daSniff FAQ

daSniff - an open source customizable sniffer for Windows (FAQ)

This FAQ is based on users' questions I received via e-mail or contact page. If you have important questions not included in this FAQ, it is not a problem to include them too.

FAQ

Q: I am having a very difficult time understanding how to use daSniffB. The program works fine, but telling it what to do in DOS is somewhat of a mystery. Could you please send step-by-step instructions on how to tell the program what to do?

The reason I made daSniff so difficult to tune is that I want it customizable. It sniffs only your own LAN segment, which means that every device that routes traffic stops other hosts' packets before they reach you, so you cannot sniff them. You need some knowledge of TCP/IP in order to achieve your goals and make it usable.

Here I will try with the requested step-by-step instructions:

1. After installing daSniffB, go to its directory and enter dasniffb -l. (To get to the directory you can use the "DOS Prompt to daSniff" shortcut in the daSniff program group, or open a new "DOS prompt" box and cd to it.) On my home Win98 computer the result looks like this:

C:\Program Files\daSniff>dasniffb -l
daSniff version 1.0.B - a customizable windows sniffer
Author: Demosten - http://demosten.com (stjordanov@hotmail.com)

#0 -> PPPMAC
#1 -> RTL8139
#2 -> DNEMAC
#3 -> DNEMAC

If you get an error message, the most common reason is that the WinPcap library included in the daSniffB setup failed to install.

2. Choose which device you would like to sniff. In the above example PPPMAC is my PPP connection to my ISP and RTL8139 is my LAN card.

3. Prepare the filter rules file. The default name is dasniff.rules. See the notes section below for more details.

4. Start sniffing the chosen device with the prepared rules file by entering dasniffb device_number rules_file_path in your "DOS prompt" box. For example:

  • dasniffb 0 - will start sniffing packets to/from PPPMAC using dasniff.rules as the filter rules file (this is the default name if none is specified)
  • dasniffb 1 e:\myrules.txt - will start sniffing packets to/from RTL8139 (RTL8139 = 1 in my case) using e:\myrules.txt as the filter rules file.

--- no more steps ---

Notes: The hardest part of all is writing the filter rules file. The sniffer itself captures ALL traffic, but in this file YOU decide which packets to display or save to a file. Every sniffed packet is checked against every rule in the file, and if it matches any of the rules it is displayed (or logged to a file). The rules file is a plain text file where every line is one rule. A line can contain from 1 to 8 different parameters, which are described in the daSniff manual. You can use your favourite text editor to edit this file, but you MUST save it as a plain text file.

I will let the examples talk.

Suppose somebody on your LAN has the IP 192.168.1.2 and you wish to log all of her outgoing traffic into a file named c:\out.txt. Here is a rule to do it:
saddr=192.168.1.2 logtype=4 file=c:\out.txt
That's all. You could try different values of logtype to get different logging formats.

Logging data incoming to 192.168.1.2 into c:\in.txt works the same way:
daddr=192.168.1.2 logtype=4 file=c:\in.txt

The next one is a little more advanced. It logs all outgoing POP3 mail traffic from your LAN segment (this includes the username and password).
proto=tcp dport=110 logtype=4 file=pop3.txt

But if you ONLY wish to know the username and password, not the contents (which could be BIG), you need 2 rules (1 for the username and 1 for the password):
proto=tcp dport=110 logtype=4 file=pop3.txt expr=USER .
proto=tcp dport=110 logtype=4 file=pop3.txt expr=PASS .
Here everything after expr= is checked as a regular expression against the packet's contents, and the packet is logged ONLY if it matches.

Q: How do you apply the rules to the program? I have tried to make my own rules but the program keeps saying that the file does not exist or cannot open file. What am I doing wrong?

The rules are in a text file whose name you must pass to the program as a parameter. For example, suppose your rules file is named myrules.txt and is in your daSniff directory (for example Program Files\daSniff):

E:\Program Files\daSniff>dasniffb -s -d 0 myrules.txt

This will work fine! Here -s and -d are options, 0 is the adapter number and myrules.txt is your own rules file.

But if you have to use another directory and pass a file name like E:\Program Files\my rules\my rules.txt, the only way to do it right in MS Windows is to enclose it in double quotes (""). So now we have:

E:\Program Files\daSniff>dasniffb -s -d 0 "E:\Program Files\my rules\my rules.txt"

Q: How do I set up the daSniff version A service and make it work?

To set it up you must:

1. Edit daSniffA_svc.ini so that it contains rules_file="full_path_to_file". It is important to use the full path, for example rules_file="d:\dasniff\daSniff.rules". For more information about the daSniffA_svc.ini syntax refer to the manual. Note: daSniffA_svc.ini must be in the same directory as daSniffA_svc.exe.

2. Set up that rules file. Every line must log to a file (not to the screen). For example, a rules file containing:
# Match ALL packets and log them to a file
logtype=2 file=d:\dasniff\all.txt

3. Run dasniffa_svc -i to install the service. It should now be visible in the "Service manager".

4. Start the daSniff service. If something went wrong, try dasniffa_svc -g from the command line and look at the result.
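The following is an added example (not part of daSniff or this FAQ) that models the rules file format described in the notes section above and the service-mode requirement in step 2 that every rule logs to a file. It parses rule lines, reports rules with no file= target (which the service cannot use) and applies rules to constructed packet records; it assumes that a rule with several parameters matches only when all of them match, that expr= keeps the rest of the line as its regular expression, and that file paths contain no spaces. All function names are hypothetical.

```python
import re

# Rule keys named in this FAQ; the daSniff manual defines more (assumption:
# only these seven are recognised here, anything else is reported as unknown).
KNOWN_KEYS = {"saddr", "daddr", "proto", "dport", "logtype", "file", "expr"}

def parse_rules(text):
    """Parse daSniff-style rules: one rule per line, 'key=value' fields,
    '#' lines are comments. expr= swallows the rest of the line (a regex)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule, tokens = {}, line.split()
        for i, tok in enumerate(tokens):
            key, _, value = tok.partition("=")
            if key == "expr":
                rule["expr"] = " ".join([value] + tokens[i + 1:])
                break
            rule[key] = value
        rules.append((lineno, rule))
    return rules

def unknown_keys(rules):
    return sorted({k for _, r in rules for k in r if k not in KNOWN_KEYS})

def rules_without_file(rules):
    """Line numbers of rules that log to the screen; unusable in service mode."""
    return [n for n, r in rules if "file" not in r]

def packet_matches(rule, pkt):
    """A packet matches a rule when every filtering field in the rule agrees."""
    for key, want in rule.items():
        if key in ("logtype", "file"):
            continue                      # output settings, not filters
        if key == "expr":
            if not re.search(want, pkt.get("payload", "")):
                return False
        elif str(pkt.get(key)) != want:
            return False
    return True

def log_targets(rules, pkt):
    """Files a packet is logged to: it is logged for ANY rule that matches."""
    return [r["file"] for _, r in rules if packet_matches(r, pkt) and "file" in r]

RULES = r"""# constructed sample rules file, built from the examples in this FAQ
saddr=192.168.1.2 logtype=4 file=c:\out.txt
daddr=192.168.1.2 logtype=4 file=c:\in.txt
proto=tcp dport=110 logtype=4 file=pop3.txt expr=USER .
proto=tcp dport=110 logtype=2
"""
```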


Copyright: Demosten © 2012
Page last updated: 09.08.2011
Web design: Milen Dyankov