Free promiscuous software for linux

pmacct is a small set of passive network monitoring tools to measure, account and aggregate IPv4 and IPv6 traffic; aggregation revolves around the key concept of primitives (VLAN id, source and destination MAC addresses, hosts, networks, AS numbers, ports, IP protocol and ToS/DSCP field are supported) which may be arbitrarily combined to build custom aggregation methods; support for historical data breakdown, triggers and packet tagging, filtering and sampling.

Aggregates can be stored into memory tables, SQL databases (MySQL or PostgreSQL) or simply printed to stdout. Data is collected from the network either using libpcap (and optionally promiscuous mode) or reading NetFlow v1/v5/v7/v8/v9 and sFlow v2/v4/v5 datagrams, both unicast and multicast.

IP accounting is the key in ISP/IXP network operations like billing, graphing network resources usage, live or historical traffic analysis, handling of network thresholds, provisioning and SLA monitoring. SNMP counters sometime are not this useful because of their coarse granularity.

Finer granularities become valuable if data are historical and match logical entities of interest such as Autonomous System Numbers, departmental or customer network chunks, specific traffic flows, etc. Further, actual large-scale networks are able to produce, in very short times, high amounts of data that become quickly difficult to be processed in a meaningful way

In this context, traffic aggregation and advanced filtering and sampling capabilities are requirements that cannot be missed anymore.

Either using memory or SQL tables as backend storage, pmacct can easily feed data to tools like MRTG, RRDtool, Cacti and Gnuplot among the others. A little scripting abilities are required to glue pmacct with external tools and a number of sample scripts and some tutorials are already available.

Icmpenum sends ICMP traffic to potential targets on a network.
Introduction:
Host enumeration is the act of determining the IP address of potential targets on a network. This can be done in both layer 2 and layer 3. Icmpenum sends ICMP traffic for such enumeration. The ICMP packets supported are: Echo, Timestamp, Information and Netmask. Furthermore, it supports spoofing and promiscuous listening for reply packets. Icmpenum is great for enumerating networks which allow ICMP traffic.
Installation:
1. Install the latest libpcap (libpcap 0.4, ftp://ftp.ee.lbl.gov/libpcap.tar.Z).
2. Install the latest Libnet (http://www.packetfactory.net/libnet/).
3. Compile icmpenum as follows:
gcc `libnet-config --defines` -o icmpenum icmpenum.c -lnet -lpcap
4. Copy icmpenum to your fave directory and (as root) start enumerating.
Usage:
Running icmpenum -h gives you the following screen:
# ./icmpenum -h
USAGE: ./icmpenum [opts] [-c class C] [-d dev] [-i 1-3] [-s src] [-t sec] hosts
opts are h n p r v
-h this help screen
-n no sending of packets
-p promiscuous receive mode
-r receiving packets only (no
-v verbose
-c class C in x.x.x.0 form
-i icmp type to send/receive, types include the following:
1 echo/echo reply (default)
2 timestamp request/reply
3 info request/reply
-d device to grab local IP or sniff from, default is eth0
-s spoofed source address
-t time in seconds to wait for all replies (default 5)
host(s) are target hosts (ignored if using -c)
Examples:
Here are some example uses of icmpenum to enumerate hosts.
Example 1:
[Host1]# icmpenum 192.168.1.1 192.168.1.2
This will use the default of Echo packets to try and determine if
192.168.1.1 and 192.168.1.2 are up and running.
Example 2:
[Host1]# icmpenum -i 2 -v 192.168.100.100 192.168.100.200
This will enumerate the two hosts using Timestamp packets in
verbose mode.
Example 3:
[Host1]# icmpenum -i 3 -s 10.10.10.10 -p -v 192.168.1.1 192.168.1.2
This will enumerate hosts 192.168.1.1 and 192.168.1.2 using
Information packets with a spoofed address of 10.10.10.10, since our real address is 10.10.10.11 we use the -p option to listen for the replies.
Here are some more advanced uses of icmpenum.
Example 4:
Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that the network 1.1.1.0 has potential hosts to enumerate, we use the following two entries to enumerate with Information packets:
[Host2]# icmpenum -r -t 30 -i 3 -c 1.1.1.0
[Host1]# icmpenum -s 7.7.7.7 -i 3 -c 1.1.1.0
Host2 starts first in receive mode with a timeout of 30 seconds and starts listening for Information packets from the 1.1.1.0 network. Then Host1 starts sending spoofed packets with Host2 as the source address, sending exactly what Host2 is listening for. It should be noted that this is hardly stealthy, as logs at 1.1.1s site could have 7.7.7.7s address all over them, but the -r function is good for testing.
Example 5:
Assuming Host1 is 6.6.6.6 and Host2 is 7.7.7.7, and that Host2 can sniff traffic between 1.1.1.0 and 2.2.2.0, we use the following entries to enumerate the 1.1.1.0 network:
[Host2]# icmpenum -t 20 -n -p -i 2 -c 1.1.1.0
[Host1]# icmpenum -s 2.2.2.2 -i 2 -c 1.1.1.0
Host2 starts first with a timeout of 20 seconds, makes sure not to send the packets with the -n option, listens promiscuously for Timestamp packets from the 1.1.1.0 network. Host1 sends the exact packets Host2 is listening for with a 2.2.2.2 spoofed source address. Yes, one could simply replace the -n option in Host2s command line with -s 2.2.2.2 and do the same thing from one workstation, but were demonstrating a distributed concept.
Enhancements:
- I have added ICMP MASK (type 17 and 18) requests and replys. Simply use the -i 4 option on the command line, such as; icmpenum -i 4 -c 1.2.3.1 (sends ICMP MASK requests to the Class C range 1.2.3.1/24 and reports any system as.
- Due to the use of some older versions of Libnet and Libpcap. I can see problems for some people compiling this and hence have placed two statically linked versions within the tarball

