daSniff - manual

daSniff - an open source customizable sniffer for Windows (Manual)

Usage description

Usage: daSniff [options] <adapter_number> [rules_file_name]
Default rules file name is daSniff.rules
Default displaying on screen (stdout)

   -l : list possible device numbers (do not use # in <adapter_number>)
   -s : stop on first rule match
   -d : drop packets containing only header (no data)
   -w : wait until pressing any key to exit (useful for batch files etc.)

Service usage description and .INI syntax

Usage: daSniff_svc [option]
Default rules file name is 'daSniff.rules'

   -l : list possible device numbers (do not use # in <adapter_number>)
   -i : install service
   -r : remove service
   -g : debug service (run as a normal console application)

The service reads startup parameters from a file named daSniffA_svc.ini in it's starting directory.

Here is an example daSniffA_svc.ini contents:


Description of the example contents:

rules_file path to the file containing sniffing rules if is recommended to use FULL PATH (here and inside .rules file) default name is daSniff.rules
adapter_num the number of adapter (use -l to view available adapters) default is 0
drop_empty drop packets containing only header (no data) default is 0 = NO
stop_on_match stop on first rule match default is 0 = NO

Rules file format description and notes

This is a plain text format using one line per rule. Every line (rule) contains a set of parameters. Parameter format is parameter_name=paramater_value or (for some parameters) parameter_name!=paramater_value which means "parameter must NOT be equal to parameter value". User decides which parameters to use. In order to log a packet it must match all parameters in any of rules included in rules file.

Possible parameters are:

name description default value
name description default value
Specifies the exact protocol of the packet. For example proto=tcp or proto!=udp (recognizable protocols tcp, udp, icmp and igmp, for others do not use this parameter!) none
Specifies a source IP/HOST address of the packet. For example saddr= or saddr=BOSS_COMPUTER or saddr= none
Specifies a source port of the packet. For example sport=80 or sport=6667 or sport!=22 none
Specifies a destination IP/HOST address of the packet. For example daddr= or daddr=BOSS_COMPUTER or daddr!=www.yahoo.com none
Specifies a destination port of the packet. For example dport=80 or dport=6667 or dport!=22 none
logtype= Specifies a logging type. Possible log types are:
logtype=0 -> logs as HEX + TEXT includes protocol header
logtype=1 -> logs as TEXT includes protocol header
logtype=2 -> logs as HEX includes protocol header
logtype=3 -> logs as HEX + TEXT
logtype=4 -> logs as TEXT
logtype=5 -> logs as HEX
logtype=6 -> no logs only header info
minsize= Specifies the minimum size of the packet in bytes (including packet header). For example minsize=100 means the packet must be at least 100 bytes. none
maxsize= Specifies the maximum size of the packet in bytes (including packet header). For example maxsize=200 means the packet must be at most 200 bytes none
file= Specifies a file name to log to. If file=- the screen is used for output (stdout). Note that file name must NOT contain spaces! For example file=input.txt or file=logs\input or file=E:\PROGRA~1\WINDOW~1 the screen is used for output (stdout)
Specifies a Regular Expression to match the packet data! Supported format is GNU Regular Expression. For example expr=PASSW??D or expr=username or expr!=username my_login none
Same as expr= but Regular Expression match is not case significant. For example expri=Pass??rd or expri=Username or expri!=Username my_logiN; none

Important .rules file format notes:

  1. expr[i]= parameter (if any) MUST always be LAST because everything after it is considered to be a Regular Expression!
  2. Do not leave spaces round "=" or "!=" in parameters!
  3. You may have only one expr or expri parameter per line! If you need more expressions, add more rules.
  4. Empty lines and lines started with "#" are ignored.
  5. If there are no rules in file, nothing will match!
  6. Look in examples\ directory for rule file examples!

Differences between A and B versions

A version

A version uses pure WinSock2 API and does not require other libraries or drivers but has some limitations:

  1. Does not catch outgoing traffic from the computer it is running on!
  2. Requires Microsoft Windows 2000 or newer version and administrator privileges

Note: If you have administrator account, but wish to use your normal user account, please look at runas utility (type runas /? in a command prompt for more help).

B version

B version uses packet drivers from WinPcap Developer's pack see the documentation at http://netgroup-serv.polito.it/winpcap for manuals, instructions and details. A copy of drivers setup program is included in daSniff version B setup. This version works on Microsoft Windows versions (9x/ME/NT/2000/XP)

Windows shell integration

daSniff rule files (.rules) are now registered in Windows shell by daSniff setup. Default action ("open" or double click on file name) will open the file in Notepad. It is also possible to start file using daSniff with adapter numbers 0 or 1. You need to right click on rules file and select the appropriate option from the drop-down menu. Be careful with relative file names inside rules like file=input.txt or file=logs\input.txt

Build notes

You need Microsoft Visual C++ 6.0 (It is not tested on other versions)

Although some files are UNICODE ready, the project itself is not prepared for UNICODE builds. The main reason is in regex.c library.

Natas (http://intex.ath.cx)

WinPcap (http://netgroup-serv.polito.it/winpcap)

Copyright: Demosten © 2012
Page last updated: 09.08.2011
Web design: Milen Dyankov