angst - an active sniffer
angst [active_sniffing_method] [active_sniffing_options]
angst is an active sniffer that provides methods for
aggressive sniffing on switched local area network environ
angst dumps into a file the payload of all the TCP packets
received on the specified ports. Moreover, it implements
methods for active sniffing. angst currently provides two
active sniffing methods. The first monitors ARP requests,
and after enabling IP forwarding on the local host, sends
ARP replies mapping all IPs to the local MAC address. The
second method floods the local network with random MAC
addresses (like macof v1.1 by Ian Vitek), causing switches
to send packets to all ports.
ACTIVE SNIFFING METHODS
-a Man-in-the-middle ARP method. This method monitors
ARP requests, and after enabling IP forwarding on
the local host, sends ARP replies mapping all IPs
to the local MAC address.
-f Flood random MAC addresses method. This method
floods the local network with random MAC addresses,
causing switches to send packets to all ports.
ACTIVE SNIFFING OPTIONS
-d Don't try to enable IP forwarding on the local
host. Note that in order for the man-in-the-middle
ARP method to work, IP forwarding must be enabled
on the local host.
Specify the seconds between each flooding for flood
method, or the seconds between the injection of the
fake ARP replies.
Specify the number of packets to flood, for flood
-h Output a help message that describes in brief the
usage of each option.
-p Don't put the selected interface into promiscuous
-v Display the version number and exit.
Specify which interface to use.
Specify the filename to log the payload of the cap
tured TCP packets.
Specify the port numbers you want to monitor. The
numbers must be comma separated, and by using them
the filter expression is constructed.
Note that there are default values for all the command
line arguments. In order to keep things cleaner, you can
not specify a filter expression as a command line option.
In order to monitor other ports than the default ones (21,
23, 110, 143) you have to specify them with the -e switch.
Moreover, in order for the man-in-the-middle ARP method to
work, IP forwarding must be enabled on the local host.
The -d switch is useful when you want to enable IP for
warding yourself, and not let angst to do it for you.
angst is thoroughly tested on OpenBSD. Also, I have com
piled and tested it on FreeBSD and NetBSD. Moreover,
angst compiles and runs on Linux, but I have not tested it
For example, to use the man-in-the-middle ARP active
sniffing method and to monitor just the ports 23 and 25:
angst -a -e 23,25
In order to flood the local network with 100 random MAC
addresses every 10 seconds, and to resolve IP addresses,
using the ne0 interface:
angst -f -s 10 -c 100 -r -i ne0
Another example is to use the man-in-the-middle ARP method
and inject the fake ARP replies every 8 seconds, also log
the payload of the captured packets to the file misc.log:
angst -a -s 8 -l misc.log
tcpdump(8), macof(8), pcap(3), libnet(3)
Patroklos Argyroudis <argp at domain bsd.gr>
angst cannot yet catch the stupid user mistake of supply
ing two or more same port numbers to monitor with the -e
switch. That's why it shows the final filter expression
when the -e switch is used. Also, there is no checking
for the validity of the filter expression, so the supplied
input to the -e switch must be comma separated numbers.
Although the latest version of angst is very stable and
thoroughly tested (at least on OpenBSD), is still consid
ered to be in beta development phase. If you find a bug,
please contact me at the above email address.