GSniff < Gulli

r5 - 14 Apr 2005 - 06:23:41 - JuanChansonYou are here: TWiki >

gsniff

gsniff is part of the gullibloon framework (http://gullibloon.org). as the name implies, gsniff is a (libpcap based) packetsniffer whose primary output channel is OSC.

as gsniff replaces tcpdump2OSC.pl it is made to be compatible with tcpdump2OSC.

requirements

libpcap - packet capture library - http://www.tcpdump.org
liblo - lightweight OSC libary - http://plugin.org.uk/liblo/

build / install

a simple makefile is supplied, autoconf later.

to build, adjust makefile and run: make

build and / or install libpcap and liblo beforehand (debian: apt-get install liblo0-dev libpcap0.8-dev).

usage

sudo ./gsniff
	-f	"pcap filter string"
	-s	the OSC sendport
	-l	the OSC listenport
	-h	the OSC sendhost
	-o	enable outgoing OSC messages
	-t	enable text pinting to console
	-p	enable sending header info for every packet
	-i	the network device used for sniffing

gsniff listens (until now) for filter update messages on the OSC port given with the -l switch.

messages

in
	msg	argument types	description
	/filter	s	filter string in pcap syntax (man tcpdump)
	/enable_osc_out	NULL	toggle outgoing OSC msgs
	/enable_txt_out	NULL	toggle console output
	/enable_packets	NULL	toggle sending packet header info


msg	argument types	description
/new/host	si	IP-adress localflag
/new/connection	sisiiiiii	sourcehost sourcport desthost destport protocol timestamp packetcount bytecount subtype
		protocol: 1: IPPROTO_ICMP, 6: IPPROTO_TCP, 17: IPPROTO_UDP
		subtype: subtype of simpler protocols live icmp, arp
/host	si	update status of this host already known
/connection	sisiiiiii	update status of this connection already known: new byte-count, new packet-count
/delete/host	si	remove host from network: host, localflag, timestamp
/delete/connection	sisiiiiii	remove connection: shost, sport, dhost, dport, protocol, time, pkt_cnt, byte_cnt
/tcpdump	iiiiiiiiiiiisiiii	proto sip1 sip2 sip3 sip4 sport dip1 dip2 dip3 dip4 dport len ymd h m s us

tcpdump2OSC outgoing*

/new/host IP-adress localflag
new host has appeared on the ethernet. is it local to our subnet?.
/new/connection sourcehost sourcport desthost destport protocol timestamp packet-count byte-count *subtype*

protocol
protocol-id, 0 = ICMP, 1 = TCP, 2 = UDP, 3 = ARP (missing: IPX, SMB, ...)

subtype
subtype of simpler protocols live icmp, arp
/host update status of this host already known
/connection update status of this connection already known: new byte-count, new packet-count
/delete/host remove host from network: host, localflag, timestamp
/delete/connection remove connection: shost, sport, dhost, dport, protocol, time, pkt_cnt, byte_cnt
/tcpdump proto sip1 sip2 sip3 sip4 sport dip1 dip2 dip3 dip4 dport len ymd h m s us

download

from XdvCVS: README
gsniff.tar.gz: gsniff source tar (20050414)

references:

http://www.cet.nau.edu/~mc8/Socket/Tutorials/section1.html
rfcs:
- RFC 791 (IP)
- RFC 793 (TCPv4)
- RFC 768 (UDP)
- RFC 826 (ARP)
- RFC 792 (ICMPv4)
tcpdump
etherape
tcpdump2OSC

Topic attachments
I	Attachment	Action	Size	Date	Who	Comment
gz	gsniff.tar.gz	manage	22.8 K	14 Apr 2005 - 06:32	JuanChanson	gsniff source tar

Gulli.GSniff moved from Gulli.Gniff on 15 Mar 2005 - 21:18 by JuanChanson - put it back

Gulli

TWiki.org

Welcome
Register

TWiki Webs
- Eastopia
- Gulli
- Main
- Pinklight
- Sandbox
- TWiki
- Xdv

Create personal sidebar

Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback