* Loglevels are now activated by '-L <logparam>'.
|
|
-* The folowing <logparam>'s are valid (concatenation is alowed):
|
|
+* The following <logparam>'s are valid (concatenation is allowed):
|
|
*
|
|
* 'raw':
|
|
* Log all SYN, FIN, RST packets. This will give you an overview of
|
|
-* all network (TCP) trafic in a 'RAW' way (a connection starting could
|
|
-* gives you at least 2 SYN packets, etc...).
|
|
+* all network (TCP) traffic in a 'RAW' way (a connection starting could
|
|
+* give you at least 2 SYN packets, etc...).
|
|
* This is a great way to waste diskspace...
|
|
* Messages are:
|
|
* Connection initiated. (SYN)
|
|
@@ -507,7 +507,7 @@
|
|
* A '~' in the login and passwords fields can be a nonprintable
|
|
* character (if in the beginning of a field, probably due to an early
|
|
* start of registration) or a '~'.
|
|
-* This all makes it sound a little messy, but I 'testdrived' a lot and
|
|
+* This all makes it sound a little messy, but I 'test-drove' a lot and
|
|
* was pleased with the results after adding some funky shit (if y'r
|
|
* interested have a look at in function 'packethandler' in
|
|
* sniffit.*.c)
|
|
@@ -521,7 +521,7 @@
|
|
*
|
|
* 'mail':
|
|
* Interested in who writes mail to who? Well you get all senders and
|
|
-* recepients nicely logged with this feature (port 25 mail).
|
|
+* recipients nicely logged with this feature (port 25 mail).
|
|
|
|
|
|
4. The output
|
|
@@ -563,7 +563,7 @@
|
|
connections, you will need to use 'joe' or something else that can
|
|
support control chars (look for '-A <char>' below).
|
|
Telnet 'negotiates' (binary) in the beginning of every connection, and
|
|
- 'catting' a output file, will most of the time show nothing (due to
|
|
+ 'catting' an output file, will most of the time show nothing (due to
|
|
control chars).
|
|
Of course when logging mail, there are no problems.
|
|
The new '-A <char>' takes care of the control characters, that way you
|
|
@@ -612,14 +612,14 @@
|
|
|
|
- UDP Packets (not logged, displayed)
|
|
|
|
- You get the package id. When using -d, -a you get the contence of the
|
|
+ You get the package id. When using -d, -a you get the contents of the
|
|
package. (pretty basic)
|
|
|
|
|
|
4.2 Logfile
|
|
-----------
|
|
|
|
-If you use a configfile (-c) and enable the Logging option a logfile is
|
|
+If you use a configfile (-c) and enable the Logging option, a logfile is
|
|
created. Unless you set 'logfile' in the config file, that file will be
|
|
named 'sniffit.log'.
|
|
It will contain lines with the following FIXED format:
|
|
@@ -635,7 +635,7 @@
|
|
|
|
3) Lines containing other data (future versions), will NOT begin with '['
|
|
and will have also easily interpretable formats.
|
|
- Other data is e.g. packet contence
|
|
+ Other data is e.g. packet contents
|
|
|
|
I do this because I can imagine (when this is more expanded) that people
|
|
will use their own parsers for these logfiles. Well, if you respect those 3
|
|
@@ -651,13 +651,13 @@
|
|
Some other notes:
|
|
|
|
- Sniffers can only be run by ROOT
|
|
- - Sniffers can only log packets that 'travel' on THEIR ethernetcable.
|
|
+ - Sniffers can only log packets that 'travel' on THEIR ethernet cable.
|
|
So there has to be some host on your subnet involved (either as
|
|
sender or receiver).
|
|
- - Working with '-d' or '-a' give you raw packets, they are still
|
|
- packed in IP, when logging to files, only send data is logged,
|
|
+ - Working with '-d' or '-a' gives you raw packets, they are still
|
|
+ packed in IP, when logging to files, only sent data is logged,
|
|
the packets are 'unwrapped'.
|
|
- - Sniffers can NORMALY not be detected by outsiders (or outsiders
|
|
+ - Sniffers can NORMALLY not be detected by outsiders (or outsiders
|
|
SHOULD not be able to...).
