BUTTSniffer Documentation
Version 0.9.3
Copyright (C) 1998, Cult of the Dead Cow
Written by DilDog (dildog@l0pht.com)
http://www.cultdeadcow.com/~dildog/BUTTSniffer

See the webpage for current information on the progress
of this software.

Currently, only filter documentation is here,
more to be added as development progresses.
                                           

BUTTSniffer Filters
-------------------

About IP and Port Filtering

BUTTSniffer supports IP and Port filtering on the sniffed information. There
are a number of ways to invoke port filtering. One is from the interactive
mode through the configure menu option, the other is through the direct disk
dump option (EXE "-d" option, or DLL, function _Dump()). Either way, the
filtering is the same, but with slightly different syntax obviously.

To supply the direct disk dumper with a filter, you can use any of the
following syntaxes:

(replace <interface> with an interface name returned from '-l' or _List())


        EXE: buttsniff -d <interface> c:\foo.dmp p 80
        DLL: _Dump                   <interface> c:\foo.dmp p 80
        This syntax logs only port 80 to a file 'foo.dmp'.


        EXE: buttsniff -d <interface> c:\foo.dmp p 60-100
        DLL: _Dump                   <interface> c:\foo.dmp p 60-100
        This syntax logs only ports 60 through 100 to a file 'foo.dmp'.


        EXE: buttsniff -d <interface> c:\foo.dmp p fnord.fil
        DLL: _Dump                   <interface> c:\foo.dmp p fnord.fil

        This syntax reads in a file named 'fnord.fil' and uses the
        filtering rules in the file to filter based on IP and port.

Note that there is no way to filter specific IP addresses unless you
use the 'filter file' option (third example above).

The filtering only works on dump type 'p' at this time. In the future,
there may be IP filtering on the command line, and possibly on the 'i'
dump type, and possibly ethernet filtering on all options if demand is strong.

The syntax of a filter file is simply a series of lines with a single filter
rule per line. Filter rules are parsed 'top to bottom', and ALL filter rules
are parsed before a decision is made on whether or not to reject a packet.
A filter rule can take one of the following forms:

IP Rules:
{+-}a.b.c.d      Where a,b,c, and d are numbers representing an IP address.
                 if a,b,c, or d are '*', that particular field is matched
                 for all possible numbers. + indicates inclusion, - exclusion.

                 examples:

                 +192.168.55.* matches everything in the 192.168.55
                 subnet and includes it in the list of things to be sniffed.

                 -*.*.*.* matches all IP addresses and excludes them from
                 the list of things to be sniffed.

Port Rules:

{+-}port
{+-}loport-hiport    Where 'port','loport' and 'hiport' are single numbers
                     in the range 0-65535. If both loport and hiport are
                     specified, hiport must be greater than or equal to loport

                     examples:

                     +80 includes every packet that is coming from or to port
                     80 in the list of things to be sniffed.

                     -0-65535 excludes every packet coming from or going to
                     any port (that is, every packet) from the list of
                     things to be sniffed.

An empty rule file is taken to mean that you want to collect EVERYTHING.

Here are a few practical examples:

To capture the telnet sessions from/to the machine 10.0.0.5, use this file:

-*.*.*.*
+10.0.0.5
-0-65535
+23

To capture the information going to/from all non-privileged ports on
the 10.0.0 subnet, use the following:

-*.*.*.*
+10.0.0.*
-0-1023

To capture all of the packets that are NOT going to or coming from the
10.0.0 subnet, use the following:

-10.0.0.*



Got it? Good. Now don't ask me any questions, unless you think you've found
a bug.

Also, if a rule is malformed in a filter file, that rule will be IGNORED.

Files such as this:

-*.*.*.*
+mydog'sbutt
-0-65535
+80

End up being parsed like this:
-*.*.*.*
-0-65535
+80
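The following is an added example, not code from BUTTSniffer or from cDc: a
small Python evaluator for the filter-file syntax described above, run over
some constructed sample packets. It parses IP rules (per-octet '*' wildcards)
and port rules (single port or loport-hiport), drops malformed lines the way
the documentation says the real parser does, and then decides per packet.
The way rules combine is an assumption drawn from the three practical examples
above: a rule matches if EITHER the source or the destination of the packet
matches it, rules are walked top to bottom with the last matching rule
winning, a packet with no matching rule is included (so an empty file
collects everything), and a packet is kept only when both the IP decision and
the port decision are 'include'. The sample traffic and TELNET_FILTER below
are constructed for the demonstration.

```python
"""Evaluator for BUTTSniffer-style filter files (added example, not the tool's code)."""
import re

# {+-}a.b.c.d where each field is a number or '*'
_IP_RULE = re.compile(r'^([+-])((?:\d{1,3}|\*)(?:\.(?:\d{1,3}|\*)){3})$')
# {+-}port or {+-}loport-hiport
_PORT_RULE = re.compile(r'^([+-])(\d{1,5})(?:-(\d{1,5}))?$')


def parse_rules(text):
    """Parse a filter file. Returns (ip_rules, port_rules, ignored).

    ip_rules  : list of (include, [octet patterns])
    port_rules: list of (include, loport, hiport)
    ignored   : malformed lines, which the documentation says are skipped
    """
    ip_rules, port_rules, ignored = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _IP_RULE.match(line)
        if m:
            octets = m.group(2).split('.')
            if all(o == '*' or int(o) <= 255 for o in octets):
                ip_rules.append((m.group(1) == '+', octets))
                continue
        m = _PORT_RULE.match(line)
        if m:
            lo = int(m.group(2))
            hi = int(m.group(3)) if m.group(3) is not None else lo
            # hiport must be >= loport and both must fit in 0-65535
            if lo <= hi <= 65535:
                port_rules.append((m.group(1) == '+', lo, hi))
                continue
        ignored.append(line)          # malformed rule: IGNORED, as documented
    return ip_rules, port_rules, ignored


def _ip_matches(pattern, ip):
    """'*' matches any value in that octet; otherwise compare numerically."""
    return all(p == '*' or int(p) == int(o) for p, o in zip(pattern, ip.split('.')))


def _decide(rules, matches):
    """Walk every rule top to bottom; the last matching rule wins.
    No matching rule (or no rules at all) means include.
    (Assumed semantics, inferred from the documented examples.)"""
    verdict = True
    for rule in rules:
        if matches(rule):
            verdict = rule[0]
    return verdict


def packet_passes(ip_rules, port_rules, src_ip, src_port, dst_ip, dst_port):
    """A rule matches if either endpoint matches; IP and port must both pass."""
    ip_ok = _decide(ip_rules, lambda r: _ip_matches(r[1], src_ip) or _ip_matches(r[1], dst_ip))
    port_ok = _decide(port_rules, lambda r: r[1] <= src_port <= r[2] or r[1] <= dst_port <= r[2])
    return ip_ok and port_ok


def apply_filter(filter_text, packets):
    """Return the packets (src_ip, src_port, dst_ip, dst_port) the filter keeps."""
    ip_rules, port_rules, _ignored = parse_rules(filter_text)
    return [pkt for pkt in packets if packet_passes(ip_rules, port_rules, *pkt)]


# The 'telnet sessions from/to 10.0.0.5' filter from the documentation.
TELNET_FILTER = "-*.*.*.*\n+10.0.0.5\n-0-65535\n+23\n"

# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port)
SAMPLE_PACKETS = [
    ("10.0.0.9", 4567, "10.0.0.5", 23),   # telnet to the target: kept
    ("10.0.0.5", 23, "10.0.0.9", 4567),   # reply from the target: kept
    ("10.0.0.9", 4567, "10.0.0.7", 23),   # telnet to another host: dropped (IP)
    ("10.0.0.5", 80, "10.0.0.9", 4568),   # HTTP from the target: dropped (port)
]

if __name__ == "__main__":
    for pkt in apply_filter(TELNET_FILTER, SAMPLE_PACKETS):
        print("keep %s:%d -> %s:%d" % pkt)
    print("ignored rules:", parse_rules("-*.*.*.*\n+mydog'sbutt\n-0-65535\n+80\n")[2])
```

Feeding it the malformed file from the text yields the same three surviving
rules the documentation shows, with the bad line reported in the ignored list
rather than silently changing the result.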


As for the interactive mode sniffing, the format is the same as the file,
except you're given a nice little form to type your rules into. One caveat
is that when you are entering a single port rule, such as "+80", you must
enter it as "80 - 80 <INCLUDE>" in the interactive system. Also note the
use of <Include> and <Exclude> toggles instead of the + and -.

Bow to the Cow, bizatches.


