Free packet software for linux

aircrack is a 802.11 sniffer and WEP/WPA key cracker.
It consists of: airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).
Enhancements:
- airodump: show probing clients as "not associated"
- airodump: dont substract the noise level unless madwifi
- airodump: fixed channel hopping with old orinoco
- airmon.sh: added detection of the zd1211 driver

raddump interprets captured RADIUS packets to print a timestamp, packet length, RADIUS packet type, source and destination hosts and ports, and included attribute names and values for each packet.
Enhancements:
- Added support for IEEE 802.1q tagged VLAN frames.

Aps is a small tool for analyzing network traffic. It prints out a great deal of information about the relevant protocols including TCP, UDP, ARP, and ICMP.
It allows you to filter IP addresses, hardware addresses, ports, and specific protocols. It comes with a little GTK-GUI displaying packet counters for each protocol.
APS tries to print detailed info about network frames that are received from the SOCK_RAW (ETH_P_ALL) socket. I am not sure if this is the clean way, but it works fine. APS prints info about the hardware layer and the IP and TCP/UDP/ICMP header.
The tail of the packet (mostly the data) wich could not be interpreted is written on the screen as ascii/hex-dump or both (your choice).
Example
HW-ADDR: 00:60:8c:f6:40:96 -----> 00:80:ad:30:8f:3b
IP-ADDR: 192.168.17.52 -----> 192.168.17.50
IP-Ver4 || Head:0x0a (bytes) || Service(TOS):16 || Length over all:0061
Fragmentation: ID:0x4079 - Flags: 0 1 0 - Offset:00000
TTL:064 || Protokoll:006 (TCP) || HeaderCRC:0x567b
TCP-HEADER:
Ports: 0023-->1034 (telnet) Seq./Ack. Nr.:0x70843468 / 0xeae29434
Data-Offset:0x05 Reserved-6Bit:00 Flags:-urg-ACK-PSH-rst-syn-fin-
Window:0x7fe0 CRC:0x9420 Urgent-Pointer:0x0000
73 61 74 75 72 6e 32 3a 2f 73 72 76 2f 70 72 69 6e 74 71 23 20
HW-ADDR: 52:54:40:25:8d:88 -----> ff:ff:ff:ff:ff:ff
SAMBA/NetBios
e0 e0 03 ff ff 00 22 00 11 00 00 00 00 ff ff ff ff ff ff 04 52 00 00 00 00 52
40 25 8d 88 40 08 00 03 00 04 20 20 20 20 20 20 20 20 20
HW-ADDR: 00:80:ad:30:8f:3b -----> 00:60:8c:f6:40:96
IP-ADDR: 192.168.17.50 -----> 194.112.123.200
IP-Ver4 || Head:0x0a (bytes) || Service(TOS):0 || Length over all:0029
Fragmentation: ID:0x29ae - Flags: 0 0 0 - Offset:00000
TTL:064 || Protokoll:001 (ICMP) || HeaderCRC:0x411f
echo request CODE:0x0 CRC:0xf9f5 SIG:0x602 NUM:0x0
00 ea
Enhancements:
- added break for Packet-counter and fixed some minor bugs

nf-HiPAC is a full featured packet filter for Linux which demonstrates the power and flexibility of HiPAC. HiPAC is a novel framework for packet classification which uses an advanced algorithm to reduce the number of memory lookups per packet. nf-hipac package is ideal for environments involving large rulesets and/or high bandwidth networks.

nf-HiPAC provides the same rich feature set as iptables, the popular Linux packet filter. The complexity of the sophisticated HiPAC packet classification algorithm is hidden behind an iptables compatible user interface which renders nf-HiPAC a drop-in replacement for iptables. Thereby, the iptables semantics of the rules is preserved, i.e. you can construct your rules like you are used to. From a users point of view there is no need to understand anything about the HiPAC algorithm.

The nf-hipac userspace tool is designed to be as compatible as possible to iptables -t filter. It even supports the full power of iptables targets, matches and stateful packet filtering (connection tracking) besides the native nf-HiPAC matches. This makes a switch from iptables to nf-HiPAC very easy. Usually it is sufficient to replace the calls to iptables with calls to nf-hipac for your filter rules.

Why another packet filter?

Performance:

iptables, like most packet filters, uses a simple packet classification algorithm which traverses the rules in a chain linearly per packet until a matching rule is found (or not). Clearly, this approach lacks efficiency. As networks grow more and more complex and offer a wider bandwidth linear packet filtering is no longer an option if many rules have to be matched per packet. Higher bandwidth means more packets per second which leads to shorter process times per packet. nf-HiPAC outperforms iptables regardless of the number of rules, i.e. the HiPAC classification engine does not impose any overhead even for very small rule sets.

Scalability to large rulesets:

The performance of nf-HiPAC is nearly independent of the number of rules. nf-HiPAC with thousands of rules still outperforms iptables with 20 rules.

