tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.


ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.


a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.


Old: 2000~ish

Excerpt from the web page:

dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

Very helpful network password traffic capture App.

Will accept live feed from a monitoring interface or process network capture file. While a bit dated, it works great for a quick tool to rip open passwords off the wire. It can also write the passwords to file or out to the screen.

Log4Trail File Monitoring

Log4Trail a java based file monitoring/sniffer tool mainly designed for system administrator to checked for files that is being modified eg. someone added new user to /etc/passwd.The application will prompt a pop up balloon from the system tray which notify the current log user. If you set the application to enable mailer and configure the mailer account with corresponding recipients(TO,CC,BCC) it can also sent you an email about the file changes [from checksum] and [to new checksum] using the SHA1 file checking algorithm.


Jasager is an implementation of Karma designed to run on OpenWrt on the Fon. It will probably run on most APs with Atheros wifi cards but it was designed with the Fon in mind as it is a nice small AP which gives it a lot of scope for use in penetration tests and other related fun.

A quick highlight of features:
•Web interface showing currently connected clients with their MAC address, IP address (if assigned) and the SSID they associated with
•The web interface allows control of all Karma features and can either run fully featured through AJAX enabled browsers or just as well through lynx
•Auto-run scripts on both association and IP assignment
•Full logging for later review
•Pluggable module system for easy extensibility
•Basic command line interface so you don't have to remember the different iwpriv commands


SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing.

SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6. For SSL and HTTPS connections, SSLsplit generates and signs forged X509v3 certificates on-the-fly, based on the original server certificate subject DN and subjectAltName extension. SSLsplit fully supports Server Name Indication (SNI) and is able to work with RSA, DSA and ECDSA keys and DHE and ECDHE cipher suites. SSLsplit can also use existing certificates of which the private key is available, instead of generating forged ones. SSLsplit supports NULL-prefix CN certificates and can deny OCSP requests in a generic way. SSLsplit removes HPKP response headers in order to prevent public key pinning.

% sslsplit -h
Usage: sslsplit [options...] [proxyspecs...]
-c pemfile use CA cert (and key) from pemfile to sign forged certs
-k pemfile use CA key (and cert) from pemfile to sign forged certs
-C pemfile use CA chain from pemfile (intermediate and root CA certs)
-K pemfile use key from pemfile for leaf certs (default: generate)
-t certdir use cert+chain+key PEM files from certdir to target all sites
matching the common names (non-matching: generate if CA)
-O deny all OCSP requests on all proxyspecs
-P passthrough SSL connections if they cannot be split because of
client cert auth or no matching cert and no CA (default: drop)
-g pemfile use DH group params from pemfile (default: keyfiles or auto)

Surf Jack

Session Hijacking tool

A tool which allows one to hijack HTTP connections to steal cookies - even ones on HTTPS sites! Works on both Wifi (monitor mode) and Ethernet.


Bluelog is a Bluetooth scanner/logger written with speed in mind. It is intended to be used as a site survey tool, concerned more about accurately detecting the number of discoverable Bluetooth devices than individual device specifics. Bluelog also includes the unique "Bluelog Live" mode, which puts discovered devices into a constantly updating live webpage which you can serve up with your HTTP daemon of choice.


This little tools is designed to get geolocalization information of a host, it get the information from two sources (maxmind and geoiptool). It's useful when doing forensics, log analisis, or just plain curiosity.

Syndicate content