Ethernet packet sniffer
GreedyDog2.4 Online Manual
UNYUN <unyun@shadowpenguin.org>
Shadow Penguin Security <http://www.shadowpenguin.org>
1. Overview
GreedyDog (gdd) is an Ethernet packet sniffer for Linux, FreeBSD,
OpenBSD, NetBSD, Solaris2, SunOS4, AIX, HP-UX, IRIX, MacOSX, and Win32. gdd keeps the stream
of each TCP session and writes it to a logfile. Because each session is logged as one stream,
it is not necessary to reassemble fragmented packets, and the logfile
can be analysed very easily. This feature is useful for logging comparatively
large sessions such as telnet. An administrator can watch the telnet session
of a remote user as one stream unit until the connection closes; if a cracker
makes a telnet session to another network by way of the administrated network,
gdd can log all activities of the cracker as one stream that includes the
other network. Furthermore, gdd has an IDS function based on "grep&action":
gdd monitors the session stream, and if a suspicious action is detected, gdd
executes the specified action.
2. Download and Install
GreedyDog is available at Shadow Penguin Security.
Currently, the execution of gdd is confirmed on the following platforms.
You can build the execution file and manpage of gdd with the following steps.
# ./configure
# make
# make install
* The execution file is placed in /usr/local/bin
* The manpage is placed in /usr/local/man/man1
If your system has libpcap, the following message is shown when the configure command is executed.
libpcap is detected on this system. Do you use libpcap to capture packet? (y/n)
gdd has its own packet capture routine, but libpcap is also supported. If you would like to use libpcap, enter 'y'.
If you see errors while compiling, please e-mail the
logfile of the compiler output to webmaster@shadowpenguin.org.
[Win32]
The source code can be built with Microsoft Visual C++ 6.0.
[HP-UX 10.20]
If you cannot capture packets sent from the host running gdd, apply patch PHNE_18173 and execute the following command.
echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
You can insert this e.g. into /sbin/init.d/lan
3. Usage
gdd requires root privilege to execute because it uses a raw socket.
gdd can be executed with no options. If you execute it with no options,
gdd captures TCP packets (port 1 to 1024) from the network interface
"eth0" and writes the log to /var/log/gdd/log in text format.
If you want to capture other ports or another interface, you should specify
the options on the command line (you can specify port, interface,
logfile, logfile format, and so on). You can see an overview of option
usage with the "-h" option.
# ./gdd -h
Ethernet Packet Sniffer - GreedyDog 2.4
Developed by Shadow Penguin Security
http://www.shadowpenguin.org
Usage: gdd [options]
Options:
  -h                : print this help message
  -v                : show version
  -x                : disable startup message
  -H <on/off>       : hold temporary log
  -p <port>         : destination and source port
  -d <IPaddress>    : destination IP address
  -s <IPaddress>    : source IP address
  -N <nic_name>     : nic_name
  -D <nit_dev>      : nit_device
  -l <log_file>     : logfile
  -t <tmp_logdir>   : temporary log directory
  -e <err_logfile>  : error logfile
  -a <action>       : set action
  -m <mode>         : set mode
  -f <config_file>  : read configuration file
* If you don't specify any options, gdd reads configuration written in "/usr/local/etc/gdd/gdd.conf".
* If configuration file is read by "-f" option, all options which are specified at commandline are ignored.
[Win32]
Options
-H:
gdd generates temporary files for each session (see the description of the "-t" option). Generally, the temporary file is deleted when the session is closed, but if you set the "hold temporary log" flag with this option, gdd doesn't delete the temporary log.
-p:
gdd can select the TCP port numbers of the target packets to
capture. For example, if you would like to capture telnet sessions,
you should select port 23. You can specify 65536 combinations of port number.
(example) gdd -p 23 -p 512-514
In this example, TCP ports 23, 512, 513 and 514 are selected for capture. You can specify '-' to select a range of port numbers. You can also specify the logfile format for each port. Currently, gdd supports four types of logformat as follows.
-d, -s:
gdd can select the source or destination IP address of the target
packets to capture. For example, if you would like to capture packets
from "192.168.0.3" only, you can specify "192.168.0.3/32"
as the source IP address (-s). The format of the IP address specification is as
follows.
"aaa.bbb.ccc.ddd/mask"
If you would like to capture packets from "192.168.0.*" (* means "all"), specify the source IP address as "192.168.0.0/24".
