PACKIT(8)	Packet analysis and injection tool	PACKIT(8)


NAME
       Packit - Packet analysis and injection tool


SYNOPSIS
       Packet capture:
       packit  -m  capture [-cGHnvsX] [-i interface] [-r|-w file]
       expression

       Packet injection:
       packit -m inject [-t  protocol]	[-aAbcCdDeFjJkKlLmMnNoOp-
       PqQrRsSTuvwWxXy] [-i interface]


DESCRIPTION
       Packit  is  a network auditing tool. It's value is derived
       from its ability to customize, inject, monitor, and manip-
       ulate  IP  traffic.  By allowing you to define (spoof) all
       TCP, UDP, ICMP, IP, ARP, RARP and Ethernet header options,
       Packit  can  be	useful	in  testing  firewalls, intrusion
       detection systems, port scanning, simulating network traf-
       fic  and general TCP/IP auditing. Packit is also an excel-
       lent tool for learning TCP/IP.


PACKIT BASE OPTIONS
       -m mode
	    Select a runtime mode. Currently supported modes
	    are capture and inject. The default is inject.


PACKET CAPTURE OPTIONS
       Packet capture options are as follows:

       -c count
	    Specify the number of packets to capture

       -e   Display link-layer header data.

       -G   Display the timestamp in GMT rather than localtime.

       -i interface
	    Listen on interface. If unspecified, packit will  use
       the lowest
	    numbered  device  in  the 'up' state (excluding loop-
       back).

       -n   Don't resolve host addresses  to  names  but  resolve
       ports numbers.
	    Disables DNS lookups.

       -nn   Don't  resolve ports numbers to their protocol names
       but resolve
	    host addresses.

       -nnn Don't resolve host addresses or port numbers.

       -r file
	    Read packet data from  tcpdump  formated  binary  log
       file. (example:
	    a file created with -w)

       -s snaplen
	    Read  snaplen  bytes  of data from each packet rather
       than the
	    default of 68.

       -v  Enables verbose packet capture.

       -w file
	    Write the raw packets to file rather than  displaying
       time to
	    stderr.

       -X   Display hexadecimal & ascii dump of each packet up to
       snap
	    length bytes.

       expression
	    selects which packets  should  be  displayed.  If  no
       expression is
	    given,  all packets are displayed. See the tcpdump(1)
       man page for
	    more detailed information.


PACKET INJECTION
       Packet injection is used to define  and	inject	IP  based
       network	traffic	 onto your network.  You have the ability
       to define essentially any ARP, IP, TCP, UDP, ICMP and Eth-
       ernet  header  value.  This can be valuable in a number of
       ways, including	testing	 firewalls,  intrusion	detection
       systems, simulating traffic flow and general TCP/IP audit-
       ing.


CHOOSE YOUR PROTOCOL
       -t protocol
	    Specify the type of packet to inject. Supported  val-
       ues are: ARP,
	    TCP, UDP and ICMP. This option defaults to TCP.


PACKET INJECTION GENERAL
       This   section	documents  the	operational  command-line
       options.

       -c count
	    The value of count is the total number of packets  we
	    would like to inject (a count value of 0 means forver).

       -w interval
	    The	 number	 of  seconds to wait between sending each
       packet burst
	    (default: 1).

       -b burst rate
	    Specifies the  number  of  packets	to  inject  every
       interval (defined
	    by -w). (Maximum: 10000)

       -h
	    Host  response  mode. Enabling this option will print
       any packet
	    you inject and then wait (see -H for timeout) to  see
       if the remote
	    host responds.

       -H timeout
	    Specify  the  timeout  value (in seconds) to use with
       '-h'.
	    This value defaults to '1' second.

       -i interface
	    Specify  the  interface  to	 transmit  from,  if  the
       machine has
	    multiple interfaces.

       -v
	    Verbose  injection	mode.  Displays	 each  packet you
       inject. It
	    also has the same effect as	 in  capture  mode  while
       used with
	    the '-h' option.

