Free packets software for linux

ARPSpoofDetector performs active and passive detection of ARP spoofing and IP (IPv4) address collision. The program can send healing packets with regular ARP information.
ARPSpoofDetector is new GPL project initialized by NetMasters.CZ customers (specially 100MEGA Distribution). We didnt find suitable intrusion detection system or another applicable software to solve ARP spoofing detection and IP collision without false alarms and with easy configuration for our customers.
Main features:
- passive ARP spoofing detection from broadcast ARP reply packets
- passive IP collision detection from broadcast ARP packets and netbios packets
- active IP collision detection by sending ARP request packets
Log example:
Mon Jul 23 21:49:26 2007
Warning: IP 192.168.1.10 collision detected!
SERVER MAC address: 00:4f:ED:7C:3A:B9
ATTACKER MAC address: 00:20:38:7C:3A:CE
Attacker NETBIOS name: PERSEUS
Attacker NETBIOS group: WORKGROUP
Last attacker IP was 192.168.1.9
IP changes history:
From: Mon Jul 23 21:48:47 2007 To: Mon Jul 23 21:49:10 2007 was IP 192.168.1.3 (maybe over DHCP)
From: Mon Jul 23 21:49:10 2007 To: Mon Jul 23 21:49:26 2007 was IP 192.168.1.6 (maybe over DHCP)

Nulog is a firewall log analysis interface written in php. Netfilter is able to log selected packets directly in a database like MySQL or PostgreSQL.
Nulog uses this interface to display security events in real-time on a user-friendly interface.
Main features:
- show the last hosts that sent packets that got blocked by your firewall.
- show the last ports that hosts tried to open.
- search for packets logged from an host.
- search for packets logged for a given port.
- search for packets logged for a given user.
Installation
Settings up the database
To use it, create a mysql database ulogd, tape as root :
mysqladmin create ulogd
Next, populate the database using ulogd.mysqldump :
cat ulogd.mysqldump | mysql -u USER -p ulogd
Put your user and password in include/require.inc.
Note
The database is not the standard mysql database for ulogd. It add a few tables and indexes to have thing work fast.
Settings up netfilter
If you don?t use EdenWall or NuFW, you need to configure your netfilter installation.
Now you can log into the database. To log bad packet you have to use use ULOG
iptables -A FORWARD -j ULOG --ulog-nlgroup 1 --ulog-prefix "badif"
Enhancements:
- This release can use MySQL triggers instead of PHP code to compute statistical data.

Perro software is a set of three daemons that logs incoming IP/TCP, IP/UDP and IP/ICMP packets. Also produces detailed logs.

Installation:

1) cd src
3) Edit the Makefile (only to set the install and log directories if you want a non-standard one).
4) make
5) make install

ippl is a daemon which logs IP packets sent to a computer. It runs in the background, and displays information about the incoming packets.
Criteria can be used to specify what packets should be logged and what packets should be ignored.
ippl is free software and its licensed under the GPL license.
To run ippl, you will need a Linux system with a libc version 5 or higher. If you have libc version 5, you need to install the pthread library.
We would like it to run on a wide range of different Un*xes. For the moment, it only runs on Linux systems. If you are running another operating system and you would like to port ippl to it, please tell us.
Note that the development version should work with much more Un*ces systems, as it was entirely rewritten to use libpcap. I have currently run it on Linux (glibc2.1) and Solaris 2.6. I need some feedback from *BSD users, as I do not have a BSD system to compile it (I am aware of a limitation, due to the non-existent function, pthread_cancel on some Un*ces, and I am working on the problem).
Enhancements:
- ignore all and log all are now available
- fixed a minor memory leak

Net::DHCP::Packet is a Perl module with object methods to create a DHCP packet.

SYNOPSIS

use Net::DHCP::Packet;

my $p = new Net::DHCP::Packet->new(
Chaddr => 000BCDEF,
Xid => 0x9F0FD,
Ciaddr => 0.0.0.0,
Siaddr => 0.0.0.0,
Hops => 0);

Represents a DHCP packet as specified in RFC 1533, RFC 2132.

