anOtherAnalyse/spoofy

Local network packet sniffer

Purpose

Command line utility that intercepts selected network traffic between two hosts on a local network and records the captured packets into a .pcap dump file.

Uses ARP spoofing to capture the packets exchanged between the two targets.

Only works on IPv4 local networks.

Compilation

Compile with make. This will generate the spoofy executable.

Usage

$ spoofy [options] <target_1_ipv4> <target_2_ipv4> [filter_rule]

Options

-d run as a daemon.
Process output is logged to a file named sniffer.log. You can change the name by editing the DAEMON_LOG_FILE macro in includes/main.h and recompiling.

-f <dump_file> name of the pcap-formatted file where the capture will be saved.
Default is capture_n.pcap.

-s use a different MAC address while spoofing the two targets (avoids having two IP addresses mapped to the same MAC address).

Targets

The two targets are identified by their IP addresses <target_1_ipv4> and <target_2_ipv4>. Both addresses have to be on the same local network.

Filter rule - optional

The filter rule selects which intercepted packets are recorded into the .pcap dump file.

Rule syntax:

Rules are constructed using the following logical operators:
or, and, not
You can use parentheses ( and ) to specify precedence.

Available capture filters:
ip - Only capture IPv4 packets
arp - Only capture ARP frames
icmp - Only capture ICMP packets, implies ip
udp - Only capture UDP datagrams, implies ip
tcp - Only capture TCP segments, implies ip
ether src <MAC_address> - Only capture frames coming from the given Ethernet source
ether dst <MAC_address> - Only capture frames intended for the given Ethernet destination
ether <MAC_address> - Only capture frames intended for or sent by the given Ethernet address
src <IPv4_address> - Only capture packets coming from the given source, implies ip
dst <IPv4_address> - Only capture packets intended for the given destination, implies ip
host <IPv4_address> - Only capture packets intended for or sent by the given IP address, implies ip
port src <port_number> - Only capture packets coming from the given source port, implies ip and (tcp or udp)
port dst <port_number> - Only capture packets intended for the given destination port, implies ip and (tcp or udp)
port <port_number> - Only capture packets intended for or sent by the given port, implies ip and (tcp or udp)

The default rule is ip.

Rule examples:

1 - Capture DNS packets (udp and source or destination port 53):
udp and port 53
Which is the same as:
udp and (port src 53 or port dst 53)

2 - Capture ICMP packets coming from 10.0.0.1 or from 10.0.0.2:
icmp and (src 10.0.0.1 or src 10.0.0.2)

3 - Capture ARP frames sent from or to de:de:de:ab:ab:ab:
arp and ether de:de:de:ab:ab:ab
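To make the rule semantics concrete (the not / and / or precedence, parentheses, and the "implies ip" and "implies ip and (tcp or udp)" clauses), here is an added Python example, not spoofy's own code, that compiles a rule written in this syntax into a predicate and applies it to packets. Packets are represented as plain dicts, which is an assumed representation, and the sample packets at the end are constructed.

```python
import re
# Packets are plain dicts, an assumed representation (not spoofy's own C structs):
# "ip"/"arp" layer flags, "proto", "src"/"dst" IPv4, "sport"/"dport", "eth_src"/"eth_dst".
def primitive(toks):  # consume one capture filter from toks; return a predicate over a packet dict
    kw = toks.pop(0)
    if kw in ("ip", "arp"):
        return lambda p: bool(p.get(kw))
    if kw in ("icmp", "udp", "tcp"):                        # implies ip
        return lambda p: bool(p.get("ip")) and p.get("proto") == kw
    if kw in ("src", "dst", "host"):                        # implies ip
        addr, keys = toks.pop(0), {"src": ["src"], "dst": ["dst"]}.get(kw, ["src", "dst"])
        return lambda p: bool(p.get("ip")) and any(p.get(k) == addr for k in keys)
    if kw not in ("ether", "port"):
        raise ValueError(f"unknown filter keyword: {kw}")
    where = toks.pop(0) if toks and toks[0] in ("src", "dst") else None   # optional qualifier
    if kw == "ether":
        mac, keys = toks.pop(0).lower(), {"src": ["eth_src"], "dst": ["eth_dst"]}.get(where, ["eth_src", "eth_dst"])
        return lambda p: any(str(p.get(k, "")).lower() == mac for k in keys)
    num, keys = int(toks.pop(0)), {"src": ["sport"], "dst": ["dport"]}.get(where, ["sport", "dport"])
    return lambda p: (bool(p.get("ip")) and p.get("proto") in ("tcp", "udp")   # implies ip and (tcp or udp)
                      and any(p.get(k) == num for k in keys))

def factor(toks):   # factor := 'not' factor | '(' expr ')' | primitive   ('not' binds tightest)
    if not toks: raise ValueError("unexpected end of rule")
    if toks[0] == "not":
        toks.pop(0); inner = factor(toks)
        return lambda p: not inner(p)
    if toks[0] == "(":
        toks.pop(0); inner = expr(toks)
        if not toks or toks.pop(0) != ")": raise ValueError("missing ')'")
        return inner
    return primitive(toks)

def chain(toks, parse, op, combine):   # parse ('op' parse)*, folded with all() or any()
    preds = [parse(toks)]
    while toks and toks[0] == op:
        toks.pop(0); preds.append(parse(toks))
    return lambda p: combine(f(p) for f in preds)
def term(toks): return chain(toks, factor, "and", all)   # term := factor ('and' factor)*
def expr(toks): return chain(toks, term, "or", any)      # expr := term ('or' term)*  ('and' binds tighter)
def compile_rule(rule="ip"):   # README default rule is "ip"; trailing tokens are rejected
    toks = re.findall(r"\(|\)|[^\s()]+", rule)   # parentheses are tokens of their own
    pred = expr(toks)
    if toks: raise ValueError(f"unexpected token: {toks[0]}")
    return pred

# Constructed sample packets: a DNS query, an ICMP echo request and an ARP frame.
DNS = {"ip": True, "proto": "udp", "src": "10.0.0.1", "dst": "10.0.0.53", "sport": 40000, "dport": 53}
PING = {"ip": True, "proto": "icmp", "src": "10.0.0.2", "dst": "10.0.0.1"}
ARP = {"arp": True, "eth_src": "de:de:de:ab:ab:ab", "eth_dst": "ff:ff:ff:ff:ff:ff"}
```

Because `port` implies ip, `compile_rule("port 53")(ARP)` is false even though ARP frames have no ports to compare, which is the same behaviour the filter table above describes.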

Results

Captured packets are stored in a .pcap file.
This file can be opened for analysis with tools such as Wireshark or tcpdump, or with the utility built in the dissect/ directory for a quick overview.

Spoofing strategy

The tool first sends ARP requests to learn the targets' MAC addresses.
It then tries to poison each target with different methods, checking whether a method worked by sending ICMP ping requests.

The available poisoning methods are:
- a forged ARP announcement
- a forged ARP reply
- a forged ARP request

It prefers poisoning with ARP announcements over ARP replies, since some devices react poorly to gratuitous ARP replies.

If a target does not answer the ICMP ping request, the default strategy is to poison it with ARP replies.

When the application is stopped (on receiving the SIGKILL or SIGTERM - Ctrl-C - signals), it sends forged ARP replies to restore the targets' ARP caches to normal.

Target architectures

Should work on Unix systems; tested on macOS Sierra 10.12.5 and on Linux kernel 5.3.7.

About

Local network traffic interception utility