This tool captures network packets. It can display them, or save them
in a file (called a 'record' in netwox).
Parameter --device indicates on which device to sniff. Please note
that under some systems, such as Windows, sniffing on some devices is
not supported.
Parameter --filter defines the sniff filter, which restricts the
packets that are captured. This kind of filter is called a BPF or pcap
filter. The basic elements of a filter are:
host 1.2.3.4
net 192.168.10
net 192.168.10.0 mask 255.255.255.0
net 192.168.10.0/24
port 21
dst host 1.2.3.4
src port 2345
ether host a:b:c:d:e:f (a bare 'ether a:b:c:d:e:f' does not work)
ether src aa:bb:cc:dd:ee:ff
ip
arp
rarp
tcp
icmp
udp
Here are some filter examples:
"host 1.2.3.4"
"net 192.168 and icmp"
"host 1.2.3.4 or dst port 80"
"(udp or tcp) and not host 1.2.3.4"
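The filter grammar above, worked through as an added example (this is not netwox code and does not use libpcap): a small Python evaluator for exactly the primitives listed on this page (host, net in its three spellings, port, src/dst qualifiers, ether host/src/dst, and the protocol words), combined with and/or/not and parentheses. Packets are a simplified, constructed in-memory representation (one dict per decoded frame) rather than real captures, and the evaluator rejects a bare 'ether MAC', matching the note above. Everything here is an assumption of the example, not netwox behaviour.

```python
import re
import ipaddress

SAMPLE_PACKETS = [  # constructed sample frames, not real captures
    {"proto": "tcp", "src": "1.2.3.4", "dst": "10.0.0.5", "sport": 2345, "dport": 80,
     "ether_src": "aa:bb:cc:dd:ee:ff", "ether_dst": "0a:0b:0c:0d:0e:0f"},
    {"proto": "udp", "src": "192.168.10.7", "dst": "8.8.8.8", "sport": 5353, "dport": 53,
     "ether_src": "0a:0b:0c:0d:0e:0f", "ether_dst": "aa:bb:cc:dd:ee:ff"},
    {"proto": "icmp", "src": "192.168.1.1", "dst": "1.2.3.4",
     "ether_src": "0a:0b:0c:0d:0e:0f", "ether_dst": "aa:bb:cc:dd:ee:ff"},
    {"proto": "arp", "ether_src": "0a:0b:0c:0d:0e:0f", "ether_dst": "ff:ff:ff:ff:ff:ff"},
]
IP_PROTOS = {"tcp", "udp", "icmp"}
PROTO_WORDS = IP_PROTOS | {"ip", "arp", "rarp"}


def parse_net(text, mask=None):
    # '192.168.10' -> 192.168.10.0/24; CIDR ('/24') and 'mask 255.255.255.0' also accepted
    if mask is None and "/" not in text:
        octets = text.split(".")
        text = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(text if mask is None else f"{text}/{mask}", strict=False)


def norm_mac(text):  # accept short groups such as a:b:c:d:e:f
    return ":".join(f"{int(g, 16):02x}" for g in text.split(":"))


def _match(direction, src_key, dst_key, pred):
    # no direction word means either side; a packet lacking the field (ARP has no IP/port) never matches
    keys = {"src": [src_key], "dst": [dst_key], "host": [src_key, dst_key]}[direction]
    return lambda p: any(k in p and pred(p[k]) for k in keys)


class FilterParser:
    # recursive descent: expr = term ('or' term)*, term = factor ('and' factor)*
    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr)

    def peek(self):
        return self.toks[0] if self.toks else None

    def take(self):
        return self.toks.pop(0) if self.toks else None

    def expr(self):
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self.term())
        return left

    def term(self):
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self.factor())
        return left

    def factor(self):
        tok = self.take()
        if tok == "not":
            return (lambda inner: lambda p: not inner(p))(self.factor())
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        return self.primitive(tok)

    def primitive(self, tok):
        if tok in PROTO_WORDS:  # ip, arp, rarp, tcp, icmp, udp
            return (lambda p: p["proto"] in IP_PROTOS) if tok == "ip" else (lambda p: p["proto"] == tok)
        if tok == "ether":  # 'ether host|src|dst MAC'; a bare 'ether MAC' is rejected, as noted above
            direction = self.take()
            if direction not in ("src", "dst", "host"):
                raise ValueError("'ether' must be followed by src, dst or host")
            mac = norm_mac(self.take())
            return _match(direction, "ether_src", "ether_dst", lambda v: v == mac)
        direction = "host"
        if tok in ("src", "dst"):
            direction, tok = tok, self.take()
        if tok == "host":
            addr = self.take()
            return _match(direction, "src", "dst", lambda v: v == addr)
        if tok == "net":
            net_text, mask = self.take(), None
            if self.peek() == "mask":
                self.take()
                mask = self.take()
            net = parse_net(net_text, mask)
            return _match(direction, "src", "dst", lambda v: ipaddress.ip_address(v) in net)
        if tok == "port":
            port = int(self.take())
            return _match(direction, "sport", "dport", lambda v: v == port)
        raise ValueError(f"unknown primitive {tok!r}")


def apply_filter(expr, packets=SAMPLE_PACKETS):
    # returns the indexes of the packets the filter lets through
    parser = FilterParser(expr)
    test = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing token {parser.peek()!r}")
    return [i for i, p in enumerate(packets) if test(p)]
```

Running apply_filter("(udp or tcp) and not host 1.2.3.4") against the sample set keeps only the UDP frame, and apply_filter("host 1.2.3.4") keeps both the frame sent from that address and the one sent to it, which is the point of the direction-less form. Note that "net 192.168" and "net 192.168.0.0/16" are the same filter: the short spelling is padded with zero octets and given a prefix of 8 bits per octet written.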
Parameter --pause allows pressing the P (pause) or Q (quit) key to
pause or stop the capture.
Parameters --hdrencode and --dataencode define how to display the
header and the data/payload. Common useful values are: array, dump,
synth, nothing, text. The full list is available through netwag or by
running tool 12.
Parameter --rawip ignores the Ethernet/link layer and starts
displaying at the IP header.
Parameter --extended makes the tool try to decode other protocols such
as DNS or DHCP.
Parameter --ipreas tries to reassemble IP packets. This might miss
packets.
Parameter --tcpreord tries to reorder the TCP flow (by increasing
sequence number). This might miss packets.
A record is a capture file. It contains several packets captured
during a sniff. It can also be created by hand. There are 7 formats
for records: pcap (tcpdump compatible), bin (binary, unreadable by
humans but fast) and mixed/mixed_wrap/dump/hexa/hexa_wrap (easy to
read and edit). A record also has an associated DLT (Data Link Type),
indicating at which level a packet starts: raw (starting at the IP
header) and ether (starting at the Ethernet header) are the 2 most
common DLTs. Tool 13 displays the DLT of each device.
Parameter --outfile indicates the name of the file in which to store
captured packets. Parameter --recordencode defines how to encode data
in this file (suggested values: bin, pcap and mixed_wrap). The capture
can automatically switch to a new file using parameters --split-size
or --split-age. The DLT (Data Link Type) of packets in this record
will be 'raw' if --rawip is set, otherwise the sniff DLT obtained by
tool 13.
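The record, DLT and --split-size behaviour described above, as an added example that is not netwox code: a Python writer and reader for the pcap record format (the tcpdump-compatible one; the bin and mixed encodings are netwox-specific and are not reproduced here). The pcap file link-type numbers 1 (Ethernet) and 101 (raw IP) stand in for the 'ether' and 'raw' DLTs, so choosing rawip selects the raw link type just as --rawip does, and the writer switches to a new file when the next packet would exceed a size limit in kb, mirroring --split-size. The packets, file names and timestamps are constructed for the example.

```python
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1     # packets start at the Ethernet header (the 'ether' DLT)
LINKTYPE_RAW = 101        # packets start at the IP header (the 'raw' DLT, what --rawip gives)


def global_header(linktype, snaplen=65535):
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def packet_record(ts_sec, ts_usec, data):
    # per-packet header: seconds, microseconds, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)) + data


class SplitRecordWriter:
    """Write a record as base.0.pcap, base.1.pcap, ... switching files when the
    next packet would push the current one past max_kb (0 = never split)."""

    def __init__(self, base, linktype, max_kb=0):
        self.base, self.linktype, self.max_bytes = base, linktype, max_kb * 1024
        self.files, self.fh, self.size = [], None, 0
        self._open_next()

    def _open_next(self):
        if self.fh:
            self.fh.close()
        path = f"{self.base}.{len(self.files)}.pcap"
        self.fh = open(path, "wb")
        self.size = self.fh.write(global_header(self.linktype))
        self.files.append(path)

    def write(self, ts_sec, ts_usec, data):
        rec = packet_record(ts_sec, ts_usec, data)
        # split only once the file holds a packet, so one oversized packet cannot loop forever
        if self.max_bytes and self.size > 24 and self.size + len(rec) > self.max_bytes:
            self._open_next()
        self.size += self.fh.write(rec)

    def close(self):
        self.fh.close()


def read_record(path):
    """Parse a pcap file back; returns (linktype, [packet bytes, ...])."""
    with open(path, "rb") as fh:
        blob = fh.read()
    magic, _major, _minor, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    packets, off = [], 24
    while off < len(blob):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", blob[off:off + 16])
        packets.append(blob[off + 16:off + 16 + incl])
        off += 16 + incl
    return linktype, packets


def build_packet(rawip, payload_len):
    # Constructed IPv4/UDP-shaped packet (checksum left at 0): only the layout matters here.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                         bytes([192, 168, 10, 7]), bytes([8, 8, 8, 8]))
    pkt = ip_hdr + b"A" * payload_len
    if rawip:
        return pkt  # 'raw' record: nothing in front of the IP header
    ether_hdr = bytes.fromhex("aabbccddeeff") + bytes.fromhex("0a0b0c0d0e0f") + b"\x08\x00"
    return ether_hdr + pkt


def simulate_capture(rawip, split_kb=1, count=6, payload_len=300):
    """Mimic --rawip and --split-size; returns [(linktype, packets), ...] per file written."""
    writer = SplitRecordWriter(os.path.join(tempfile.mkdtemp(), "record"),
                               LINKTYPE_RAW if rawip else LINKTYPE_ETHERNET, split_kb)
    for i in range(count):
        writer.write(1700000000 + i, 0, build_packet(rawip, payload_len))
    writer.close()
    return [read_record(path) for path in writer.files]
```

With a 1 kb limit and 320-byte packets, simulate_capture(rawip=True) produces three files of two packets each, every one tagged with the raw link type, and the first byte of each stored packet is the IPv4 version/IHL byte 0x45. With rawip=False the same packets carry a 14-byte Ethernet header in front and the files are tagged Ethernet. A reader that ignores the link type and always expects an Ethernet header would misparse a raw record, which is why the DLT travels with the record.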
This tool may need to be run with admin privileges in order to sniff.
| parameter | description | example |
|---|---|---|
| -d, --device device | device name | Eth0 |
| -f, --filter filter | pcap filter | |
| -p, --pause / +p, --no-pause | can pause | |
| -H, --hdrencode encode | header encoding type for screen | array |
| -D, --dataencode encode | data encoding type for screen | dump |
| -r, --rawip / +r, --no-rawip | sniff at IP level | |
| -x, --extended / +x, --no-extended | display other protocols | This boolean is set. Use + or --no- to unset it. |
| -i, --ipreas / +i, --no-ipreas | reassemble IP packets | |
| -t, --tcpreord / +t, --no-tcpreord | reorder TCP packets | |
| -s, --screen / +s, --no-screen | display to screen | This boolean is set. Use + or --no- to unset it. |
| -o, --outfile file | save in record file | dstfile.txt |
| -R, --recordencode recordencode | encoding type for record file | bin |
| -c, --split-size uint32 | maximum size of record in kb | 0 |
| -C, --split-age uint32 | maximum age of record in seconds | 0 |
| -Q, --losepriv / +Q, --no-losepriv | lose privileges to nobody user under Linux | |