CONSTRUCTOR

This module only provides basic constructor. For "easy" constructors, you can use the Net::DHCP::Session module.

new( )

new( BUFFER )

new( ARG => VALUE, ARG => VALUE... )

Creates an Net::DHCP::Packet object, which can be used to send or receive DHCP network packets. BOOTP is not supported.

Without argument, a default empty packet is created.

$packet = Net::DHCP::Packet();

A BUFFER argument is interpreted as a binary buffer like one provided by the socket recv() function. if the packet is malformed, a fatal error is issued.

use IO::Socket::INET;
use Net::DHCP::Packet;

$sock = IO::Socket::INET->new(LocalPort => 67, Proto => "udp", Broadcast => 1)
or die "socket: $@";

while ($sock->recv($newmsg, 1024)) {
$packet = Net::DHCP::Packet->new($newmsg);
print $packet->toString();
}

To create a fresh new packet new() takes arguments as a key-value pairs :

ARGUMENT FIELD OCTETS DESCRIPTION
-------- ----- ------ -----------

Op op 1 Message op code / message type.
1 = BOOTREQUEST, 2 = BOOTREPLY
Htype htype 1 Hardware address type, see ARP section in "Assigned
Numbers" RFC; e.g., 1 = 10mb ethernet.
Hlen hlen 1 Hardware address length (e.g. 6 for 10mb
ethernet).
Hops hops 1 Client sets to zero, optionally used by relay agents
when booting via a relay agent.
Xid xid 4 Transaction ID, a random number chosen by the
client, used by the client and server to associate
messages and responses between a client and a
server.
Secs secs 2 Filled in by client, seconds elapsed since client
began address acquisition or renewal process.
Flags flags 2 Flags (see figure 2).
Ciaddr ciaddr 4 Client IP address; only filled in if client is in
BOUND, RENEW or REBINDING state and can respond
to ARP requests.
Yiaddr yiaddr 4 your (client) IP address.
Siaddr siaddr 4 IP address of next server to use in bootstrap;
returned in DHCPOFFER, DHCPACK by server.
Giaddr giaddr 4 Relay agent IP address, used in booting via a
relay agent.
Chaddr chaddr 16 Client hardware address.
Sname sname 64 Optional server host name, null terminated string.
File file 128 Boot file name, null terminated string; "generic"
name or null in DHCPDISCOVER, fully qualified
directory-path name in DHCPOFFER.
IsDhcp isDhcp 4 Controls whether the packet is BOOTP or DHCP.
DHCP conatains the "magic cookie" of 4 bytes.
0x63 0x82 0x53 0x63.
DHO_*code Optional parameters field. See the options
documents for a list of defined options.
See Net::DHCP::Constants.
Padding padding * Optional padding at the end of the packet

See below methods for values and syntax descrption.

Note: DHCP options are created in the same order as key-value pairs.

Host enumeration is the act of determining the IP address of potential targets on a network. This can be done in both layer 2 and layer 3. Icmpenum project can send ICMP traffic for such enumeration.

The ICMP packets supported are: Echo, Timestamp, Information and Netmask. Furthermore, it supports spoofing and promiscuous listening for reply packets. Icmpenum is great for enumerating networks which allow ICMP traffic.

IPTables::IPv4::IPQueue is a Perl extension for libipq.

SYNOPSIS

use IPTables::IPv4::IPQueue qw(:constants);

$queue = new IPTables::IPv4::IPQueue();
$msg = $queue->get_message();
$queue->set_verdict($msg->packet_id(), NF_ACCEPT)

$queue->set_mode(IPQ_COPY_PACKET, 2048);

IPTables::IPv4::IPQueue->errstr;

undef $queue;

Perlipq (IPTables::IPv4::IPQueue) is a Perl extension for iptables userspace packet queuing via libipq.

Packets may be selected from the stack via the iptables QUEUE target and passed to userspace. Perlipq allows these packets to be manipulated in Perl and passed back to the stack.

More information on userspace packet queueing may be found in libipq(3).