|
|
Unfortunately some systems contain bugs that will allow outsiders to
|
|
probe your network device for PROMISC mode (which is a good indication
|
|
--- sniffit.0.3.7.beta.orig/sniffit.8
|
|
+++ sniffit.0.3.7.beta/sniffit.8
|
|
@@ -39,7 +39,7 @@
|
|
is a packet sniffer for TCP/UDP/ICMP packets.
|
|
.B sniffit
|
|
is able to give you very detailed technical info on these
|
|
-packets (SEQ, ACK, TTL, Window, ...) but also packet contence in
|
|
+packets (SEQ, ACK, TTL, Window, ...) but also packet contents in
|
|
different formats (hex or plain text, ...).
|
|
.LP
|
|
.B sniffit
|
|
@@ -76,7 +76,7 @@
|
|
|
|
.IP "-t Target-IP"
|
|
Only process packets TO Target-IP. If Target-IP is in dot-nr notation,
|
|
-'x' is allowed as wildcard. (e.g. '-t 157.193.x', '-t x', ...)
|
|
+\'x' is allowed as wildcard. (e.g. '-t 157.193.x', '-t x', ...)
|
|
.I "(NOT compatible with: '-s' '-i' '-I' '-c' '-v' '-L')"
|
|
|
|
.IP "-s Source-IP"
|
|
@@ -84,7 +84,7 @@
|
|
.I "(NOT compatible with: '-t' '-i' '-I' '-c' '-v' '-L')"
|
|
|
|
.IP -b
|
|
-'both' mode, together with '-s' or '-t', only process FROM/TO the IP
|
|
+\'both' mode, together with '-s' or '-t', only process FROM/TO the IP
|
|
specified by '-s' or '-t'
|
|
.I "(NOT compatible with: '-t' '-i' '-I' '-c' '-v' '-L')"
|
|
|
|
@@ -115,7 +115,7 @@
|
|
.IP "-R <file>"
|
|
Record all traffic in
|
|
.I <file>
|
|
-.This file can then be fed to Sniffit with the '-r' option.
|
|
+This file can then be fed to Sniffit with the '-r' option.
|
|
.I "(Needs a selection parameter like '-c' '-t' '-s')"
|
|
.I "(NOT compatible with '-i' '-I' '-v' '-L' '-r')"
|
|
|
|
@@ -149,12 +149,12 @@
|
|
.I "(NOT compatible with: '-i' 'I' '-v')"
|
|
|
|
.IP -d
|
|
-'dump mode', shows the packets on the screen (stdout) instead of logging
|
|
+\'dump mode', shows the packets on the screen (stdout) instead of logging
|
|
into files (default). Data is printed in bytes (hex).
|
|
.I "(NOT compatible with: '-i' 'I' '-v' '-L')"
|
|
|
|
.IP -a
|
|
-'dump mode', same of '-d' but outputs ASCII. Non printable chars are
|
|
+\'dump mode', same of '-d' but outputs ASCII. Non printable chars are
|
|
replaced by '.'.
|
|
('-d' and '-a' mix without any problem)
|
|
.I "(NOT compatible with: '-i' '-I' '-v' '-L')"
|
|
@@ -193,8 +193,7 @@
|
|
can be found with
|
|
.I ifconfig
|
|
(see
|
|
-.BR ifconfig (8)
|
|
-).
|
|
+.BR ifconfig (8)).
|
|
.B sniffit
|
|
supports ethernet and PPP by default. Read
|
|
.B README.FIRST
|
|
@@ -210,7 +209,7 @@
|
|
.B Plugin
|
|
, for a list on all plugins compiled in your version, just type '
|
|
.B sniffit
|
|
-'. Read all about Plugins in the PLUGIN-HOWTO (READ IT!)
|
|
+\'. Read all about Plugins in the PLUGIN-HOWTO (READ IT!)
|
|
.I "(NOT compatible with: '-i' '-I' '-v')"
|
|
|
|
.IP "-L logparam"
|
|
@@ -235,7 +234,7 @@
|
|
receiving host (port 'o').
|
|
|
|
.SH "DUMP MODE ('-d' and/or '-a')"
|
|
-Output is dumped to stdout, the packet contence is shown in it's
|
|
+Output is dumped to stdout, the packet contents is shown in it's
|
|
unwrapped form (the complete IP packet).
|
|
|
|
.SH "INTERACTIVE MODE ('-i' or '-I')"
|
|
@@ -320,7 +319,7 @@
|
|
.SH "IP ICMP UDP LOGGING"
|
|
Information on these packets is dumped to stdout. Packet
|
|
Filtering options only refer to TCP and UDP packets.
