Network sniffer with application link

Peter Siegrist 68fa61285f v1.5 new Param -P : disable promiscuous-mode 1 year ago
400px-Terminal_059.png ffac3ca21d first commit 7 years ago
README.md 68fa61285f v1.5 new Param -P : disable promiscuous-mode 1 year ago
Terminal_059.png ffac3ca21d first commit 7 years ago
sisniff 68fa61285f v1.5 new Param -P : disable promiscuous-mode 1 year ago

README.md

sisniff

Sisniff is a network sniffer like tcpdump, which prints out all the packets on a network interface from and to the local computer.
As a special feature, for each packet the coresponding application sending or receiving this packet is displayed.
With filter options like program name a specific application can be tracked.

It supports TCP, UDP and ICMP packets, both on IPv4 and IPv6
All BPF-Filter on top of IP which can be used by tcpdump are also supported.

For HTTP connections, there is an argument (-H resp. -Hl) to show short or long payload.

Under some cirumstances the program/PID cannot be evaluated. This mavericks would be reported as follow:

 "?/?" = No entry in /proc/net/[TCP/UDP/ICMP]
 "-/-" = Found Inode but no PID
 "./." = The Inode found is '0'

!! sisniff uses scapy's sniff() function, so scapy package is needed:
!! debian: apt-get install scapy
!! pip: pip/pip3 install scapy
!! other systems: http://www.secdev.org/projects/scapy

This program needs Python 3.x or Python 2.x.

Homepage (german): https://wiki.zweiernet.ch/wiki/sisniff

Direct Download: wget https://git.zweiernet.ch/sigi/sisniff/raw/master/sisniff

--------------------
# sisniff -h
usage: sisniff [-h] -i {eth0,lo,wlan0} [-n] [-P] [-p program|not-program] [-4] [-6] [-H] [-Hl] [filter]

sisniff V1.5
2017-2023 by sigi 

positional arguments:
  filter                Filter (BPF syntax) on top of IP (in dbl-quotes "...")

optional arguments:
  -h, --help            show this help message and exit
  -i {eth0,lo,wlan0}    Interface
  -n                    Do not resolve IP-Addresses
  -P                    Don't put interface into promiscuous mode
  -p program|not-program
                        Filter by program name (accepts * for matching) ([not-] negates)
  -4                    Only IPv4
  -6                    Only IPv6
  -H                   Show HTTP Payload
  -Hl                  Show HTTP Payload, long output
--------------------
  • Interfaces showed in the help are gathered from the running system.
  • program is meant the base name of the program/application, e.g. -p thunderbird-bin
  • program can contain '*' pattern at the beginning and/or the end, e.g. -p thunder*
  • not-program excludes the program from beeing showed, e.g. not-thunderbird-bin. The '*' pattern also is accepted.
  • filter is in same syntax as tcpdump uses. Must be written in double-quotes "..."
Example Commands
# sisniff "port not ssh"
# sisniff -p *vpn*
# sisniff -i wlan0 -p not-thunderbird-bin -4 "host not www.zweiernet.ch"
# sisniff -i eth0 -p firefox -Hl "port 80"      
Example Output