Tool 7: Sniff


  This tool captures network packets. It can display them, or save them
  to a file (called a 'record' in netwox).
  Parameter --device indicates on which device to sniff. Note that on
  some systems, such as Windows, sniffing on some devices is not
  supported.
  Parameter --filter defines the sniff filter, which restricts the
  packets captured. This kind of filter is called a BPF or pcap filter.
  Basic elements of a filter are:
    net 192.168.10
    net mask
    port 21
    dst host
    src port 2345
    ether host a:b:c:d:e:f ('ether a:b:c:d:e:f' does not work)
    ether src aa:bb:cc:dd:ee:ff
  Here are filter examples:
    "net 192.168 and icmp"
    "host or dst port 80"
    "(udp or tcp) and not host"
  Parameter --pause lets you press the P key to pause the capture or the
  Q key to quit it.
  Parameters --hdrencode and --dataencode define how the header and the
  data/payload are displayed. Commonly useful values are: array, dump,
  synth, nothing, text. The full list is available through netwag or by
  running tool
  Parameter --rawip ignores the Ethernet/link layer and starts the
  display at the IP header.
  Parameter --extended tries to also decode other protocols, such as DNS
  or DHCP.
  Parameter --ipreas tries to reassemble IP packets. This might miss
  packets.
  Parameter --tcpreord tries to reorder a TCP flow (by sequence number
  increments). This might miss packets.
  Parameter --outfile gives the name of the file in which to store the
  captured packets. Parameter --recordencode defines how data is encoded
  in this file (suggested values: bin, pcap and mixed_wrap). The capture
  can automatically rotate to a new file using parameters --split-size
  or --split-age.
  The DLT (Data Link Type) of the packets in this record is 'raw' if
  --rawip is set; otherwise it is the sniff DLT obtained by tool 13.
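  The DLT point matters to anything that later reads the record: with
  --rawip the packets start at the IP header, otherwise they start at the
  link layer (Ethernet on most devices), and a reader that ignores the
  file's link type decodes garbage. The following Python is an added
  example, not netwox code. It builds a small constructed pcap file in both
  forms (the packets are made up, not captured), reads the link type from
  the global header, skips the Ethernet header (and any 802.1Q tags) only
  when the DLT says so, and verifies the IPv4 header checksum. Assumptions
  are the standard pcap file layout and the link-type values 1 = Ethernet
  and 12/101 = raw IP.

```python
"""Read a pcap record file, such as netwox 7 writes with --recordencode pcap, and find
the IP header according to the file's link type. Added example; this is not netwox code."""
import struct
import ipaddress

LINKTYPE_ETHERNET = 1
# libpcap writes raw-IP files with LINKTYPE_RAW = 101; DLT_RAW = 12 also shows up in
# files from other tools. Assumption: treat both as 'raw', i.e. the packet starts at IP.
LINKTYPE_RAW_VALUES = {12, 101}
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100

def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    """Constructed sample packet (not a capture): minimal IPv4 header + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_pcap(linktype, packets, endian="<"):
    """Constructed pcap file bytes: 24-byte global header, then one record per packet."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, pkt in packets:
        out += struct.pack(endian + "IIII", ts_sec, 0, len(pkt), len(pkt)) + pkt
    return out

def read_pcap(data):
    """Yield (ts_sec, linktype, packet) per record; accepts either byte order."""
    magics = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
              b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}  # last two: nanosecond
    endian = magics.get(bytes(data[:4]))
    if endian is None:
        raise ValueError("not a pcap file (bad magic)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        ts_sec, _frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) != incl_len:   # file cut short, e.g. a record still being written
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, linktype, pkt

def ip_offset(linktype, pkt):
    """Offset of the IP header in pkt, or None if the frame carries something else."""
    if linktype in LINKTYPE_RAW_VALUES:       # record written with --rawip
        return 0
    if linktype == LINKTYPE_ETHERNET:
        off = 12
        while len(pkt) >= off + 2:            # walk past any 802.1Q tags
            ethertype = struct.unpack("!H", pkt[off:off + 2])[0]
            if ethertype != ETHERTYPE_VLAN:
                return off + 2 if ethertype == ETHERTYPE_IPV4 else None
            off += 4
        return None
    raise ValueError("unsupported link type %d" % linktype)

def ipv4_summary(pkt, off):
    """Parse the IPv4 header at pkt[off:], verify its checksum, return key fields."""
    if len(pkt) < off + 20 or pkt[off] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[off] & 0x0F) * 4
    hdr = pkt[off:off + ihl]
    if ihl < 20 or len(hdr) != ihl:
        raise ValueError("truncated IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(bytes(hdr[12:16]))),
        "dst": str(ipaddress.IPv4Address(bytes(hdr[16:20]))),
        "proto": hdr[9],
        "payload_len": struct.unpack("!H", hdr[2:4])[0] - ihl,
        "checksum_ok": ipv4_checksum(hdr) == 0,
    }

def summarize_record(data):
    """Run the pipeline over pcap bytes: one summary per IPv4 packet, whatever the DLT."""
    return [ipv4_summary(pkt, off) for _ts, lt, pkt in read_pcap(data)
            for off in [ip_offset(lt, pkt)] if off is not None]

# Constructed demo: the same ICMP echo request recorded once as an Ethernet frame
# (the default sniff DLT) and once as raw IP (what a --rawip record contains).
ICMP_ECHO = b"\x08\x00\xf7\xff\x00\x00\x00\x00"   # type 8, code 0, checksum, id, seq
IP_PKT = build_ipv4("192.168.10.5", "192.168.10.1", 1, ICMP_ECHO)
ETH_FRAME = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4) + IP_PKT
ETH_RECORD = build_pcap(LINKTYPE_ETHERNET, [(1_700_000_000, ETH_FRAME)])
RAW_RECORD = build_pcap(101, [(1_700_000_000, IP_PKT)], endian=">")

if __name__ == "__main__":
    for name, rec in (("ethernet", ETH_RECORD), ("raw", RAW_RECORD)):
        print(name, summarize_record(rec))
```

  Both records summarise to the same source, destination, protocol and
  payload length, which is the property a consumer should rely on rather
  than assuming a fixed header offset. To run it on a real record, capture
  with, for instance, netwox 7 --device eth0 --rawip --outfile capture.pcap
  --recordencode pcap (the device name is an assumption) and pass the file's
  bytes to summarize_record in place of RAW_RECORD.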


  Synonyms: ethereal, frame, snoop, tcpdump


  Usage:
  netwox 7 [-d device] [-f filter] [-p|+p] [-H encode] [-D encode] [-r|+r] [-x|+x] [-i|+i] [-t|+t] [-s|+s] [-o file] [-R recordencode] [-c uint32] [-C uint32]


  Parameters:
  parameter                       description                       example
  -d|--device device              device name                       Eth0
  -f|--filter filter              pcap filter
  -p|--pause|+p|--no-pause        can pause
  -H|--hdrencode encode           header encoding type for screen   array
  -D|--dataencode encode          data encoding type for screen     dump
  -r|--rawip|+r|--no-rawip        sniff at IP level
  -x|--extended|+x|--no-extended  display other protocols           This boolean is set. Use + or --no- to unset it.
  -i|--ipreas|+i|--no-ipreas      reassemble IP packets
  -t|--tcpreord|+t|--no-tcpreord  reorder TCP packets
  -s|--screen|+s|--no-screen      display to screen                 This boolean is set. Use + or --no- to unset it.
  -o|--outfile file               save in record file               dstfile.txt
  -R|--recordencode recordencode  encoding type for record file     bin
  -c|--split-size uint32          maximum size of record in kb      0
  -C|--split-age uint32           maximum age of record in seconds  0


  Example:
  netwox 7