SNIFF - A simple ethernet monitor
---------------------------------
SNIFF is a simple monitor for ethernet packets. SNIFF allows you to capture
and view packets occurring on a 10 Mbps ethernet, and to employ both hardware
and software filters to control which packets are monitored. SNIFF is *NOT*
a "protocol monitor"; it does not know about or decode TCP/IP or any other
network protocol. The content of the network packets is shown in standard
HEX/ASCII dump format, and it is up to you (the user) to know the meaning
of the displayed data.

SNIFF interfaces to the ethernet card via a standard DOS packet driver. This
driver must be supplied by your ethernet card manufacturer, and is included
with most cards. See your network card documentation and software.

Packet drivers for a large assortment of ethernet cards are also available
from:
    Crynwr Software    11 Grant St.    Potsdam, NY 13676
This collection is available on SIMTEL and other software archive sites
under the filenames: PKTD*.ZIP (or whatever archive format is used)

You can also try the originators of the packet driver specification:
    FTP Software, Inc.   26 Princess St.   Wakefield, MA  01880-3004
    (617) 246-0900
for more information.



RUNNING SNIFF
-------------
Install the packet driver for your network card in accordance with the
card documentation. If possible, use the standard packet driver software
interrupt of 60 hex (0x60)... If you use a different interrupt, you will
have to specify the interrupt to SNIFF via a command line switch every
time you start it.

Start SNIFF running by typing SNIFF at the DOS command prompt. The following
command line options are available:

  F=filename    - Write packets to file
    When this option is used, all monitored packets are written to a file,
    which can be viewed using the included SNIFFR program, or processed by
    another program (see later in this document for information on the
    file format).

  I=xx          - Specify packet driver interrupt
    This option allows you to specify the software interrupt on which the
    packet driver has been installed. If not specified, SNIFF assumes the
    value of 60 hex (0x60) which is the standard packet driver interrupt.

  M=n           - Specify the packet driver reception mode
    This controls the packet driver and ethernet hardware, and can be
    used to filter out some types of packets. For most applications you
    will want '6' (all packets), which asks the driver to put the card in
    promiscuous mode; the card and driver must support this, and on a
    shared 10 Mbps segment it shows every station's traffic, not just
    packets addressed to you. Values are:
        1 - Monitor NO packets (receiver off)
        2 - Monitor normal packets to our ethernet address only
        3 - Our packets + broadcast packets
        4 - Our packets + broadcast + limited multicast packets
        5 - Our packets + broadcast + all multicast packets
        6 - All packets

  S=xxxx        - Specify the packet type to send
    SNIFF supports diagnostic functions where it can send test packets to
    other ethernet addresses ... This parameter specifies the packet type
    to insert in these packets.

  T=xxxx        - Specify packet type to monitor
    This defines the packet type (16 bit hex number) that SNIFF will
    monitor. If not specified, SNIFF monitors all packet types.

  /M            - Force monochrome screen
    Causes SNIFF to use a monochrome screen color scheme... Useful if you
    have a screen which does not support color but is reported by the
    system as a color screen.



USING SNIFF
-----------
Once SNIFF starts up and displays its main screen, you will see monitored
packets showing on the screen in the following format:

[q] size To:aa.aa.aa.aa.aa.aa Fr:aa.aa.aa.aa.aa.aa Type:xxxx
0000  dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd dd  ccccccccccccccc
... More dump lines may follow ...

q = SNIFF queue position (0-31) ... not terribly useful except as a
    running counter on the screen that lets you see at a glance how many
    packets span the visible part of the display.

size = the size of the packet in bytes (including the 14 byte header)

aa = Ethernet to/from address, each address is a series of 6 HEX bytes.

xxxx = Packet type (16 bit word - 2 hex bytes)

0000 = Dump line address (offset of the first byte shown on that line) ...
    Depending on the size of the packet and the configuration of SNIFF
    (see +/-), the HEX/ASCII dump may have any number of lines, including
    none.

dd  = Hex data bytes shown in the ASCII dump

ccc.. = ASCII character representations of the 'dd' data bytes.



Along the bottom of the screen, SNIFF will display the following information:

total shown Addr:n +/-Dump:n <>mode:6 0-9send:n C/E/M/R/T/ESC

total = Total number of packets seen by SNIFF on the ethernet interface
    (wraps back to 0 after 65535)

shown = Total number of packets which have been displayed by SNIFF
    (trigger matches)

Addr: = Number of ethernet addresses collected by SNIFF (0-10)

+/-dump: = Maximum number of HEX/ASCII dump lines currently configured

<>mode: = Current capture mode (same as M= command line option)

0-9send: = Number of packets sent via 0-9 and 'M'

C/E/M/R/T/ESC = Reminder of other commands



The following commands may be entered on the keyboard while SNIFF is
running:

A = Show current address list
    Every time SNIFF displays a packet that has an address it has not
    seen before, it will "capture" the address into its address list.
    Up to 10 addresses can be so captured.

C = Clear the screen

D = Dump entire packet
    Displays the content of the entire last packet received in HEX/ASCII
    dump notation... useful when you have configured SNIFF to only display
    1-2 lines of the packet, but need to see all of some, or when you want
    to see the packet header data in the dump output.

E = Erase address list
    Causes SNIFF to forget all of the addresses in its address list and
    to begin collecting a new one.

M = Send multicast packet
    Sends a packet to the all-ones address FF.FF.FF.FF.FF.FF (the broadcast
    address, which every station receives) with ASCII text indicating the
    packet number ("This is packet 0-65535 ..."). Mainly a diagnostic tool
    to transmit our address to other copies of SNIFF.

R = Resets the 'total' 'shown' and '0-9send:' counters to 0.

T = Enters the trigger setup screen for filtering the packets captured.
    See later in this document for more information.

+/- = Set the number of lines displayed in the HEX/ASCII dump portion of
    the packet display... Useful to limit the display of large packets
    when you only need to see specific values near the beginning (common).

<> = Switch between the available capture modes (same as M= parameter)
    This is one place where Mode 1 (No packets) is useful ... to stop
    receiving packets while you study something on the screen!

0-9 = Send a packet to the corresponding (0-9) ethernet address from the
    current address list. Packet is sent with type specified by S= option,
    and contains "This is packet n ..." where n is the total number of
    packets which have been sent so far.



TRIGGERING
----------
One of the most powerful features of SNIFF is its ability to filter out
traffic you do not want to see by "triggering" on byte or bit patterns
within the packets.

To set triggering, press 'T' at the SNIFF main screen. This will open up
the triggering panel.

When the triggering panel opens, you will see 50 byte entries, which
represent the packet:

  Size (2 entries) **NOTE
  To address (6 entries)
  From address (6 entries)
  Type (2 entries)
  Data (34 entries)

**NOTE that the Size entries represent a 16 bit quantity (the size of
the packet), and it occurs in LITTLE ENDIAN ordering (the low byte is
at position 1, and the high byte is at position 2) ... Also note that
the Size is not actually part of the packet, and therefore DOES NOT
include the two bytes for the size, but DOES include the packet header
(to/from/type). Ie: a given size value will be the number of data bytes
in the packet +14 (6 + 6 + 2). For example, a 28 byte ARP request gives
a Size of 42 (0x002A), entered as 2A at position 1 and 00 at position 2.

Each entry can be configured to one of three possible states:

 - Don't Care           - Always match this byte
 - nnnnnnnn (xx) [c]    - Entire byte must match exactly
   nnn...=Bit pattern  xx=Hex value   c=ASCII character
 - bbbbbbbb             - 1/0 bits must match, ignore x (don't care) bits

You can position the cursor to any entry with the Up/Down/Right/Left/Home
or End keys. When positioned on an entry, you may change its state with:
  F1  = Set this entry to "Don't care"
  0-F = Enter HEX value for exact match
  Space/Backspace = Begin editing bit pattern for 1/0/x bit match
    - Press '1' to match only 1 bits in this position
    - Press '0' to match only 0 bits in this position
    - Press 'x' to match any bit in this position
    - Press SPACE to advance to next bit with no change
    - Press BACKSPACE to backup to previous bit

The default state of all entries is "Don't care", which means that SNIFF
will match any packets received of the selected mode and type (See M= and
T= options). You may modify the entries to cause SNIFF to accept only
packets which have bytes/bits which match the entries in the positions that
you have selected.

SNIFF also supports "FALSE" logic triggering:

Under TRUE (normal) logic, SNIFF accepts any packets which match the trigger
conditions. Use this to view packets containing a specific command sequence
etc.

Under FALSE logic, SNIFF accepts only packets which DO NOT meet the trigger
conditions... Use this to ignore packets containing a specific command
sequence etc.

The F2 key toggles the triggering mode between TRUE and FALSE.
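
Worked example of the trigger logic above, added here and not part of SNIFF
or SNIFFR: a Python model of the 50-entry panel (Don't care, exact byte,
1/0/x bit pattern) with TRUE/FALSE logic, run over three constructed packets.
Two details the SNIFF text leaves open are assumed: the two Type entries hold
the type bytes in wire order (08 00 for IP), and a packet too short to reach
a constrained entry does not match it.

```python
"""Trigger matching modelled on SNIFF's 'T' panel (added example, not SNIFF code).

Assumptions the SNIFF docs do not spell out: the two Type entries hold the
type bytes in wire order (08 00 for IP), and a packet too short to reach a
constrained entry does not match it.
"""
import struct

TEMPLATE_LEN = 50                       # size(2) + to(6) + from(6) + type(2) + data(34)


def template_bytes(to, frm, ptype, data):
    """Lay a packet out the way the trigger panel sees it.

    Size = 14-byte header + data, not counting the size field itself, stored
    little endian (low byte in entry 1) as the SNIFF docs describe.
    """
    return struct.pack("<H", 14 + len(data)) + to + frm + struct.pack(">H", ptype) + data[:34]


def compile_entry(entry):
    """Turn one panel entry into a (mask, value) pair.

    None        -> Don't care (matches anything)
    0..255      -> exact byte (hex typed into the entry)
    '0100xxxx'  -> bit pattern: '1'/'0' must match, 'x' is ignored
    """
    if entry is None:
        return 0x00, 0x00
    if isinstance(entry, int):
        if not 0 <= entry <= 0xFF:
            raise ValueError(f"byte out of range: {entry}")
        return 0xFF, entry
    if len(entry) != 8 or set(entry) - set("01x"):
        raise ValueError(f"bad bit pattern: {entry!r}")
    mask = value = 0
    for ch in entry:                    # entry[0] is the most significant bit
        mask = (mask << 1) | (ch != "x")
        value = (value << 1) | (ch == "1")
    return mask, value


def panel(size=(), to=(), frm=(), ptype=(), data=()):
    """Assemble the 50 entries from per-field lists; unspecified entries are Don't care."""
    def pad(seq, n):
        seq = list(seq)
        if len(seq) > n:
            raise ValueError("too many entries for field")
        return seq + [None] * (n - len(seq))
    return pad(size, 2) + pad(to, 6) + pad(frm, 6) + pad(ptype, 2) + pad(data, 34)


class Trigger:
    def __init__(self, entries, true_logic=True):
        if len(entries) != TEMPLATE_LEN:
            raise ValueError("the trigger panel has exactly 50 entries")
        self.rules = [compile_entry(e) for e in entries]
        self.true_logic = true_logic    # F2 toggles between TRUE and FALSE logic

    def pattern_matches(self, tmpl):
        for pos, (mask, value) in enumerate(self.rules):
            if mask and (pos >= len(tmpl) or tmpl[pos] & mask != value):
                return False
        return True

    def accepts(self, to, frm, ptype, data):
        """TRUE logic shows packets that match; FALSE logic shows the rest."""
        return self.pattern_matches(template_bytes(to, frm, ptype, data)) == self.true_logic


# Constructed sample traffic (not captured from a real network).
SRC = bytes.fromhex("001122334455")
SAMPLES = {
    "arp": (bytes.fromhex("ffffffffffff"), SRC, 0x0806,
            bytes.fromhex("0001080006040001" "001122334455c0a80001" "000000000000c0a80002")),
    "unicast": (bytes.fromhex("00aabbccddee"), SRC, 0x0800,
                bytes.fromhex("4500001400010000400100000a0000010a000002")),
    "mcast": (bytes.fromhex("01005e000001"), SRC, 0x0800,
              bytes.fromhex("4500001400020000011100000a000001e0000001")),
}

TRIGGERS = {
    "broadcast": Trigger(panel(to=[0xFF] * 6)),
    "not_broadcast": Trigger(panel(to=[0xFF] * 6), true_logic=False),
    "group_bit": Trigger(panel(to=["xxxxxxx1"])),           # multicast/broadcast bit of first To byte
    "size_42": Trigger(panel(size=[0x2A, 0x00])),           # 14 + 28 byte ARP, little endian
    "ipv4": Trigger(panel(ptype=[0x08, 0x00], data=["0100xxxx"])),  # type IP, version nibble 4
}


def run_triggers():
    """Return {trigger name: [names of the samples it would show]}."""
    return {name: [s for s, pkt in SAMPLES.items() if trig.accepts(*pkt)]
            for name, trig in TRIGGERS.items()}


if __name__ == "__main__":
    for name, shown in run_triggers().items():
        print(f"{name:14s} -> {shown}")
```

The 'size_42' trigger is the little-endian point from the NOTE above: a 42
byte packet is entered as 2A at position 1 and 00 at position 2. The
'group_bit' trigger is a bit pattern SNIFF's exact-byte entries cannot
express: it picks up every multicast and broadcast destination in one rule.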



FILE FORMAT
-----------
When the packet information is saved to a file (F= command line option),
SNIFF writes the packets in the following format:

    Size - 2 bytes, little endian format
    To address - 6 bytes
    From address - 6 Bytes
    Type - 2 bytes
    Data (size-14 bytes)
    ... Additional packets to end of file ...

Note that the "Size" value includes the 14 byte header data (to/from/type),
but not the Size itself... In other words, the file space taken for each
packet in the file is Size+2 bytes.
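
Worked example of the file format above, added here and not code shipped
with SNIFF: a Python reader and writer for the record layout (little-endian
Size, then header and data), with a check for a file that was cut short, and
a converter to pcap so that the protocol decoding SNIFF itself lacks can be
done in Wireshark or tcpdump. The pcap header values are the standard
libpcap ones (magic A1B2C3D4, version 2.4, link type 1 = Ethernet); SNIFF
records carry no timestamps, so every packet is stamped 0. The sample frames
are constructed, not captured.

```python
"""Read/write SNIFF capture files (F= option) and convert them to pcap.

Added example, not code shipped with SNIFF.  Record layout follows the FILE
FORMAT section: little-endian 16-bit Size (header + data, not counting
itself), then the 14-byte header and the data.  The pcap writer emits the
standard libpcap file header (magic A1B2C3D4, link type 1 = Ethernet) so the
file opens in Wireshark or tcpdump; SNIFF records carry no timestamps, so
every packet is stamped 0.
"""
import struct

HEADER_LEN = 14                 # to(6) + from(6) + type(2)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def frame_bytes(to, frm, ptype, data):
    """Reassemble a raw frame from its parsed fields (type in wire order)."""
    return to + frm + struct.pack(">H", ptype) + data


def write_records(frames):
    """Serialize raw frames (header + data) the way SNIFF's F= option does."""
    out = bytearray()
    for frame in frames:
        if not HEADER_LEN <= len(frame) <= 0xFFFF:
            raise ValueError(f"frame length {len(frame)} not representable")
        out += struct.pack("<H", len(frame)) + frame
    return bytes(out)


def read_records(blob):
    """Yield (to, frm, ptype, data) per record; raise on a truncated or bogus tail.

    Earlier records are still yielded, so a capture cut short when SNIFF was
    stopped mid-write loses only its last packet.
    """
    off = 0
    while off + 2 <= len(blob):
        (size,) = struct.unpack_from("<H", blob, off)
        start, end = off + 2, off + 2 + size
        if size < HEADER_LEN or end > len(blob):
            raise ValueError(f"bad record at offset {off}: size={size}, "
                             f"bytes remaining={len(blob) - start}")
        rec = blob[start:end]
        yield rec[0:6], rec[6:12], struct.unpack(">H", rec[12:14])[0], rec[14:]
        off = end
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} stray byte(s) after the last record")


def to_pcap(blob, snaplen=65535):
    """Convert a SNIFF capture to pcap bytes (the protocol decoding SNIFF lacks)."""
    # file header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for rec in read_records(blob):
        frame = frame_bytes(*rec)
        # per-packet header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample frames (not from a real capture): an ARP request and an IPv4 packet.
SAMPLE_FRAMES = [
    bytes.fromhex("ffffffffffff" "001122334455" "0806"
                  "0001080006040001" "001122334455c0a80001" "000000000000c0a80002"),
    bytes.fromhex("00aabbccddee" "001122334455" "0800"
                  "4500001400010000400100000a0000010a000002"),
]


def demo():
    """Round-trip the samples, convert to pcap, and show the truncation check."""
    blob = write_records(SAMPLE_FRAMES)
    records = list(read_records(blob))
    try:
        list(read_records(blob[:-5]))           # chop the last record short
        truncated_detected = False
    except ValueError:
        truncated_detected = True
    return {
        "record_count": len(records),
        "roundtrip_ok": [frame_bytes(*r) for r in records] == SAMPLE_FRAMES,
        "types": [f"{r[2]:04X}" for r in records],
        "file_len": len(blob),
        "pcap_len": len(to_pcap(blob)),
        "truncated_detected": truncated_detected,
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # python sniff2pcap.py capture.snf out.pcap
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "wb") as g:
            g.write(to_pcap(f.read()))
    else:
        print(demo())
```

Two checks worth keeping when you process SNIFF files with other tools: a
Size below 14 cannot be a real record (the header alone is 14 bytes), and a
Size that runs past end of file means SNIFF was stopped while writing, in
which case everything before that record is still good.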



SNIFFR
------
Included with SNIFF is SNIFFR, the "SNIFF Reader". This program will read
a SNIFF output file, and allow you to view and search the packet data within
it at your leisure.

SNIFFR is very simple and straightforward to use. Type SNIFFR ? for
information on the command line, and press F1 once you have activated
SNIFFR for information on the available command keys.



PACKET FORMAT
-------------
SNIFF monitors standard DIX (DEC/Intel/Xerox) ethernet and IEEE 802.2/3
packets, which are formatted as follows:

    To address (6 bytes)
    From address (6 bytes)
    DIX: Packet type (2 byte)  IEEE 802.2/3: Length (2 bytes)
    Packet data (variable length)

The "To address" is the 6 byte ethernet address of the receiving station.
If the least significant bit of the FIRST address byte is set (it is the
first bit sent on the wire, so the address begins 01, 03, ... or FF), it is
a "Multicast" (group) address and is received by every station that has
enabled it ** Each station can use a filter on its card to limit which
multicast addresses it receives (see mode 4). The all-ones address
FF.FF.FF.FF.FF.FF is the broadcast address and is accepted by every station;
unless you need to differentiate multicasts to various stations, common
practice is to send the address as all FF's, and to set your receive filter
to accept all FF's.

The "From address" is the 6 byte ethernet address of the sending station.
(Its first byte must never have the least significant bit set: a "group"
source address is not legitimate, and a packet carrying one is malformed
or forged.)

The "Packet type" is used in DIX ethernet packets only, and is a number
which indicates the type of packet service (for example 0800 for IP and
0806 for ARP). It is used to allow different protocols to share a common
network without confusing each other's packets. Note that IEEE 802.2/3
packets use this area for the length of the data that follows (the hardware
supplies the length of the whole packet, but since short packets are padded
up to the minimum size, this field says how much of the data is real). To
keep the two uses apart, a value of 1500 (0x05DC) or less is a length (the
largest 802.2/3 data field), and DIX requires that the "Packet type" always
be 1536 (0x0600) or greater; values in between are not assigned.

"Packet data" is the actual data sent/received in the packet. (Note, as far
as the hardware is concerned, the user data actually starts with the "Packet
type").
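
Worked example of the packet format above, added here and not SNIFF code: a
Python classifier for the 14 byte header that tells DIX from 802.2/3 by the
type/length field, checks the group bit of the To and From addresses, and
compares an 802.3 length field against the data actually present, together
with a renderer for the "size To:.. Fr:.. Type:xxxx" line SNIFF shows. The
thresholds are the IEEE ones (1500 and below is a length, 1536 and above is
a type); the sample frames are constructed, not captured.

```python
"""Classify a frame header the way SNIFF's PACKET FORMAT section describes it.

Added example, not SNIFF code.  Thresholds are the IEEE ones: a type/length
field of 1500 (0x05DC) or less is an 802.3 length, 1536 (0x0600) or more is
a DIX packet type, and values in between are not assigned.
"""
import struct

MAX_8023_LENGTH = 1500      # 0x05DC, largest 802.3 data field
MIN_ETHERTYPE = 0x0600      # 1536, smallest DIX packet type
GROUP_BIT = 0x01            # low bit of the first address byte: multicast/broadcast


def sniff_line(frame):
    """Render the header line SNIFF shows: size To:.. Fr:.. Type:xxxx."""
    dot = lambda a: ".".join(f"{b:02X}" for b in a)
    tl = struct.unpack(">H", frame[12:14])[0]
    return f"{len(frame)} To:{dot(frame[:6])} Fr:{dot(frame[6:12])} Type:{tl:04X}"


def classify(frame):
    """Return what the 14-byte header says about the frame, plus sanity checks."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    to, frm, data = frame[:6], frame[6:12], frame[14:]
    tl = struct.unpack(">H", frame[12:14])[0]
    info = {
        "dest": ("broadcast" if to == b"\xff" * 6
                 else "multicast" if to[0] & GROUP_BIT else "unicast"),
        # A source address with the group bit set is never legitimate.
        "source_ok": not (frm[0] & GROUP_BIT),
        "data_len": len(data),
    }
    if tl <= MAX_8023_LENGTH:
        info["kind"] = "802.3"
        info["length"] = tl
        # The length field bounds the real payload; anything beyond it is padding.
        # A length larger than the data present means a truncated or bogus frame.
        info["length_ok"] = tl <= len(data)
        info["padding"] = len(data) - tl if tl <= len(data) else None
    elif tl >= MIN_ETHERTYPE:
        info["kind"] = "DIX"
        info["type"] = tl
    else:
        info["kind"] = "undefined"
        info["type_or_length"] = tl
    return info


# Constructed frames (not real captures); data is padded to the 46 byte minimum.
SRC = bytes.fromhex("001122334455")
DST = bytes.fromhex("00aabbccddee")
ARP_BCAST = (bytes.fromhex("ffffffffffff") + SRC + bytes.fromhex("0806")
             + bytes.fromhex("0001080006040001" "001122334455c0a80001" "000000000000c0a80002")
             + bytes(18))                                   # 28 byte ARP + 18 bytes padding
STP_8023 = (bytes.fromhex("0180c2000000") + SRC + bytes.fromhex("0026")   # length field = 38
            + bytes.fromhex("424203") + bytes(35)           # LLC header + zero-filled 35 byte body
            + bytes(8))                                     # 8 bytes of padding
BAD_SRC = DST + bytes.fromhex("01aabbccddee") + bytes.fromhex("0800") + bytes(46)
UNDEFINED = DST + SRC + bytes.fromhex("05f0") + bytes(46)   # 1520: neither length nor type
SHORT_8023 = DST + SRC + bytes.fromhex("05dc") + bytes(46)  # claims 1500 bytes, carries 46

SAMPLES = {"arp": ARP_BCAST, "stp": STP_8023, "bad_src": BAD_SRC,
           "undefined": UNDEFINED, "short_8023": SHORT_8023}


def report():
    """Return {name: (SNIFF header line, classification)} for every sample."""
    return {name: (sniff_line(f), classify(f)) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, (line, info) in report().items():
        print(f"{name:11s} {line}")
        print(f"{'':11s} {info}")
```

The 'bad_src' and 'short_8023' cases are the ones to watch for when using
SNIFF to investigate odd traffic: a From address with the group bit set, or
an 802.3 length larger than the data that arrived, does not come from a
well-behaved station.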


Dunfield Development Services (DDS) offers software and firmware
development services specializing in systems and embedded applications.
For more information, visit: http://www.dunfield.com