|
|
-The contence of UDP packets is only shown when enabling '-a' or '-d'.
|
|
+The contents of UDP packets is only shown when enabling '-a' or '-d'.
|
|
|
|
.SH AUTHOR
|
|
Brecht Claerhout <coder@reptile.rug.ac.be>
|
|
--- sniffit.0.3.7.beta.orig/sn_interface.c
|
|
+++ sniffit.0.3.7.beta/sn_interface.c
|
|
@@ -5,6 +5,7 @@
|
|
|
|
#ifdef INCLUDE_INTERFACE
|
|
#include <signal.h>
|
|
+#include <termios.h>
|
|
#include <unistd.h>
|
|
#include <sys/ipc.h>
|
|
#include <sys/shm.h>
|
|
@@ -513,8 +514,11 @@
|
|
|
|
void screen_exit (void)
|
|
{
|
|
-clear();
|
|
endwin();
|
|
+/* next line added by Edward Betts <edward@debian.org>, should not be needed
|
|
+ * because endwin should be calling it, without this the console has no echo
|
|
+ * after exiting in an xterm */
|
|
+reset_shell_mode();
|
|
};
|
|
|
|
void mem_exit (void)
|
|
--- sniffit.0.3.7.beta.orig/sn_logfile.c
|
|
+++ sniffit.0.3.7.beta/sn_logfile.c
|
|
@@ -44,42 +44,42 @@
|
|
void print_ftp_user (char *conn, char *user)
|
|
{
|
|
char line[250];
|
|
-sprintf(line,"%s: USER [%s]",conn,user);
|
|
+snprintf(line,sizeof(line),"%s: USER [%s]",conn,user);
|
|
print_logline (line);
|
|
}
|
|
|
|
void print_ftp_pass(char *conn, char *pass)
|
|
{
|
|
char line[250];
|
|
-sprintf(line,"%s: PASS [%s]",conn,pass);
|
|
+snprintf(line,sizeof(line),"%s: PASS [%s]",conn,pass);
|
|
print_logline (line);
|
|
}
|
|
|
|
void print_login (char *conn, char *login)
|
|
{
|
|
char line[250];
|
|
-sprintf(line,"%s: login [%s]",conn,login);
|
|
+snprintf(line,sizeof(line),"%s: login [%s]",conn,login);
|
|
print_logline (line);
|
|
}
|
|
|
|
void print_mail (char *conn, char *msg)
|
|
{
|
|
char line[250];
|
|
-sprintf(line,"%s: mail [%s]",conn,msg);
|
|
+snprintf(line,sizeof(line),"%s: mail [%s]",conn,msg);
|
|
print_logline (line);
|
|
}
|
|
|
|
void print_pwd (char *conn, char *pwd)
|
|
{
|
|
char line[250];
|
|
-sprintf(line,"%s: password [%s]",conn,pwd);
|
|
+snprintf(line,sizeof(line),"%s: password [%s]",conn,pwd);
|
|
print_logline (line);
|
|
}
|
|
|
|
void print_conn (char *conn, char *msg)
|
|
{
|
|
char line[250];
|
|
-sprintf(line,"%s: %s",conn,msg);
|
|
+snprintf(line,sizeof(line),"%s: %s",conn,msg);
|
|
print_logline (line);
|
|
}
|
|
|
|
--- sniffit.0.3.7.beta.orig/Makefile.in
|
|
+++ sniffit.0.3.7.beta/Makefile.in
|
|
@@ -26,9 +26,8 @@
|
|
@echo "Succesfull compilation..."
|
|
|
|
sniffit: $(SNIFFIT) $(DEP_FILES)
|
|
- cd libpcap; make; cd ..
|
|
+# cd libpcap; make; cd ..
|
|
$(CC) $(EXE_FLAG) $(SNIFFIT) $(EXE_OBJ) $(EXE_OPT) $(LIBS) $(DEFS) $(OS_OPT)
|
|
- strip sniffit
|
|
|
|
sn_cfgfile.o: sn_cfgfile.h sn_cfgfile.c sn_defines.h sn_structs.h sn_config.h
|
|
$(CC) $(OBJ_FLAG) sn_cfgfile.c $(OBJ_OPT) $(DEFS)
|
|
@@ -52,12 +51,12 @@
|
|
|
|
#Clean up everthing...
|
|
clean:
|
|
- cd libpcap; make clean; rm -f config.cache; cd ..
|
|
+# cd libpcap; make clean; rm -f config.cache; cd ..
|
|
rm -f Makefile
|
|
rm -f config.cache
|
|
rm -f config.status
|
|
rm -f config.log
|
|
- rm -f ./libpcap/config.cache
|
|
- rm -f ./libpcap/config.status
|
|
- rm -f ./libpcap/config.log
|
|
+# rm -f ./libpcap/config.cache
|
|
+# rm -f ./libpcap/config.status
|
|
+# rm -f ./libpcap/config.log
|
|
rm -f *.o sniffit
|
|
--- sniffit.0.3.7.beta.orig/debian/rules
|
|
+++ sniffit.0.3.7.beta/debian/rules
|
|
@@ -0,0 +1,28 @@
|
|
+#!/usr/bin/make -f
|
|
+
|
|
+build:
|
|
+ dh build --before configure
|
|
+ cp /usr/share/misc/config.guess .
|
|
+ cp /usr/share/misc/config.sub .
|
|
+ ./configure --prefix=/usr --no-recursion
|
|
+ $(MAKE) OBJ_OPT="" EXE_OPT="-lpcap"
|
|
+ dh build --after build
|
|
+
|
|
+clean:
|
|
+ dh clean
|
|
+ rm -f config.sub config.guess
|
|
+
|
|
+install: build
|
|
+ dh install --before dh_auto_install
|
|
+ dh_install sniffit usr/sbin
|
|
+ dh_installman sniffit.5 sniffit.8
|
|
+ dh_installchangelogs HISTORY
|
|
+ dh install --after dh_auto_install
|
|
+
|
|
+binary-arch: install
|
|
+ dh binary-arch
|
|
+
|
|
+binary-indep: install
|
|
+ dh binary-indep
|
|
+
|
|
+binary: binary-arch binary-indep
|
|
--- sniffit.0.3.7.beta.orig/debian/README
|
|
+++ sniffit.0.3.7.beta/debian/README
|
|
@@ -0,0 +1,48 @@
|
|
+sniffit for Debian
|
|
+----------------------
|
|
+
|
|
+What follows are one of the previous maintainers, Patrick J. Edwards
|
|
+<edwards@cambridgenet.sk.ca>, thoughts on this package, and its security
|
|
+implications.
|
|
+
|
|
+Notes on Security
|
|
+-----------------
|
|
+ This program is highly dangerous, with this program hackers no
|
|
+longer need qcrack or crack for your system. Instead, they can just wait
|
|
+till a user logs in and *BAM* they have a new password. So the point is,
|
|
+this program should be promptly removed in any of the following situations:
|
|
+
|
|
+ 1. You are in doubt of the security of your system. Granted that
|
|
+ some one who has already creatively aquired (meaning hacked) root
|
|
+ can install this program his/her self there is no point in
|
|
+ pre-installing this program for them.
|
|
+
|
|
+ 2. You have a tendency to act unethically and snoop on you users for
|
|
+ no apparent reason. "Good" system admins won't do this.
|
|
+
|
|
+ 3. You don't actively search for security holes in your system. If
|
|
+ your not doing this and you box is on the Internet 24/7 perhaps you
|
|
+ should.
|
|
+
|
|
+Notes on Usage
|
|
+--------------
|
|
+ 1. Don't use this program unless you have to, and once you're done
|
|
+with it uninstall it.
|
|
+ 2. Don't scan all ports and all addresses in the hoping of catching
|
|
+a hacker cause you won't, you'll just have vast quantities of logs to search
|
|
+through and very little disk space. Instead wait till you recognize that you
|
|
+have a program user/hacker and then find out what the person is doing (how
|
|
+the hacker is trying to penetrate the system) then start using sniffit to
|
|
+collect your evidence against the offender. [I know this is flying in the
|
|
+face of traditional anti-system-terrorism policies but it leads into my next
|
|
+point]
|
|
+ 3. If you persist in using sniffit as a security net for your system
|
|
+DON'T. Plain and simple. Instead of trying to catch the hacker who has
|
|
+already hacked into your system spend your efforts security proofing your
|
|
+system (up to date versions on cron, sendmail, libraries, etc -- almost
|
|
+anything that runs as root or sudo).
|
|
+
|
|
+ The overall point is:
|
|
+ "Practice preventive medicine not reactive."