       -p payload
	    This  option  defines  the	payload	 portion  of  the
       header.
	    Example: -p 'hello, this is my packet'

       -w interval
	    Specify the number of seconds to wait between  packet
       bursts.
	    This value defaults to '1' second.


IP HEADER OPTIONS
       This section documents the IP header command-line options.

       -s src address
	    The IP address the packet will appear to  come  from.
       If unspecified, packit will default to the IP address of
       the
	    lowest numbered device in the 'up'	state  (excluding
       loopback).

       -sR  Use a random source IP address.

       -d dst address
	    The	 IP address of the machine you would like to con-
       tact.

       -dR  Use a random destination IP address.

       -O type of service
	    TOS values are typically in hexidecimal format,  how-
       ever, packit
	    only accepts TOS values as integers.

	    Below are the 4 valid TOS bit values:

	    - Minimize delay: 16 (0x10)
	    - Maximize throughput: 8 (0x08)
	    - Maximize reliability: 4 (0x04)
	    - Minimize monetary cost: 2 (0x02)

       -n id number
	    The	 ID number is used to identify each datagram sent
       by a host.
	    It generally increments by	one  with  each	 datagram
       sent. This
	    value is random by default.

       -T TTL
	    The	 TTL  value defines the upper limit on the number
       of routers
	    through which the  datagram	 may  pass.  The  default
       value is 128.


TCP HEADER OPTIONS
       This   section	documents  the	TCP  header  command-line
       options.

       -S src port
	    The port from which our source address is communicat-
       ing from. This
	    value is random by default.

       -D dst port
	    The port on the destination we would like to communi-
       cate on. This
	    value is 0 by default. You may also specify	 a  range
       of addresses
	    in the format: -D 1-1024.

       -f  Do not fragment this packet.

       -F tcp flags
	    There are 6 TCP header flag bits. They can be used in
       combination
	    with one another and are specified using the  follow-
       ing
	    identifiers:

	    - S : SYN (Synchronization sequence number)
	    - F : FIN (Sender is finished)
	    - A : ACK (Acknowledgement number is valid)
	    -  P  :  PSH  (Receiver  should push this data to the
       remote host)
	    - U : URG (The urgent pointer is valid)
	    - R : RST (Reset this connection)

	    As an example, to set the SYN and FIN bits use the
	    following: -F SF

       -q sequence number
	    The sequence number is a 32-bit  unsigned  (positive)
       number used
	    to	identify  the  byte  in a stream of data from the
       sending TCP
	    to the receiving TCP that the first byte of data rep-
       resents.

       -a ack number
	    The	 acknowledgement  (ack)	 number	 defines the next
       sequence
	    number that the sender of the ack expects to see.  It
       is
	    typically the sequence number + 1 during valid TCP
	    communication.  It	is  a  32-bit unsigned (positive)
       number.

       -W window size
	    The window size provides flow control. It is a 16-bit
	    number  that  defines  how many bytes the receiver is
       willing
	    to accept. The default value is 1500.

       -u urgent pointer
	    In valid TCP communication, the urgent pointer is
	    only useful if the URG flag is set. Used with the
	    sequence number, it points to the last byte of urgent
	    data.


UDP HEADER OPTIONS
       This   section	documents  the	UDP  header  command-line
       options.

       -S src port
	    The port from which our source address is communicat-
       ing from. This
	    value is random by default.

       -D dst port
	    The port on the destination we would like to communi-
       cate on. This
	    value is 0 by default. You may also specify	 a  range
       of addresses
	    in the format: -D 1:1024.


ICMP HEADER OPTIONS
       This   section  documents  the  ICMP  header  command-line
       options.

       -K type
	    Specify the ICMP type. See docs/ICMP.txt for  details
       on types.

       -C code
	    Specify  the ICMP code. See docs/ICMP.txt for details
       on codes.

