SANS Internet Storm Center

justniffer a Packet Analysis Tool
Are you looking for another packet sniffer? justniffer is a packet sniffer with some interesting features. According to the author, this packet sniffer can rebuild and save HTTP file content sent over the network. "It uses portions of Linux kernel source code for handling all TCP/IP stuff. Precisely, it uses a slightly modified version of the libnids libraries that already include a modified version of Linux code in a more reusable way."[1] The tarball can be downloaded here and a package is already available for Ubuntu. The binary execution is pretty straightforward, you can capture/read of the wire or replay captured pcap files. This example (using -l option for custom log format) will output the Time, Destination IP, Website and URL: justniffer -l "%request.timestamp %dest.ip %request.header.host %request.url" -f file.pcap 11/01/14 17:31:42 208.65.75.22 www.blackberry.com /select/wifiloginsuccess/EN/ 11/01/14 13:08:45 23.67.251.66 init.ess.apple.com /WebObjects/VCInit.woa/wa/getBag?ix=1 11/01/14 12:55:27 74.125.226.88 fonts.gstatic.com /s/droidserif/v6/0AKsP294HTD-nvJgucYTaOL2WfuF7Qc3ANwCvwl0TnA.woff2 11/01/14 12:55:26 74.125.193.95 fonts.googleapis.com /css?family=Droid+Serif:regular\|Crimson+Text:italic It also comes with a script justniffer-grab-http-traffic (a python script) that output the web content (html, javascript, images,etc) captured in the traffic to a directory. This is an example of running the python script against an interface, all the traffic gets saved in /tmp/web_traffic. justniffer-grab-http-traffic -d /tmp/web_traffic -U nobody -i eth1 It can decode other protocols by reading them in "raw" format. For example, just reading an email without any options output the follow summary information: root@sniffer:/tmp/justniffer -f mail_mime.pcap 192.168.37.202 - - [-] "" test.mail.ca 0 "" "" 192.168.37.202 - - [29/Dec/2008:19:35:08 -0500] "HELO web88101.mail.re2.yahoo.com" mail.server.ca 0 "" "" 192.168.37.202 - - [29/Dec/2008:19:35:08 -0500] "MAIL FROM:" 2.1.0 0 "" "" 192.168.37.202 - - [29/Dec/2008:19:35:08 -0500] "RCPT TO:" 2.1.5 0 "" "" 192.168.37.202 - - [29/Dec/2008:19:35:08 -0500] "DATA" Enter 0 "" "" 192.168.37.202 - - [29/Dec/2008:19:35:10 -0500] "Received: (qmail 5457 invoked by uid 60001); 30 Dec 2008 00:35:02 -0000" 2.0.0 0 "" "" 192.168.37.202 - - [29/Dec/2008:19:35:10 -0500] "QUIT" 2.0.0 0 "" "" Adding "raw" now to the output with -r and it decode the traffic in its entirety including dumping the raw base64 attachment: root@sniffer:/tmp/justniffer -f mail_mime.pcap -r 220 test.mail.ca ESMTP Sendmail 8.13.8+Sun/8.13.8; Mon, 29 Dec 2008 19:35:08 -0500 (EST) HELO web88101.mail.re2.yahoo.com 250 test.mail.ca Hello web88101.mail.re2.yahoo.com [206.190.37.202], pleased to meet you MAIL FROM: 250 2.1.0 ... Sender ok RCPT TO: 250 2.1.5 ... Recipient ok DATA 354 Enter mail, end with "." on a line by itself [...] This is another tool alternative to capture and analyze traffic that can be added to your tool bag. Give it a try. [1] http://justniffer.sourceforge.net [2] http://justniffer.sourceforge.net/#!/justniffer_grab_http_traffic [3] http://justniffer.sourceforge.net/#!/examples ----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu	Guy 515 Posts ISC Handler Nov 3rd 2014
Thread locked Subscribe	Nov 3rd 2014 7 years ago
I especially like the way that justniffer-grab-http-traffic uncompresses gzip-encoded web content, a feature that for me was quite hard to find in command line sniffing tools.	Anonymous
Quote	Nov 3rd 2014 7 years ago