
v1.1 a few fixes, and -p program * pattern exten.

boson 2 years ago
parent
commit
5ea395c514
2 changed files with 30 additions and 14 deletions
  1. 10 7
      README.md
  2. 20 7
      sisniff

+ 10 - 7
README.md

@@ -1,11 +1,13 @@
 sisniff
 -------
 
-Like tcpdump, sisniff captures and displays all connections from and to the local machine. 
-Additionally it will show you the <b>applications belonging to each packet</b>.<br> 
+Sisniff is a network sniffer like tcpdump, which prints out all the packets on a network interface from and to the local computer.<br>
+As a special feature, for each packet the coresponding application which sends or receives this packet is showing.<br>
+With filter options like program name a specific application can be tracked.<p><br>
 
-It supports TCP, UDP and ICMP packets, both IPv4 and IPv6<br>
-The Sniffer accepts some filter like tcpdump.<br>
+
+It supports TCP, UDP and ICMP packets, both on IPv4 and IPv6<br>
+All BPF-Filter on top of IP which can be used by tcpdump are also supported.<br>
 <p>
 
 For HTTP connections, there is an argument to show part of its payload.<br>
@@ -38,7 +40,7 @@ Current Version can be downloaded from Git at: https://git.zweiernet.ch/sigi/sis
 usage: sisniff [-h] -i {eth0,lo,wlan0} [-n] [-p program|not-program] [-4] [-6] [-pH] [-pHl] [filter]
 
 sisniff V1.00
-2017-2019 by sigi <https://wiki.zweiernet.ch/wiki/sisniff>
+2017-2022 by sigi <https://wiki.zweiernet.ch/wiki/sisniff>
 
 positional arguments:
   filter                Filter (BPF syntax) on top of IP (in dbl-quotes "...")
@@ -57,8 +59,9 @@ optional arguments:
 </pre>
 
 * Interfaces showed in the help are gathered from the running system.
-* <code>program</code> means the name in the 'Program' column, e.g. <code>thunderbird-bin</code>
-* <code>not-program</code> excludes the program from beeing showed, e.g. <code>not-thunderbird-bin</code>
+* <code>-program</code> is meant the base name of the program/application, e.g. <code>-p thunderbird-bin</code>
+* <code>-program</code> can contain '*' pattern at the beginning and/or the end, e.g. <code>-p thunder*</code>
+* <code>not-program</code> excludes the program from beeing showed, e.g. <code>not-thunderbird-bin</code>. The '*' pattern also is accepted.
 * <code>filter</code> is in same syntax as tcpdump uses. Must be written in double-quotes "..."
 
 

+ 20 - 7
sisniff

@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 
-# (c) 2017-2019 by Siegrist(SystemLoesungen) <PSS@ZweierNet.ch>
+# (c) 2017-2022 by Siegrist(SystemLoesungen) <PSS@ZweierNet.ch>
 #
 # All Rights reserved.
 # This program is free software; you can redistribute it and/or
@@ -35,7 +35,7 @@ def _to_str(inp):
         return "".join( chr(x) for x in inp)
     
 
-VERSION = "1.00"
+VERSION = "1.1"
 
 PROC_TCP4 = "/proc/net/tcp"
 PROC_UDP4 = "/proc/net/udp"
@@ -300,7 +300,7 @@ def doPackets(packet):
             	spid,sexe,suid = get_conn_info(packet[0][1].proto, conn_addr, conn_port, packet[0][1].version)
             elif packet[0][1].version == 6:
             	spid,sexe,suid = get_conn_info(packet[0][1].nh, conn_addr, conn_port, packet[0][1].version)
-            if re.match("^[0-9]+$", spid):
+            if re.match("[0-9]+$", spid):
                 program = sexe
                 pid = spid
                 uid = suid
@@ -329,10 +329,23 @@ def doPackets(packet):
         pass
     else:
         if filter_prog.startswith('not-'):
-            if program == filter_prog[4:]:
+            filter_progn = filter_prog[4:]
+            if filter_progn.startswith('*') and filter_progn.endswith('*') and re.match(filter_progn[1:-1], program):
+                return
+            elif filter_progn.startswith('*') and not filter_progn.endswith('*') and re.match(filter_progn[1:]+'$', program):
+        	    return
+            elif not filter_progn.startswith('*') and filter_progn.endswith('*') and re.match('^'+filter_progn[:-1], program):
+        	    return
+            elif not filter_progn.startswith('*') and not filter_progn.endswith('*') and re.match('^'+filter_progn+'$', program):
                 return
         else:
-            if program != filter_prog:
+            if filter_prog.startswith('*') and filter_prog.endswith('*') and not re.match(filter_prog[1:-1], program):
+                return
+            elif filter_prog.startswith('*') and not filter_prog.endswith('*') and not re.match(filter_prog[1:]+'$', program):
+        	    return
+            elif not filter_prog.startswith('*') and filter_prog.endswith('*') and not re.match('^'+filter_prog[:-1], program):
+        	    return
+            elif not filter_prog.startswith('*') and not filter_prog.endswith('*') and not re.match('^'+filter_prog+'$', program):
                 return
         
     
@@ -446,11 +459,11 @@ iface_list = ifaces.split('\n')
 rfilter = "ip or ip6"
 print("")
 # commandline params
-parser = argparse.ArgumentParser(description='sisniff V'+VERSION+"\n2017-2019 by sigi <https://wiki.zweiernet.ch/wiki/sisniff>",
+parser = argparse.ArgumentParser(description='sisniff V'+VERSION+"\n2017-2022 by sigi <https://wiki.zweiernet.ch/wiki/sisniff>",
                                    formatter_class=argparse.RawDescriptionHelpFormatter)
 parser.add_argument('-i', help="Interface (required)", choices=iface_list, required=True)
 parser.add_argument('-n', help="Do not resolve IP-Addresses", action="store_true")
-parser.add_argument('-p', help='Filter by program name ([not-] negates)', type=str, metavar='program|not-program')
+parser.add_argument('-p', help='Filter by program name (accepts * for matching) ([not-] negates)', type=str, metavar='program|not-program')
 parser.add_argument('-4', dest='v4', help="Only IPv4", action="store_true")
 parser.add_argument('-6', dest='v6', help="Only IPv6", action="store_true")
 parser.add_argument('-pH', help="Show HTTP Payload", action="store_true")
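Review bot: The `*` handling in the `@@ -329,10 +329,23 @@` hunk does not give the matching the README describes, because `re.match` is anchored at the start of `program`: `-p *thunder*` becomes `re.match('thunder', program)`, a prefix test rather than a contains test, and `-p *bird` becomes `re.match('bird$', program)`, which only matches the whole name, so every leading-`*` form behaves like its anchored counterpart. The value of `-p` is also dropped into the regex unescaped, so a name containing `.`, `+` or `(` is read as a pattern instead of literally. Both the `not-` branch and the positive branch repeat the same four-way `startswith`/`endswith` test; a small helper built on `fnmatch.fnmatchcase` (with `import fnmatch` added to the file's top-level imports) matches literally with `*` at either end and replaces the eight `elif` lines, as sketched below. The `return` lines under the second and third `elif` of each branch are indented with a tab in a file that otherwise uses spaces; worth normalising while here. `doPackets` starts and ends outside this hunk.
```python
def _prog_matches(pattern, program):
    # fnmatchcase treats '*' as a wildcard and everything else literally,
    # so '.', '+' or '(' in a program name are not read as regex syntax.
    # It also gives '?' and '[...]' wildcard meaning; acceptable for -p.
    return fnmatch.fnmatchcase(program, pattern)

# … unchanged: doPackets up to the filter_prog test …
    else:
        if filter_prog.startswith('not-'):
            if _prog_matches(filter_prog[4:], program):
                return
        elif not _prog_matches(filter_prog, program):
            return
```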