_ _ _
| | __ __ _ _ __ _ __ ___| | _(_)
| |/ / / ` | '_| '_ \ / __| |/ / |
| < | (_| | | | |_) |\__ \ <| |
|_|\_(_)__,_|| | ._(_)___/_|\_\_|
___________________|_|__________________
A free ethernet protocol analyzer / sniffer
Introduction
K.ARP.SKI (karpski) is an ethernet protocol analyzer / sniffer. Its abilities as a sniffer or scanner are limited, but this sniffer is much easier to use than other popular sniffers such as tcpdump. In addition, there is a protocol definition file in which other protocols can be added. Karpski may also be used to launch programs against addresses on your local network and as a local network intrusion tool. Plus, it's free with source.
Its display is an Xwindows display. This was a design decision based on my need to display many windows simultaneously. Console mode would just not cut it. I chose the Gtk display library because it's proven, portable and free. You may not like my choice; the source is included.
This program was originally based on my desire to detect someone plugging an unauthorized computer into a LAN. It did this originally by looking at ARP packets. This is where the arp in karpski comes from.
Features
-- XWindows + Gtk output
-- Identifies Raw 802.3, SNAP, 802.3/802.2 AND Ethernet II packets.
-- Threaded for good responsiveness
-- Allows for on screen watches of one connection or all traffic for a
particular network station.
-- Automatic location of network stations
-- Includes a frame/protocol description language to add other protocols.
-- Allows you to "freeze" a network list and have the program inform you
of when a new station comes up.
-- Allows to-disk captures of most frame type / protocol combos.
-- Allows to-disk captures of unidentifiable packets.
-- Allows one to launch user configurable programs at any IP speaking station
on your network.
-- Watch realtime statistics on your whole network or on a particular
station.
-- Plays a scanning sound (currently KITT's scanning sound from Knight Rider)
-- GNU GPL licensing - source code included; your freedom assured.
Protocols supported on any level
IP (UDP, ICMP, TCP, IGMP - all others identified only)
Ethertalk
Appletalk AARP
Novell
SNMP
Cisco ID packets (frame type 2000)
All IANA registered 802.3/802.2 Ethernet frames
Beta
Karpski is BETA software. I cannot guarantee that it will work on ANY systems other than mine. I cannot guarantee it will not bring your network to its knees (although that would be weird; it doesn't send any packets :)
Development platform
Redhat 5.0
Linux 1.2.117
gcc 2.8.1
Pentium 166
128M RAM
XFree-86 SVGA server
Gtk-1.04
Enlightenment DR 0.13.3
Installation
Read INSTALL and follow the directions. INSTALL is a file that should have come with your karpski distribution.
Usage
Just run karpski. The commandline argument is the ethernet device to use.
Buttons
Start - This starts the scanning process.
Stop - This stops the scanning process.
Log - This displays the log for the current session. A log
contains warning information (such as new addresses on the
network, vendors with unregistered IDs, etc.).
Overall stats - This displays the overall stats for all of the stations.
Connections - This displays a list of connections. Currently, only TCP
connections are supported. Clicking on a connection is
SUPPOSED to tell you what the status of its connection is
(open / half closed / closed), but it doesn't work yet in
a lot of cases.
Launch - Run a program, configured in your datdir (smashy.dat)
with the IP address being one of the parameters. If
there are no items in your smashy.dat file, this button
will be greyed out.
Watch - Watch all traffic to or from this MAC address.
Protocols - View a non-realtime view of the protocols used on the
network.
Info - Info about the highlighted MAC address. Shows similar
information
Quit - Quits! You will not currently be asked if you want to
save the current network. I had that option and it
bothered me because I'm still developing this.
Menus
Open list - This will open a previously saved network list and freeze
the current network list, making all new MAC addresses
log a warning.
Save list - This will save a network list and freeze the current
network list so that new MAC addresses generate a warning.
About - Displays the splash screen
Help - Displays fairly useless help and a good Simpsons quote :)
Also has the reference to the GPL.
Datfiles
I am not going to get into detail for protocol_parser.dat yet. I have not finished defining the language. It should be apparent what most of the commands do except for the number format.
protocol_parser.dat - This contains all of the packet parsing
information except for the ether frame parsing
which is done in proto.c. I am not going to go
into detail for protocol_parser.dat yet. I have
not finished defining the language. Some of the
language is easy. Most values can be defined as
either a number (absolute value) or by a description
of where to find it.
This number format is offset, len, mask, net order, shift where:
offset- The offset from within the packet (or subpacket)
len- The length of the number
mask- Any mask that needs to be applied to get the value.
net order- Is this in net order (1) or not (0)?
shift- A positive number means shift right, negative shift
left. Therefore, 2 is (n >> 2) and -1 is (n << 1).
capture_filters.dat - This file contains definitions for three kinds of
capture filters (capture filters capture packets
to disk). Karpski will only save the best fit.
Therefore, if you have a capture on frame 0x0800 and
a protocol capture on 0x800 / TCP, the TCP packet
would be written ONLY to the TCP output file.
- protoframe <frame_type> <protocol_name> <output_path>
This captures all packets that match the frame type AND
the protocol type to the file <output_path>.
- frame <frame_type> <output_path>
This captures all packets that have <frame_type> as their
frame type to the file <output_path>
- defcap <output_path>
This captures all packets that are an unknown frame type to
the file <output_path>.
scanner.au - This is the sound heard when you scan, if you have
scan sounds on (/dev/audio required). This sound
must be in Sun AU format. To see if your sound is
in the correct format, type cat yoursound.au >
/dev/audio.
splash_karpski.xpm - The splash screen.
smashy.dat - The launch commands and their descriptions (used by the Launch button).
vendor_codes.dat - A list of the various NIC vendors whose names can
be ascertained by the first three bytes of the MAC
address.
karpskirc - A Gtk rc style file for modifying the fonts that
karpski uses. I may use fonts that you don't use.
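As an added example, not karpski's own code and not taken from proto.c, the following C reader implements the protocol_parser.dat number format described above (offset, len, mask, net order, shift) and applies it to a constructed Ethernet II / IPv4 / TCP frame; the struct, function names and sample bytes are assumptions for illustration.

```c
/* Added example, not karpski's own code (proto.c is not reproduced here):
 * a reader for the protocol_parser.dat number format described above,
 * offset, len, mask, net order, shift. Names and the sample frame are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
struct numdesc {
    size_t   offset;   /* byte offset from within the packet (or subpacket) */
    size_t   len;      /* number of bytes the value occupies (1..4) */
    uint32_t mask;     /* mask applied after the bytes are assembled */
    int      netorder; /* 1 = network (big-endian) order, 0 = little-endian */
    int      shift;    /* > 0 shifts right, < 0 shifts left, as in the README */
};
/* Returns the described value, or -1 if it would read past the packet. */
long extract_num(const uint8_t *pkt, size_t pktlen, const struct numdesc *d)
{
    uint32_t v = 0;
    if (d->len < 1 || d->len > 4 || d->offset > pktlen || d->len > pktlen - d->offset)
        return -1;                          /* bounds check before touching memory */
    for (size_t i = 0; i < d->len; i++) {
        size_t idx = d->netorder ? i : d->len - 1 - i;
        v = (v << 8) | pkt[d->offset + idx];
    }
    v &= d->mask;
    if (d->shift > 0)      v >>= d->shift;
    else if (d->shift < 0) v <<= -d->shift;
    return (long)v;
}

/* Constructed sample: Ethernet II / IPv4 / TCP SYN-ACK, headers only (54 bytes). */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00, /* Ethernet */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,             /* IPv4 */
    0xc0,0xa8,0x01,0x02, 0xc0,0xa8,0x01,0x03,
    0x04,0xd2,0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x12,0x20,0x00, 0,0,0,0 };     /* TCP */
/* Apply one number description to the sample frame. */
long sample_field(size_t off, size_t len, uint32_t mask, int net, int shift)
{
    struct numdesc d = { off, len, mask, net, shift };
    return extract_num(sample_frame, sizeof sample_frame, &d);
}

int main(void)
{
    printf("ethertype %ld\n",    sample_field(12, 2, 0xffff, 1, 0));  /* 2048 = 0x0800 */
    printf("IP hdr bytes %ld\n", sample_field(14, 1, 0x0f, 1, -2));   /* 20: (n & 0xf) << 2 */
    printf("TCP flags %ld\n",    sample_field(47, 1, 0x3f, 1, 0));    /* 18 = 0x12, SYN+ACK */
    return 0;
}
```

The negative shift case shows why the README's sign convention matters: the IPv4 IHL field is in 32-bit words, so mask 0x0f with shift -2 yields the header length in bytes directly.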
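The best-fit rule for capture_filters.dat described above, as an added example that is not karpski's own code: it parses the three filter kinds and picks the single output file a packet would be written to, using a constructed three-line filter file. The parser, the chooser and the `identified` flag (standing in for whether karpski recognised the frame type) are assumptions.

```c
/* Added example (not karpski's code): best-fit rule for capture_filters.dat; parser, chooser and sample lines are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum kind { PROTOFRAME, FRAME, DEFCAP };   /* ordered most to least specific */
struct capfilter { enum kind kind; long frame_type; char protocol[16]; char path[64]; };

/* Parse one dat-file line into f; 0 on success, -1 on a malformed line. */
int parse_filter(const char *line, struct capfilter *f)
{
    char ft[16] = "0";                     /* defcap lines carry no frame type */
    memset(f, 0, sizeof *f);
    if (sscanf(line, "protoframe %15s %15s %63s", ft, f->protocol, f->path) == 3)
        f->kind = PROTOFRAME;
    else if (sscanf(line, "frame %15s %63s", ft, f->path) == 2)
        f->kind = FRAME;
    else if (sscanf(line, "defcap %63s", f->path) == 1)
        f->kind = DEFCAP;
    else return -1;
    f->frame_type = strtol(ft, NULL, 0);   /* "0x0800" and "0x800" parse alike */
    return 0;
}

/* Choose the one output file for a packet: protoframe beats frame, and defcap
 * applies only to frames karpski could not identify. NULL = not captured. */
const char *best_fit(const struct capfilter *fs, size_t n, int identified,
                     long frame_type, const char *protocol)
{
    const struct capfilter *best = NULL;
    for (size_t i = 0; i < n; i++) {
        const struct capfilter *f = &fs[i];
        int match = f->kind == DEFCAP ? !identified
                  : identified && f->frame_type == frame_type &&
                    (f->kind == FRAME || (protocol && !strcmp(f->protocol, protocol)));
        if (match && (!best || f->kind < best->kind))   /* lower enum = more specific */
            best = f;
    }
    return best ? best->path : NULL;
}

/* Constructed three-line capture_filters.dat, loaded into a file-scope table. */
static struct capfilter filters[3];
size_t load_sample_filters(void)
{
    static const char *lines[] = { "protoframe 0x0800 TCP tcp.cap", "frame 0x800 ip.cap", "defcap unknown.cap" };
    size_t n = 0;
    for (size_t i = 0; i < 3; i++)
        if (parse_filter(lines[i], &filters[n]) == 0) n++;
    return n;
}
```

With these three lines, an IPv4 TCP segment goes only to tcp.cap, an IPv4 UDP datagram falls back to ip.cap, and an unidentified frame lands in unknown.cap; a recognised frame type with no matching filter is not captured at all.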
Code
karpski uses libpcap by The Lawrence Berkeley Labs people (ftp ftp.ee.lbl.gov). You need it for this to run.
I chose pcap and Gtk because these should theoretically be easily portable. Gtk should run on all popular UNIX platforms, as should pcap. Unfortunately, I don't have any other test systems, so I have to rely on users' success stories.
My code is ugly, I use globals everywhere and I comment only some of my routines. Sorry, I have an excuse! I added onto this piece by piece.
BUGS
If you find a bug, send me a report! I'll try to help with any weirdness, but please try running another Gtk app before you ask me for help. If you've followed the instructions in INSTALL, done a make install, and you have a properly working Gtk v1.0 or later, you can send me mail at btx@calyx.net.
Make sure that you have the latest version of karpski, currently available at http://mojo.calyx.net/~btx/karpski.html
