.\" Nast manpage .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by .\" the Free Software Foundation; either version 2 of the License, or .\" (at your option) any later version. .\" .\" This program is distributed in the hope that it will be useful, .\" but WITHOUT ANY WARRANTY; without even the implied .\" warranty of .\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the .\" GNU General Public License for more details. .\" .\" You should have received a copy of the GNU General Public License .\" along with this program; if not, write to the Free Software .\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. .\" .TH NAST "8" "20040216" "NAST 0.2.0" .SH NAME nast \- Network Analyzer Sniffer Tool .SH SYNOPSIS nast [\-G] [\-i interface] [\-l filename] [\-f filter] [\-\-ld filename] [\-pdxPmsgrSMLbcCBVh] .SH DESCRIPTION Nast is a packet sniffer and a LAN analyzer based on Libnet and Libpcap. .LP It can sniff in normal mode or in promiscuous mode the packets on a network interface and log it. It dumps the headers of packets and the payload in ascii or ascii-hex format. You can apply a filter. The sniffed data can be saved in a separated file. .TP As analyzer tool, it has many features like: .br * Build LAN hosts list .br * Follow a TCP-DATA stream .br * Find LAN Internet gateways .br * Discover promiscuous nodes .br * Reset an established connection .br * Perform a single half-open portscanner .br * Perform a multi half-open portscanner .br * Find link type (hub or switch) .br * Catch daemon banner of LAN nodes .br * Control ARP answers to discover possible ARP-spoofing .br * Byte counting with an optional filter .br * Write reports logging .br .TP It also provides a new ncurses interface. .PP .SH CMDLINE SNIFFER OPTIONS .TP \fB\-i, \-\-interface\fR Select the Interface, if not specified will be auto-detected. .br .TP \fB\-p, \-\-promisc\fR Disable promiscuous mode on NIC. .br .TP \fB\-d, \-\-ascii-data\fR Print data in ascii format. .br .TP \fB\-x, \-\-ascii-hex-data\fR Print data in ascii-hex format. .br .TP \fB\-f, \-\-filter <"filter">\fR Apply <"filter"> to sniffer (see "FILTER SYNTAX" section below for syntax) .br .TP \fB \-\-ld \fR Log captured data to (only payload). Use \-l to log all packet instead, useful with \-B .br .TP \fB\-T, \-\-tcpdump-log \fR Log all packets in tcpdump format to .br .TP \fB\-R, \-\-tcpdump-log-read \fR Read all packets saved in tcpdump format from .br .PP .SH ANALYZER FEATURES .TP \fB\-P, \-\-check-promisc \fR Check other NIC on the LAN with the promiscuous flag set. .br By performing a fake ARP broadcast, we can determine if a NIC is in promiscuous mode or not. If the checked host is in promiscuous mode it will responds with an ARP response otherwise it drop the packet. .br Note: This method doesn't work with all OS .br Use \fB-P all\fR to query all network NIC eg: root@localhost:~/$ nast \-P 192.168.1.2 NAST "NETWORK ANALYZER SNIFFER TOOL" 192.168.1.2 (localhost.org) Found!! We can check all nodes by using: .br root@localhost:~/$ nast \-P all .TP \fB\-m, \-\-host-list\fR Map the LAN by performing a series of ARP request to sequential subnet IP addresses. eg: root@localhost:~/$ nast \-m NAST "NETWORK ANALYZER SNIFFER TOOL" Mapping the Lan for 255.255.255.0 subnet ... please wait MAC address IP address (hostname) .br =========================================================== .br 00:4R:BR:3E:21:12 192.168.1.1(nast.experiment.net) .br 00:50:BA:80:AC:11 192.168.1.2 (localhost.org) (*) (*) This is localhost .br .TP \fB\-s, \-\-tcp-stream\fR Follow a TCP/IP connection printing all data in payload. You must specify the IP addresses of the ends. eg of a ftp connection: .br root@localhost:~/$ nast \-s NAST "NETWORK ANALYZER SNIFFER TOOL" Type connection extremes .br ------------------------ .br 1st ip : 192.168.1.1 .br 1st port : 1041 .br 2nd : 192.168.1.2 .br 2nd port : 21 .br NAST TCP STREAM LOG .br .br 192.168.1.1->mistaya.neverland.org .br PASV .br 192.168.1.1<-mistaya.neverland.org .br 227 Entering Passive Mode (192,168,1,2,4,12). .br 192.168.1.1->mistaya.neverland.org .br LIST .br (...) .br .br .TP \fB\-g, \-\-find-gateway\fR Try to find possible Internet-gateways. .br We send a SYN packet to a public host on port 80 through sequential host-lan and if a SYN-ACK return we have find the gateway. .br .TP \fB\-r, \-\-reset-connection\fR Destroy an established connection. You must specify the IP addresses of the ends and at least one port . Please, pay attention when use this function. eg: root@localhost:~/$ nast \-r NAST "NETWORK ANALYZER SNIFFER TOOL" Type connection extremes .br ------------------------ .br 1 ip / hostname : 192.168.1.1 .br 1 port (0 to autodetect) : 0 .br 2 ip / hostname : 192.168.1.2 .br 2 port (0 to autodetect) : 21 .br - Waiting for SEQ ACK (192.168.1.1 -> 192.168.1.2:21) .br - Stoled SEQ (247656261) ACK (3764364876)... .br - Connection has been reset .br .br This feature works only if we can read SEQ and ACK numbers, because RST mechanism works with them. .br .TP \fB\-S, \-\-port-scanner\fR Performs a half-open port scanning on the selected host. It tries also to determine some firewall (just iptables) rules. .br About this technique NMAP says: This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and you wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non-listener. If a SYN|ACK is received, a RST is immediately sent to tear down the connection (actually our OS kernel does this for us). The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets. .br eg: root@localhost:~/$ nast \-S .br .br NAST "NETWORK ANALYZER SNIFFER TOOL" .br Port Scanner extremes .br Insert IP to scan : 192.168.1.3 .br Insert Port range : 1-100 .br Wait for scanning... .br State Port Services Notes .br Open 22 ssh None .br Open 27 nsw-fe None All the other 98 ports are in state closed .br Scanning terminated on Apr 14 21:46:55 The Port range could be in the following style: .br eg: 1-100 (means from port 1 to 100) 1,3,5,1000 (means ports 1,3,5 and 1000) 1-50,60 (means from port 1 to 50 and port 60) .br .TP \fB\-M, \-\-multi-port-scanner\fR Same as above but done on all hosts of the lan. .br .TP \fB\-L, \-\-find-link\fR Tries to determine what type of link is used in the LAN (Hub or switch). .br In the LAN segment is there a HUB or a SWITCH? We can find it by sending a spoofed ICMP echo-request (to work there must be at least 3 host in LAN and at least one of them must reply with a ICMP echo-replay) .br .TP \fB\-b, \-\-daemon-banner\fR Checks the most famous daemon banner on the LAN's hosts. .br You can customize ports database adding them to ports[] variable in main.c .br .TP \fB\-c, \-\-check-arp-poisoning\fR Control ARP answers to discover possible ARP spoofing attacks like man-in-the-middle .br When run, Nast make a database of all network node (IP and MAC address), then sniff ARP response and verify the correctness of IP-mac address association. Remember to execute Nast when you are sure that nobody is making ARP-poisoning, than have fun and relax and check program output:). .br .TP \fB\-C, \-\-byte-counting <"filter">\fR Apply traffic counting to <"filter"> (see FILTER SYNTAX section below for syntax) .br Use \fB-C any\fR if you don't want to use a filter. eg: root@localhost:~/$ nast \-C any NAST "NETWORK ANALYZER SNIFFER TOOL" Reading from "eth0" Packets Total Current speed Average speed .br ---------------------------------------------------------------- .br - 24 1008B 18B/s 21B/s .br .PP .SH GENERAL OPTIONS .TP \fB\-G, \-\-ncurses\fR Run Nast with the ncurses interfaces (only if compiled with ncurses support) .br .TP \fB\-l, \-\-log-file \fR Log reports to . Work with many features. .br .TP \fB\-B, \-\-daemon\fR Run in background like daemon and turn off stdout (very useful for sniffer/stream/ARP control logging) .br .TP \fB\-V, \-\-version\fR Show version information .PP .SH NCURSES INTERFACE NOTE Versions later 0.2.0 have a new ncurses interface which has many improvements regarding the correspondent command line version. For example you can select the connection interactively for tcp stream and reset features and byte counting module show much more information (packets type and connections load). .TP Please read NCURSES_README file before using the ncurses interface! .PP .SH FILTER SYNTAX, WHAT PCAP GIVE US! Important: this section has been copied from Tcpdump 3.7.1 manpage and "expression" here stand from "filter". .br \fBRemeber\fR to enclose filter between apexes ("something like this") .br .IP "\fI expression\fP" .RS selects which packets will be dumped. If no \fIexpression\fP is given, all packets on the net will be dumped. Otherwise, only packets for which \fIexpression\fP is `true' will be dumped. .LP The \fIexpression\fP consists of one or more .I primitives. Primitives usually consist of an .I id (name or number) preceded by one or more qualifiers. There are three different kinds of qualifier: .IP \fItype\fP qualifiers say what kind of thing the id name or number refers to. Possible types are .BR host , .B net and .BR port . E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, .B host is assumed. .IP \fIdir\fP qualifiers specify a particular transfer direction to and/or from .IR id . Possible directions are .BR src , .BR dst , .B "src or dst" and .B "src and" .BR dst . E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, .B "src or dst" is assumed. For `null' link layers (i.e. point to point protocols such as slip) the .B inbound and .B outbound qualifiers can be used to specify a desired direction. .IP \fIproto\fP qualifiers restrict the match to a particular protocol. Possible protos are: .BR ether , .BR fddi , .BR tr , .BR ip , .BR ip6 , .BR arp , .BR rarp , .BR decnet , .B tcp and .BR udp . E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'. .LP [`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface.'' FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression. .LP Similarly, `tr' is an alias for `ether'; the previous paragraph's statements about FDDI headers also apply to Token Ring headers.] .LP In addition to the above, there are some special `primitive' keywords that don't follow the pattern: .BR gateway , .BR broadcast , .BR less , .B greater and arithmetic expressions. All of these are described below. .LP More complex filter expressions are built up by using the words .BR and , .B or and .B not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'. .LP Allowable primitives are: .IP "\fBdst host \fIhost\fR" True if the IPv4/v6 destination field of the packet is \fIhost\fP, which may be either an address or a name. .IP "\fBsrc host \fIhost\fR" True if the IPv4/v6 source field of the packet is \fIhost\fP. .IP "\fBhost \fIhost\fP True if either the IPv4/v6 source or destination of the packet is \fIhost\fP. Any of the above host expressions can be prepended with the keywords, \fBip\fP, \fBarp\fP, \fBrarp\fP, or \fBip6\fP as in: .in +.5i .nf \fBip host \fIhost\fR .fi .in -.5i which is equivalent to: .in +.5i .nf \fBether proto \fI\\ip\fB and host \fIhost\fR .fi .in -.5i If \fIhost\fR is a name with multiple IP addresses, each address will be checked for a match. .IP "\fBether dst \fIehost\fP True if the ethernet destination address is \fIehost\fP. \fIEhost\fP may be either a name from /etc/ethers or a number (see .IR ethers (3N) for numeric format). .IP "\fBether src \fIehost\fP True if the ethernet source address is \fIehost\fP. .IP "\fBether host \fIehost\fP True if either the ethernet source or destination address is \fIehost\fP. .IP "\fBgateway\fP \fIhost\fP True if the packet used \fIhost\fP as a gateway. I.e., the ethernet source or destination address was \fIhost\fP but neither the IP source nor the IP destination was \fIhost\fP. \fIHost\fP must be a name and must be found both by the machine's host-name-to-IP-address resolution mechanisms (host name file, DNS, NIS, etc.) and by the machine's host-name-to-Ethernet-address resolution mechanism (/etc/ethers, etc.). (An equivalent expression is .in +.5i .nf \fBether host \fIehost \fBand not host \fIhost\fR .fi .in -.5i which can be used with either names or numbers for \fIhost / ehost\fP.) This syntax does not work in IPv6-enabled configuration at this moment. .IP "\fBdst net \fInet\fR" True if the IPv4/v6 destination address of the packet has a network number of \fInet\fP. \fINet\fP may be either a name from /etc/networks or a network number (see \fInetworks(4)\fP for details). .IP "\fBsrc net \fInet\fR" True if the IPv4/v6 source address of the packet has a network number of \fInet\fP. .IP "\fBnet \fInet\fR" True if either the IPv4/v6 source or destination address of the packet has a network number of \fInet\fP. .IP "\fBnet \fInet\fR \fBmask \fInetmask\fR" True if the IP address