RogueScanner project is an open-source vulnerability management tool that is used to gain greater network visibility to enable you to quickly identify and remove rogue wireless devices that may provide a back door to access your critical data and infrastructure.

Considering that rogue access points and peers represent a major threat to data integrity, RogueScanner is a valuable tool that you can start using today at no cost.
More than 300 companies manufacture access points, and there are more than 10,000 different models of network infrastructure.

Companies thus face a major challenge in maintaining a system to track and identify all potential rogue wireless devices and in continually scanning the network to identify them. To address this challenge, Network Chemistry has made an open-source product available to help organizations begin to immediately scan their networks.

RogueScanner is available for use at no charge by organizations looking for a tool focused on device identification and rogue detection. RogueScanner leverages the Collaborative Device Classification system to automatically lookup and identify the device type and its identity in real time.

Whats New in This Release:

+ Reserved VLANs (1000 < VLAN < 1025) on Cisco devices are not queried.
+ Capture packets to trace.pcap and perform a hexdump of them in the log file
if DEBUG_PACKET is set (debug=0x01 or better).
+ Promiscuous mode testing is disabled unless ENABLE_SCAN_PROMISC is defined.
+ The switch/network scanning interval was bumped up to 24 hours.
+ Attribute data in the EvidenceMap wasnt being printed out correctly (always showed
up as "true") when issuing "device detail" commands in the CLI.
+ Ignore MACs in the bridge table that arent "learned" when querying switches.
+ *TAnalysisManager::LookupOrCreateDevice() will now refuse to create devices outside
"home_net" ranges, thus the IPs wont be scanned even if they are passively observed
on the local network.
+ Ignore our MAC address if a switch reports it to us.
+ Log timestamps are now in GMT.
+ Prevent duplicates in the "udp_ports" evidence by using AddEvidence() instead of
inserting into the EvidenceMap directly.
+ Manually invoke Rubys garbage collector after scanning a switch/router.
+ Added "packet queue size" CLI command to show how many packets are in the
AnalysisManagers packet queue.
+ If a device fails to be classified the classification will be retried automatically
in one minute.
+ All communication with the classification server is performed in a separate thread.
+ Keep ARP scanning from starving other threads for CPU time by introducing a delay
in addition to any that is added by bandwidth throttling.
+ Replaced internal ARP and routing table on WIN32 systems with functions from the
IPHelper API.
+ Added "device list size" command to show how many devices have been found.
+ Add read community strings from configured infrastructure devices to the list
of strings used when probing unknown devices.
+ Discard deferred scans if another scan of the same type is already deferred for
a device.
+ Added reporting of DHCP data.
+ If no scans are pending against a device, but a new port is found open then
submit the devices evidence.
+ Devices are re-scanned whenever a re-occuring ARP/Ping scan is launched.
+ Added "deferred list" CLI command to show scans that have been deferred.
+ Added "sniffer status" CLI command to report the number of packets that
have been received and dropped.
+ If we discover the IP of a device that we only knew about the MAC address for,
then issue scans against it.
+ If we see the MAC address associated with an IP change, then re-scan it since
its likely to be a different device.