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Sun, 12 Sep 1999 11:04:08 +0100
|
|
--- sniffit.0.3.7.beta.orig/debian/sniffit.docs
|
|
+++ sniffit.0.3.7.beta/debian/sniffit.docs
|
|
@@ -0,0 +1,4 @@
|
|
+BETA-TESTING
|
|
+PLUGIN-HOWTO
|
|
+README.FIRST
|
|
+sniffit-FAQ
|
|
--- sniffit.0.3.7.beta.orig/debian/compat
|
|
+++ sniffit.0.3.7.beta/debian/compat
|
|
@@ -0,0 +1 @@
|
|
+7
|
|
--- sniffit.0.3.7.beta.orig/debian/control
|
|
+++ sniffit.0.3.7.beta/debian/control
|
|
@@ -0,0 +1,16 @@
|
|
+Source: sniffit
|
|
+Section: net
|
|
+Priority: optional
|
|
+Maintainer: William Vera <billy@billy.com.mx>
|
|
+Standards-Version: 3.8.0
|
|
+Build-Depends: debhelper (>= 7), libpcap-dev, libncurses5-dev, autotools-dev
|
|
+
|
|
+Package: sniffit
|
|
+Architecture: any
|
|
+Depends: ${shlibs:Depends}
|
|
+Description: packet sniffer and monitoring tool
|
|
+ sniffit is a packet sniffer for TCP/UDP/ICMP packets.
|
|
+ sniffit is able to give you very detailed technical info
|
|
+ on these packets (SEC, ACK, TTL, Window, ...) but also
|
|
+ packet contents in different formats (hex or plain text,
|
|
+ etc. ).
|
|
--- sniffit.0.3.7.beta.orig/debian/copyright
|
|
+++ sniffit.0.3.7.beta/debian/copyright
|
|
@@ -0,0 +1,40 @@
|
|
+This package was debianized by Damjan Marion <dmarion@debian.org> on
|
|
+Tue, 7 Apr 1998 22:57:01 +0200.
|
|
+
|
|
+It was taken over by Edward Betts <edward@debian.org> on
|
|
+Fri, 12 Nov 1999 23:20:20 +0000
|
|
+
|
|
+It was downloaded from
|
|
+http://reptile.rug.ac.be/~coder/sniffit/files/sniffit.0.3.7.beta.tar.gz
|
|
+
|
|
+Upstream Author: Brecht Claerhout
|
|
+
|
|
+Copyright:
|
|
+
|
|
+Sniffit 0.3.7 Copyright (c) 1996-1998 Brecht Claerhout
|
|
+All rights reserved.
|
|
+
|
|
+Redistribution and use in source and binary forms, with or without
|
|
+modification, are permitted provided that the following conditions
|
|
+are met:
|
|
+1. Redistributions of source code must retain the above copyright
|
|
+ notice, this list of conditions and the following disclaimer.
|
|
+2. Redistributions in binary form must reproduce the above copyright
|
|
+ notice, this list of conditions and the following disclaimer in the
|
|
+ documentation and/or other materials provided with the distribution.
|
|
+3. The name of the author may not be used to endorse or promote products
|
|
+ derived from this software without specific prior written permission.
|
|
+4. Redistribution of source code must be conform with the 'libpcap'
|
|
+ copyright conditions, if that library is included.
|
|
+
|
|
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
+
|
|
--- sniffit.0.3.7.beta.orig/debian/changelog
|
|
+++ sniffit.0.3.7.beta/debian/changelog
|
|
@@ -0,0 +1,165 @@
|
|
+sniffit (0.3.7.beta-13) unstable; urgency=low
|
|
+
|
|
+ * New maintainer. (Closes: #465931).
|
|
+ * Some format corrections on the man pages (sniffit(5) sniffit(8)).
|
|
+ * Don't include config.{sub,guess} in .diff.gz
|
|
+
|
|
+ -- William Vera <billy@billy.com.mx> Sat, 07 Jun 2008 12:56:48 -0500
|
|
+
|
|
+sniffit (0.3.7.beta-12) unstable; urgency=low
|
|
+
|
|
+ * Use debhelper v7, rules file minimisation.
