nast.8

Nast是一个基于Libnet 和Libpcap的sniffer包和LAN分析器。它可以在通常模式或混合模式下检查通过网络接口的数据包

.\"    Nast manpage
.\"
.\"    This program is free software; you can redistribute it and/or modify
.\"    it under the terms of the GNU General Public License as published by
.\"    the Free Software Foundation; either version 2 of the License, or
.\"    (at your option) any later version.
.\"		
.\"    This program is distributed in the hope that it will be useful,
.\"    but WITHOUT ANY WARRANTY; without even the implied
.\"    warranty of
.\"    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\"    GNU General Public License for more details.
.\"	
.\"    You should have received a copy of the GNU General Public License
.\"    along with this program; if not, write to the Free Software
.\"    Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
.\"
.TH NAST "8" "20030521" "NAST 0.1.7e"
.SH NAME
.B NAST 0.1.7e \- Network Analyzer Sniffer Tool

.SH SYNOPSIS
.B nast [-i interface] [-l filename] [-f filter] [--ld filename] [-G] [-pdxPmsgrSMLbcCBVh]

.SH DESCRIPTION
Nast is a packet sniffer and a LAN analyzer based on Libnet and Libpcap.
.LP
It can sniff in normal mode or in promiscuous mode the packets on a network interface and log it. 
It dumps the headers of packets and the payload in ascii or ascii-hex format. 
You can apply a filter. The sniffed data can be saved in a separated file.
.TP
As analyzer tool, it has many features like:
.br
* Build LAN hosts list
.br
* Follow a TCP-DATA stream
.br
* Find LAN Internet gateways
.br
* Discover promiscuous nodes
.br
* Reset an established connection
.br
* Perform a single half-open portscanner 
.br
* Perform a multi half-open portscanner
.br
* Find link type (hub or switch)
.br
* Catch daemon banner of LAN nodes
.br
* Control ARP answers to discover possible ARP-spoofing
.br
* Byte counting with an optional filter
.br
* Write reports logging
.br
.TP
It also provides a ncurses menu.
.PP
.SH SNIFFER OPTIONS
.TP
\fB-i, --interface\fR
Select the Interface, if not specified will be auto-detected.
.br
.TP
\fB-p, --promisc\fR
Disable promiscuous mode on NIC.
.br
.TP
\fB-d, --ascii-data\fR
Print data in ascii format.
.br
.TP
\fB-x, --ascii-hex-data\fR
Print data in ascii-hex format.
.br
.TP
\fB-f, --filter <"filter">\fR
Apply <"filter"> to sniffer (see "FILTER SYNTAX" section below for syntax)
.br
.TP
\fB    --ld <filename>\fR
Log captured data to <filename> (only payload). Use -l to log all packet instead, useful with -B
.br
.PP
.SH ANALYZER FEATURES
.TP
\fB-P, --check-promisc <ip>\fR
Check other NIC on the LAN with the promiscuous flag set.
.br
By performing a fake ARP broadcast, we can determine if a NIC is in promiscuous mode or not. 
If the checked host is in promiscuous mode it will responds with an ARP response otherwise it drop the packet.	
.br
Note: This method doesn't work with all OS
.br
Use \fB-P all\fR to query all network NIC

eg: root@localhost:~/$ nast -P 192.168.1.2

NAST "NETWORK ANALYZER SNIFFER TOOL"

192.168.1.2 (localhost.org)             Found!!

We can check all nodes by using:
.br
root@localhost:~/$ nast -P all

.TP
\fB-m, --host-list\fR
Map the LAN by performing a series of ARP request to sequential subnet IP
addresses.

eg: root@localhost:~/$ nast -m

NAST "NETWORK ANALYZER SNIFFER TOOL"

Mapping the Lan for 255.255.255.0 subnet ... please wait

MAC address             IP address (hostname)
.br
===========================================================
.br
00:4R:BR:3E:21:12       192.168.1.1(nast.experiment.net)
.br
00:50:BA:80:AC:11       192.168.1.2 (localhost.org) (*)

(*) This is localhost

.br
.TP
\fB-s, --tcp-stream\fR
Follow a TCP/IP connection printing all data in payload. You must specify the IP addresses of the ends.

eg of a ftp connection:
.br
root@localhost:~/$ nast -s

NAST "NETWORK ANALYZER SNIFFER TOOL"

Type connection extremes
.br
------------------------
.br
1st ip : 192.168.1.1
.br
1st port : 1041
.br
2nd : 192.168.1.2
.br
2nd port : 21
.br

NAST TCP STREAM LOG
.br
.br
192.168.1.1->mistaya.neverland.org
.br
PASV
.br
192.168.1.1<-mistaya.neverland.org
.br
227 Entering Passive Mode (192,168,1,2,4,12).
.br
192.168.1.1->mistaya.neverland.org
.br
LIST
.br
(...)
.br
.br
.TP
\fB-g, --find-gateway\fR
Try to find possible Internet-gateways.
.br
We send a SYN packet to a public host on port 80 through sequential host-lan and if a SYN-ACK
return we have find the gateway.
.br
.TP
\fB-r, --reset-connection\fR
Destroy an established connection. You must specify the IP addresses of the ends and at least one port . 
Please, pay attention when use this function.

eg: root@localhost:~/$ nast -r

NAST "NETWORK ANALYZER SNIFFER TOOL"