       ECHO REQUEST / ECHO REPLY OPTIONS

       -N id number
	    Define the 16-bit ICMP  identification  number.  This
       value is
	    random by default.

       -Q sequence number
	    Define the 16-bit ICMP sequence number. This value is
       random
	    by default.

       UNREACHABLE / REDIRECT / TIME EXCEEDED OPTIONS

       -g gateway
	    Define the gateway in which to redirect  traffic  to.
       This option
	    is only used for ICMP redirects (type 5).

       -j address
	    Define the source address of the original packet.

       -J src port
	    Define the source port of the original packet.

       -l address
	    Define   the  destination  address	of  the	 original
       packet.

       -L dst port
	    Define the destination port of the original packet.

       -m time to live
	    Define the Time To Live of the original packet.  This
       option
	    defaults to 128.

       -M id
	    Define  the IP ID of the original packet. This option
       defaults
	    to random.

       -o type of service
	    Define the Type of Service of  the	original  packet.
       See the
	    -O option for the possible values.

       -P protocol
	    Define  the	 protocol  of  the  original packet. This
       option
	    defaults to UDP.

       MASK REQUEST / MASK REPLY OPTIONS

       -N id number
	    Define the 16-bit ICMP  identification  number.  This
       value is
	    random by default.

       -Q sequence number
	    Define the 16-bit ICMP sequence number. This value is
       random
	    by default.

       -G address mask
	    Define the address network mask.  The  default  value
       for this
	    option is:255.255.255.0.

       TIMESTAMP REQUEST / TIMESTAMP REPLY OPTIONS

       -N id number
	    Define  the	 16-bit	 ICMP identification number. This
       value is
	    random by default.

       -Q sequence number
	    Define the 16-bit ICMP sequence number. This value is
       random
	    by default.

       -y original timestamp
	    Define the 32-bit original timestamp. This value is 0
	    by default.

       -k recieved timestamp
	    Define the 32-bit recieved timestamp. This value is 0
	    by default.

       -z transmit timestamp
	    Define the 32-bit transmit timestamp. This value is 0
	    by default.


ARP HEADER OPTIONS
       This  section  documents	 the  ARP   header   command-line
       options.	 In my opinion, these options have the ability to
       do the most damage with the least  effort,  especially  on
       large cable and DSL networks. Use with caution.

       Packit only supports ARP protocol addresses in IPv4 format

       -A operation type
	    Define the ARP / RARP /  IRARP  operation  type.  The
       valid options
	    are as follows:

	    - 1 : ARP Request
	    - 2 : ARP Reply
	    - 3 : Reverse ARP Request
	    - 4 : Reverse ARP Reply
	    - 5 : Inverse ARP Request
	    - 6 : Inverse ARP Reply

       -r target address
	    The IP address of the target host.

       -rR  Use a random target host IP address.

       -R target ethernet address
	    The ethernet (hardware) address of the target host.

       -RR  Usage a random target host ethernet address.

       -s target address
	    The IP address of the sender host.

       -sR  Use a random sender host IP address.

       -S sender ethernet address
	    The ethernet (hardware) address of the sender host.

       -SR  Usage a random sender host ethernet address.


ETHERNET HEADER OPTIONS
       This  section  documents	 the Ethernet header command-line
       options.

       -e src ethernet address
	    The	 ethernet  (hardware)  address	the  packet  will
       appear to come
	    from.

       -eR  Use a random source ethernet address.

	    If	you  define  this,  you	 will most likely need to
       define the
	    destination ethernet header value as well. When using
       either -e or
	    -E, you enable link level packet injection and enable
       link level
	    packet injection and the destination cannot be  auto-
       defined while
	    injecting in this manner.

       -E dst ethernet address
	    The	 ethernet  (hardware) of the next routable inter-
       face the packet
	    will cross while making it's way to the  destination.

       -ER  Use a random destination ethernet address.

