Results 1 to 2 of 2

Thread: New Win32 cmd line packet sniffer.

  1. #1
    Senior Member
    Join Date
    Jan 2003

    New Win32 cmd line packet sniffer.

    Hey Hey,

    Next Generation Security Technologies has released ngSniff 1.2. You can grab the executable here. In the zip file you'll find a 40K executable and 4.8K of text files. No installation, no packet driver, just extract and run.

    It definately isn't the most advanced packet sniffer out there, but what it lacks in options, it makes up for in cleanliness. You can specify the interface (it will generate a list of interfaces... not pointing to some random registry driver entry but rather to the IP address), a host to specifically listen for, a host to specifically ignore, and a string of data to watch for. By default ngSniff will display to stdout, however you can tell it to write to a log file.

    I decided to generate a specific packet for testing purposes to display for you.

    This is the command I executed from the comand line of my Windows XP Machine.
    ngSniff.exe --interface 0 --pattern "AntiOnline"
    Here's the hping2 command I executed on my SuSE 9.1 box
    hping -RA -p 80 -t 69 -d 50 -E testdata
    If you care, testdata contains
    AntiOnline Test Packet
    Here's the capture displayed to stdout on the command line of my Windows XP Machine.
    IP HEADER ->
     IP->version: 4
     IP->ihl: 5
     IP->tos: 8
     IP->tot_len: 90
     IP->id: 52672
     IP->frag_off: 0
     IP->ttl: 69
     IP->protocol: 6
     IP->checksum: 44848
     TCP->sport: 1352
     TCP->dport: 80
     TCP->seq: 1572835341
     TCP->ack: 1842659933
     TCP->off: 5
     TCP->flags: RST|ACK
     TCP->window: 512
     TCP->checksum: 37159
     TCP->urp: 0
    ----- Begin of data dump -----
    41 6e 74 69 4f 6e 6c 69 6e 65 20 54 65 73 74 20  AntiOnline Test
    50 61 63 6b 65 74 0a 00 00 00 00 00 00 00 00 00  Packet..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00                                            ..
    ----- End of data dump -----
    As you can see I set a few of the fields manually so that you could see the results (the packet data obviously), the TCP Flags, the TTL, the destination port. Anyways as you can see, it's very clean, quite small and very easy to use... definately a handy addition to the IT toolkit.


    Tedob1 just pointed out that this is my '1337' post. I think I'm supposed to say "ph33r m3" or something corny like that... Anyways.. Yay for me!
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  2. #2
    Senior Member
    Join Date
    Nov 2001
    thanks for taking the trouble to test it then show your results. too many just post links for things they've never tried and have no idea how good or bad it reallly is.

    looks allot better than packetmon. not as good as ethereal but much more handy. im going to give it a go tomorrow. thanks!

    edit: oh no! i just noticed you post count....1337
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts