BUTTSniffer Documentation
Version 0.9.3
Copyright (C) 1998, Cult of the Dead Cow
Written by DilDog (dildog@l0pht.com)
http://www.cultdeadcow.com/~dildog/BUTTSniffer

See the webpage for current information on the progress of this software.
Currently, only filter documentation is here; more will be added as
development progresses.

BUTTSniffer Filters
-------------------

About IP and Port Filtering

BUTTSniffer supports IP and port filtering on the sniffed information. There
are a number of ways to invoke port filtering. One is from the interactive
mode through the configure menu option, the other is through the direct disk
dump option (EXE "-d" option, or DLL, function _Dump()). Either way, the
filtering is the same, but with slightly different syntax, obviously.

To supply the direct disk dumper with a filter, you can use any of the
following syntaxes: (replace with an interface name returned from '-l' or
_List())

EXE: buttsniff -d c:\foo.dmp p 80
DLL: _Dump c:\foo.dmp p 80

This syntax logs only port 80 to a file 'foo.dmp'.

EXE: buttsniff -d c:\foo.dmp p 60-100
DLL: _Dump c:\foo.dmp p 60-100

This syntax logs only ports 60 through 100 to a file 'foo.dmp'.

EXE: buttsniff -d c:\foo.dmp p fnord.fil
DLL: _Dump c:\foo.dmp p fnord.fil

This syntax reads in a file named 'fnord.fil' and uses the filtering rules
in the file to filter based on IP and port.

Note that there is no way to filter specific IP addresses unless you use the
'filter file' option (third example above). The filtering only works on dump
type 'p' at this time. In the future, there may be IP filtering on the
command line, and possibly on the 'i' dump type, and possibly ethernet
filtering on all options if demand is strong.

The syntax of a filter file is simply a series of lines with a single filter
rule per line. Filter rules are parsed 'top to bottom', and ALL filter rules
are parsed before a decision is made on whether or not to reject a packet.

A filter rule can take one of the following forms:

IP Rules:

  {+-}a.b.c.d

Where a, b, c, and d are numbers representing an IP address. If a, b, c, or
d are '*', that particular field is matched for all possible numbers.
+ indicates inclusion, - exclusion.

examples:

  +192.168.55.*   matches everything in the 192.168.55 subdomain and
                  includes it in the list of things to be sniffed.
  -*.*.*.*        matches all IP addresses and excludes them from the list
                  of things to be sniffed.

Port Rules:

  {+-}port
  {+-}loport-hiport

Where 'port', 'loport' and 'hiport' are single numbers in the range 0-65535.
If both loport and hiport are specified, hiport must be greater than or
equal to loport.

examples:

  +80        includes every packet that is coming from or to port 80 in
             the list of things to be sniffed.
  -0-65535   excludes a packet destined for any port from the list of
             things to be sniffed.

An empty rule file is taken to mean that you want to collect EVERYTHING.

Here are a few practical examples:

To capture the telnet sessions from/to the machine 10.0.0.5, use this file:

  -*.*.*.*
  +10.0.0.5
  -0-65535
  +23

To capture the information going to/from all non-privileged ports on the
10.0.0 subnet, use the following:

  -*.*.*.*
  +10.0.0.*
  -0-1023

To capture all of the packets that are NOT going to or from the 10.0.0
subnet, use the following:

  -10.0.0.*

Got it? Good. Now don't ask me any questions, unless you think you've found
a bug.

Also, if a rule is malformed in a filter file, that rule will be IGNORED.
Files such as this:

  -*.*.*.*
  +mydog'sbutt
  -0-65535
  +80

end up being parsed like this:

  -*.*.*.*
  -0-65535
  +80

As for the interactive mode sniffing, the format is the same as the file,
except you're given a nice little form to type your rules into. One caveat
is that when you are entering a single port rule, such as "+80", you must
enter it as "80 - 80" in the interactive system. Also note the use of and
toggles instead of the + and -.

Bow to the Cow, bizatches.
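To make the rule grammar and the practical examples above concrete, here is an added Python model of a filter file (example code, not BUTTSniffer's own): it parses rules, drops malformed lines as the docs say, and decides a packet with the last matching IP rule and the last matching port rule each winning, an empty file accepting everything. The last-match-wins reading and treating "from or to" as either endpoint are assumptions drawn from the examples, not something the docs state outright.

```python
import re

# {+-}a.b.c.d with '*' wildcards, and {+-}port or {+-}loport-hiport
IP_RE = re.compile(r"^([+-])(\*|\d{1,3})\.(\*|\d{1,3})\.(\*|\d{1,3})\.(\*|\d{1,3})$")
PORT_RE = re.compile(r"^([+-])(\d{1,5})(?:-(\d{1,5}))?$")

def parse_rules(text):
    """Return (ip_rules, port_rules); any line matching neither form is ignored."""
    ip_rules, port_rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IP_RE.match(line)
        if m:
            octets = m.groups()[1:]
            if all(o == "*" or int(o) <= 255 for o in octets):
                ip_rules.append((m.group(1) == "+", octets))
            continue
        m = PORT_RE.match(line)
        if m:
            lo = int(m.group(2))
            hi = int(m.group(3)) if m.group(3) is not None else lo
            if lo <= hi <= 65535:          # hiport must be >= loport
                port_rules.append((m.group(1) == "+", lo, hi))
        # anything else (e.g. +mydog'sbutt) is malformed and silently dropped
    return ip_rules, port_rules

def ip_matches(pattern, ip):
    return all(p == "*" or int(p) == int(o) for p, o in zip(pattern, ip.split(".")))

def accept(rules, src_ip, src_port, dst_ip, dst_port):
    """Assumed semantics: every rule is applied in order; the last matching
    IP rule and the last matching port rule decide; the default is capture."""
    ip_rules, port_rules = rules
    keep_ip = keep_port = True             # empty rule file = capture EVERYTHING
    for include, pat in ip_rules:
        if ip_matches(pat, src_ip) or ip_matches(pat, dst_ip):
            keep_ip = include
    for include, lo, hi in port_rules:
        if lo <= src_port <= hi or lo <= dst_port <= hi:
            keep_port = include
    return keep_ip and keep_port

# Constructed sample: the telnet rule file from the docs plus one malformed line.
TELNET_RULES = parse_rules("-*.*.*.*\n+10.0.0.5\n+mydog'sbutt\n-0-65535\n+23\n")
```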