       The following two rules should be followed if you actually
       want the destination to receive	to  receive  the  packets
       you're sending:

       1)    If	 the destination exists beyond your default route
       (gateway),
	    the destination ethernet address should be set to the
       default
	    routes  address  should  be set to the default routes
       ethernet
	    address. This can typically be  found  by  using  the
       arp(8) command.

       2)    If the destination exists on your subnet, the desti-
       nation
	    ethernet  address  should  be  set	to  its	 ethernet
       address. This
	    can typically be found by using the arp command.


PACKET CAPTURE EXAMPLES
       To  print  all  TCP  communications  that  doesn't revolve
       around SSH (port 22).
	    packit -m cap 'tcp and not port 22'

       To print the start and end packets (the SYN and FIN  pack-
       ets)  of	 each  TCP conversation that involves a non-local
       host, don't resolve addresses and display  hex/ascii  dump
       of the packet.

	    packit  -m cap -nX 'tcp[tcpflags] & (tcp-syn|tcp-fin)
       != 0
		   and not src and dst net localnet'

       To write the first 10 ICMP packets captured to a file.

	    packit -m cap -c 10 -w /tmp/mylog 'icmp'


PACKET INJECTION EXAMPLES
       IMPORTANT: The ethernet address 'f:00:d:f:00:d'	in  these
       examples	 is a mock representation of the ethernet address
       of my default route. In order for these examples	 to  work
       properly,  you  would  need  to	change it to your correct
       default route ethernet address.

       Inject 10 ICMP type 8 (echo  request)  packets  from  host
       '3.1.33.7' to host '192.168.0.1' and watch for a response.

	    packit -t icmp -s 3.1.33.7 -d 192.168.0.1 -c 10 -h

       Inject an ICMP type 18 (mask reply) packet with an ICMP id
       of 211 and an address mask of 255.255.255.0.

	    packit   -t	 icmp  -K  18  -d  127.0.0.1  -N  211  -G
       255.255.255.0

       Inject	5   TCP	  packets   from    random    hosts    to
       'www.microsoft.com'  with  the SYN flag set, a window size
       of 666, a random source ethernet	 address,  a  destination
       ethernet	 address  of f:00:d:f:00:d, with a payload of "HI
       BILL", displaying each packet injected.

	    packit -sR -d www.microsoft.com -F S -c 5 -W 666
		   -eR -E f:00:d:f:00:d -p 'HI BILL' -v

       Inject a total of 1000 TCP packets in 20 packet per second
       bursts  from  192.168.0.1  on  port 403 to 192.168.0.20 on
       port 80 with the SYN and RST flags set, a sequence  number
       of   12345678910	  and	a   source  ethernet  address  of
       0:0:0:0:0:0.

	    packit -s 192.168.0.1 -d 192.168.0.20 -S 403 -D 80
		   -F  SR  -q  12345678910  -c	1000  -b  20   -e
       0:0:0:0:0:0

       Inject  a  TCP  packets	from  10.22.41.6 to 172.16.1.3 on
       ports ranging from 1-1024 with the SYN flag set	and  dis-
       play each packet we send.

	    packit -s 10.22.41.6 -d 172.16.1.3 -D 1-1024 -F S -v

       Inject  a  broadcast  ARP reply stating that 4.3.2.1 is at
       5:4:3:2:1:0. Also, spoof the source ethernet adddress  for
       a little more authenticity.

	    packit  -t	arp  -A	 2  -x	4.3.2.1 -X 5:4:3:2:1:0 -e
       5:4:3:2:1:0


SEE ALSO
       pcap(3), bpf(4), libnet(3), tcpdump(1)


BUGS
       Due to limitations in some versions  of	*BSD,  specifying
       arbitrary  ethernet and/or ARP header data may not be sup-
       ported.

       ARP capture data is incomplete.

       Like this man page, packit is still very much  a	 work  in
       progress.   Please send bug reports, questions or requests
       to dbounds@intrusense.com.


AUTHOR
       Darren Bounds <dbounds@intrusense.com>

       The latest version can be found at:
	      http://packit.sourceforge.net