(example) gdd -s 192.168.0.*/24
-N:
You can select the network interface. If this parameter is not specified,
the default network interface is selected automatically. If you would like
to change the interface, you must specify it with the "-N" option.
[Win32] Specify the IP address of the network interface.
(example) gdd -N eth1
-D:
You can select the network interface tap. "/dev/bpf" is selected by default; if you would like to change the interface tap, you must specify it with the "-D" option. In the case of Linux, this option is ignored.
-l:
You can select the filename and directory of the logfile. "/var/log/gdd/log"
is selected by default; if you change it, you must specify the path of the
logfile with the "-l" option.
(example) gdd -l /var/log/gddlog
[Notice] If the permission of the logfile is not appropriate (e.g. it is readable or writable by non-root users), gdd displays an error message and terminates. The appropriate permission of the logfile is 600 (-rw-------), owner=root.
-t:
gdd makes a temporary logfile for each session in the temporary directory.
"/var/log/gdd/tmp" is selected as the default temporary directory;
if you change it, you must specify the path of the directory with the "-t"
option.
(example) gdd -t /var/log/gddtemp
[Notice] If the permission of the temporary directory is not appropriate (e.g. it is readable or writable by non-root users), gdd displays an error message and terminates.
-e:
You can select the filename and directory of the error logfile. "/var/log/gdd/errlog"
is selected by default; if you change it, you must specify the path of the
error logfile with the "-e" option.
(example) gdd -e /var/log/gdderrlog
[Notice] If the permission of the error logfile is not appropriate (e.g. it is readable or writable by non-root users), gdd displays an error message and doesn't start. The appropriate permission of the error logfile is 600 (-rw-------), owner=root.
-a:
You can specify an "action". gdd can execute the specified
action if the specified pattern is included in the session stream. An "action"
consists of two parts. The first is the "execution filename"
which is executed when the specified pattern is found. The second is
the "pattern" which is passed to egrep. The format of "action"
is as follows.
execution_file:pattern
gdd runs egrep on the temporary session file with the specified "pattern". If egrep finds the pattern, gdd executes the specified execution file. You can see an example of this option in /usr/local/etc/gdd/gdd.conf.sample.
[Win32] You must prepare grep for Win32 if you use this feature. See "4. Notice for Win32".
-m:
This flag selects the mode of gdd. Currently, gdd has three
modes. In dump mode, gdd shows all packets that fulfill the specified
conditions. In debug mode, gdd shows some debug information
for gdd developers or testers. In secure mode, gdd
analyzes the sequence numbers of all sniffed packets. If a packet that contains
a spoofed IP address is sniffed, gdd drops it by the sequence number check.
If this feature is not used, gdd can be deceived by spoofed packets, and
security problems (the spoofed log problem and the spoofed session close problem)
happen. However, this feature is still under development; if it
is enabled by the secure option, gdd may become unstable. If
you use gdd for security purposes, I recommend that you enable this
mode. If you use gdd for personal experimentation or penetration
test purposes, I recommend that you disable this mode.
(example: enable debug, secure and dump mode) gdd -m debug,secure,dump
-f:
You can specify parameters for gdd in the specified configuration
file. If you don't specify any options, gdd reads /usr/local/etc/gdd/gdd.conf.
[Win32] gdd_win32.conf in the current directory is read.
If the configuration file is read by the "-f" option, all options which are specified on the command line are ignored. Details are described in /usr/local/etc/gdd/gdd.conf.sample.
4. Notice for Win32
gdd works on Windows 2000 and Windows XP.
In the Win32 case, the default directory (described as /usr/local/gdd) is the current directory. Win32
gdd doesn't check file or directory permissions. You cannot use the
'/' character to specify a directory; please use the '\' character.
If you specify the -N option, specify an IP address as the network interface.
If you execute gdd without any options, gdd starts in GUI mode.
5. Caution
Currently, this program may have some bugs. There is a possibility that
the host running gdd can be attacked remotely and locally (especially by
DoS attack). Use of this program constitutes acceptance for use in an AS
IS condition. There are NO warranties with regard to this program. In no
event shall we be liable for any damages whatever arising out of or in
connection with the use or spread of this program. However, we would like
to improve this program; if you find a bug in this program, or have any comment
to improve it, please e-mail webmaster@shadowpenguin.org.
We recognize that this program can also be used for system cracking purposes.
We hope that this program is not used by crackers or script kiddies.
6. License
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your option)
any later version. This program is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
7. Thanks
I would like to thank the following people who helped me.
The gdd package contains the following software. See the readme or source file of each piece of software.