net.sniff - net.fuzz

This module is a network packet sniffer and fuzzer supporting both BPF syntax and regular expressions for filtering. It is also able to dissect several major protocols in order to harvest credentials.

Commands

net.sniff on

Start the packet sniffer.

net.sniff off

Stop the packet sniffer.

net.sniff stats

Print the packet sniffer session configuration and statistics.

net.fuzz on

Enable fuzzing for every sniffed packet containing the specified layers.

net.fuzz off

Disable fuzzing.

Parameters

| parameter | default | description |
|---|---|---|
| net.sniff.output | | If set, the sniffer will write captured packets to this pcap file. |
| net.sniff.source | | If set, the sniffer will read from this pcap file instead of the current interface. |
| net.sniff.verbose | false | If true, every captured and parsed packet will be sent to the events.stream for displaying, otherwise only the ones parsed at the application layer (sni, http, etc). |
| net.sniff.local | false | If true it will consider packets from/to this computer, otherwise it will skip them. |
| net.sniff.filter | not arp | BPF filter for the sniffer. |
| net.sniff.regexp | | If set, only packets with a payload matching this regular expression will be considered. |
| net.fuzz.layers | Payload | Comma separated types of layer to fuzz. |
| net.fuzz.rate | 1.0 | Rate in the [0.0,1.0] interval of packets to fuzz. |
| net.fuzz.ratio | 0.4 | Rate in the [0.0,1.0] interval of bytes to fuzz for each packet. |
| net.fuzz.silent | false | If true it will not report fuzzed packets. |

Examples

The local-sniffer.cap caplet will sniff, parse and print all packets on the local machine:

    events.clear
    set net.sniff.verbose false
    set net.sniff.local true
    # uncomment to skip ARP and DNS requests
    # set net.sniff.filter "not arp and not udp port 53"
    net.sniff on

Change 90% of mDNS incoming packets by fuzzing 40% of their payload (will reinject fuzzed packets):

    set net.sniff.verbose true
    set net.fuzz.rate 0.9
    set net.fuzz.ratio 0.4
    set net.fuzz.silent false
    set net.fuzz.layers Payload
    set net.sniff.filter "host 224.0.0.251 and port 5353"
    net.fuzz on

Change 100% of WiFi packets by fuzzing 70% of their Dot11InformationElement and Dot11Data layers:

    set net.sniff.verbose true
    set net.fuzz.rate 1.0
    set net.fuzz.ratio 0.7
    set net.fuzz.layers Dot11InformationElement, Dot11Data
    net.fuzz on
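
To see how net.fuzz.rate and net.fuzz.ratio combine, the following added example (not bettercap's own code) models the mDNS settings above over constructed packets. It assumes each packet is selected independently with probability rate and each byte of a selected packet with probability ratio; the names simulate, fuzzPayload and FuzzStats are hypothetical.

```go
package main

import (
	"fmt"
	"math/rand"
)

// FuzzStats summarises one simulated run (hypothetical type for this example).
type FuzzStats struct {
	Packets, FuzzedPackets, Bytes, FuzzedBytes int
}

// fuzzPayload overwrites each byte with a random value with probability ratio
// and returns how many bytes were selected for overwriting.
func fuzzPayload(rng *rand.Rand, payload []byte, ratio float64) int {
	selected := 0
	for i := range payload {
		if rng.Float64() < ratio {
			payload[i] = byte(rng.Intn(256))
			selected++
		}
	}
	return selected
}

// simulate applies rate and ratio to n constructed packets of size bytes each.
// Assumption: packets and bytes are chosen independently at random.
func simulate(seed int64, n, size int, rate, ratio float64) FuzzStats {
	rng := rand.New(rand.NewSource(seed))
	st := FuzzStats{Packets: n, Bytes: n * size}
	for p := 0; p < n; p++ {
		payload := make([]byte, size) // constructed sample payload (all zeros)
		if rng.Float64() >= rate {
			continue // this packet is left untouched
		}
		st.FuzzedPackets++
		st.FuzzedBytes += fuzzPayload(rng, payload, ratio)
	}
	return st
}

func main() {
	// Same values as the mDNS example: rate 0.9, ratio 0.4.
	st := simulate(1, 2000, 100, 0.9, 0.4)
	fmt.Printf("packets fuzzed: %d/%d, bytes selected: %d/%d (%.1f%% of all payload bytes)\n",
		st.FuzzedPackets, st.Packets, st.FuzzedBytes, st.Bytes,
		100*float64(st.FuzzedBytes)/float64(st.Bytes))
}
```

Under this model the share of all payload bytes selected is roughly rate × ratio, so 0.9 and 0.4 touch about 36% of the traffic's payload, which is worth knowing when sizing a test against a lab target.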