Dynamic rulesets:

nf-HiPAC offers fast dynamic ruleset updates without stalling packet classification in contrast to iptables which yields bad update performance along with stalled packet processing during updates.

netAI comes from Network Traffic based Application Identification and has been developed for identifying the end host applications that are responsible for traffic flows in the network.
Unlike previous solutions that identify the application based on port numbers or packet payload (either through protocol decoding or signatures) netAI computes various payload independent features (e.g. packet length and packet inter-arrival time statistics) for a traffic flow and uses machine learning (ML) techniques.
ML is a discipline of the wider area of Artificial Intelligence (AI). Before netAI can be used to classify a particular application it must be trained on a representative set of traffic flows of that application. netAI can be used offline (reading packet data from tracefiles) and online (live capturing on network interfaces).
Main features:
- Reading packet data from live network interfaces or tracefiles (tcpdump or Endance format)
- Direct creation of WEKA data files (.arff files) from the packet data
- Interim flow information export (while flows are still active), TCP and time-based flow timeouts
- Flexible packet classification and filtering thanks to NetMate
- New features can be easily added and used
- Flexible selection of features to be used for classification
- A large number of machine learning algorithms can be used thanks to WEKA
- Feature extraction and ML based flow classification can be run on different machines - feature extractor supports data export via UDP or TCP

Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets. It provides a portable and simplified interface for low-level network packet shaping, handling and injection.

Libnet hides much of the tedium of packet creation from the application programmer such as multiplexing, buffer management, arcane packet header information, byte-ordering, OS-dependent issues, and much more.

Libnet features portable packet creation interfaces at both the IP-layer and link-layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort.

With a bit more time, more complex programs can be written (Traceroute and Ping were easily rewritten using libnet and libpcap).

Libnet was designed and is primarily maintained by Mike D. Schiffman (mike at infonexus dot com) and a host of other people (please see the libnet documentation for the complete list of contributers).

This is an open-source project. Donations are welcomed.

Zodiac is a DNS protocol analyzation and exploitation program. Zodiac project is a robust tool to explore the DNS protocol.
Internally it contains advanced DNS routines for DNS packet construction and disassembling and is the optimal tool if you just want to try something out without undergoing the hassle to rewrite DNS packet routines or packet filtering.
Main features:
- sniffing on all kinds of configured devices (Ethernet, PPP, ...)
- capturing and decoding nearly all types of DNS packets, including packet decompression
- ncurses driven text based frontend with interactive commandline and multiple windows
- threaded design allow more flexibility when adding your own features
- clean code, commented and tested just fine, ready for you to extend :-)
- internal DNS packet filtering allows installation of pseudo DNS filters you can "select()" on
- a large set of DNS packet construction primitives
- DNS name server versioning using BIND version requests
- DNS local spoofing, answering DNS queries on your LAN before the remote NS
- DNS jizz spoofing, exploiting a weakness within old BIND versions
- DNS ID spoofing, exploiting a weakness within the DNS protocol itself
If you like to help out getting the Missing or Incomplete features into zodiac, you can mail us for any zodiac-internal question you might have, we are happy to help you out with any DNS/Zodiac question. The code is pretty easy to understand, if you code your own extensions please try to maintain the current readable style and comment your changes/code.
Zodiac has been developed and tested on the Linux 2.2.x platform. It should work on all platforms that do have POSIX Threads, the terminal library ncurses and the libpcap packet capture library installed. To run zodiac you need root access for obvious reasons. If you get zodiac compiled and working on another platform then Linux 2.2.x, please let us know, well mention it here.

NetMate comes from Network Measurement and Accounting System and is a flexible and extensible network measurement tool (meter).
It can be used for accounting, delay/loss measurement, packet capturing and much more. The main advantage over other existing tools is that it can be easily extended due to its modular (class-based) structure and dynamic loadable packet processing and information export modules.
A GUI for controlling multiple meters and displaying measurement results is currently under development.
NMRSH is the NetMate Remote Shell which allows to remote control NetMate meters.
Main features:
- Flexibility and Extensibility
- Runtime loadable metric and export modules
- Modular architecture (C++ classes)
- Extensible Ruleset Format (XML-based)
- Portable Implementation
- GNU autotools
- OS tested: Linux (SuSE, Debian, Redhat), FreeBSD, Solaris
- Open Source (GPL)
- Configurable Multithreading
- IPv4 and IPv6 Support
- Multiple Classification Algorithms
- Automatic flow generation based on arbitrary packet attribute combinations
- Packet Sampling Support
- Secure Control Interface
- SSL Encryption
- Host-based Authentication (DNS, IP address)
- User-based Authentication (HTTP)
- Packet capturing using libpcap
- Support simultaneous measurement on multiple interfaces
- Currently only Ethernet, IPv4/IPv6, ICMP, TCP, UDP, data layer support
- Extensible to everything libpcap can capture
- Metric Modules
- Counter, bandwidth, jitter, port usage, packet length, RTP packet loss, packet ID generation (crc32 and md5), capture (tcpdump file), RTT (ICMP echo), text output (similar to tcpdump output), DNS latency, HTTP performance, TCP connection setup latency
- Export Modules
- Text file, binary file, SQL (under development), IPFIX (under development)
- Remote Control via Shell Tool or Standard Web Browser
- Interactive or batch processing of meter commands
Enhancements:
- Minor changes and bugfixes were made.