Eli Fulkerson .com

rawsniff.exe

Description:

Rawsniff is a quick and dirty command-line packet sniffer built on raw sockets. This means it has all the drawbacks of raw sockets: it can only see traffic to and from the machine it runs on, and it works on IPv4 only. If you want a *real* packet sniffer, you are going to want something like Wireshark, or, well, Wireshark. On the other hand, rawsniff doesn't require installing a packet capture driver; all you need is Administrator access on the local machine to open the socket. There are command-line filtering options to limit the amount of packet spam, as well as some limited decoding options (including a rough strings-style mode, like piping through |strings, for looking at arbitrary and otherwise unsupported protocols). Finally, rawsniff can export a libpcap-formatted capture file to be analyzed in a more capable environment (Wireshark again).

Rawsniff must be run as an Administrator, for instance by finding cmd.exe, right-clicking it and selecting "Run As Administrator", or by using "runas" (which bugs me, so I wrote uac.exe for my own use).

It was originally written to be run side by side with tcping to provide some low-level information that tcping couldn't provide by itself. Another sample use case for this utility is a situation where you suspect that a computer is infected and want to take a quick look at its network traffic without having to reboot the machine or set up a sniffer on separate hardware.

Updates:

14 Apr 2016 - Bug fixes and --packets X option, thanks to Jari Parviainen for these.

Download:

rawsniff.exe

rawsniff-src.zip Source is currently a bit sloppy. Use under GPLv3 if you like.

Usage:


Usage: rawsniff.exe [options]

Note:
    Must be administrator due to raw socket restrictions.  Also, antivirus may
    complain that you're opening a raw socket.  IPv4 only.

Options:
    -?            Get this help screen
    -v            Display version information
    --listen X    Listen on specified IP address (otherwise choose from list)

Types of packets:
    --tcp         Display TCP matches
    --udp         Display UDP matches
    --icmp        Display ICMP matches
    --other       Display matches for other protocols

Output options:
    --brief       Display brief (single line) packet information (default)
    --data        Brief mode, including readable ASCII data payloads
    --list        Display a list of packet information
    --full        Display the full list of packet information
    --gag         No output to console
    --pcap        Write out a timestamp.pcap file in the current directory.
                  (libpcap format)
    --packets X   Program exits after certain count of matching packets are
                  displayed (default is 2,147,483,647)

Filter:
    --ip X        Match packets with this IP in either src_ip or dst_ip
    --port X      Match packets with this port in either src_port or dst_port
    --src_ip X    If specified, display packets with a given src_ip only
    --dst_ip X    If specified, display packets with a given dst_ip only
    --src_port X  If specified, display packets with a given src_port only
    --dst_port X  If specified, display packets with a given dst_port only

Example Output - ASCII data and Pcap File:


C:\rawsniff.exe --data --pcap

For help, use "rawsniff.exe --help"

IP Address List:
----------------
0: <redacted>
1: <redacted>
2: <redacted>
3: <redacted>
4: 192.168.Y.Z
5: <redacted>

Please select an IPv4 address to listen on: 4
192.168.Y.Z selected.

Starting PCAP file: 2015-02-08-03-02-18-188850.pcap
1 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:52 SYN  data:E 4 i@ l v
2 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:40 ACK  data:E ( j@ l > P u
3 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:40 ACK  data:E ( j@ l > P u
4 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:110 ACK PSH  data:E n k@ l > P 4 A = T + q p \ R-/rI 1 [ t 1 9 3 5 / #
5 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:110 ACK PSH  data:E n k@ l > P 4 A = T + q p \ R-/rI 1 [ t 1 9 3 5 / #
6 TCP 192.168.Y.Z:4505 -> 255.255.215.226:80 size:40 ACK FIN  data:E (R @ K% P w e\ P J
7 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:40 ACK  data:E ( l@ l @ > iP jK
8 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:40 ACK  data:E ( l@ l @ > iP jK
9 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:174 ACK PSH  data:E m@ x l @ > %P \ F 7DP1 9 g w O$ < 1 G b4 m 1 W= 0 y"c <: p /5 p n N +
8 < G +KK
10 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:174 ACK PSH  data:E m@ x l @ > %P \ F 7DP1 9 g w O$ < 1 G b4 m 1 W= 0 y"c <: p /5 p n N +
 8 < G +KK
11 TCP 192.168.Y.Z:4505 -> 255.255.215.226:80 size:40 ACK  data:E (R @ K$ P w e\ P J
12 TCP 192.168.Y.Z:4505 -> 255.255.215.226:80 size:40 ACK  data:E (R @ K$ P w e\ P J
13 TCP 192.168.Y.Z:4543 -> 255.255.165.8:443 size:898 ACK PSH  data:E n@ l > P t m 3Ws$ ] 8 c o r: e 0 d M ) ; + b g 7 | J* Ed u U J + X _ ! | x ;l Q `@ i]_Zc
( ?`g ; Ny l ' C{MD $Xl t Su f Q 5 R ,QA~OV d -BA e R ,QA~OV d -BA e 

Example Output - Watching DNS Traffic:


C:\rawsniff.exe --udp --data --port 53

For help, use "rawsniff.exe --help"

IP Address List:
----------------
0: <redacted>
1: <redacted>
2: <redacted>
3: <redacted>
4: 192.168.Y.Z
5: <redacted>

Please select an IPv4 address to listen on: 4
192.168.Y.Z selected.

1 UDP 192.168.Y.Z:58743 -> 8.8.8.8:53 size:62 data:E >] w 5 * elifulkerson com
2 UDP 8.8.8.8:53 -> 192.168.Y.Z:58743 size:78 data:E N 8 5 w : G elifulkerson com F; @ g
3 UDP 192.168.Y.Z:58744 -> 8.8.8.8:53 size:62 data:E >] x 5 * elifulkerson com
4 UDP 8.8.8.8:53 -> 192.168.Y.Z:58744 size:115 data:E s 8 5 x _ elifulkerson com ) ns1 linode admin x 8@ 8@ u Q
5 UDP 192.168.Y.Z:64863 -> 8.8.8.8:53 size:63 data:E ?] _ 5 + W whatismyproxy com
6 UDP 8.8.8.8:53 -> 192.168.Y.Z:64863 size:79 data:E O 8 5 _ ; whatismyproxy com M @ g
7 UDP 192.168.Y.Z:64864 -> 8.8.8.8:53 size:63 data:E ?] ` 5 + U whatismyproxy com
8 UDP 8.8.8.8:53 -> 192.168.Y.Z:64864 size:116 data:E t 8 5 ` ` W whatismyproxy com ) ns1 linode admin w 9 8@ 8@ u Q
9 UDP 192.168.Y.Z:64865 -> 8.8.8.8:53 size:61 data:E =]! a 5 ) dnsparanoia com
10 UDP 8.8.8.8:53 -> 192.168.Y.Z:64865 size:77 data:E M 8 5 a 9^' dnsparanoia com M ^
11 UDP 192.168.Y.Z:64866 -> 8.8.8.8:53 size:61 data:E =]" b 5 )i dnsparanoia com
12 UDP 8.8.8.8:53 -> 192.168.Y.Z:64866 size:114 data:E r 8 5 b ^&s dnsparanoia com ) ns1 linode admin x 8@ 8@ u Q

Example Output - ICMP decode:


C:\rawsniff --icmp --full

For help, use "rawsniff.exe --help"

IP Address List:
----------------
0: <redacted>
1: <redacted>
2: <redacted>
3: <redacted>
4: 192.168.Y.Z
5: <redacted>

Please select an IPv4 address to listen on: 4
192.168.2.20 selected.

- PACKET 1
 - IP Packet Header
   IPv       : 4
   Header Len: 5
   ToS       : 0
   Total Len : 60
   ID        : 23843
   Evil      : 0
   Don't Frag: 0
   More Frags: 0
   FragOffset: 0
   TTL       : 128
   Protocol  : ICMP
   Checksum  : 2770
   src_ip    : 192.168.X.Y
   dst_ip    : 8.8.8.8

 - ICMP Segment Header
   type  : 8 Echo
   code  : 0
 chksum  : 19802

- PACKET 2
 - IP Packet Header
   IPv       : 4
   Header Len: 5
   ToS       : 0
   Total Len : 60
   ID        : 23843
   Evil      : 0
   Don't Frag: 0
   More Frags: 0
   FragOffset: 0
   TTL       : 128
   Protocol  : ICMP
   Checksum  : 2770
   src_ip    : 192.168.X.Y
   dst_ip    : 8.8.8.8

 - ICMP Segment Header
   type  : 8 Echo
   code  : 0
 chksum  : 19802
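
The following Python is an added example, not rawsniff's own code (which is C and not shown on this page): it builds a constructed 62-byte IPv4/UDP DNS query like the first line of the DNS capture above, decodes the IP header fields that --full prints, renders the --data view that turns the query name into "elifulkerson com", and produces a libpcap file image of the kind --pcap writes. The packet bytes, the 192.168.1.10 address and the LINKTYPE_RAW value are assumptions of the example, not values taken from the captures.

```python
import struct

# Constructed sample (not a real capture): IPv4 + UDP + DNS A query for
# elifulkerson.com, laid out as a raw socket delivers it (no Ethernet header).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x0celifulkerson\x03com\x00\x00\x01\x00\x01")
UDP_HDR = struct.pack("!HHHH", 58743, 53, 8 + len(DNS_QUERY), 0)
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(DNS_QUERY), 23843, 0,
                     128, 17, 0, bytes([192, 168, 1, 10]), bytes([8, 8, 8, 8]))
PACKET = IP_HDR + UDP_HDR + DNS_QUERY            # 62 bytes, like DNS line 1 above
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
LINKTYPE_RAW = 101  # assumed pcap link type: records start at the IP header

def parse_ipv4(raw):
    """Decode the IP header fields that --full mode prints."""
    vihl, tos, tlen, ident, frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    return {"IPv": vihl >> 4, "Header Len": vihl & 0x0F, "ToS": tos,
            "Total Len": tlen, "ID": ident, "Evil": frag >> 15,  # RFC 3514 bit
            "Don't Frag": (frag >> 14) & 1, "More Frags": (frag >> 13) & 1,
            "FragOffset": frag & 0x1FFF, "TTL": ttl, "Checksum": csum,
            "Protocol": PROTOCOLS.get(proto, str(proto)),
            "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst))}

def ascii_data(raw):
    """The --data view: printable ASCII kept, every other byte shown as a space,
    so DNS label-length bytes vanish and a name reads 'elifulkerson com'."""
    return "".join(chr(b) if 32 <= b < 127 else " " for b in raw)

def brief_line(n, raw):
    """One --data style line for a TCP or UDP packet."""
    ip = parse_ipv4(raw)
    off = ip["Header Len"] * 4                  # ports follow the IP header
    sport, dport = struct.unpack("!HH", raw[off:off + 4])
    return (f'{n} {ip["Protocol"]} {ip["src_ip"]}:{sport} -> {ip["dst_ip"]}:{dport} '
            f'size:{ip["Total Len"]} data:{ascii_data(raw)}')

def pcap_bytes(packets, ts):
    """libpcap file image (the --pcap export format): 24-byte global header,
    then per packet a 16-byte record header (sec, usec, caplen, origlen)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for pkt in packets:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    print(brief_line(1, PACKET))
    with open("rawsniff-example.pcap", "wb") as f:
        f.write(pcap_bytes([PACKET], 1423381338.188850))   # constructed timestamp
```

The page does not state which link type rawsniff's own .pcap files carry; 101 is what a reader such as Wireshark expects when each record begins directly with the IP header, as raw-socket captures do.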