|
|
+ * Makefile.in: don't strip binary Closes: #438032
|
|
+ * debian/control: Updated to Standards-Version: 3.7.3, no changes needed
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Wed, 30 Apr 2008 11:00:19 +0100
|
|
+
|
|
+sniffit (0.3.7.beta-11) unstable; urgency=low
|
|
+
|
|
+ * Acknowledge NMU
|
|
+ * sn_structs.h: Sitting at Debcamp, fixing FTBFS bugs, and Alberto Gonzalez
|
|
+ Iniesta <agi@debian.org> sitting next to me points out there is one in
|
|
+ this package. Thanks to Joshua Kwan <joshk@triplehelix.org> for the patch
|
|
+ to fix it. (closes: #195548)
|
|
+ * config.{guess,sub}: updated
|
|
+ * debian/control: Updated to Standards-Version: 3.6.0, no changes needed
|
|
+ * sn_interface.c: sniffit was leaving echo turned off when exiting from the
|
|
+ interactive mode in an xterm, added reset_shell_mode() to screen_exit()
|
|
+ and it works. This should not be needed because endwin should be calling
|
|
+ it.
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Mon, 14 Jul 2003 10:50:24 +0200
|
|
+
|
|
+sniffit (0.3.7.beta-10.1) unstable; urgency=low
|
|
+
|
|
+ * Non maintainer upload
|
|
+ * Rebuilt with new libpcap to remove dependency on libpcap0, which I
|
|
+ got removed from unstable by accident. Sorry about this...
|
|
+
|
|
+ -- Torsten Landschoff <torsten@debian.org> Sat, 10 Aug 2002 11:37:33 +0200
|
|
+
|
|
+sniffit (0.3.7.beta-10) unstable; urgency=low
|
|
+
|
|
+ * README.FIRST: apply patch "James R. Van Zandt" <jrv@mitre.org> to correct
|
|
+ spelling and other mistakes in README.FIRST
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Thu, 13 Dec 2001 17:35:25 +0000
|
|
+
|
|
+sniffit (0.3.7.beta-9) unstable; urgency=low
|
|
+
|
|
+ * debian/control: Standards-Version: 3.5.5
|
|
+ * debian/rules: Support DEB_BUILD_OPTIONS
|
|
+ * config.{guess,sub}: updated files to version from libtool package
|
|
+ (Closes: Bug#103633)
|
|
+ * sniffit.c: applied patch from Bug#103633
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Thu, 5 Jul 2001 10:44:23 +0200
|
|
+
|
|
+sniffit (0.3.7.beta-8) unstable; urgency=low
|
|
+
|
|
+ * debian/control: Standards-Version: 3.5.2
|
|
+ * debian/rules: Changed to debhelper 3
|
|
+ * debian/rules: Removed dh_suidregister
|
|
+ * debian/rules: Removed dh_testversion
|
|
+ * debian/rules: Changed dh_installman to dh_installmanpages
|
|
+ * debian/rules: Support DEB_BUILD_OPTIONS
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Sun, 25 Mar 2001 04:41:39 -0700
|
|
+
|
|
+sniffit (0.3.7.beta-7) frozen unstable; urgency=high
|
|
+
|
|
+ * debian/rules: do not install pcap.3 (closes: Bug#77769).
|
|
+ * debian/control: updated Standards-Version to 3.2.1
|
|
+ * debian/control: added version to build-depends on debhelper for lintian:
|
|
+ E: sniffit: package-uses-dh_testversion-but-lacks-versioned-build-depends
|
|
+ * Package now lintian clean.
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Tue, 28 Nov 2000 07:00:24 -0700
|
|
+
|
|
+sniffit (0.3.7.beta-6.1) frozen unstable; urgency=high
|
|
+
|
|
+ * Non maintainer upload.
|
|
+ * [security] sn_logfile.c: Replaced sprintfs by snprintfs fixing a buffer
|
|
+ overflow (bugtraq).
|
|
+ * [security] sn_analyse.c: Limit length of TCP packets to the buffer
|
|
+ size (buffer overflow with MTU > 5000).
|
|
+
|
|
+ -- Torsten Landschoff <torsten@debian.org> Fri, 26 May 2000 08:40:14 +0200
|
|
+
|
|
+sniffit (0.3.7.beta-6) frozen unstable; urgency=low
|
|
+
|
|
+ * Update config.{guess,sub} to versions from the automake package.
|
|
+ Should now compile better on ARM (closes: Bug#56915).