ArpMonitor will log any ARP request to and from your machine or network. Its built for monitoring switches or bridges.
If you would like to monitor your network bus, or entire network ( if you dont use a switch or something like that ), just do a ifconfig PROMISC, to set the promiscuous mode of your network interface, and arpmonitor will automagically get all the traffic.
I did arpmonitor to help me in a research, in 1998, about arp packets, delays between switches ports and so on.
NOTE: some var name and code was stolen from neped. since I didn`t suceed to contact the author, they are here...
Enhancements:
- Added promisc mode setting ( to use instead ifconfig promisc ), fixed some syslog errors, signal handling , log to syslog or stderr, command line options (see USAGE), network code cleanup.

The Network Security Monitor Daemon is a lightweight network security monitor for TCP/IP LANs. It will capture certain network events and record them in a relational database. The recorded data is available for analysis through a CGI-based interface.
You can run test version with ./Monitord, just to see how it works. Production version should be run in background, v.g. with nohup ./monitord &. Both versions will accept a device name as a parameter (default: eth0). You can send them SIGHUP at any time to print some stats. If you send SIGTERM, SIGQUIT or SIGINT, all threads will end gracefully.
Enhancements:
- Linux Kernel with "packet sockets" and "socket filtering" support.
- GNU C Library 2 (glibc2) with LinuxThreads support. (integrated in most recent versions).
- Full MySQL, including headers and libmysqlclient_r.
- GNU C Compiler (gcc).
- GNU Make (make).
- Perl (perl).
- Wget (wget).
Enhancements:
- Added chmod 4755 ... in Makefile
- Root should run make now, but not the daemon ;-)
- The daemon will drop root privileges as soon as possible
- (after creating the raw socket with an attached linux socket
- filter and putting the interface in promiscuous mode)
- No threads run with root privileges so its much safer
- (specially the new server thread which reads remote user input)
- Added stats thread
- To calculate/mantain exponential averages
- Added server thread
- It accepts HTTP requests and serves stats in XML

ETrace is a configurable static port network tracing tool, similar to traceroute, but supporting ICMP, TCP, UDP and other IP protocols.

Usage:

etrace [ -BbCcnv ] [ -p profile ] [ -F config ] [ -i interface ] [ -I icmp-type ] [ -T port ] [ -U port ] [ -P protocol ] [ -r probe-count ] [ -t timeout ] [ -1 hop ] [ -h hop ] [ -m hop ] [ -A address ] [ -s port ] [ -f flags ] [ -d data ] [ -D data-file ] [ -R count ] [ -q seq] [ -w window ] target [...]

Options:

etrace has a wealth of options ranging in function from controlling output to the detailed construction of trace packets.

Profile Options:

A profile is a pre-configured list of options stored in a shared, or user specific configuration file. By defining profiles, complex etrace option sets can be easily accessed with a single command line option.

-p, --profile
Specify a profile.
-C, --clear
Clear the current list of probes. This option can be used to allow a profile to inherit options from another profile, but specify its own list of probes.
-F, --config
Specify an alternative profiles file.