matches \fInet\fR with the specific \fInetmask\fR. May be qualified with \fBsrc\fR or \fBdst\fR. Note that this syntax is not valid for IPv6 \fInet\fR. .IP "\fBnet \fInet\fR/\fIlen\fR" True if the IPv4/v6 address matches \fInet\fR with a netmask \fIlen\fR bits wide. May be qualified with \fBsrc\fR or \fBdst\fR. .IP "\fBdst port \fIport\fR" True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of \fIport\fP. The \fIport\fP can be a number or a name used in /etc/services (see .IR tcp (4P) and .IR udp (4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., \fBdst port 513\fR will print both tcp/login traffic and udp/who traffic, and \fBport domain\fR will print both tcp/domain and udp/domain traffic). .IP "\fBsrc port \fIport\fR" True if the packet has a source port value of \fIport\fP. .IP "\fBport \fIport\fR" True if either the source or destination port of the packet is \fIport\fP. Any of the above port expressions can be prepended with the keywords, \fBtcp\fP or \fBudp\fP, as in: .in +.5i .nf \fBtcp src port \fIport\fR .fi .in -.5i which matches only tcp packets whose source port is \fIport\fP. .IP "\fBless \fIlength\fR" True if the packet has a length less than or equal to \fIlength\fP. This is equivalent to: .in +.5i .nf \fBlen <= \fIlength\fP. .fi .in -.5i .IP "\fBgreater \fIlength\fR" True if the packet has a length greater than or equal to \fIlength\fP. This is equivalent to: .in +.5i .nf \fBlen >= \fIlength\fP. .fi .in -.5i .IP "\fBip proto \fIprotocol\fR" True if the packet is an IP packet (see .IR ip (4P)) of protocol type \fIprotocol\fP. \fIProtocol\fP can be a number or one of the names \fIicmp\fP, \fIicmp6\fP, \fIigmp\fP, \fIigrp\fP, \fIpim\fP, \fIah\fP, \fIesp\fP, \fIvrrp\fP, \fIudp\fP, or \fItcp\fP. Note that the identifiers \fItcp\fP, \fIudp\fP, and \fIicmp\fP are also keywords and must be escaped via backslash (\\), which is \\\\ in the C-shell. Note that this primitive does not chase the protocol header chain. .IP "\fBip6 proto \fIprotocol\fR" True if the packet is an IPv6 packet of protocol type \fIprotocol\fP. Note that this primitive does not chase the protocol header chain. .IP "\fBip6 protochain \fIprotocol\fR" True if the packet is IPv6 packet, and contains protocol header with type \fIprotocol\fR in its protocol header chain. For example, .in +.5i .nf \fBip6 protochain 6\fR .fi .in -.5i matches any IPv6 packet with TCP protocol header in the protocol header chain. The packet may contain, for example, authentication header, routing header, or hop-by-hop option header, between IPv6 header and TCP header. The BPF code emitted by this primitive is complex and cannot be optimized by BPF optimizer code in \fItcpdump\fP, so this can be somewhat slow. .IP "\fBip protochain \fIprotocol\fR" Equivalent to \fBip6 protochain \fIprotocol\fR, but this is for IPv4. .IP "\fBether broadcast\fR" True if the packet is an ethernet broadcast packet. The \fIether\fP keyword is optional. .IP "\fBip broadcast\fR" True if the packet is an IP broadcast packet. It checks for both the all-zeroes and all-ones broadcast conventions, and looks up the local subnet mask. .IP "\fBether multicast\fR" True if the packet is an ethernet multicast packet. The \fIether\fP keyword is optional. This is shorthand for `\fBether[0] & 1 != 0\fP'. .IP "\fBip multicast\fR" True if the packet is an IP multicast packet. .IP "\fBip6 multicast\fR" True if the packet is an IPv6 multicast packet. .IP "\fBether proto \fIprotocol\fR" True if the packet is of ether type \fIprotocol\fR. \fIProtocol\fP can be a number or one of the names \fIip\fP, \fIip6\fP, \fIarp\fP, \fIrarp\fP, \fIatalk\fP, \fIaarp\fP, \fIdecnet\fP, \fIsca\fP, \fIlat\fP, \fImopdl\fP, \fImoprc\fP, \fIiso\fP, \fIstp\fP, \fIipx\fP, or \fInetbeui\fP. Note these identifiers are also keywords and must be escaped via backslash (\\). .IP [In the case of FDDI (e.g., `\fBfddi protocol arp\fR') and Token Ring (e.g., `\fBtr protocol arp\fR'), for most of those protocols, the protocol identification comes from the 802.2 Logical Link Control (LLC) header, which is usually layered on top of the FDDI or Token Ring header. .IP When filtering for most protocol identifiers on FDDI or Token Ring, \fItcpdump\fR checks only the protocol ID field of an LLC header