Like tcpdump, sisniff captures and displays all connections from and to the local machine.
Additionally it will show you the applications belonging to each packet.
It supports TCP, UDP and ICMP packets.
The Sniffer accepts some filter like tcpdump.
For HTTP connections, there is an argument to show part of its payload.
Under some cirumstances the program/PID cannot be evaluated. This mavericks would be reported as follow:
"?/?" = No entry in /proc/net/[TCP/UDP/ICMP] "-/-" = Found Inode but no PID "./." = The Inode found is '0'
!! sisniff uses scapy's sniff() function, so scapy package is needed:
!! debian: apt-get install scapy
!! pip: pip/pip3 install scapy
!! other systems: http://www.secdev.org/projects/scapy
This program needs Python 3.x or Python 2.x. -------------------- # sisniff -h usage: sisniff [-h] -i {eth0,lo,wlan0} [-n] [-p program|not-program] [-pH] [-pHl] [filter] sisniff V0.90 positional arguments: filter Filter (BPF syntax) on top of IP (in dbl-quotes "...") optional arguments: -h, --help show this help message and exit -i {eth0,lo,wlan0} Interface (required) -n Do not resolve IP-Addresses -p program|not-program Filter by program name ([not-] negates) -pH Show HTTP Payload -pHl Show HTTP Payload, long output --------------------
programmeans the name in the 'Program' column, e.g.
thunderbird-bin
not-programexcludes the program from beeing showed, e.g.
not-thunderbird-bin
filteris in same syntax as tcpdump uses. Must be written in double-quotes "..."