-
Notifications
You must be signed in to change notification settings - Fork 2
/
README
executable file
·85 lines (58 loc) · 3.06 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
EnderUNIX Hafiye 1.0 README
---------------------------
This is the README file for Hafiye release 1.0.
When I looked at the source code for various famous sniffers, I've
noticed that they all had all seperate .C files for interpreting
various protocols. Why not have a sniffer that can understand
user-supplied protocol details? Here it is.
You'll notice that under $HAFIYEDIR/KB directory, there are several
subdirectories, LII, LIII, LIV. Under these directories, there should
be knowledge-base configuration files for the protocols. For example,
to make hafiye know about IP Protocol, you'll need to write a file
about IP and put it under LII, since IP is a layer II protocol.
Similarly, to teach hafiye about TCP, there is a need for a file
for TCP under LIII directory.
If you want to learn how to write configuration files, take a look
at the file named README.configfile. You'll find enough information
to write one.
When fired, Hafiye first visits each sub-directory under its knowledge-base
directory and opens to see whether it is a protocol knowledge-base file.
If so, It loads the necessary information from that file and places it
into its memory space.
After constructing the supplied knowledge-base, Hafiye starts looping
for receiving packets. When a packet arrives, it demultiplexes the
layers according to its knowledge-base and prints protocol-based
information.
If you wonder how to compile Hafiye, INSTALL file is there for you
to read.
Well, assuming that you've read README.configfiles and INSTALL, you
should've had a working Hafiye installation.
To see what you can do with Hafiye, type
# hafiye -h
and it'll print you available options. For the present time, there are
only four options:
-i you can specify an interface to listen on. This is useful
if you have multiple interfaces to listen on, and you want
to work on a specific interface.
-k specify a location that hosts your knowledge-base files.
By default, this location is /usr/local/share/hafiye
-d shows debugging information. this may be necessary while
debugging your knowledge-base files.
-p put the listening interface into promiscous mode. Promisc
mode is a mode when your machines gets interested in every
packet it can see regardless of whehter the packet is
addressed to itself or not. Anyway, if you're reading
this documentation, you should already know this...
-n packet count. If you specify an amount with this option,
hafiye will read that much packets and it'll exit afterwards.
-t read timeout. If there comes no packet within this time,
we give up sniffing anymore.
these are "options", which means you'll have the freedom not to supply
anyone of them and accept defaults.
After the options, you can specify a pcap filter. This is the same
filter you use with tcpdump. Just have a look at the tcpdump man page
to see what you can do!
If you fire hafiye without any options or pcap filter, hafiye will
put itself into non-promisc mode, and it'll capture and intepret
each and every packet that it can handle.
Ok, here it is. Enjoj!