Packet Capture

The packet capture directory contains software for collecting, analysing, displaying and logging packetised data captured on a network.

o airsnort
  AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered (between 100MB and 1GB of data).

o Analyzer
  Analyzer is a fully configurable network analyzer program for the Win32 environment. Analyzer is able to capture packets on all platforms (and link-layer technologies) supported by WinPcap.

o angst
  Angst is an active sniffer, based on libpcap and libnet. It dumps the payload of all the TCP packets received on the specified ports. It also implements two methods for active sniffing. The first monitors ARP requests, and after enabling IP forwarding on the local host, sends ARP replies mapping all IPs to the local MAC address. The second method floods the local network with random MAC addresses (like macof v1.1 by Ian Vitek), causing switches to send packets to all ports.

o arp0c
  ARP0c is a connection interceptor (using ARP spoofing and a bridging engine). ARP requests from various sources in a switched environment get false ARP response packets which point to the host running ARP0c. Packets from these hosts are bridged with an internal engine to the real destination address to allow normal network operation and keep TCP connections alive. Packets to hosts in remote (read: reachable using a router) subnets are forwarded to a gateway using an internal routing table, independent from the host's routing table.

o cold
  COLD is both a network sniffer and a protocol analyzer. A sniffer is a network monitoring and protocol analyzing tool which allows one to study, maintain and troubleshoot networks by extracting flowing data and printing out its contents and structure.

o dsniff
  dsniff is a collection of tools written by dugsong for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

o ethereal
  Ethereal is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.

o ettercap
  ettercap is a network sniffer/interceptor/logger for switched LANs. It uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts.

o hunt
  The main goal of the HUNT project is to develop a tool for exploiting well known weaknesses in the TCP/IP protocol suite. The author has integrated some features not widely seen elsewhere, including connection synchronization after attack, ARP relay, etc.

o ipdump
  An IPv4 network traffic sniffer program similar to tcpdump. Runs on Linux and Windows, and does not require the pcap library.

o ipgrab
  IPgrab is a verbose packet sniffer for UNIX hosts.

o jpcap
  jpcap is a network packet capture library for applications written in Java.

o libpcap
  libpcap provides a high level interface to packet capture systems. All packets on the network, even those destined for other hosts, are accessible through this mechanism.

o NAST
  Nast is a packet sniffer and a LAN analyzer based on Libnet and Libpcap. It can sniff and log the packets on a network interface in normal or promiscuous mode. It dumps the headers of packets and the payload in ASCII or ASCII-HEX format. You can apply a filter. The sniffed data can be saved in a separate file.

o netdude
  Netdude is a GUI tool to visually inspect, display, filter and modify packet capture files output from tcpdump using the -w option. The netdude package also includes libnetdude, so you can integrate similar functionality into your own apps, and libpcapnav, so you can integrate packet capture file navigation functionality into your own apps.

o Net::Packet
  Net::Packet is a Perl module that does basic disassembly of network packets of various Internet protocols. It also contains hooks for packet construction.

o Net::Pcap (and Utils)
  Net::Pcap is a Perl module that implements the LBL pcap packet capture library.

o ngrep
  ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

o ngrep-lib
  The ngrep library is a front-end for accessing the Packet Capture Library (libpcap) without going through the hassle of programming the filters, making sure you pick the right size for the header, etc.

o pcapmerge
  pcapmerge is a utility that can be used to extract part of a binary packet capture file or to merge several capture files. It provides similar functionality to the tcpslice program.

o pdump
  pdump is a highly configurable packet sniffer and injector/creator written in Perl, that dumps, greps, monitors, creates, and modifies traffic on a network.

o sniffit
  Sniffit is a packet sniffer, developed on LINUX, ported to SunOS/SOLARIS, IRIX and FreeBSD. It has various functions that aren't offered in any other non-commercial sniffer.

o ssldump
  ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.

o syncapture
  syncapture is a small wrapper for tcpdump that captures inbound SYN packets for later analysis with the p0f passive fingerprinting tool.

o taranis
  Taranis redirects traffic on switch hardware by sending spoofed ethernet traffic. This is not the same as an ARP poisoning attack as it affects only the switch, and doesn't rely on ARP packets. Plus, it is virtually invisible because the packets it sends aren't seen on any other port on the switch. Evading detection by an IDS that may be listening on a monitoring port is as simple as changing the type of packet that is sent by the packet spoofing thread.

o tcpdump
  tcpdump is a tool for network monitoring and data acquisition. tcpdump uses libpcap, a system-independent interface for user-level packet capture, and prints out the headers of packets on a network interface that match a boolean expression.

o tcpdump2ascii
  tcpdump2ascii is a small perl utility which parses the hex output from 'tcpdump -x -l' and displays this as ASCII.

o tcpdpriv
  Tcpdpriv is a program for eliminating confidential information from packets collected on a network interface (or from trace files created using the -w argument to tcpdump).

o tcpflow
  tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

o tcptrace
  tcptrace is a tool written by Shawn Ostermann at Ohio University, for analysis of TCP dump files. It can take as input the files produced by several popular packet-capture programs, including tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis.

o ttt
  ttt is yet another descendant of tcpdump, but it is capable of real-time, graphical, and remote traffic-monitoring. ttt won't replace tcpdump; rather, it helps you find out what to look into with tcpdump. ttt monitors the network and automatically picks up the main contributors of the traffic within the time window. The graphs are updated every second by default.

o VoIPong
  VoIPong is a utility which detects all Voice Over IP calls on a pipeline, and for those which are G711 encoded, dumps the actual conversation to separate wave files. It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP.

o windump
  WinDump is the port of tcpdump, the most used network sniffer/analyzer for UNIX, to the Windows platform. The port is currently based on version 3.5.2. WinDump is fully compatible with tcpdump and can be used to watch and diagnose network traffic according to various complex rules. It can run under Windows 95/98/ME, Windows NT and Windows 2000.

o winpcap
  WinPcap is an architecture for packet capture and network analysis for the Win32 platforms. It includes a kernel-level packet filter, a low-level dynamic link library (packet.dll), and a high-level and system-independent library (wpcap.dll, based on libpcap version 0.5). The packet filter is a device driver that adds to Windows 95, Windows 98, Windows ME, Windows NT and Windows 2000 the ability to capture and send raw data from a network card, with the possibility to filter and store in a buffer the captured packets.

o wireshark
  Wireshark is one of the world's foremost network protocol analyzers, and is the standard in many parts of the industry. It is the continuation of a project that started in 1998. Hundreds of developers around the world have contributed to it, and it is still under active development.

o xipdump
  Xipdump(1) is a protocol analyzer and tester. It's a kind of graphical tcpdump(8) which adds the possibility of changing packet values and resending them. The graphical representation of a packet is intended to offer a complete, customizable view at a glance.

(Note: This list of software and information available at Wiretapped is not exhaustive. Users are encouraged to browse and search the archive and read any "-README.txt" files that are available.)