APS - LINUX packet sniffer in C

(This tool will not be continued; it will be replaced by a project called OOPS.
OOPS will be published here in a few weeks or months ... okay, maybe years ...)




All these tools are under the GNU Public License

aps-0.19.tar.gz (90kB / 2001-03-23)
aps-0.18.tar.gz (90kB / 2000-10-28)

Here are the binaries (without GTK-GUI of course :-)
      aps-0.19.bin.tar.gz (370kB)
      aps-0.18.bin.tar.gz (370kB)
      (statically linked ELF-binary, compiled with egcs-2.91.66   R1.1.2 on Slackware 7.0)

--For details on version differences see the - ChangeLog -
--To see what is planned read the - ToDo-List -
--You might also want to have a look at it -> THE SCREENSHOT (about 110Kb)

APS means Advanced Packet Sniffer. It is mainly the product of my great interest in networking, programming and the techniques that are used to make network traffic reliable and fast. The second reason is that I want to get into programming C for different (Linux/Unix) variants.

WHAT IT DOES:
APS tries to print detailed info about network frames that are received from a SOCK_RAW (ETH_P_ALL) socket. I am not sure if this is the clean way, but it works fine. (Maybe this will move to libpcap in some future release, at least I hope so!! :-) APS prints info about the hardware layer and the IP and TCP/UDP/ICMP header.
The tail of the packet (mostly the data) which could not be interpreted is written to the screen as ASCII dump, hex dump or both (your choice).

Here is an example of its output:


HW-ADDR: 00:60:8c:f6:40:96 -----> 00:80:ad:30:8f:3b 
IP-ADDR: 192.168.17.52   -----> 192.168.17.50
IP-Ver4  ||  Head:0x0a (bytes)  ||  Service(TOS):16  ||  Length over all:0061
Fragmentation:  ID:0x4079 - Flags: 0 1 0 - Offset:00000
TTL:064  ||  Protokoll:006 (TCP)   ||  HeaderCRC:0x567b
TCP-HEADER:
Ports: 0023-->1034 (telnet) Seq./Ack. Nr.:0x70843468 / 0xeae29434
Data-Offset:0x05  Reserved-6Bit:00  Flags:-urg-ACK-PSH-rst-syn-fin-
Window:0x7fe0  CRC:0x9420  Urgent-Pointer:0x0000

 73 61 74 75 72 6e 32 3a 2f 73 72 76 2f 70 72 69 6e 74 71 23 20


HW-ADDR: 52:54:40:25:8d:88 -----> ff:ff:ff:ff:ff:ff 
SAMBA/NetBios

 e0 e0 03 ff ff 00 22 00 11 00 00 00 00 ff ff ff ff ff ff 04 52 00 00 00 00 52
 40 25 8d 88 40 08 00 03 00 04 20 20 20 20 20 20 20 20 20


HW-ADDR: 00:80:ad:30:8f:3b -----> 00:60:8c:f6:40:96 
IP-ADDR: 192.168.17.50   -----> 194.112.123.200
IP-Ver4  ||  Head:0x0a (bytes)  ||  Service(TOS):0  ||  Length over all:0029
Fragmentation:  ID:0x29ae - Flags: 0 0 0 - Offset:00000
TTL:064  ||  Protokoll:001 (ICMP)   ||  HeaderCRC:0x411f
echo request                   CODE:0x0 CRC:0xf9f5 SIG:0x602 NUM:0x0

 00 ea
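As an added example (this is not APS source and not the author's code), here is a small C decoder for the three headers APS prints, fed with a frame built from the first sample packet above (the hardware addresses, IP fields, TCP fields and the 21-byte tail are taken from that output; the Ethernet type field 0x0800 and the flag byte 0x18 for ACK+PSH are the assumed encodings). It does not open a raw socket; the bytes are embedded so it runs offline. Two things a sniffer on a SOCK_RAW socket has to do are shown: every length field that arrives off the wire (IHL, total length, TCP data offset) is checked against the bytes actually received before it is used as an offset, and the IP header checksum, the value APS labels HeaderCRC, is recomputed. For this sample header the recomputed value is 0x567b, the same number the sample output shows.

```c
/* Added example (not APS source): decode the Ethernet/IPv4/TCP headers APS prints from
 * a frame constructed out of the page's first sample packet; runs offline, no raw socket. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ip_info {
    uint8_t  version, ihl_bytes, tos, ttl, proto, src[4], dst[4];
    uint16_t total_len, id, frag_off, checksum, computed_checksum;
    unsigned df, mf;                     /* don't-fragment / more-fragments bits */
};
struct tcp_info {
    uint16_t sport, dport, window, checksum, urgent;
    uint32_t seq, ack;
    uint8_t  data_off_bytes, flags;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* RFC 1071 one's-complement checksum over the IP header, checksum field skipped (APS: "HeaderCRC"). */
uint16_t ip_header_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        if (i != 10) sum += rd16(hdr + i);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns the frame offset of the undecoded tail (what APS dumps), or -1 when the frame is
 * shorter than its own header fields claim: each wire length is checked before it is trusted. */
int parse_frame(const uint8_t *f, size_t len, struct ip_info *ip, struct tcp_info *tcp)
{
    if (len < 14 || rd16(f + 12) != 0x0800) return -1;          /* only IPv4 decoded here */
    const uint8_t *h = f + 14; size_t rem = len - 14;
    if (rem < 20) return -1;
    ip->version = h[0] >> 4; ip->ihl_bytes = (h[0] & 0x0f) * 4;
    if (ip->version != 4 || ip->ihl_bytes < 20 || ip->ihl_bytes > rem) return -1;
    ip->tos = h[1]; ip->total_len = rd16(h + 2); ip->id = rd16(h + 4);
    uint16_t ff = rd16(h + 6);
    ip->df = (ff >> 14) & 1; ip->mf = (ff >> 13) & 1; ip->frag_off = ff & 0x1fff;
    ip->ttl = h[8]; ip->proto = h[9]; ip->checksum = rd16(h + 10);
    memcpy(ip->src, h + 12, 4); memcpy(ip->dst, h + 16, 4);
    ip->computed_checksum = ip_header_checksum(h, ip->ihl_bytes);
    if (ip->total_len < ip->ihl_bytes || ip->total_len > rem) return -1;  /* truncated capture */
    if (ip->proto != 6 || ip->frag_off != 0) return 14 + ip->ihl_bytes;   /* no TCP header here */
    const uint8_t *t = h + ip->ihl_bytes; size_t trem = ip->total_len - ip->ihl_bytes;
    if (trem < 20) return -1;
    tcp->sport = rd16(t); tcp->dport = rd16(t + 2); tcp->seq = rd32(t + 4); tcp->ack = rd32(t + 8);
    tcp->data_off_bytes = (t[12] >> 4) * 4; tcp->flags = t[13] & 0x3f;
    tcp->window = rd16(t + 14); tcp->checksum = rd16(t + 16); tcp->urgent = rd16(t + 18);
    if (tcp->data_off_bytes < 20 || tcp->data_off_bytes > trem) return -1;
    return 14 + ip->ihl_bytes + tcp->data_off_bytes;
}
size_t payload_length(const struct ip_info *ip, const struct tcp_info *tcp)
{
    return (size_t)ip->total_len - ip->ihl_bytes - tcp->data_off_bytes;
}

/* APS-style flag field: set flags in upper case, clear ones in lower case. */
const char *tcp_flag_string(uint8_t flags, char *out)
{
    static const char *names = "urgackpshrstsynfin";
    char *w = out; *w++ = '-';
    for (int i = 0; i < 6; i++, *w++ = '-')
        for (int k = 0; k < 3; k++) {
            char c = names[3 * i + k];
            *w++ = (flags & (0x20 >> i)) ? (char)toupper((unsigned char)c) : c;
        }
    *w = '\0'; return out;
}

/* "BOTH" display mode: hex, then protected ASCII (non-printables shown as '.'). */
void dump_tail(const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) printf(" %02x", p[i]);
    printf("\n ");
    for (size_t i = 0; i < n; i++) putchar(isprint(p[i]) ? p[i] : '.');
    putchar('\n');
}
/* Constructed from the first sample packet on the page: Ethernet, IPv4, TCP, 21 data bytes. */
const uint8_t sample_frame[] = {
    0x00,0x80,0xad,0x30,0x8f,0x3b, 0x00,0x60,0x8c,0xf6,0x40,0x96, 0x08,0x00,
    0x45,0x10, 0x00,0x3d, 0x40,0x79, 0x40,0x00, 0x40,0x06, 0x56,0x7b, 192,168,17,52, 192,168,17,50,
    0x00,0x17, 0x04,0x0a, 0x70,0x84,0x34,0x68, 0xea,0xe2,0x94,0x34, 0x50,0x18, 0x7f,0xe0, 0x94,0x20, 0x00,0x00,
    0x73,0x61,0x74,0x75,0x72,0x6e,0x32,0x3a,0x2f,0x73,0x72,0x76,0x2f,0x70,0x72,0x69,0x6e,0x74,0x71,0x23,0x20 };

int main(void)
{
    struct ip_info ip; struct tcp_info tcp; char fl[32];
    int off = parse_frame(sample_frame, sizeof sample_frame, &ip, &tcp);
    if (off < 0) { puts("malformed frame"); return 1; }
    printf("TTL:%03u  Protocol:%03u  HeaderCRC:0x%04x (recomputed 0x%04x)\n", ip.ttl, ip.proto, ip.checksum, ip.computed_checksum);
    printf("Ports: %04u-->%04u  Flags:%s  Window:0x%04x\n", tcp.sport, tcp.dport, tcp_flag_string(tcp.flags, fl), tcp.window);
    dump_tail(sample_frame + off, payload_length(&ip, &tcp));
    return 0;
}
```

Compiled and run, it prints the TTL/protocol/checksum line, the APS-style port and flag line ("-urg-ACK-PSH-rst-syn-fin-") and the 21-byte tail as hex and protected ASCII. Cutting the embedded frame short (passing a smaller length to `parse_frame`) makes the decoder return -1 instead of reading past the buffer, which is the failure mode an unchecked sniffer on a raw socket is exposed to with every frame it receives.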




Here is the help output of the version in development, for an overview of the functionality:




 aps [options][-p <from_port> <to_port>][-o <frame_type>]
 options: -d display rest-output in 
              (1)HEX (2)ASCII (3)BOTH (4)NONE
              (5)PROTECTED-ASCII (6)MODE-5 with HEX
              (7)ONLY rest in HEX (8)only rest in PROTECTED-ASCII
              (9)ONLY rest in PROTECTED-ASCII with HEX
              (10)RAW-HEX-DUMP (without interpretation and filters!!)
          -c do NOT use colorization (ANSI-CODES)
          -b activate beep for some protocolls (see manpage)
          -q do not say hello and bye nor print the copyleft
          -Q do not say anything (using X-GUI instead ?)
          -s do not display summary statistics info 
          -n do not print info of IP-Header
          -i display only this IP-ADDR (192.168.17.4) 
          -I do not display this IP-ADDR (192.168.17.4) 
          -h display only this HW-ADDR (de:ad:be:ef:00:00) 
          -H do not display this HW-ADDR (de:ad:be:ef:00:00) 
          -p display only these ports (23-80) or (23-23) 
          -P do not display this port (23-80) or (23-23) 
          -o display only one frame type 
              (can be combined: ("-o arp -o tcp-udp")
          -h print this HELP (or --help)
          -v print Version and COPYLEFT
           
 valid frame-types are: 
    smb,loop,arp,rarp,all-ip,tcp-ip,udp-ip,icmp-ip,other