Interface options

-i, --interface
Specify interface. If unspecified, etrace will examine the routing table and select the most appropriate interface for each target address.
-c, --promisc
Put in interface into promiscuous mode. As this option increases the load on the system in general, it should only be used if spoofing of source packets address is enabled with the "-A" option.
Trace Type Options
-I, --icmp
Specify an ICMP trace and the packet type to use. ICMP traces may use Echo (E or P), Timestamp (T or S), Netmask (N or M) or Info (I). The default trace probe is an ICMP Echo.
-h, --hop
Specify a specific hop to investigate.
-m, --maximum
Specify the maximum number of hops.
-r, --probes
Set the maximum number of probes to send per hop. The default is 3.
-t, --timeout
Set the maximum amount of time, in milli-seconds, to wait for a response to a probe. The default is 3000 (three seconds).

Packet Construction Options

-A, --address
Specify the source IP address of generated packets.
-s, --source
Set the source port of the generated probe packets. If unspecified, etrace uses a random high port.
-f, --flags
Specify TCP and/or IP flags. Takes a comma delimitered list of any of the following flags: RF, DF, MF, FIN, SYN, RST, PSH, ACK, URG, ECE, CWR (Default: SYN)
-d, --data
Specify the data content of generated probe packets. Standard meta-characters are recognised (e.g. "nt") as are binary values given in octal (e.g. " 00x00");
-D, --data-file
Load the data content of the generated probe packets from the specified file. Filenames beginning with @ a loaded from the etrace shared data directory (usually /usr/local/share/etrace). etrace currently ships with the following predfined packet data files: dns, ike.
-R, --random
Fill the data content of the generated probe packets with the specified number of random bytes.
-b, --badcksum
Generate and send probe packets with bad checksums.
-q, --seq
Specify the TCP sequence number.
-w, --window
Specify the TCP window size.

Output Options

-v, --verbose
Increase output verbosity.
-B, --debug
Enable debugging output.
-n, --numeric
Disable name resolution.

Examples:

etrace www.sample.com

Launches a trace ICMP Echo, the default, trace to www.sample.com. Specifiying the options "-I E" whould accomplish the same results.

etrace -T 80 www.sample.com

Similar to the previous example, except the trace is performed on TCP port 80.

etrace --udp 53 --data-file @dns ns.sample.com

Starts are trace to ns.sample.com on UDP port 53 with the trace packets containing data loaded from the file /usr/local/share/etrace/dns (a file supplied with etrace that contains a simple dns request to resolve 127.0.0.1).

etrace -p dns -p fast ns.sample.com

The default profiles shipped with etrace include "dns" (which equates to the options shown in the previous example) and "fast" (which decreases both timeouts and the number of probes sent for each hop, as well as disabling name resolution). Profiles are stackable, with latter options overriding those specified in earlier profiles.

ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to the console.
ssldump depends on the libpcap capture library. Some systems (e.g. FreeBSD) now have libpcap as part of their standard install. On other systems, you will need to install it. You can obtain the distribution from:
http://www.tcpdump.org/
If linked with OpenSSL, ssldump can display certificates in decoded form and decrypt traffic (provided that it has the appropriate keying material). Again, OpenSSL may be installed on your system. Otherwise you can obtain it from:
http://www.openssl.org/
Enhancements:
- Security fix: some potential over and underflows
- Added support for VLANs.
- Added -P flag to disable promiscuous mode.
- Fixed bugs in the TCP reassembly code. A lot of bug fixes.

Darkstat is a network traffic analyzer. Its basically a packet sniffer which runs as a background process on a cable/DSL router and gathers all sorts of useless but interesting statistics.
Darkstat is no longer under active development or maintainership.
I no longer have the time to do it. And I no longer have a need for it. darkstat was originally written because I had very specific requirements for a network link monitor. I now use traf.
I started work on darkstat 3 a long time ago, got a fair bit of work done on it, then stalled for ages as other things took priority. If someone else wants to take over, mail me about it. I considered putting up a "work in progress" tarball on this page.
Compatibility:
Darkstat works fine for me under Gentoo Linux and FreeBSD STABLE. It sort-of works on OpenBSD and NetBSD.
Enhancements:
- The Web interface has been improved.
- Reports can now be paged through and sorted by different criteria.
- Promiscuous sniffing and DNS resolution can now be disabled on the command line.
- Minor bug fixes and performance improvements were made.