Type connection extremes
.br
------------------------
.br
1 ip / hostname : 192.168.1.1
.br
1 port (0 to autodetect) : 0
.br
2 ip / hostname : 192.168.1.2
.br
2 port (0 to autodetect) : 21
.br

- Waiting for SEQ ACK (192.168.1.1 -> 192.168.1.2:21)
.br
- Stoled SEQ (247656261) ACK (3764364876)...
.br
- Connection has been resetted
.br

.br
This feature works only if we can read SEQ and ACK numbers, because RST
mechanism works with them.
.br
.TP
\fB-S, --port-scanner\fR
Performs a half-open port scanning on the selected host. It tries also to determine some firewall (just iptables) rules.
.br
About this technique NMAP says:
This technique is often referred to as "half-open" scanning, because you
don't open a full TCP  connection.  You send  a SYN packet, as if you are going to open a real
connection and you wait for a response. A SYN|ACK indicates the port is
listening. A RST is indicative of a non-listener.  If a SYN|ACK is received, a RST is immediately sent 
to tear down  the  connection  (actually  our OS kernel does this for us). 
The primary advantage to this scanning technique is that fewer sites will
log it.  Unfortunately you need root privileges to build these custom SYN packets.
.br

eg: root@localhost:~/$ nast -S
.br
.br
NAST "NETWORK ANALYZER SNIFFER TOOL"
.br
Port Scanner extremes
.br
Insert IP to scan   : 192.168.1.3
.br
Insert Port range   : 1-100
.br

Wait for scanning...
.br

State           Port            Services                Notes
.br
Open            22              ssh                     None
.br
Open            27              nsw-fe                  None

All the other 98 ports are in state closed
.br
Scanning terminated on Apr 14 21:46:55

The Port range could be in the following style:
.br
eg: 1-100       (means from port 1 to 100)
    1,3,5,1000  (means ports 1,3,5 and 1000)
    1-50,60     (means from port 1 to 50 and port 60)
.br

.TP
\fB-M, --multi-port-scanner\fR
Same as above but done on all hosts of the lan.
.br
.TP
\fB-L, --find-link\fR
Tries to determine what type of link is used in the LAN (Hub or switch).
.br
In the LAN segment is there a HUB or a SWITCH? We can find it by sending a
spoofed ICMP echo-request (to work there must be at least 3 host in LAN and
at least one of them must reply with a ICMP echo-replay)
.br    
.TP
\fB-b, --daemon-banner\fR
Checks the most famous daemon banner on the LAN's hosts.
.br
You can customize ports database adding them to ports[] variable in main.c
.br
.TP
\fB-c, --check-arp-poisoning\fR
Control ARP answers to discover possible ARP spoofing attacks like
man-in-the-middle
.br
When run, Nast make a database of all network node (IP and MAC address), 
then sniff ARP response and verify the correctness of IP-mac address association. 
Remember to execute Nast when you are sure that
nobody is making ARP-poisoning, than have fun and relax and check program output:).    
.br
.TP
\fB-C, --byte-counting <"filter">\fR
Apply traffic counting to <"filter"> (see FILTER SYNTAX section below for syntax)
.br
Use \fB-C any\fR if you don't want to use a filter.

eg: root@localhost:~/$ nast -C any

NAST "NETWORK ANALYZER SNIFFER TOOL"

Reading from "eth0"

Packets         Total           Current speed           Average speed
.br
----------------------------------------------------------------
.br
- 24            1008B           18B/s                   21B/s

.br
.PP
.SH GENERAL OPTIONS
.TP
\fB-G, --ncurses\fR
Run Nast with the ncurses menu (only if compiled with ncurses support)
.br
.TP
\fB-l, --log-file <filename>\fR
Log reports to <filename>. Work with many features.
.br
.TP
\fB-B, --daemon\fR
Run in background like daemon and turn off stdout (very useful for sniffer/stream/ARP control logging)
.br
.TP
\fB-V, --version\fR
Show version information
.PP

.SH FILTER SYNTAX, WHAT PCAP GIVE US!
Important: this section has been copied from Tcpdump 3.7.1 manpage 
and "expression" here stand from "filter".
.br
\fBRemeber\fR to enclose filter between apexes ("something like this")
.be
.IP "\fI expression\fP"
.RS
selects which packets will be dumped.
If no \fIexpression\fP
is given, all packets on the net will be dumped.
Otherwise,
only packets for which \fIexpression\fP is `true' will be dumped.
.LP
The \fIexpression\fP consists of one or more
.I primitives.
Primitives usually consist of an
.I id
(name or number) preceded by one or more qualifiers.
There are three
different kinds of qualifier:
.IP \fItype\fP
qualifiers say what kind of thing the id name or number refers to.
Possible types are
.BR host ,
.B net
and
.BR port .
E.g., `host foo', `net 128.3', `port 20'.
If there is no type
qualifier,
.B host
is assumed.
.IP \fIdir\fP
qualifiers specify a particular transfer direction to and/or from
.IR id .
Possible directions are
.BR src ,
.BR dst ,
.B "src or dst"
and
.B "src and"
.BR dst .
E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'.
If
there is no dir qualifier,
.B "src or dst"
is assumed.
For `null' link layers (i.e. point to point protocols such as slip) the
.B inbound
and
.B outbound
qualifiers can be used to specify a desired direction.
.IP \fIproto\fP
qualifiers restrict the match to a particular protocol.
Possible