.\" .\" $Id: packit.8.in,v 1.1.1.2 2003/10/03 09:57:51 lamont Exp $ .\" .\" Copyright (c) 2002 Darren Bounds .\" .\" .TH PACKIT 8 "10 20 2002" "Packit 1.0" "Packet analysis and injection tool" .SH NAME Packit \- Packet analysis and injection tool .SH SYNOPSIS Packet capture: .br \fBpackit\fR \fB-m\fR capture [\fB-cGHnvsX\fR] [\fB-i\fR \fIinterface\fR] [\fB-r\fR|\fB-w\fR\fI file\fR] expression .br Packet injection: .br \fBpackit\fR \fB-m\fR inject [\fB-t\fR \fIprotocol\fR] [\fB-aAbcCdDeFgGhHjJkKlLmMnNoOpPqQrRsSTuUvwWxXyYzZ\fR] [\fB-i\fR \fIinterface\fR] .br .SH DESCRIPTION .ft \fBPackit\fR is a network auditing tool. Its value is derived from its ability to customize, inject, monitor, and manipulate IP traffic. By allowing you to define (spoof) all TCP, UDP, ICMP, IP, ARP, RARP and Ethernet header options, Packit can be useful in testing firewalls, intrusion detection systems, port scanning, simulating network traffic and general TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP. .SH PACKIT BASE OPTIONS \fB-m\fR \fImode\fR .br .ti +5 Select a runtime mode. Currently supported modes .br .ti +5 are \fBcapture\fR, \fBinject\fR and \fBtrace\fR. The default is \fBinject\fR. .br .SH PACKET CAPTURE OPTIONS \fBPacket capture\fR options are as follows: .br \fB-c\fR \fIcount\fR .br .ti +5 Specify the number of packets to capture. .br \fB-e\fR Display link-layer header data. .br \fB-G\fR Display the timestamp in GMT rather than localtime. .br \fB-i\fR \fIinterface\fR .br .ti +5 Listen on \fIinterface\fR. If unspecified, packit will use the lowest .br .ti +5 numbered device in the 'up' state (excluding loopback). .br \fB-n\fR Don't resolve host addresses to names, but do resolve port numbers. .br .ti +5 Disables DNS lookups. .br \fB-nn\fR Don't resolve port numbers to their service names, but do resolve .br .ti +5 host addresses. .br \fB-nnn\fR Don't resolve host addresses or port numbers. 
.br \fB-r\fR \fIfile\fR .br .ti +5 Read packet data from a tcpdump-formatted binary log \fIfile\fR (for example, .br .ti +5 a file created with -w). .br \fB-s\fR \fIsnaplen\fR .br .ti +5 Read snaplen bytes of data from each packet rather than the .br .ti +5 default of 68. .br \fB-v\fR Enables verbose packet capture. .br \fB-w\fR \fIfile\fR .br .ti +5 Write the raw packets to \fIfile\fR rather than decoding and .br .ti +5 printing them. .br \fB-X\fR Display a hexadecimal and ASCII dump of each packet up to snap .br .ti +5 length bytes. .br \fIexpression\fR .br .ti +5 Selects which packets should be displayed. If no \fIexpression\fR is .br .ti +5 given, all packets are displayed. See the \fItcpdump\fR(1) man page for .br .ti +5 more detailed information. .br .SH PACKET INJECTION / TRACE .br Packet injection is used to define and inject IP based network traffic onto your network. You have the ability to define essentially any ARP, IP, TCP, UDP, ICMP and Ethernet header value. This can be valuable in a number of ways, including testing firewalls, intrusion detection systems, simulating traffic flow and general TCP/IP auditing. .br .SH CHOOSE YOUR PROTOCOL .br \fB-t\fR \fIprotocol\fR .br .ti +5 Specify the type of packet to inject. Supported values are: \fBARP\fR, .br .ti +5 \fBRARP\fR, \fBTCP\fR, \fBUDP\fR and \fBICMP\fR. This option defaults to \fBTCP\fR in inject .br .ti +5 mode and to \fBICMP\fR in trace mode. .br .SH PACKET INJECTION / TRACE GENERAL This section documents the operational command-line options. .br \fB-c\fR \fIcount\fR .br .ti +5 The value of \fIcount\fR is the total number of packets we would like .br .ti +5 to inject (a count value of 0 means forever). .br \fB-b\fR \fIburst rate\fR .br .ti +5 Specifies the number of packets to inject every interval (defined .br .ti +5 by -w). (A burst rate of 0 will send packets as quickly as .br .ti +5 possible.) .br \fB-h\fR .br .ti +5 Host response mode. 
Enabling this option will print any packet .br .ti +5 you inject and then wait (see -H for the timeout) to see if the remote .br .ti +5 host responds. .br \fB-H\fR \fItimeout\fR .br .ti +5 Specify the timeout value (in seconds) to use with '-h'. .br .ti +5 This value defaults to '1' second. .br \fB-i\fR \fIinterface\fR .br .ti +5 Specify the interface to transmit from, if the machine has .br .ti +5 multiple interfaces. .br \fB-v\fR .br .ti +5 Verbose injection mode. Displays each packet you inject. When .br .ti +5 used with the '-h' option it also applies to the responses that .br .ti +5 are captured, as in capture mode. .br \fB-p\fR \fIpayload\fR .br .ti +5 This option defines the payload that follows the headers. .br .ti +5 A hex payload should be prefixed with '0x', with each byte .br .ti +5 separated by whitespace. .br .ti +5 ASCII Example: -p 'hello, this is my packet' .br .ti +5 Hex Example: -p '0x 70 61 63 6B 69 74' .br \fB-w\fR \fIinterval\fR .br .ti +5 Specify the number of seconds to wait between packet bursts. .br .ti +5 This value defaults to '1' second. .br \fB-Z\fR \fIlength\fR .br .ti +5 Specify the size of the packet(s) to inject. (Max: 65535) .br .SH IP HEADER OPTIONS This section documents the IP header command-line options. .br \fB-s\fR \fIsrc address\fR .br .ti +5 The IP address the packet will appear to come from. If .br .ti +5 unspecified, packit will default to the IP address of the .br .ti +5 lowest numbered device in the 'up' state (excluding loopback). .br \fB-sR\fR Use a random source IP address. .br \fB-d\fR \fIdst address\fR .br .ti +5 The IP address of the machine you would like to contact. .br \fB-dR\fR Use a random destination IP address. .br \fB-o\fR \fItype of service\fR .br .ti +5 TOS values are typically written in hexadecimal; however, packit .br .ti +5 only accepts TOS values as integers. 
.br .ti +5 Below are the 4 valid TOS bit values: .br .ti +5 - Minimize delay: 16 (0x10) .br .ti +5 - Maximize throughput: 8 (0x08) .br .ti +5 - Maximize reliability: 4 (0x04) .br .ti +5 - Minimize monetary cost: 2 (0x02) .br \fB-n\fR \fIID number\fR .br .ti +5 The ID number is used to identify each datagram sent by a host. .br .ti +5 It generally increments by one with each datagram sent. This .br .ti +5 value is random by default. .br \fB-T\fR \fITTL\fR .br .ti +5 The TTL value defines the upper limit on the number of devices .br .ti +5 through which the datagram may pass to reach its destination. .br .ti +5 The default value is \fB128\fR. .br \fB-V\fR \fIIP protocol number\fR .br .ti +5 Specify the IP protocol associated with this packet (RAWIP only). .br .ti +5 The default value is \fB255\fR. .br .SH TCP HEADER OPTIONS This section documents the TCP header command-line options. .br \fB-S\fR \fIsrc port\fR .br .ti +5 The port our source address is communicating from. This .br .ti +5 value is random by default. .br \fB-D\fR \fIdst port\fR .br .ti +5 The port on the destination we would like to communicate on. In .br .ti +5 inject mode this value is 0 by default while in trace mode this .br .ti +5 value is random by default. You may also specify a range of .br .ti +5 ports in the format: \fB-D 1:1024\fR. .br \fB-f\fR Set the IP Don't Fragment (DF) bit so this packet is not fragmented. .br \fB-F\fR \fItcp flags\fR .br .ti +5 There are 6 TCP header flag bits. 
They can be used in combination .br .ti +5 with one another and are specified using the following .br .ti +5 identifiers: .br .ti +5 - S : SYN (Synchronization sequence number) .br .ti +5 - F : FIN (Sender is finished) .br .ti +5 - A : ACK (Acknowledgement number is valid) .br .ti +5 - P : PSH (Receiver should push this data to the remote host) .br .ti +5 - U : URG (The urgent pointer is valid) .br .ti +5 - R : RST (Reset this connection) .br .ti +5 As an example, to set the SYN and FIN bits use the .br .ti +5 following: -F SF .br \fB-q\fR \fIsequence number\fR .br .ti +5 The sequence number is a 32-bit unsigned (positive) number that .br .ti +5 identifies the position, in the sender's byte stream, of the .br .ti +5 first byte of data in this segment. .br \fB-a\fR \fIack number\fR .br .ti +5 The acknowledgement (ack) number defines the next sequence .br .ti +5 number that the sender of the ack expects to see. In valid TCP .br .ti +5 communication it is the peer's sequence number plus the number .br .ti +5 of bytes received (a SYN or FIN counts as one). It is a 32-bit .br .ti +5 unsigned (positive) number. .br \fB-W\fR \fIwindow size\fR .br .ti +5 The window size provides flow control. It is a 16-bit .br .ti +5 number that defines how many bytes the receiver is willing .br .ti +5 to accept. The default value is \fB1500\fR. .br \fB-u\fR \fIurgent pointer\fR .br .ti +5 In valid TCP communication, the urgent pointer is .br .ti +5 only meaningful if the URG flag is set. Added to the .br .ti +5 sequence number, it points to the last byte of urgent .br .ti +5 data. .br .SH UDP HEADER OPTIONS This section documents the UDP header command-line options. See \fB-t\fR for the protocol used by default in each mode. .br \fB-S\fR \fIsrc port\fR .br .ti +5 The port our source address is communicating from. This .br .ti +5 value is random by default. .br \fB-D\fR \fIdst port\fR .br .ti +5 The port on the destination we would like to communicate on. 
In .br .ti +5 inject mode this value is 0 by default while in trace mode this .br .ti +5 value is random by default. You may also specify a range of .br .ti +5 ports in the format: \fB-D 1:1024\fR. .br .SH ICMP HEADER OPTIONS This section documents the ICMP header command-line options. .br \fB-K\fR \fItype\fR .br .ti +5 Specify the ICMP type. See /usr/share/docs/packit/ICMP.txt for details on types. .br \fB-C\fR \fIcode\fR .br .ti +5 Specify the ICMP code. See /usr/share/docs/packit/ICMP.txt for details on codes. .br \fBECHO REQUEST / ECHO REPLY OPTIONS\fR .br \fB-N\fR \fIid number\fR .br .ti +5 Define the 16-bit ICMP identification number. This value is .br .ti +5 random by default. .br \fB-Q\fR \fIsequence number\fR .br .ti +5 Define the 16-bit ICMP sequence number. This value is random .br .ti +5 by default. .br \fBUNREACHABLE / REDIRECT / TIME EXCEEDED OPTIONS\fR .br \fB-g\fR \fIgateway\fR .br .ti +5 Define the gateway to which traffic is redirected. This option .br .ti +5 is only used for ICMP redirects (type 5). .br \fB-j\fR \fIaddress\fR .br .ti +5 Define the source address of the original packet. .br \fB-J\fR \fIsrc port\fR .br .ti +5 Define the source port of the original packet. .br \fB-l\fR \fIaddress\fR .br .ti +5 Define the destination address of the original packet. .br \fB-L\fR \fIdst port\fR .br .ti +5 Define the destination port of the original packet. .br \fB-m\fR \fItime to live\fR .br .ti +5 Define the Time To Live of the original packet. This option .br .ti +5 defaults to \fB128\fR. .br \fB-M\fR \fIid\fR .br .ti +5 Define the IP ID of the original packet. This option defaults .br .ti +5 to \fBrandom\fR. .br \fB-O\fR \fItype of service\fR .br .ti +5 Define the Type of Service of the original packet. See the .br .ti +5 \fB-o\fR option for the possible values. .br \fB-P\fR \fIprotocol\fR .br .ti +5 Define the protocol of the original packet. This option .br .ti +5 defaults to \fBUDP\fR. 
.br \fBMASK REQUEST / MASK REPLY OPTIONS\fR .br \fB-N\fR \fIid number\fR .br .ti +5 Define the 16-bit ICMP identification number. This value is .br .ti +5 random by default. .br \fB-Q\fR \fIsequence number\fR .br .ti +5 Define the 16-bit ICMP sequence number. This value is random .br .ti +5 by default. .br \fB-G\fR \fIaddress mask\fR .br .ti +5 Define the address network mask. The default value for this .br .ti +5 option is \fB255.255.255.0\fR. .br \fBTIMESTAMP REQUEST / TIMESTAMP REPLY OPTIONS\fR .br \fB-N\fR \fIid number\fR .br .ti +5 Define the 16-bit ICMP identification number. This value is .br .ti +5 random by default. .br \fB-Q\fR \fIsequence number\fR .br .ti +5 Define the 16-bit ICMP sequence number. This value is random .br .ti +5 by default. .br \fB-U\fR \fIoriginal timestamp\fR .br .ti +5 Define the 32-bit original timestamp. This value is 0 .br .ti +5 by default. .br \fB-k\fR \fIreceived timestamp\fR .br .ti +5 Define the 32-bit received timestamp. This value is 0 .br .ti +5 by default. .br \fB-z\fR \fItransmit timestamp\fR .br .ti +5 Define the 32-bit transmit timestamp. This value is 0 .br .ti +5 by default. .br .SH ARP AND RARP HEADER OPTIONS This section documents the ARP/RARP header command-line options. In my opinion, these options have the ability to do the most damage with the least effort, especially on large cable and DSL networks. Use with caution. .br Packit only supports ARP/RARP protocol addresses in IPv4 format. .br \fB-A\fR \fIoperation type\fR .br .ti +5 Define the ARP / RARP / IRARP operation type. The valid options .br .ti +5 are as follows: .br .ti +5 - 1 : ARP Request (Default for ARP packets.) .br .ti +5 - 2 : ARP Reply .br .ti +5 - 3 : Reverse ARP Request (Default for RARP packets.) .br .ti +5 - 4 : Reverse ARP Reply .br .ti +5 - 5 : Inverse ARP Request .br .ti +5 - 6 : Inverse ARP Reply .br \fB-y\fR \fItarget IP address\fR .br .ti +5 The IP address of the target host. .br \fB-yR\fR Use a random target host IP address. 
.br \fB-Y\fR \fItarget ethernet address\fR .br .ti +5 The ethernet (hardware) address of the target host. .br \fB-YR\fR Use a random target host ethernet address. .br \fB-x\fR \fIsender IP address\fR .br .ti +5 The IP address of the sender host. .br \fB-xR\fR Use a random sender host IP address. .br \fB-X\fR \fIsender ethernet address\fR .br .ti +5 The ethernet (hardware) address of the sender host. .br \fB-XR\fR Use a random sender host ethernet address. .br .SH ETHERNET HEADER OPTIONS This section documents the Ethernet header command-line options. .br \fB-e\fR \fIsrc ethernet address\fR .br .ti +5 The ethernet (hardware) address the packet will appear to come .br .ti +5 from. .br \fB-eR\fR Use a random source ethernet address. .br .ti +5 If you define this, you will most likely need to define the .br .ti +5 destination ethernet address as well. Using either -e or -E .br .ti +5 enables link-level packet injection, and in that mode the .br .ti +5 destination ethernet address cannot be determined automatically. .br \fB-E\fR \fIdst ethernet address\fR .br .ti +5 The ethernet (hardware) address of the next hop the packet .br .ti +5 will cross while making its way to the destination. .br \fB-ER\fR Use a random destination ethernet address. .br The following two rules should be followed if you actually want the destination to receive the packets you're sending: .br \fB1)\fR If the destination exists beyond your default route (gateway), .br .ti +5 the destination ethernet address should be set to the default .br .ti +5 route's ethernet address. This can typically be found by using .br .ti +5 the \fBarp\fR(8) command. .br \fB2)\fR If the destination exists on your subnet, the destination .br .ti +5 ethernet address should be set to its ethernet address. This .br .ti +5 can typically be found by using the \fBarp\fR(8) command. 
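.SH HEADER CONSTRUCTION EXAMPLE
The following Python script is an added example and is not part of packit. It assembles, byte for byte, what the IP HEADER OPTIONS, TCP HEADER OPTIONS and the UNREACHABLE / REDIRECT / TIME EXCEEDED options above describe: the -F flag identifiers, the 32-bit -q/-a fields, the -T and -W defaults, and an ICMP redirect whose body carries the original datagram's header built from the -j/-J/-l/-L/-m/-M/-O/-P values. All addresses and ports are constructed sample values; the redirect code (1, host) and the UDP layout of the embedded 8 bytes are assumptions, not something this page states. The checksum verification is included to show the first thing a receiving stack checks on a spoofed packet.

```python
"""Added example, not packit's own code: assemble the IPv4, TCP and ICMP
headers that packit's IP, TCP and ICMP options describe, so the on-wire
effect of each option can be inspected byte by byte.  IPv4 only; all
addresses and ports used below are constructed sample values."""
import socket
import struct

# packit -F identifiers mapped to the six TCP flag bits
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_tcp_flags(spec: str) -> int:
    """Turn a packit -F string such as 'SF' into the TCP flags byte."""
    bits = 0
    for ch in spec.upper():
        if ch not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag identifier {ch!r}")
        bits |= TCP_FLAG_BITS[ch]
    return bits


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by IPv4, TCP and ICMP.
    Running it over a region that already contains its checksum yields 0."""
    if len(data) % 2:
        data += bytes(1)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, tos=0, ident=0, ttl=128, df=False):
    """20-byte IPv4 header: -o tos, -n ident, -T ttl (default 128), -f DF bit."""
    frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident, frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src, dst, sport, dport, flags, seq=0, ack=0, window=1500,
                urg=0, payload=b""):
    """TCP header without options: -S/-D ports, -F flags, -q seq, -a ack,
    -W window (default 1500), -u urgent pointer.  seq/ack are masked to the
    32 bits the -q and -a options document; larger values silently wrap."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, flags, window, 0, urg)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def build_tcp_packet(src, dst, sport, dport, flag_spec, **tcp_kw):
    """IPv4 packet for: packit -s src -d dst -S sport -D dport -F flag_spec"""
    seg = tcp_segment(src, dst, sport, dport, parse_tcp_flags(flag_spec), **tcp_kw)
    return ipv4_header(src, dst, socket.IPPROTO_TCP, len(seg)) + seg


def tcp_packet_ok(packet: bytes) -> bool:
    """What a receiving stack checks first: both checksums must verify."""
    seg = packet[20:]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20], 0,
                         socket.IPPROTO_TCP, len(seg))
    return checksum(packet[:20]) == 0 and checksum(pseudo + seg) == 0


def icmp_redirect(gateway, orig_src, orig_dst, orig_sport, orig_dport,
                  orig_proto=socket.IPPROTO_UDP, orig_ttl=128, orig_id=0, orig_tos=0):
    """ICMP type 5, code 1 (redirect for host; the code is an assumption).
    -g gateway; the body carries the original datagram's IP header and its
    first 8 bytes (-j/-J/-l/-L/-m/-M/-O/-P), which the receiver matches
    against its own sockets before acting on the redirect.  The 8 bytes
    are laid out as a UDP header, matching the -P default."""
    first8 = struct.pack("!HHHH", orig_sport, orig_dport, 8, 0)
    inner = ipv4_header(orig_src, orig_dst, orig_proto, 8, orig_tos,
                        orig_id, orig_ttl) + first8
    msg = struct.pack("!BBH4s", 5, 1, 0, socket.inet_aton(gateway)) + inner
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


if __name__ == "__main__":
    pkt = build_tcp_packet("192.168.0.1", "192.168.0.20", 403, 80, "SR",
                           seq=1234567890)
    print(pkt.hex())
    print(icmp_redirect("10.0.0.254", "10.0.0.5", "10.0.0.9", 40000, 53).hex())
```

The ICMP checksum covers the embedded header, so any original-packet option that does not match a connection the target actually has changes the bytes it compares against its socket table and the redirect is ignored; that is the practical reason the -j/-J/-l/-L options exist.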
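.SH ARP FRAME EXAMPLE
The following Python script is an added example and is not part of packit. It builds the Ethernet/ARP frame that the ARP AND RARP HEADER OPTIONS and ETHERNET HEADER OPTIONS describe (-A, -x/-X, -y/-Y, -e/-E), accepts the loose address form used in this page's examples such as '5:4:3:2:1:0', and decodes frames the way an ARP monitor would, flagging both a frame source that disagrees with the ARP sender hardware address and an IP claimed by two different hardware addresses. Target fields and all addresses are constructed sample values; the defaults used when -e/-E are omitted are this script's own assumption, since the page does not document packit's.

```python
"""Added example, not packit's own code: build the Ethernet/ARP frame that
packit's ARP and Ethernet options describe, and decode frames the way an
ARP monitor would.  IPv4 protocol addresses only, as in packit; all
addresses below are constructed sample values."""
import socket
import struct

ETH_P_ARP = 0x0806
BROADCAST = bytes([0xFF] * 6)
# packit -A operation types
ARP_OPS = {1: "request", 2: "reply", 3: "reverse request", 4: "reverse reply",
           5: "inverse request", 6: "inverse reply"}


def parse_mac(text: str) -> bytes:
    """Accept the loose form this page's examples use ('5:4:3:2:1:0') as
    well as the usual zero-padded 'ff:00:0d:ff:00:0d'."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad ethernet address {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip,
              eth_src=None, eth_dst=None) -> bytes:
    """Ethernet II frame carrying an ARP packet.  -A op, -X/-x sender
    hardware/protocol address, -Y/-y target addresses, -e/-E the frame's own
    source/destination.  When -e/-E are not given this example copies the
    sender hardware address into the frame source and broadcasts the frame
    (an assumption; packit's own defaults are not documented here)."""
    sha, tha = parse_mac(sender_mac), parse_mac(target_mac)
    src = parse_mac(eth_src) if eth_src else sha
    dst = parse_mac(eth_dst) if eth_dst else BROADCAST
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                      socket.inet_aton(sender_ip), tha, socket.inet_aton(target_ip))
    frame = dst + src + struct.pack("!H", ETH_P_ARP) + arp
    return frame + bytes(60 - len(frame))   # pad to the 60-byte minimum (no FCS)


def describe_arp(frame: bytes) -> dict:
    """Decode one frame into the fields a monitor logs.  'consistent' is
    False when the frame's source address differs from the ARP sender
    hardware address, the mismatch that spoofing -e alongside -X (as in the
    PACKET INJECTION EXAMPLES) is meant to hide."""
    if int.from_bytes(frame[12:14], "big") != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": ARP_OPS.get(op, f"unknown({op})"),
            "eth_dst": format_mac(frame[0:6]), "eth_src": format_mac(frame[6:12]),
            "sender_mac": format_mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": format_mac(tha), "target_ip": socket.inet_ntoa(tpa),
            "consistent": sha == frame[6:12]}


def find_ip_mac_conflicts(frames):
    """arpwatch-style check over a sequence of frames: an IP that is claimed
    by more than one hardware address is a cache-poisoning candidate.
    Returns (ip, first_mac, conflicting_mac) tuples in order of detection."""
    claimed, conflicts = {}, []
    for frame in frames:
        d = describe_arp(frame)
        if d["op"] not in ("request", "reply"):
            continue
        first = claimed.setdefault(d["sender_ip"], d["sender_mac"])
        if first != d["sender_mac"]:
            conflicts.append((d["sender_ip"], first, d["sender_mac"]))
    return conflicts


if __name__ == "__main__":
    # The broadcast reply from the PACKET INJECTION EXAMPLES: 4.3.2.1 is at
    # 5:4:3:2:1:0.  Target fields are constructed; that example leaves them out.
    spoof = arp_frame(2, "5:4:3:2:1:0", "4.3.2.1", "0:0:0:0:0:0", "4.3.2.2",
                      eth_src="5:4:3:2:1:0")
    print(describe_arp(spoof))
```

A monitor that keeps the first hardware address seen for each IP catches the unsolicited reply regardless of whether -e was spoofed; the frame-source check only catches the crude case.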
.br .SH PACKET CAPTURE EXAMPLES To print all TCP traffic that does not involve SSH (port 22). .br .ti +5 \fBpackit\fR -m cap 'tcp and not port 22' .br To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host, don't resolve addresses and display a hex/ASCII dump of each packet. .br .ti +5 \fBpackit\fR -m cap -nX 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 .br .ti +12 and not src and dst net localnet' .br To write the first 10 ICMP packets captured to a file. .br .ti +5 \fBpackit\fR -m cap -c 10 -w /tmp/mylog 'icmp' .br .SH PACKET INJECTION EXAMPLES \fBIMPORTANT\fR: The ethernet address 'f:00:d:f:00:d' in these examples is a mock representation of the ethernet address of my default route. In order for these examples to work properly, you would need to change it to your correct default route ethernet address. .br Inject 10 ICMP type 8 (echo request) packets from host '3.1.33.7' to host '192.168.0.1' and watch for a response. .br .ti +5 \fBpackit\fR -t icmp -s 3.1.33.7 -d 192.168.0.1 -c 10 -h .br Inject an ICMP type 18 (mask reply) packet with an ICMP id of 211 and an address mask of 255.255.255.0. .br .ti +5 \fBpackit\fR -t icmp -K 18 -d 127.0.0.1 -N 211 -G 255.255.255.0 .br Inject 5 TCP packets from random hosts to 'www.microsoft.com' with the SYN flag set, a window size of 666, a random source ethernet address, a destination ethernet address of f:00:d:f:00:d, with a payload of "HI BILL", displaying each packet injected. .br .ti +5 \fBpackit\fR -sR -d www.microsoft.com -F S -c 5 -W 666 .br .ti +12 -eR -E f:00:d:f:00:d -p 'HI BILL' -v .br Inject a total of 1000 TCP packets in 20 packet per second bursts from 192.168.0.1 on port 403 to 192.168.0.20 on port 80 with the SYN and RST flags set, a sequence number of 1234567890 (the field is 32 bits wide, so larger values do not fit) and a source ethernet address of 0:0:0:0:0:0. 
.br .ti +5 \fBpackit\fR -s 192.168.0.1 -d 192.168.0.20 -S 403 -D 80 .br .ti +12 -F SR -q 1234567890 -c 1000 -b 20 -e 0:0:0:0:0:0 .br Inject TCP packets from 10.22.41.6 to 172.16.1.3 on ports ranging from 1 to 1024 with the SYN flag set and display each packet we send. .br .ti +5 \fBpackit\fR -s 10.22.41.6 -d 172.16.1.3 -D 1:1024 -F S -v .br Inject a broadcast ARP reply stating that 4.3.2.1 is at 5:4:3:2:1:0. Also, spoof the source ethernet address to match for a little more authenticity, and supply the payload in hex. .br .ti +5 \fBpackit\fR -t arp -A 2 -x 4.3.2.1 -X 5:4:3:2:1:0 -e 5:4:3:2:1:0 .br .ti +12 -p '0x 70 61 63 6B 69 74' .br .SH TRACE ROUTE EXAMPLES Appear as a DNS response by using a UDP source port of 53 (DNS). .br .ti +5 \fBpackit\fR -m trace -t UDP -d 192.168.2.35 -S 53 .br Appear as HTTP traffic by using TCP port 80. .br .ti +5 \fBpackit\fR -m trace -t TCP -d www.google.com -S 80 -FS .br .SH SEE ALSO pcap(3), bpf(4), libnet(3), tcpdump(1) .SH BUGS Due to limitations in some versions of *BSD, specifying arbitrary ethernet and/or ARP header data may not be supported. .br ARP capture data is incomplete. .br Like this man page, packit is still very much a work in progress. Please send bug reports, questions or requests to dbounds@intrusense.com. .SH AUTHOR Darren Bounds .br The latest version can be found at: .br .ti +7 .ft I http://packetfactory.openwall.net/projects/packit .ft