in so-called SNAP format with an Organizational Unit Identifier (OUI) of 0x000000, for encapsulated Ethernet; it doesn't check whether the packet is in SNAP format with an OUI of 0x000000. .IP The exceptions are \fIiso\fP, for which it checks the DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) fields of the LLC header, \fIstp\fP and \fInetbeui\fP, where it checks the DSAP of the LLC header, and \fIatalk\fP, where it checks for a SNAP-format packet with an OUI of 0x080007 and the Appletalk etype. .IP In the case of Ethernet, \fItcpdump\fR checks the Ethernet type field for most of those protocols; the exceptions are \fIiso\fP, \fIsap\fP, and \fInetbeui\fP, for which it checks for an 802.3 frame and then checks the LLC header as it does for FDDI and Token Ring, \fIatalk\fP, where it checks both for the Appletalk etype in an Ethernet frame and for a SNAP-format packet as it does for FDDI and Token Ring, \fIaarp\fP, where it checks for the Appletalk ARP etype in either an Ethernet frame or an 802.2 SNAP frame with an OUI of 0x000000, and \fIipx\fP, where it checks for the IPX etype in an Ethernet frame, the IPX DSAP in the LLC header, the 802.3 with no LLC header encapsulation of IPX, and the IPX etype in a SNAP frame.] .IP "\fBdecnet src \fIhost\fR" True if the DECNET source address is .IR host , which may be an address of the form ``10.123'', or a DECNET host name. [DECNET host name support is only available on Ultrix systems that are configured to run DECNET.] .IP "\fBdecnet dst \fIhost\fR" True if the DECNET destination address is .IR host . .IP "\fBdecnet host \fIhost\fR" True if either the DECNET source or destination address is .IR host . .IP "\fBip\fR, \fBip6\fR, \fBarp\fR, \fBrarp\fR, \fBatalk\fR, \fBaarp\fR, \fBdecnet\fR, \fBiso\fR, \fBstp\fR, \fBipx\fR, \fInetbeui\fP" Abbreviations for: .in +.5i .nf \fBether proto \fIp\fR .fi .in -.5i where \fIp\fR is one of the above protocols. .IP "\fBlat\fR, \fBmoprc\fR, \fBmopdl\fR" Abbreviations for: .in +.5i .nf \fBether proto \fIp\fR .fi .in -.5i where \fIp\fR is one of the above protocols. Note that \fItcpdump\fP does not currently know how to parse these protocols. .IP "\fBvlan \fI[vlan_id]\fR" True if the packet is an IEEE 802.1Q VLAN packet. If \fI[vlan_id]\fR is specified, only true is the packet has the specified \fIvlan_id\fR. Note that the first \fBvlan\fR keyword encountered in \fIexpression\fR changes the decoding offsets for the remainder of \fIexpression\fR on the assumption that the packet is a VLAN packet. .IP "\fBtcp\fR, \fBudp\fR, \fBicmp\fR" Abbreviations for: .in +.5i .nf \fBip proto \fIp\fR\fB or ip6 proto \fIp\fR .fi .in -.5i where \fIp\fR is one of the above protocols. .IP "\fBiso proto \fIprotocol\fR" True if the packet is an OSI packet of protocol type \fIprotocol\fP. \fIProtocol\fP can be a number or one of the names \fIclnp\fP, \fIesis\fP, or \fIisis\fP. .IP "\fBclnp\fR, \fBesis\fR, \fBisis\fR" Abbreviations for: .in +.5i .nf \fBiso proto \fIp\fR .fi .in -.5i where \fIp\fR is one of the above protocols. Note that \fItcpdump\fR does an incomplete job of parsing these protocols. .PP .SH EXAMPLES Here are some examples of the use of NAST: .br .SH nast \-f "src 192.168.1.2" .br In this example with the help of the filter we choose to see only the traffic from 192.168.1.2 .br .SH nast \-p \-B \-\-ld logfile.txt .br Here we run nast in background mode and log all data that pass through our NIC. .br .SH nast \-S \-l logfile.txt .br In this other case we log the results of the port scanner in the file "logfile.txt" .br .SH nast \-c \-B .br This is a very useful options. We run in background mode nast that checks if someone is arp-poisoning. .br .PP .SH SUPPORTED PLATFORMS Tested: .br * Linux 2.4.x .br * Linux 2.6.x .br * FreeBSD 5.x .br * FreeBSD 4.x .LP Not tested yet: .br * Linux 2.2.x .PP .SH AVAILABILITY Official web site: http://nast.berlios.de .br Newsletter: http://lists.berlios.de/mailman/listinfo/nast-news .PP .SH KNOWN BUGS * Promiscuous mode scanner many times returns wrong results .br * Sometimes the port scanner generates false results .LP Please report bugs to authors .PP .SH AUTHORS Embyte .br Snifth .PP .SH LICENSE GNU GENERAL PUBLIC LICENSE Version 2, June 1991 .br See COPYING for details.