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Thu, 3 Feb 2000 09:22:16 +0000
|
|
+
|
|
+sniffit (0.3.7.beta-5) unstable; urgency=low
|
|
+
|
|
+ * debian/control: updated Standards-Version to 3.1.1
|
|
+ * debian/control: added Build-Depends.
|
|
+ * debian/rules: rewritten.
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Thu, 6 Jan 2000 23:12:32 +0000
|
|
+
|
|
+sniffit (0.3.7.beta-4) unstable; urgency=low
|
|
+
|
|
+ * Recompile to try and fix bug #49979
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Fri, 12 Nov 1999 23:21:17 +0000
|
|
+
|
|
+sniffit (0.3.7.beta-3) unstable; urgency=low
|
|
+
|
|
+ * Changed to Debhelper 2.0
|
|
+ * Updated to Standards-Version: 3.0.1
|
|
+ * This package includes a copy of libpcap, ensured that it is not built
|
|
+ * Moved config file /etc/sniffit.cfg to
|
|
+ /usr/doc/sniffit/examples/sample_config_file
|
|
+ * Lintain clean
|
|
+
|
|
+ -- Edward Betts <edward@debian.org> Fri, 12 Nov 1999 23:20:20 +0000
|
|
+
|
|
+sniffit (0.3.7.beta-2) unstable; urgency=low
|
|
+
|
|
+ * Updated /usr/doc/sniffit/copyright from README.FIRST (fixes #39765)
|
|
+ * sniffit 0.3.7.beta is free software (BSD-like license)
|
|
+ * Changed section to main/net
|
|
+ * Added conffiles entry for /etc/sniffit.cfg
|
|
+
|
|
+ -- Hamish Moffatt <hamish@debian.org> Fri, 25 Jun 1999 22:30:00 +1000
|
|
+
|
|
+sniffit (0.3.7.beta-1) unstable; urgency=low
|
|
+
|
|
+ * QA group upload
|
|
+ * New upstream release (fixes #28510)
|
|
+ * Fixed spelling error in description (fixes #26859)
|
|
+ * Recompiled with ncurses 4.0 (fixes #37431)
|
|
+
|
|
+ -- Hamish Moffatt <hamish@debian.org> Sun, 23 May 1999 01:03:00 +1000
|
|
+
|
|
+sniffit (0.3.5-3) frozen unstable; urgency=low
|
|
+
|
|
+ * After long waiting for new copyright i must move it to non-free
|
|
+ (fixes bug #21832)
|
|
+
|
|
+ -- Damjan Marion <dmarion@debian.org> Thu, 28 May 1998 15:10:35 +0200
|
|
+
|
|
+sniffit (0.3.5-2) frozen unstable; urgency=low
|
|
+
|
|
+ * Moved to frozen (resurected from orphaned)
|
|
+ * Updated to standards 2.4.1.0
|
|
+
|
|
+ -- Damjan Marion <dmarion@debian.org> Tue, 15 Apr 1998 23:56:11 +0200
|
|
+
|
|
+sniffit (0.3.5-1) unstable; urgency=low
|
|
+
|
|
+ * New maintainer
|
|
+ * New upstream release
|
|
+ * Updated to standards 2.4.0.0
|
|
+
|
|
+ -- Damjan Marion <dmarion@debian.org> Tue, 7 Apr 1998 22:57:01 +0200
|
|
+
|
|
+sniffit (0.3.3-1) unstable; urgency=low
|
|
+
|
|
+ * Initial Release.
|
|
+
|
|
+ -- Patrick J. Edwards <edwards@cambridgenet.sk.ca> Mon, 17 Mar 1997 17:46:24 -0600
|
|
--- sniffit.0.3.7.beta.orig/debian/sniffit.examples
|
|
+++ sniffit.0.3.7.beta/debian/sniffit.examples
|
|
@@ -0,0 +1,3 @@
|
|
+sample_config_file
|
|
+dns_plugin.plug
|
|
+dummy_plugin.plug
|
|
--- sniffit.0.3.7.beta.orig/debian/watch
|
|
+++ sniffit.0.3.7.beta/debian/watch
|
|
@@ -0,0 +1,2 @@
|
|
+version=3
|
|
+http://reptile.rug.ac.be /~coder/sniffit/files/ sniffit.(.*)\.tar\.gz debian uupdate
|