NAST - Network Analyzer Sniffer Tool

DESCRIPTION

Nast is a packet sniffer and a LAN analyzer based on Libnet and Libpcap. It can sniff the packets on a network interface in normal or promiscuous mode and log them. It dumps the packet headers and the payload in ASCII or ASCII-hex format. You can apply a filter. The sniffed data can be saved to a separate file.

As an analyzer tool, it has many features, such as:

* Build LAN hosts list
* Follow a TCP-DATA stream
* Find LAN internet gateways
* Discover promiscuous nodes
* Reset an established connection
* Perform a single half-open portscan
* Perform a multi half-open portscan
* Find link type (hub or switch)
* Catch daemon banners of LAN nodes
* Control ARP answers to discover possible ARP spoofing
* Byte counting with an optional filter
* Write report logs

It also provides a new ncurses interface.

FEATURES

Below are the command line switches for NAST, with a description of what each does.

-ipdxf
    Packet sniffer with filter and other options. Nast can sniff and log the captured packets in ASCII or ASCII-HEX format. You can use a pcap-filter and set promiscuous mode.

-T -R
    Save and load in tcpdump format. Use -T to save captured packets in tcpdump format and -R to load them.

--ld
    Log captured data (payload only). Use -l to log all packets instead; useful with -B.

-m
    Create a host LAN list. Maps the LAN by sending a series of ARP requests to sequential subnet IP addresses.

-s
    Follow a TCP stream. Nast can follow a TCP/IP stream and view all data in transfer. You must specify the IP addresses of the endpoints.

-g
    Try to find possible internet gateways. We send a SYN packet to a public host on port 80 through each LAN host in sequence; if a SYN-ACK comes back, we have found the gateway.

-P
    Check other NICs on the LAN for the promisc flag. By sending a fake ARP broadcast, we can determine whether a NIC is in promiscuous mode or not.
    If the checked host is in promiscuous mode it will answer with an ARP response; otherwise it drops the packet. Note: this method doesn't work with all operating systems. Use -P all to query all NICs on the network.

-r
    Destroy an established connection. You must specify the IP addresses of the endpoints and at least one port. Please pay attention when using this function. This feature works only if we can read the SEQ and ACK numbers, because the RST mechanism depends on them.

-S
    Performs a half-open port scan on the selected host. It also tries to determine some firewall (iptables only) rules. About this technique, nmap says: "This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and you wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non-listener. If a SYN|ACK is received, a RST is immediately sent to tear down the connection (actually our OS kernel does this for us). The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets."

-M
    Performs a multi port scan. Same as above, but done on all hosts of the LAN.

-L
    Tries to determine what type of link is used in the LAN (hub or switch). Is there a hub or a switch in the LAN segment? We can find out by sending a spoofed ICMP echo-request (for this to work there must be at least 3 hosts in the LAN and at least one of them must reply with an ICMP echo-reply).

-b
    Catch daemon banners. Checks the most common daemon banners on the LAN's hosts. You can customize the ports database by adding ports to the ports[] variable in main.c.

-c
    Verify whether someone is doing ARP poisoning by comparing ARP responses. Are you a sysadmin and do you want to look for possible ARP poisoning in your LAN? This option is for you!
    When run, Nast builds a database of all network nodes (IP and MAC address), then sniffs ARP responses to verify the correctness of each IP-MAC address association. Remember to run Nast when you are sure that nobody is doing ARP poisoning, then relax and check the program output :-)

-C
    Byte counting. Applies traffic counting to <"filter"> (see the FILTER SYNTAX section in the manpage for syntax). Use -C any if you don't want to use a filter.

-G
    Ncurses interface. Runs Nast with the ncurses interface (only if compiled with ncurses support).

-l
    Basic logging. Use the -l flag to specify a logfile to log reports to. Works with many features.

-B
    Run in background as a daemon. Runs in the background as a daemon and turns off stdout (very useful for sniffer/stream/ARP control logging).

The NAST homepage is located at: http://nast.berlios.de/
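The check behind the -c option (a baseline IP-to-MAC table learned while the LAN is known to be clean, then every sniffed ARP reply compared against it) is small enough to show in full. The following is an added example written for this page, not code from the NAST package: it works on raw Ethernet/ARP bytes rather than through libpcap, and every address, frame and name in it (ArpWatch, build_arp_reply, the 192.168.1.x hosts, the de:ad:be:ef:00:01 MAC) is constructed for illustration.

```python
import struct

# Ethernet II + ARP constants for the frames this example handles.
ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_reply(frame: bytes):
    """Return (ether_src, sender_ip, sender_mac) for an Ethernet/ARP reply.

    Any frame that is not a well-formed IPv4-over-Ethernet ARP reply yields
    None, so the caller can feed it every frame seen on the wire.
    """
    if len(frame) < 14 + 28:                      # Ethernet header + ARP body
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_OP_REPLY:
        return None
    sender_mac = frame[22:28]
    sender_ip = frame[28:32]
    return _mac_str(frame[6:12]), _ip_str(sender_ip), _mac_str(sender_mac)


class ArpWatch:
    """Baseline IP -> MAC table plus the checks run over each ARP reply."""

    def __init__(self, baseline):
        # baseline: dict ip -> mac, learned while the LAN is known to be clean
        self.table = dict(baseline)
        self.alerts = []

    def observe(self, frame: bytes):
        """Inspect one frame; return an alert tuple or None."""
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return None
        ether_src, sender_ip, sender_mac = parsed
        alert = None
        if ether_src != sender_mac:
            # A genuine reply leaves the NIC it advertises, so an Ethernet
            # source that differs from the ARP sender MAC is suspicious.
            alert = ("header-mismatch", sender_ip, ether_src, sender_mac)
        else:
            known = self.table.get(sender_ip)
            if known is None:
                self.table[sender_ip] = sender_mac     # new node: learn it
            elif known != sender_mac:
                # The IP now claims a MAC other than the baseline one.
                alert = ("mac-changed", sender_ip, known, sender_mac)
        if alert is not None:
            self.alerts.append(alert)
        return alert


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, ether_src=None):
    """Construct a raw Ethernet+ARP reply frame (test data, not captured traffic).

    ether_src lets the demo build an inconsistent frame whose Ethernet source
    differs from the ARP sender hardware address.
    """
    def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
    def ip_bytes(s): return bytes(int(o) for o in s.split("."))
    eth = mac_bytes(target_mac) + mac_bytes(ether_src or sender_mac)
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_OP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def demo():
    """Run a constructed sequence of frames through ArpWatch; return the alerts."""
    gateway_ip, gateway_mac = "192.168.1.1", "00:11:22:33:44:55"   # constructed
    victim_ip, victim_mac = "192.168.1.10", "00:aa:bb:cc:dd:ee"    # constructed
    rogue_mac = "de:ad:be:ef:00:01"                                 # constructed
    watch = ArpWatch({gateway_ip: gateway_mac})
    frames = [
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip),  # legitimate
        build_arp_reply(victim_mac, victim_ip, gateway_mac, gateway_ip),  # new host, learned
        b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 40,            # IPv4 frame, ignored
        build_arp_reply(rogue_mac, gateway_ip, victim_mac, victim_ip),    # gateway IP, other MAC
        build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip,
                        ether_src=rogue_mac),                             # header mismatch
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for kind, ip, seen_a, seen_b in demo():
        print(f"ALERT {kind}: ip={ip} {seen_a} vs {seen_b}")
```

On a live system the frames would come from a pcap handle instead of the constructed list, and, as the -c description says, the baseline must be learned while nobody is poisoning the LAN. A changed MAC is also what a legitimate NIC replacement or DHCP lease reassignment looks like, so each alert is something to verify against the switch's MAC table rather than proof of an attack on its own.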