This appendix contains the manual pages of the sniffdet program and the libsniffdet library, version 0.7. Since the software is distributed worldwide (it is freely redistributable), its development and documentation were done primarily in English, and that is the language in which the manual pages below are written.
LIBSNIFFDET(3) Remote Sniffer Detection Library LIBSNIFFDET(3)
NAME
libsniffdet - Sniffer detection library
DESCRIPTION
This library is useful for remote sniffer detection or to discover
machines which are running in promiscuous mode. You can see the
full documentation at http://sniffdet.sourceforge.net
SYNOPSIS
#include <sniffdet.h>
GENERAL DEFINITIONS
CALLBACK
The callback functions used by the detection tests for activity
reporting and interactivity must have the following prototype; the
return value is used to cancel the current execution of the
detection test.
int (*user_callback)(struct test_status *status, int msg_type, char *msg);
The first argument is a structure of the type below, containing
information about the state of execution (in percent) and the
quantity of incoming and outgoing packets of the current test.
struct test_status {
unsigned short int percent; // 0% to 100%
unsigned int bytes_sent;
unsigned int bytes_recvd;
};
The second argument is one of the following enumerations.
RUNNING - used only for responsiveness purposes
NOTIFICATION - general messages
ERROR - critical conditions (abort cases)
WARNING - critical conditions (do not abort the execution)
DETECTION - detection performed
ENDING - indicates the end of the detection test
DEVICE
The following functions should be used to initialize/finish the
network device.
struct sndet_device * sndet_init_device(
    char *device,
    int promisc,
    char *errbuf);
int sndet_finish_device(
    struct sndet_device *device,
    char *errbuf);
Where struct sndet_device has the following layout:
struct sndet_device {
    char *device;                    // device name
    int datalink;                    // datalink type
    int pkt_offset;                  // sync bytes
    struct libnet_link_int *ln_int;
    pcap_t *pktdesc;
    bpf_u_int32 network;
    bpf_u_int32 netmask;
    int rawsock;                     // raw socket id
};
RESULTS
All the detection tests return their results in the following
structure.
struct test_info {
    enum test_code code;             // detection test enumeration - see libsniffdet.h
    int valid;                       // whether it was valid or not
    char *test_name;                 // name of the test
    char *test_short_desc;           // test short description
    time_t time_start;               // start time
    time_t time_fini;                // stop time
    unsigned int b_sent;             // bytes sent
    unsigned int b_recvd;            // bytes received
    unsigned int pkts_sent;          // packets sent
    unsigned int pkts_recvd;         // packets received
    union {                          // test-specific results
        struct icmptest_result icmp;
        struct arptest_result arp;
        struct dnstest_result dns;
        struct latencytest_result latency;
    } test;
};
GENERAL USE FUNCTIONS
There are many functions built to provide basic network and
general purpose functions.
u_long sndet_resolve(char *hostname);
Resolves hostname and returns its binary representation in
network byte order. Hostname is an ASCII string representing
an IPv4 address (canonical hostname or dotted decimal
representation).
int sndet_random(void);
Returns a pseudo-random integer.
int sndet_ping_host(
Common ping function. Provided are the target name (host), a
pointer to the interface structure (device), the timeout in
seconds, the interval between target probes (send_interval) and
the amount of packets sent on each probe (burst_size). The last
two args are used to return the results and to write the error
message in case an internal error occurs. It returns non-zero
if any error occurs.
u_long sndet_get_iface_ip_addr(
Returns the interface IP address in binary notation (host byte
order) for the given interface structure (sndet). If any error
occurs, an error message will be written in errbuf.
struct ether_addr * sndet_get_iface_mac_addr(
Returns the interface MAC address.
unsigned char *sndet_gen_tcp_pkt(
Generates a TCP packet based on the information supplied in
custom_pkt.
void sndet_sleep(long sec, long usec);
System-independent and portable way of sleeping.
DETECTION TESTS
The following are the detection tests implemented by the library.
They always take as mandatory arguments the name of the target
host and the device structure. The rest of their parameters will
be replaced by internal values if not specified (passing NULL or
zero, depending on the data type). As a general rule, all the tests
return non-zero if an error occurs. For more specific information
about the error, one should check the message returned through the
callback functions.
ICMP TEST
int sndet_icmptest(
    char *host,                    // suspicious host
    struct sndet_device *device,
    unsigned int tmout,            // timeout in seconds
    unsigned int tries,            // max number of tries
    unsigned int send_interval,    // interval between packets sent (in msec)
    user_callback callback,
    struct test_info *result,
    char *fakehwaddr               // fake MAC hardware address sent to the host
);
ARP TEST
int sndet_arptest(
    char *host,                    // suspicious host
    struct sndet_device *device,
    unsigned int tmout,            // timeout in seconds
    unsigned int tries,            // max number of tries
    unsigned int send_interval,    // interval between packets sent (in msec)
    user_callback callback,
    struct test_info *result,
    char *fakehwaddr               // fake MAC hardware address sent to the host
);
DNS TEST
int sndet_dnstest(
    char *host,
    struct sndet_device *device,
    unsigned int tmout,
    unsigned int tries,
    unsigned int send_interval,
    user_callback callback,
    struct test_info *info,
    // bogus pkt information, optional
    char *fake_ipaddr,             // pkt source
    char *fake_hwaddr,             // pkt destination
    ushort dport, ushort sport,    // destination/source port
    char *payload,                 // payload data
    short int payload_len          // payload length
);
LATENCY TEST
int sndet_latencytest_pktflood(
    char *host,                    // suspicious host
    struct sndet_device *device,
    unsigned int tmout,            // timeout in seconds
    unsigned int probe_interval,   // interval between probes (x10 msec)
    user_callback callback,
    struct test_info *info,
    struct custom_info *bogus_pkt  // info about the fake packet desired
);
The result is returned in the structure below (time measured in
tenths of a second; RTT = Round Trip Time).
struct latencytest_result {
// time is expressed in msec/10
u_int normal_time;
u_int min_time;
u_int max_time;
u_int mean_time;
};
EXAMPLES
See the documentation included with the library and the source
distribution, which you can find at
http://sniffdet.sourceforge.net
BUGS
This library is in beta stage and is not widely tested. Your
support is appreciated. :-)
Please report bugs at http://sniffdet.sourceforge.net or to
sniffdet-devel@lists.sourceforge.net
Also take a look at our TODO file.
COPYRIGHT
Copyright (C) 2002
Ademar de Souza Reis Jr. <myself /at/ ademar.org>
Milton Soares Filho <eu_mil /at/ yahoo.com>
SEE ALSO
sniffdet(1) libnet(3) pcap(3)
http://sniffdet.sourceforge.net
sniffdet manpage 2002-11-28 LIBSNIFFDET(3)
SNIFFDET(1) Remote Sniffer Detection Tool SNIFFDET(1)
NAME
sniffdet 0.7 - Remote sniffer detection tool
SYNOPSIS
sniffdet [options] TARGET
DESCRIPTION
Sniffdet is an OpenSource implementation of a set of tests for
remote sniffer detection in TCP/IP network environments. It is
useful for remote sniffer detection or just to discover machines
which are running in promiscuous mode.
Sniffdet is very flexible and allows you to configure many of its
options through the config file /etc/sniffdet.conf. It also has
plugin support for reporting the results of its tests (currently,
XML and stdout output plugins are provided).
You can see the full documentation at
http://sniffdet.sourceforge.net
OPTIONS
TARGET is a canonical hostname or a dotted decimal IPv4 address
-i --iface=DEVICE
Use network DEVICE interface for tests.
Default is eth0 on Linux systems.
-l --log=FILE
Use FILE for tests log.
Default is none
-c --configfile=FILE
Use FILE as configuration file for application.
Default is /etc/sniffdet.conf
-f --hostsfile=FILE
Use FILE as input for the test targets. The file must be in
ASCII with one hostname, IP or network address per line.
Comments start with '#'.
-u --uid=UID
Run program with UID (after dropping root).
Default is UID 280 (from config file)
-g --gid=GID
Run program with GID (after dropping root)
Default is GID 280 (from config file)
-t --test=[testname]
Perform a specific test(s)
Where [testname] is a list composed of at least one of:
dns DNS test
arp ARP response test
icmp ICMP ping response test
latency ICMP ping latency test
See the full documentation included with the
library for information about all tests
--pluginsdir=[directory]
Select a directory where sniffdet will load plugins from
-p --plugin=[plugin_name]
Select a plugin to load (xml, stdout, etc).
-f --targetsfile=[file]
Scan all targets present in a file with a test.
-v --verbose
Run in verbose mode (extra output messages).
Default is no.
-s --silent
Run in silent mode (no output messages).
Default is no.
-h --help
Show a help screen and exit
--version
Show version information and exit
EXAMPLES
# sniffdet -i eth1 -t dns,arp,icmp foo.localdomain
Test the host foo.localdomain with dns, arp and icmp tests using
the interface eth1
# sniffdet -i eth0 -t latency foo.localdomain --plugin=xml
Test the machine foo.localdomain using the latency test through the
interface eth0. Output results using the xml plugin.
BUGS
This program is in beta stage and is not widely tested. Your
support is appreciated. :-)
Please report bugs at http://sniffdet.sourceforge.net or to
sniffdet-devel@lists.sourceforge.net
Also see our TODO file.
COPYRIGHT
Copyright (C) 2002
Ademar de Souza Reis Jr. <myself /at/ ademar.org>
Milton Soares Filho <eu_mil /at/ yahoo.com>
SEE ALSO
sniffdet.conf(5) libsniffdet(3)
http://sniffdet.sourceforge.net
sniffdet manpage 2002-11-25 SNIFFDET(1)
SNIFFDET(1) Remote Sniffer Detection Tool SNIFFDET(1)
NAME
sniffdet.conf - sniffdet configuration file
DESCRIPTION
sniffdet.conf allows you to configure the way sniffdet performs its
tests. It's located in /etc by default and has various sections,
all described below.
SYNTAX
The syntax is very simple. Each section has a name and is delimited
by brackets "{}". Inside the section, simple attributions are made
to variables.
Comments are started with "#" and can be located anywhere in the
file. Everything after a "#" is ignored by the parser until a line
break.
Blank lines are ignored.
EXAMPLE
An example of a configuration file follows (it is filled with
some default values from the current implementation of libsniffdet,
but should not be used in production environments). We strongly
recommend that you create your own config file to avoid
identification of the tests by the sniffers.
# sniffdet example configuration file
# http://sniffdet.sourceforge.net
#
# see sniffdet.conf (5) manpage
# global configuration
global {
verbose = 0;
# this is one or a combination of FILE, STDOUT, STDERR, SYSLOG
logtype = FILE;
# want a log by default?
logfile = "sniffdet.log";
#plugins_dir = "/usr/lib/sniffdet/plugins";
plugin = "stdout.so";
# UID to use after dropping root privileges
UID = 280;
# GID to use after dropping root privileges
GID = 280;
iface = "eth0";
fake_hwaddr = {0xff, 0x00, 0x00, 0x00, 0x00, 0x00};
fake_ipaddr = "192.168.1.100";
}
# icmp test variables
icmptest {
# interface per test not supported yet
#iface = "eth0";
timeout = 20; # secs
tries = 10;
interval = 1000; # msecs
fake_hwaddr = {0xff, 0x00, 0x00, 0x00, 0x00, 0x00};
}
# arp test variables
arptest {
# interface per test not supported yet
#iface = "eth0";
timeout = 20; # secs
tries = 10;
interval = 1000; # msecs
fake_hwaddr = {0xff, 0x00, 0x00, 0x00, 0x00, 0x00};
}
# dns test variables
dnstest {
# interface per test not supported yet
#iface = "eth0";
timeout = 20; # secs
tries = 10;
interval = 1000; # msecs
fake_ipaddr = "10.0.0.10";
fake_hwaddr = {0x46, 0x0f, 0xA4, 0x33, 0x11, 0xD1};
sport = 22;
dport = 22;
# payload support not implemented in parser yet...
#payload = "login: foobar";
}
# latency test variables
latencytest {
# interface per test not supported yet
#iface = "eth0";
timeout = 300; # secs
interval = 1500; # msecs
# tcpflags support not implemented in parser yet...
#tcpflags = SYN;
# payload support not implemented in parser yet...
#payload = "";
}
# EOF
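A line-oriented parser for the syntax described above, added here as an example and not code from the sniffdet project: SAMPLE_CONF is a constructed fragment in the format of the example file, SHIPPED_DEFAULTS is taken from that example, and the parser follows the page's stated rules (braced sections, one assignment per line, '#' comments to end of line, blank lines ignored). It also reports fields still carrying the example defaults, which the page advises replacing so that the probes are not recognisable.

```python
# Constructed sample in the sniffdet.conf(5) syntax: "{}" sections, one
# "var = value;" per line and '#' comments that run to the end of the line.
SAMPLE_CONF = """\
global {
    logtype = FILE;                  # bare identifier value
    fake_hwaddr = {0xff, 0x00, 0x00, 0x00, 0x00, 0x00};
    fake_ipaddr = "192.168.1.100";
}
dnstest {
    fake_hwaddr = {0x46, 0x0f, 0xA4, 0x33, 0x11, 0xD1};
}
"""

# Values from the man page's example file, which it says not to use in production
SHIPPED_DEFAULTS = {'fake_hwaddr': [0xff, 0, 0, 0, 0, 0], 'fake_ipaddr': '192.168.1.100'}

def parse_value(raw):                          # -> str, int or list of bytes
    raw = raw.strip().rstrip(';').strip()
    if raw.startswith('"') and raw.endswith('"') and len(raw) > 1:
        return raw[1:-1]                       # quoted string
    if raw.startswith('{') and raw.endswith('}'):
        return [int(b, 0) for b in raw[1:-1].split(',') if b.strip()]
    try:
        return int(raw, 0)                     # decimal or 0x.. integer
    except ValueError:
        return raw                             # identifier such as FILE

def parse_conf(text):
    """Parse into {section: {key: value}}; one value per line, as the page's
    BUGS section says multi-line support is not implemented."""
    cfg, section = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split('#', 1)[0].strip()   # '#' comments, anywhere
        if not line:
            continue                           # blank lines are ignored
        if line.endswith('{'):
            cfg[(section := line[:-1].strip())] = {}
        elif line == '}':
            section = None
        elif '=' in line and section is not None:
            key, _, raw = line.partition('=')
            cfg[section][key.strip()] = parse_value(raw)
        else:
            raise ValueError(f'line {lineno}: cannot parse {line!r}')
    return cfg

def unchanged_defaults(cfg):
    """(section, key) pairs still carrying the page's example defaults."""
    return [(s, k) for s, kv in cfg.items() for k, v in kv.items()
            if SHIPPED_DEFAULTS.get(k) == v]
```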
COPYRIGHT
Copyright (C) 2002
Ademar de Souza Reis Jr. <myself /at/ ademar.org>
Milton Soares Filho <eu_mil /at/ yahoo.com>
BUGS
- payload and tcpflags parser not implemented yet
- multi-line support not implemented
SEE ALSO
sniffdet(1) libsniffdet(3)
http://sniffdet.sourceforge.net
sniffdet manpage 2002-11-28 SNIFFDET(1)