Brief Introduction to sniffit installation and usage (linux)

Source: Internet
Author: User
Tags: ftp connection

Sniffit is developed by Lawrence Berkeley Laboratory and runs as network-listening software on Linux, Solaris, SGI and other platforms; it monitors machines that run the inherently insecure TCP/IP protocol. Of course, the packets have to reach the machine running sniffit, so it can only listen to machines on the same network segment. In addition, plug-ins can be freely added to give it extra functions.
I. Installation (simple):
1. Unpack the downloaded sniffit.*.tgz into the target folder with tar zxvf sniffit.*.tgz (see figure). If the version is 0.3.7, it should be the latest one (I am not sure ......); you will see a sniffit.0.3.7 directory.
2. cd sniffit.0.3.7
3. ./configure && make. As long as no unexpected error message appears on the terminal during this step, the compilation succeeds and you get a sniffit binary.
4. make clean: sweep away the unwanted leftovers ......
II. Usage
1. Parameters
The program accepts the following command-line options:
-v: display version information
-t <ip nr/name>: listen to packets destined for the given IP address
-s <ip nr/name>: listen to packets coming from the given IP address. The @ wildcard can be used, e.g. -t 199.145.@
-i: interactive mode; a window is displayed in which you can see the machines connected on your network
-I: extended interactive mode, ignores all other options; much more powerful than -i ......
-c <file>: run the program from a script (configuration file)
-F <device>: force the program to use the given network device
-n: also display "dummy" packets, i.e. packets that are not IP, such as ARP and RARP
-N: run plug-ins only; all other options are ignored
Options that do not work in -i mode:
-b: apply to both -t and -s ......
-d: dump the captured data to the current terminal in hexadecimal
-a: dump the captured data to the current terminal as ASCII characters
-x: print extended information (SEQ, ACK, flags) of TCP packets; can be combined with -a, -d, -s, -t and -b. Note that this goes to standard output: if only -t, -s or -b are used with no other option, the file is not written.
-R <file>: record all traffic to the file
-r <file>: feed a recorded file back into sniffit. This requires -F to specify the device: if you used eth0 (the first network card) to record the file, you must add -F eth0 on the command line.
-A <char>: print non-printable characters as the given character instead
-P <protocol>: protocol to listen to; the default is TCP. IP, ICMP, UDP ...... can also be selected
-p <port>: port to listen to; the default is all ports
-l <length>: packet size; the default is 300 bytes
-M <plugin>: activate the plug-in
Options for -i and -I modes:
-D <device>: send all output to this device
Options for -c mode:
-L <logparam>
where logparam can be one or more of:
raw: raw logging
norm: normal logging
telnet: record passwords (port 23)
ftp: record passwords (port 21)
mail: record mail contents (port 25)
For example, "ftpmailnorm" is a valid logparam.
2. Interactive (graphical) interface
The -i option was described above. If we run sniffit -i, a window appears from which we can see which machines on our network are connected and which port numbers they use. The available commands are:
q: quit the window and end the program
r: refresh the screen and redisplay the connected machines
n: open a small window with TCP, IP, ICMP, UDP and other protocol information
g: generate packets. Normally only UDP packets are generated; to run this command you have to answer some questions about the packet
F1: change the source IP address filter; the default is all
F2: change the destination IP address filter; the default is all
F3: change the source port; the default is all
F4: change the destination port; the default is all
3. Examples
Suppose the following setup: a subnet with two hosts, one running the sniffer, which we call sniffit.com, and the other with address 66.66.66.7, which we call target.com.
1. You want to check whether the sniffer runs at all:
sniffit:~/# sniffit -d -p 7 -t 66.66.66.7
Then open another window:
sniffit:~/$ telnet target.com 7
The sniffer captures the echo-service packets that telnet sends to port 7 of the other host.
2. You want to intercept user passwords on target.com:
sniffit:~/# sniffit -p 23 -t 66.66.66.7
3. The root user of target.com reports a strange FTP connection and wants to find out more about it:
sniffit:~/# sniffit -p 21 -l 0 -t 66.66.66.7
4. You want to read all mail going to and from target.com:
sniffit:~/# sniffit -p 25 -l 0 -b -t 66.66.66.7 &
or
sniffit:~/# sniffit -p 25 -l 0 -b -s 66.66.66.7 &
5. You want to use the interactive interface:
sniffit:~/# sniffit -i
6. Something is going wrong and you want to intercept the control (ICMP) messages:
sniffit:~/# sniffit -P icmp -b -s 66.66.66.7
7. Make the screen scroll like mad:
sniffit:~/# sniffit -P ip -P icmp -P tcp -p 0 -b -a -d -x -s 66.66.66.7
which is equivalent to
sniffit:~/# sniffit -P ipicmptcp -p 0 -b -a -d -x -s 66.66.66.7
8. The passwords recorded by the following commands can be read with 'more 66*':
sniffit:~/# sniffit -p 23 -A . -t 66.66.66.7
or
sniffit:~/# sniffit -p 23 -A ^ -t dummy.net

III. Advanced applications
1. Running a script
This works with the -c option and is very simple. For example, create a file named sh with the following content:
select from host 180.180.180.1
select to host 180.180.180.10
select both port 21
Then run: sniffit -c sh
Note: this listens for packets sent from 180.180.180.1 to 180.180.180.10 on the FTP port. For more details, read the README file.
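To make the selection rules above concrete, here is a small Python model of them. It is an added illustration, not sniffit's own code: it re-implements the documented behaviour of -t and -s (with the '@' wildcard), -b, -p and -P from the parameter list and the examples, the run-together forms -P ipicmptcp and -L ftpmailnorm, and the "select from|to|both host|port" lines of the -c script just shown, then applies the resulting filter to a few constructed packet summaries. Two assumptions are made: -b is read as "the given host may be the source or the destination", because example 4 presents -b -t X and -b -s X as equivalent, and -t combined with -s without -b is read as "destination matches -t and source matches -s".

```python
"""Model of the sniffit selection rules this page describes (an added illustration, not
sniffit's own code): -t/-s hosts with '@', -b as both directions (example 4 above treats
'-b -t X' and '-b -s X' as equivalent), -p, -P/-L run-together lists, and -c script lines."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple

PROTOCOLS = ("ip", "icmp", "tcp", "udp")              # names accepted by -P
LOGPARAMS = ("raw", "norm", "telnet", "ftp", "mail")  # names accepted by -L
Packet = namedtuple("Packet", "proto src sport dst dport")  # constructed packet summary

def split_words(value: str, vocabulary: Tuple[str, ...]) -> Tuple[str, ...]:
    """Split a run-together list such as 'ipicmptcp' into known words, longest match first."""
    words, rest = [], value.lower()
    while rest:
        word = next((w for w in sorted(vocabulary, key=len, reverse=True) if rest.startswith(w)), None)
        if word is None:
            raise ValueError(f"unknown token in {value!r}: {rest!r}")
        words.append(word)
        rest = rest[len(word):]
    return tuple(words)

def host_matches(pattern: Optional[str], addr: str) -> bool:
    """'-t 199.145.@' style match: a trailing '@' wildcards the remaining octets."""
    if not pattern:
        return True
    return addr.startswith(pattern[:-1]) if pattern.endswith("@") else addr == pattern

@dataclass
class Selection:
    target: Optional[str] = None        # -t / 'select to host'
    source: Optional[str] = None        # -s / 'select from host'
    both: bool = False                  # -b: a given host may be on either side (assumption)
    port: int = 0                       # -p / 'select both port'; 0 = all ports
    sport: int = 0                      # 'select from port'; 0 = all
    dport: int = 0                      # 'select to port'; 0 = all
    protos: Tuple[str, ...] = ("tcp",)  # -P; the default is TCP
    logparams: Tuple[str, ...] = ()     # -L; parsed but not otherwise used here

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto not in self.protos or (self.port and self.port not in (pkt.sport, pkt.dport)):
            return False
        if (self.sport and pkt.sport != self.sport) or (self.dport and pkt.dport != self.dport):
            return False
        if self.both:  # each given host may appear as source *or* destination
            return all(host_matches(h, pkt.src) or host_matches(h, pkt.dst)
                       for h in (self.target, self.source) if h)
        return host_matches(self.target, pkt.dst) and host_matches(self.source, pkt.src)

def parse_cli(args) -> Selection:
    """Build a Selection from the option forms used in the examples above."""
    sel, protos, it = Selection(), [], iter(args)
    for opt in it:
        if opt == "-b":
            sel.both = True
        elif opt in ("-t", "-s"):
            setattr(sel, {"-t": "target", "-s": "source"}[opt], next(it))
        elif opt == "-p":
            sel.port = int(next(it))
        elif opt == "-P":
            protos.extend(split_words(next(it), PROTOCOLS))
        elif opt == "-L":
            sel.logparams = split_words(next(it), LOGPARAMS)
        elif opt == "-l":
            next(it)                             # packet length: no effect on selection
        elif opt not in ("-a", "-d", "-x"):      # output-format flags: no effect either
            raise ValueError(f"unsupported option {opt!r}")
    sel.protos = tuple(protos) or sel.protos
    return sel

def parse_script(text: str) -> Selection:
    """Parse the 'select from|to|both host|port <value>' lines of a -c script file."""
    sel = Selection()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 4 or fields[0] != "select" or fields[1] not in ("from", "to", "both") or fields[2] not in ("host", "port"):
            raise ValueError(f"bad script line: {line!r}")
        _, direction, kind, value = fields
        if kind == "port":
            setattr(sel, {"from": "sport", "to": "dport", "both": "port"}[direction], int(value))
            continue
        if direction in ("from", "both"):
            sel.source = value
        if direction in ("to", "both"):
            sel.target = value
        sel.both = sel.both or direction == "both"
    return sel

SAMPLE_PACKETS = (  # constructed for the demonstration, not captured traffic
    Packet("tcp", "180.180.180.1", 40001, "180.180.180.10", 21),
    Packet("tcp", "180.180.180.10", 21, "180.180.180.1", 40001),
    Packet("tcp", "66.66.66.1", 40002, "66.66.66.7", 25),
    Packet("tcp", "66.66.66.7", 25, "66.66.66.1", 40002),
    Packet("udp", "66.66.66.7", 5353, "66.66.66.3", 5353),
    Packet("icmp", "66.66.66.7", 0, "66.66.66.1", 0),
)

def select(sel: Selection, packets=SAMPLE_PACKETS):
    """Indices of the packets the selection would display."""
    return [i for i, p in enumerate(packets) if sel.matches(p)]
```

Usage: select(parse_cli("-p 25 -l 0 -b -t 66.66.66.7".split())) returns both directions of the constructed SMTP exchange, the same command without -b returns only the packet addressed to 66.66.66.7, and select(parse_script(...)) on the three-line script above returns only the packet from 180.180.180.1 to 180.180.180.10 on port 21. The two forms of example 7 (-P ip -P icmp -P tcp versus -P ipicmptcp) produce the same Selection, which is what "equivalent" means there.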
2. Plug-ins
Once you have a plug-in, put it in the sniffit directory and edit the sn_plugin.h file as follows:
#define PLUGIN1_NAME "My plugin"
#define PLUGIN1(x) main_plugin_function(x)
#include "my_plugin.plug"
Notes:
a) Plug-ins can be numbered 0-9, so PLUGIN0_NAME, PLUGIN1_NAME ......; the numbers need not be contiguous.
d) #include "my_plugin.plug" pulls in the file holding the plug-in's source code. For more information, see plugin.howto.
3. Introduction to todd
This is the most famous sniffit plug-in. Why is it called todd? Touch of death: it can easily cut off a TCP connection. The principle is to send a disconnect IP packet to one host of the TCP connection, with the RST bit of that packet set to 1.
Copy the downloaded tod.tar.gz into the directory where sniffit is located, unpack it and install it. Then
ln -s todd sniffit_key5
binds the program to the F5 key. To cut a machine off, just point the cursor at the machine to be disconnected in the window and press F5. You can freely define the other F keys as well; F1 to F4 cannot be used, they are already defined ......
I wrote so much. Okay, class ......
