-rw-r--r-- | curvetun.8 | 2
-rw-r--r-- | mausezahn.8 | 184
-rw-r--r-- | netsniff-ng.8 | 37
3 files changed, 112 insertions, 111 deletions
@@ -333,7 +333,7 @@ Client side's IP on eth0 is i.e. 5.6.7.8: client# ... lookup your default gateway (e.g. via route, here: 5.6.7.9) ... client# ifconfig curvec0 up client# ifconfig curvec0 10.0.0.2/24 - client# route add -net 1.2.3.0 netmask 255.255.255.0 gw 5.6.7.9 dev eth0 + client# route add \-net 1.2.3.0 netmask 255.255.255.0 gw 5.6.7.9 dev eth0 client# route add default gw 10.0.0.1 client# route del default gw 5.6.7.9 .PP diff --git a/mausezahn.8 b/mausezahn.8 index 1e67562..e124322 100644 --- a/mausezahn.8 +++ b/mausezahn.8 @@ -218,12 +218,12 @@ nowhere. .PP Using the interactive mode requires to start mausezahn as server: .PP - mausezahn -x + mausezahn \-x .PP Now you can telnet(1) to that server using the default port number 25542, but also an arbitrary port number can be specified: .PP - mausezahn -x 99 + mausezahn \-x 99 .PP mausezahn accepts incoming telnet connections on port 99. .PP 
@@ -619,49 +619,49 @@ All major command line options are listed when you execute mausezahn without arguments. For practical usage keep the following special (not so widely known) options in mind: .PP - -r Multiplies the specified delay with a random value. - -p <length> Pad the raw frame to specified length (using random bytes). - -P <ASCII Payload> Use the specified ASCII payload. - -f <filename> Read the ASCII payload from a file. - -F <filename> Read the hexadecimal payload from a file. - -S Simulation mode: DOES NOT put anything on the wire. + \-r Multiplies the specified delay with a random value. + \-p <length> Pad the raw frame to specified length (using random bytes). + \-P <ASCII Payload> Use the specified ASCII payload. + \-f <filename> Read the ASCII payload from a file. + \-F <filename> Read the hexadecimal payload from a file. + \-S Simulation mode: DOES NOT put anything on the wire. This is typically combined with one of the verbose - modes (-v or V). + modes (\-v or V). .PP -Many options require a keyword or a number but the -t option is an exception +Many options require a keyword or a number but the \-t option is an exception since it requires both a packet type (such as ip, udp, dns, etc) and an argument string which is specific for that packet type. Here are some simple examples: .PP - mausezahn -t help - mausezahn -t tcp help - mausezahn eth3 -t udp sp=69,dp=69,p=ca:fe:ba:be + mausezahn \-t help + mausezahn \-t tcp help + mausezahn eth3 \-t udp sp=69,dp=69,p=ca:fe:ba:be .PP Note: Don't forget that on the CLI the Linux shell (usually the Bash) interprets spaces as a delimiter character. That is, if you are specifying an argument that consists of multiple words with spaces in between, you MUST group this with quotes. 
For example, instead of .PP - mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33 + mausezahn eth0 \-t udp sp=1,dp=80,p=00:11:22:33 .PP you could either omit the spaces .PP - mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33 + mausezahn eth0 \-t udp sp=1,dp=80,p=00:11:22:33 .PP or, even more safe, use quotes: .PP - mausezahn eth0 -t udp "sp=1,dp=80,p=00:11:22:33" + mausezahn eth0 \-t udp "sp=1,dp=80,p=00:11:22:33" .PP In order to monitor what's going on, you can enable the verbose mode using -the -v option. The opposite is the quiet mode (-q) which will keep mausezahn +the \-v option. The opposite is the quiet mode (\-q) which will keep mausezahn absolutely quiet (except for error messages and warnings.) .PP -Don't confuse the payload argument p=... with the padding option -p. The latter +Don't confuse the payload argument p=... with the padding option \-p. The latter is used outside the quotes! .PP .SS The automatic packet builder: .PP -An important argument is "-t" which invokes a packet builder. Currently there +An important argument is "\-t" which invokes a packet builder. Currently there are packet builders for ARP, BPDU, CDP, IP, partly ICMP, UDP, TCP, RTP, DNS, and SYSLOG. (Additionally you can insert a VLAN tag or a MPLS label stack but this works independent of the packet builder.) 
@@ -669,18 +669,18 @@ this works independent of the packet builder.) You get context specific help of every packet builder using the help keyword, such as: .PP - mausezahn -t bpdu help - mausezahn -t tcp help + mausezahn \-t bpdu help + mausezahn \-t tcp help .PP For every packet you may specify an optional payload. This can be done either via HEX notation using the payload (or short p) argument or directly as ASCII -text using the -P option: +text using the \-P option: .PP - mausezahn eth0 -t ip -P "Hello World" # ASCII payload - mausezahn eth0 -t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64 # hex payload - mausezahn eth0 -t ip "proto=89, \\ - p=68:65:6c:6c:6f:20:77:6f:72:6c:64, \\ # same with other - ttl=1" # IP arguments + mausezahn eth0 \-t ip \-P "Hello World" # ASCII payload + mausezahn eth0 \-t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64 # hex payload + mausezahn eth0 \-t ip "proto=89, \\ + p=68:65:6c:6c:6f:20:77:6f:72:6c:64, \\ # same with other + ttl=1" # IP arguments .PP Note: The raw link access mode only accepts hex payloads (because you specify everything in hex here.) @@ -688,11 +688,11 @@ everything in hex here.) .SS Packet count and delay: .PP Per default only one packet is sent. If you want to send more packets then -use the count option -c <count>. When count is zero then mausezahn will send +use the count option \-c <count>. When count is zero then mausezahn will send forever. Per default mausezahn sends at maximum speed (and this is really fast ;-)). If you don't want to overwhelm your network devices or have other reasons to send at a slower rate then you might want to specify a delay using -the -d <delay> option. +the \-d <delay> option. .PP If you only specify a numeric value it is interpreted in microsecond units. Alternatively, for easier use, you might specify units such as seconds sec or 
@@ -701,15 +701,15 @@ spaces between the value and the unit! Here are typical examples: .PP Send infinite frames as fast as possible: .PP - mausezahn -c 0 "aa bb cc dd ...." + mausezahn \-c 0 "aa bb cc dd ...." .PP Send 100,000 frames with a 50 msec interval: .PP - mausezahn -c 100000 -d 50msec "aa bb cc dd ...." + mausezahn \-c 100000 \-d 50msec "aa bb cc dd ...." .PP Send infinite BPDU frames in a 2 second interval: .PP - mausezahn -c 0 -d 2s -t bpdu conf + mausezahn \-c 0 \-d 2s \-t bpdu conf .PP Note: mausezahn does not support fractional numbers. If you want to specify for example 2.5 seconds then express this e.g. in milliseconds (2500 msec). @@ -717,12 +717,12 @@ example 2.5 seconds then express this e.g. in milliseconds (2500 msec). .SS Source and destination addresses: .PP As mnemonic trick keep in mind that all packets run from "A" to "B". You can -always specify source and/or destination MAC addresses using the -a and -b +always specify source and/or destination MAC addresses using the \-a and \-b options, respectively. These options also allow keywords such as rand, own, bpdu, cisco, and others. .PP -Similarly, you can specify source and destination IP addresses using the -A -and -B options, respectively. These options also support FQDNs (i.e. domain +Similarly, you can specify source and destination IP addresses using the \-A +and \-B options, respectively. These options also support FQDNs (i.e. domain names) and ranges such as 192.168.0.0/24 or 10.0.0.11-10.0.3.22. Additionally (only) the source address supports the rand keyword (ideal for "attacks"). .PP 
@@ -748,9 +748,9 @@ created by the WiFi-driver. As example to introduce some interesting options, lets continuously send frames at max speed with random source MAC address and broadcast destination address, additionally pad the frame to 1000 bytes: .PP - mausezahn eth0 -c 0 -a rand -b bcast -p 1000 "08 00 aa bb cc dd" + mausezahn eth0 \-c 0 \-a rand \-b bcast \-p 1000 "08 00 aa bb cc dd" .PP -The direct link access supports automatic padding using the -p <total frame +The direct link access supports automatic padding using the \-p <total frame length> option. This allows you to pad a raw L2 frame to the desired length. You must specify the total length and the total frame length must have at least 15 bytes for technical reasons. Zero bytes are used for this padding. @@ -764,18 +764,18 @@ sent with your own interface addresses as source MAC and IP address, and a broadcast destination MAC/IP address. Send a gratitious ARP (as used for duplicate IP detection): .PP - mausezahn eth0 -t arp + mausezahn eth0 \-t arp .PP ARP cache poisoning: .PP - mausezahn eth0 -t arp "reply, senderip=192.168.0.1, targetmac=00:00:0c:01:02:03, \\ - targetip=172.16.1.50" + mausezahn eth0 \-t arp "reply, senderip=192.168.0.1, targetmac=00:00:0c:01:02:03, \\ + targetip=172.16.1.50" .PP where by default your interface MAC address will be used as sendermac, senderip denotes the spoofed IP, targetmac and targetip identifies the receiver. By default the Ethernet source address is your interface MAC and the destination address is broadcast. Of course you can change this using again the -flags -a and -b. +flags \-a and \-b. .PP .SS `-- BPDU: .PP 
@@ -784,14 +784,14 @@ create the Spanning Tree in bridged networks). By default standard IEEE 802.1d (CST) BPDUs are sent and it is assumed that your computer wants to become the root bridge (rid=bid). Optionally the 802.3 destination address can be a specified MAC address, broadcast, own MAC, or Cisco's PVST+ MAC address. The -destination MAC can be specified using the -b command which (besides MAC +destination MAC can be specified using the \-b command which (besides MAC addresses) accepts keywords such as bcast, own, pvst, or stp (default). Since version 0.16 PVST+ is supported. Simply specify the VLAN for which you want to send a BPDU: .PP - mausezahn eth0 -t bpdu "vlan=123, rid=2000" + mausezahn eth0 \-t bpdu "vlan=123, rid=2000" .PP -See mausezahn -t bpdu help for more details. +See mausezahn \-t bpdu help for more details. .PP .SS `-- CDP: .PP 
@@ -802,44 +802,44 @@ example p=00:0e:00:07:01:01:90) and if you want to stress the CDP database of some device, mausezahn can send each CDP message with another system-id using the change keyword: .PP - mausezahn -t cdp change -c 0 + mausezahn \-t cdp change \-c 0 .PP Some routers and switches may run into deep problems ;-) See -mausezahn -t cdp help for more details. +mausezahn \-t cdp help for more details. .PP .SS `-- 802.1Q VLAN Tags: .PP mausezahn allows simple VLAN tagging for IP (and other higher layer) packets. -Simply use the option -Q <[CoS:]VLAN>, such as -Q 10 or -Q 3:921. By +Simply use the option \-Q <[CoS:]VLAN>, such as \-Q 10 or \-Q 3:921. By default CoS=0. For example send a TCP packet in VLAN 500 using CoS=7: .PP - mausezahn eth0 -t tcp -Q 7:500 "dp=80, flags=rst, p=aa:aa:aa" + mausezahn eth0 \-t tcp \-Q 7:500 "dp=80, flags=rst, p=aa:aa:aa" .PP You can create as many VLAN tags as you want! This is interesting to create QinQ encapsulations or VLAN hopping: Send a UDP packet with VLAN tags 100 (outer) and 651 (inner): .PP - mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q 100,651 + mausezahn eth0 \-t udp "dp=8888, sp=13442" \-P "Mausezahn is great" \-Q 100,651 .PP Don't know if this is useful anywhere but at least it is possible: .PP - mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" \\ - -Q 6:5,7:732,5:331,5,6 + mausezahn eth0 \-t udp "dp=8888, sp=13442" \-P "Mausezahn is great" \\ + \-Q 6:5,7:732,5:331,5,6 .PP Mix it with MPLS: .PP - mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q 100,651 -M 314 + mausezahn eth0 \-t udp "dp=8888, sp=13442" \-P "Mausezahn is great" \-Q 100,651 \-M 314 .PP Only in raw Layer 2 mode you must create the VLAN tag completely by yourself. 
For example if you want to send a frame in VLAN 5 using CoS 0 simply specify 81:00 as type field and for the next two bytes the CoS (, CFI) and VLAN values: .PP - mausezahn eth0 -b bc -a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-aa-aa" + mausezahn eth0 \-b bc \-a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-aa-aa" .PP .SS `-- MPLS labels: .PP mausezahn allows you to insert one or more MPLS headers. Simply use the option --M <label:CoS:TTL:BoS> where only the label is mandatory. If you specify a +\-M <label:CoS:TTL:BoS> where only the label is mandatory. If you specify a second number it is interpreted as the experimental bits (the CoS usually). If you specify a third number it is interpreted as TTL. Per default the TTL is set to 255. The Bottom of Stack flag is set automatically (otherwise the frame @@ -849,23 +849,23 @@ each MPLS header definition. Here are some examples: .PP Use MPLS label 214: .PP - mausezahn eth0 -M 214 -t tcp "dp=80" -P "HTTP..." -B myhost.com + mausezahn eth0 \-M 214 \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com .PP Use three labels (the 214 is now the outer): .PP - mausezahn eth0 -M 9999,51,214 -t tcp "dp=80" -P "HTTP..." -B myhost.com + mausezahn eth0 \-M 9999,51,214 \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com .PP Use two labels, one with CoS=5 and TTL=1, the other with CoS=7: .PP - mausezahn eth0 -M 100:5:1,500:7 -t tcp "dp=80" -P "HTTP..." -B myhost.com + mausezahn eth0 \-M 100:5:1,500:7 \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com .PP Unset the BoS flag (which will result in an invalid frame): .PP - mausezahn eth0 -M 214:s -t tcp "dp=80" -P "HTTP..." -B myhost.com + mausezahn eth0 \-M 214:s \-t tcp "dp=80" \-P "HTTP..." \-B myhost.com .PP .SS Layer 3-7: .PP -IP, UDP, and TCP packets can be padded using the -p option. Currently 0x42 is +IP, UDP, and TCP packets can be padded using the \-p option. Currently 0x42 is used as padding byte ('the answer'). You cannot pad DNS packets (would be useless anyway). .PP 
@@ -873,7 +873,7 @@ useless anyway). .PP mausezahn allows you to send any (malformed or correct) IP packet. Every field in the IP header can be manipulated. The IP addresses can be specified via -the -A and -B options, denoting the source and destination address, +the \-A and \-B options, denoting the source and destination address, respectively. You can also specify an address range or a host name (FQDN). Additionally, the source address can also be random. By default the source address is your interface IP address and the destination address is a @@ -881,15 +881,15 @@ broadcast. Here are some examples: .PP Ascii payload: .PP - mausezahn eth0 -t ip -A rand -B 192.168.1.0/24 -P "hello world" + mausezahn eth0 \-t ip \-A rand \-B 192.168.1.0/24 \-P "hello world" .PP Hex payload: .PP - mausezahn eth0 -t ip -A 10.1.0.1-10.1.255.254 -B 255.255.255.255 p=ca:fe:ba:be + mausezahn eth0 \-t ip \-A 10.1.0.1-10.1.255.254 \-B 255.255.255.255 p=ca:fe:ba:be .PP Will use correct source IP address: .PP - mausezahn eth0 -t ip -B www.xyz.com + mausezahn eth0 \-t ip \-B www.xyz.com .PP The Type of Service (ToS) byte can either be specified directly by two hexadecimal digits (which means you can also easily set the Explicit @@ -898,7 +898,7 @@ specify a common DSCP value (bits 3-8) using a decimal number (0..63): .PP Packet sent with DSCP = Expedited Forwarding (EF): .PP - mausezahn eth0 -t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af + mausezahn eth0 \-t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af .PP If you leave the checksum zero (or unspecified) the correct checksum will be automatically computed. Note that you can only use a wrong checksum when 
@@ -907,26 +907,26 @@ you also specify at least one L2 field manually. .SS `-- UDP: .PP mausezahn support easy UDP datagram generation. Simply specify the -destination address (-B option) and optionally an arbitrary source address -(-A option) and as arguments you may specify the port numbers using the +destination address (\-B option) and optionally an arbitrary source address +(\-A option) and as arguments you may specify the port numbers using the dp (destination port) and sp (source port) arguments and a payload. You can also easily specify a whole port range which will result in sending multiple packets. Here are some examples: .PP Send test packets to the RTP port range: .PP - mausezahn eth0 -B 192.168.1.1 -t udp "dp=16384-32767, \\ - p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00" + mausezahn eth0 \-B 192.168.1.1 \-t udp "dp=16384-32767, \\ + p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00" .PP Send a DNS request as local broadcast (often a local router replies): .PP - mausezahn eth0 -t udp dp=53,p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\\ - 77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01" + mausezahn eth0 \-t udp dp=53,p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-\\ + 77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01" .PP Additionally you may specify the length and checksum using the len and sum arguments (will be set correctly by default). Note: several protocols have same arguments such as len (length) and sum (checksum). If you specified a udp type -packet (via -t udp) and want to modify the IP length, then use the alternate +packet (via \-t udp) and want to modify the IP length, then use the alternate keyword iplen and ipsum. Also note that you must specify at least one L2 field which tells mausezahn to build everything without help of your kernel (the kernel would not allow to modify the IP checksum and the IP length). 
@@ -937,7 +937,7 @@ mausezahn currently only supports the following ICMP methods: PING (echo request), Redirect (various types), Unreachable (various types). Additional ICMP types will be supported in future. Currently you would need to tailor them by your own, e.g. using the IP packet builder (setting proto=1). Use the -mausezahn -t icmp help for help on actually implemented options. +mausezahn \-t icmp help for help on actually implemented options. .PP .SS `-- TCP: .PP @@ -948,8 +948,8 @@ you want to specify multiple flags. For example, a SYN-Flood attack against host 1.1.1.1 using a random source IP address and periodically using all 1023 well-known ports could be created via: .PP - mausezahn eth0 -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn" \\ - -P "Good morning! This is a SYN Flood Attack. \\ + mausezahn eth0 \-A rand \-B 1.1.1.1 \-c 0 \-t tcp "dp=1-1023, flags=syn" \\ + \-P "Good morning! This is a SYN Flood Attack. \\ We apologize for any inconvenience." .PP Be careful with such SYN floods and only use them for firewall testing. Check 
@@ -959,16 +959,16 @@ sequence number (SQNR). If you want to try a DoS attack by sending a RST-flood and you do NOT know the target's initial SQNR (which is normally the case) then you may want to sweep through a range of sequence numbers: .PP - mausezahn eth0 -A legal.host.com -B target.host.com \\ - -t tcp "sp=80,dp=80,s=1-4294967295" + mausezahn eth0 \-A legal.host.com \-B target.host.com \\ + \-t tcp "sp=80,dp=80,s=1-4294967295" .PP Fortunately, the SQNR must match the target host's acknowledgement number plus the announced window size. Since the typical window size is something between 40000 and 65535 you are MUCH quicker when using an increment using the ds argument: .PP - mausezahn eth0 -A legal.host.com -B target.host.com \\ - -t tcp "sp=80, dp=80, s=1-4294967295, ds=40000" + mausezahn eth0 \-A legal.host.com \-B target.host.com \\ + \-t tcp "sp=80, dp=80, s=1-4294967295, ds=40000" .PP In the latter case mausezahn will only send 107375 packets instead of 4294967295 (which results in a duration of approximately 1 second compared to @@ -982,14 +982,14 @@ mausezahn supports UDP-based DNS requests or responses. Typically you may want to send a query or an answer. As usual you can modify every flag in the header. Here is an example of a simple query: .PP - mausezahn eth0 -B mydns-server.com -t dns "q=www.ibm.com" + mausezahn eth0 \-B mydns-server.com \-t dns "q=www.ibm.com" .PP You can also create server-type messages: .PP - mausezahn eth0 -A spoofed.dns-server.com -B target.host.com \\ + mausezahn eth0 \-A spoofed.dns-server.com \-B target.host.com \\ "q=www.topsecret.com, a=172.16.1.1" .PP -The syntax according to the online help (-t dns help) is: +The syntax according to the online help (\-t dns help) is: .PP query|q = <name>[:<type>] ............. where type is per default "A" (and class is always "IN") 
@@ -1004,7 +1004,7 @@ additionally add an 'answer' then an answer is sent. Examples: q = www.xyz.com, a=A:3600:192.168.1.10 q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10 .PP -Please try out mausezahn -t dns help to see the many other optional command +Please try out mausezahn \-t dns help to see the many other optional command line options. .PP .SS `-- RTP and VoIP path measurements: @@ -1017,11 +1017,11 @@ low-pass filtered estimation specified in RFC 3550 or using an alternative "real-time" method which is even more precise (the RFC-method is used by default). For example on Host1 you start a transmission process: .PP - mausezahn -t rtp -B 192.168.1.19 + mausezahn \-t rtp \-B 192.168.1.19 .PP And on Host2 (192.168.1.19) a receiving process which performs the measurement: .PP - mausezahn -T rtp + mausezahn \-T rtp .PP Note that the option flag with the capital "T" means that it is a server RTP process, waiting for incoming RTP packets from any mausezahn source. In case @@ -1030,11 +1030,11 @@ perform a bidirectional measurement, you must specify a stream identifier. Here is an example for bidirectional measurements which logs the running jitter average in a file: .PP - Host1# mausezahn -t rtp id=11:11:11:11 -B 192.168.2.2 & - Host1# mausezahn -T rtp id=22:22:22:22 "log, path=/tmp/mz/" + Host1# mausezahn \-t rtp id=11:11:11:11 \-B 192.168.2.2 & + Host1# mausezahn \-T rtp id=22:22:22:22 "log, path=/tmp/mz/" .PP - Host2# mausezahn -t rtp id=22:22:22:22 -B 192.168.1.1 & - Host2# mausezahn -T rtp id=11:11:11:11 "log, path=/tmp/mz/" + Host2# mausezahn \-t rtp id=22:22:22:22 \-B 192.168.1.1 & + Host2# mausezahn \-T rtp id=11:11:11:11 "log, path=/tmp/mz/" .PP In any case the measurements are printed continuously onto the screen; by default it looks like this: 
@@ -1061,7 +1061,7 @@ default it looks like this: .PP More information is shown using the txt keyword: .PP - mausezahn -T rtp txt + mausezahn \-T rtp txt Got 100 packets from host 192.168.0.3: 0 lost (0 absolute lost), 1 out of order Jitter_RFC (low pass filtered) = 30 usec Samples jitter (min/avg/max) = 1/186/2527 usec @@ -1075,7 +1075,7 @@ More information is shown using the txt keyword: Samples jitter (min/avg/max) = 0/91/1683 usec Delta-RX (min/avg/max) = 18673/20378/24822 usec .PP -See mausezahn -t rtp help and mz -T rtp help for more details. +See mausezahn \-t rtp help and mz \-T rtp help for more details. .PP .SS `-- Syslog: .PP @@ -1084,9 +1084,9 @@ and is sometimes vulnerable. For example you might insert forged Syslog messages by spoofing your source address (e.g. impersonate the address of a legit network device): .PP - mausezahn -t syslog sev=3 -P "You have been mausezahned." -A 10.1.1.109 -B 192.168.7.7 + mausezahn \-t syslog sev=3 \-P "You have been mausezahned." \-A 10.1.1.109 \-B 192.168.7.7 .PP -See mausezahn -t syslog help for more details. +See mausezahn \-t syslog help for more details. .PP .SH NOTE .PP diff --git a/netsniff-ng.8 b/netsniff-ng.8 index 7b6f9a4..08fe192 100644 --- a/netsniff-ng.8 +++ b/netsniff-ng.8 
@@ -124,14 +124,14 @@ Otherwise, a number given as an unsigned integer will limit processing. .SS -P <name>, --prefix <name> When dumping pcap files into a folder, a file name prefix can be defined with this option. If not otherwise specified, the default prefix is \[lq]dump\-\[rq] -followed by a Unix timestamp. Use \[lq]--prefex ""\[rq] to set filename as seconds -since the Unix Epoch e.g. 1369179203.pcap +followed by a Unix timestamp. Use \[lq]\-\-prefex ""\[rq] to set filename as +seconds since the Unix Epoch e.g. 1369179203.pcap .PP .SS -T <pcap-magic>, --magic <pcap-magic> Specify a pcap type for storage. Different pcap types with their various meta -data capabilities are shown with option \[lq]-D\[rq]. If not otherwise specified, the -pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-capable pcap format, is -used. Pcap files with swapped endianness are also supported. +data capabilities are shown with option \[lq]\-D\[rq]. If not otherwise +specified, the pcap-magic 0xa1b2c3d4, also known as a standard tcpdump-capable +pcap format, is used. Pcap files with swapped endianness are also supported. .PP .SS -D, --dump-pcap-types Dump all available pcap types with their capabilities and magic numbers that @@ -235,8 +235,8 @@ the packet dissector output to the terminal. No files will be recorded. .SS netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1e2cb12 -b 0 tcp or udp Capture TCP or UDP traffic from the networking device eth0 into the pcap file named dump.pcap, which has netsniff-ng specific pcap extensions (see -\[lq]netsniff-ng -D\[rq] for capabilities). Also, do not print the content to the -terminal and pin the process and NIC IRQ affinity to CPU 0. The pcap write +\[lq]netsniff-ng \-D\[rq] for capabilities). Also, do not print the content to +the terminal and pin the process and NIC IRQ affinity to CPU 0. The pcap write method is scatter-gather I/O. .PP .SS netsniff-ng --in wlan0 --rfraw --out dump.pcap --silent --bind-cpu 0 
@@ -316,13 +316,14 @@ the bpfc(8) man page. Low-level filters can be used with netsniff-ng in the following way: .PP 1. bpfc foo > bar - 2. netsniff-ng -f bar + 2. netsniff-ng \-f bar .PP Here, foo is the bpfc program that will be translated into a netsniff-ng -readable \[lq]opcodes\[rq] file and passed to netsniff-ng through the -f option. +readable \[lq]opcodes\[rq] file and passed to netsniff-ng through the \-f +option. .PP -Similarly, high-level filter can be either passed through the -f option, -e.g. -f "tcp or udp" or at the end of all options without the \[lq]-f\[rq]. +Similarly, high-level filter can be either passed through the \-f option, +e.g. \-f "tcp or udp" or at the end of all options without the \[lq]\-f\[rq]. .PP The filter syntax is the same as in tcpdump(8), which is described in the man page pcap-filter(7). Just to quote some examples from pcap-filter(7): @@ -369,7 +370,7 @@ To select all ICMP packets that are not echo requests or replies .PP .SH PCAP FORMATS: .PP -netsniff-ng supports a couple of pcap formats, visible through ``netsniff-ng -D'': +netsniff-ng supports a couple of pcap formats, visible through ``netsniff-ng \-D'': .PP .SS tcpdump-capable pcap (default) Pcap magic number is encoded as 0xa1b2c3d4 resp. 0xd4c3b2a1. As packet meta data @@ -433,7 +434,7 @@ The easiest route is simply to impersonate the local gateway, stealing client traffic en route to some remote destination. Of course, the traffic must be forwarded by your attacking machine, either by enabling kernel IP forwarding or with a userland program that accomplishes the same -(fragrouter -B1). +(fragrouter \-B1). .PP Several people have reportedly destroyed connectivity on their LAN to the outside world by ARP spoofing the gateway, and forgetting to enable IP 
@@ -467,7 +468,7 @@ header is currently ignored. .PP Also, when replaying pcap files, demultiplexing traffic among multiple networking interfaces does not work. Currently, it is only sent via the -interface that is given by the --out parameter. +interface that is given by the \-\-out parameter. .PP When performing traffic capture on the Ethernet interface, the pcap file is created and packets are received but without a 802.1Q header. When one @@ -492,18 +493,18 @@ A user reported the following, just to demonstrate this mess: some tests were made with two machines, and it seems that results depend on the driver ... .PP AR8131: - ethtool -k eth0 gives "rx-vlan-offload: on" + ethtool \-k eth0 gives "rx-vlan-offload: on" - wireshark gets the vlan header - netsniff-ng doesn't get the vlan header - ethtool -K eth0 rxvlan off + ethtool \-K eth0 rxvlan off - wireshark gets a QinQ header even though noone sent QinQ - netsniff-ng gets the vlan header .PP RTL8111/8168B: - ethtool -k eth0 gives "rx-vlan-offload: on" + ethtool \-k eth0 gives "rx-vlan-offload: on" - wireshark gets the vlan header - netsniff-ng doesn't get the vlan header - ethtool -K eth0 rxvlan off + ethtool \-K eth0 rxvlan off - wireshark gets the vlan header - netsniff-ng doesn't get the vlan header .PP |
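
Review bot: In mausezahn.8, hunk @@ -619,49 +619,49 @@, the rewritten line "modes (\-v or V)." still names the second verbose option without its hyphen, so it reads as a bare letter; since the line is being touched anyway, make it "(\-v or \-V)". In the same hunk the "instead of" example and the "omit the spaces" example are character-for-character identical as shown here (both "sp=1,dp=80,p=00:11:22:33"), so the contrast the note about shell quoting relies on is lost; the first one should carry the spaces it warns about.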
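
Review bot: In mausezahn.8, hunk @@ -881,15 +881,15 @@, the hex payload example escapes the option hyphens but leaves the address range "10.1.0.1-10.1.255.254" with a plain "-". That hyphen is just as much a literal the reader copies to the shell as the one in "\-A", and unescaped it can be rendered as a typographic hyphen. Either escape range and byte-separator hyphens in example lines too (the same applies to "dp=16384-32767" and the "c5-2f-01-..." payload in the UDP hunk), or state in the commit message that only option dashes are in scope.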
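
Review bot: In mausezahn.8, hunk @@ -907,26 +907,26 @@, the DNS request example ends its continuation line with a closing double quote ("...00-01-00-01"") but the first line "mausezahn eth0 \-t udp dp=53,p=c5-2f-..." has no opening quote, so a reader who pastes it gets an unterminated string. Open the quote before "dp=53" as the RTP port range example directly above does, or drop the trailing one.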
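
Review bot: In mausezahn.8, hunk @@ -982,14 +982,14 @@, the server-type message example has no "\-t dns" anywhere: the changed first line carries only "\-A" and "\-B", and the unchanged continuation line goes straight to "q=www.topsecret.com, a=172.16.1.1". The query example just above it does include "\-t dns", so as written the argument string is not handed to the DNS packet builder. Add "\-t dns" before the quoted arguments while this line is being edited.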
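
Review bot: In mausezahn.8, hunk @@ -1075,7 +1075,7 @@, the rewritten sentence "See mausezahn \-t rtp help and mz \-T rtp help" mixes two command names; every other reference in this page uses "mausezahn". Use "mausezahn \-T rtp help" so the reader is not sent looking for a binary called mz.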
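
Review bot: In netsniff-ng.8, hunk @@ -124,14 +124,14 @@, the re-wrapped line keeps the misspelled option name in "\[lq]\-\-prefex ""\[rq]"; the section heading two lines above documents it as "--prefix", so this should be "\-\-prefix". The three ".SS" headings visible in this hunk ("-P <name>, --prefix <name>", "-T <pcap-magic>, --magic <pcap-magic>", "-D, --dump-pcap-types") also still use unescaped hyphens, which leaves the option names inconsistent with the body text this patch fixes.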
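
Review bot: In netsniff-ng.8, hunk @@ -369,7 +370,7 @@, the changed line quotes the command with ASCII ``netsniff-ng \-D'' while the other hunks in this file quote the same command as \[lq]netsniff-ng \-D\[rq]. Switch this one to \[lq] and \[rq] for consistent rendering, and note that the "netsniff-ng" in the quoted command keeps an unescaped hyphen here as it does elsewhere, which is fine for the program name but worth a deliberate decision.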