Packit - network packet generator and capture tool
Packet capture:
packit -m capture [-cGHnvsX] [-i interface] [-r|-w file] expression
Packet injection:
packit -m inject [-t protocol] [-aAbcCdDeFgGhHjJkKlLmMnNoOpPqQrRsSTuUvwWxXyYzZ] [-i interface]
Packit is a network auditing tool. It's value is derived from its
ability to customize, inject, monitor, and manipulate IP traffic. By
allowing you to define (spoof) all TCP, UDP, ICMP, IP, ARP, RARP and
Ethernet header options, Packit can be useful to test firewalls, intrusion
detection systems, port scanning, simulating network traffic and general
TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP.
- -m mode
- Select a runtime mode. Currently supported modes are capture,
inject and trace. The default mode is inject.
Packet capture options are as follows:
- -c count
- Specify the number of packets to capture.
- -e
- Display link-layer header data.
- -G
- Display the timestamp in GMT rather than localtime.
- -i
interface
- Listen on interface. If unspecified, packit will use the
lowest numbered device in the 'up' state (excluding loopback).
- -n
- Do not resolve host addresses to names but resolve ports numbers. Disables
DNS lookups.
- -nn
- Do not resolve ports numbers to their protocol names but resolve
host addresses.
- -nnn
- Do not resolve host addresses or port numbers.
- -r
file
- Read packet data from tcpdump formatted binary log file. Example: a
file created with -w option.
- -s snaplen
- Read snaplen bytes of data from each packet rather than the default of
68.
- -v
- Enables verbose packet capture.
- -w
file
- Write the raw packets to file rather than displaying time to
stderr.
- -X
- Display hexadecimal & ascii dump of each packet up to snap length
bytes.
- expression
- Selects which packets should be displayed. If no expression is
given, all packets are displayed. This option is based in pcap library.
See the pcap-filter(7) manpage for more detailed information.
Packet injection is used to define and inject a
network traffic onto your network. You have the ability to define
essentially any ARP, IP, TCP, UDP, ICMP and Ethernet header value. This can
be valuable in a number of ways, including testing firewalls, intrusion
detection systems, simulating traffic flow and general TCP/IP auditing.
- -t
protocol
- Specify the type of packet to inject. Supported values are: ARP,
RARP, TCP, UDP and ICMP. This option defaults to TCP in inject mode
and to ICMP in trace mode.
This section documents the operational command-line options.
- -c count
- The value of count is the total number of packets we would like to
inject (a count value of 0 means forever).
- -b burst rate
- Specifies the number of packets to inject every interval (defined
by -w). A burst rate of 0 will send packets as quickly as
possible.
- -h
- Host response mode. Enabling this option will print any packet you
inject and then wait to see if the remote host responds. See
-H option for timeout.
- -H timeout
- Specify the timeout value (in seconds) to use with '-h'. This value
defaults to '1' second.
- -i
interface
- Specify the interface to transmit from, if the machine has multiple
interfaces.
- -v
- Verbose injection mode. Displays each packet you inject. It also
has the same effect as in capture mode while used with the
'-h' option.
- -p payload
- This option defines the payload portion of the header. Hex payload should
be prefixed with '0x' with each value separated by a whitespace. An ASCII
example: -p 'hello, this is my packet'. A Hex example: -p
'0x 70 61 63 6B 69 74'.
- -w
interval
- Specify the number of seconds to wait between packet bursts. This value
defaults to '1' second.
- -Z length
- Specify the size of the packet(s) to inject. The maximum
value is 65535.
This section documents the IP header command-line options.
- -s src
address
- The IP address the packet will appear to come from. If unspecified,
packit will default to the IP address of the lowest numbered device
in the 'up' state, excluding loopback.
- -sR
- Use a random source IP address.
- -d dst
address
- The IP address of the machine you would like to contact.
- -dR
- Use a random destination IP address.
- -o type of
service
- TOS values are typically in hexadecimal format, however, packit
only accepts TOS values as integers. Below are the 4 valid TOS bit
values:
- Minimize delay: 16 (0x10)
- Maximize throughput: 8 (0x08)
- Maximize reliability: 4 (0x04)
- Minimize monetary cost: 2 (0x02)
- -n ID
number
- The ID number is used to identify each datagram sent by a host. It
generally increments by one with each datagram sent. This value is random
by default.
- -T TTL
- The TTL value defines the upper limit on the number of devices through
which the datagram may pass to reach it's destination. The default value
is 128.
- -V IP protocol
number
- Specify the IP protocol associated with this packet (RAWIP only).
The default value is 255.
This section documents the TCP header command-line options.
- -S src port
- The port from which our source address is communicating from. This value
is random by default.
- -D dst port
- The port on the destination we would like to communicate on. In
inject mode this value is 0 by default while in trace mode this
value is random by default. You may also specify a range of addresses in
the format: -D 1:1024.
- -f
- Do not fragment this packet.
- -F tcp flags
- There are 6 TCP header flag bits. They can be used in combination with one
another and are specified using the following identifiers:
- S : SYN (Synchronization sequence number)
- F : FIN (Sender is finished)
- A : ACK (Acknowledgement number is valid)
- P : PSH (Receiver should push this data to the remote host)
- U : URG (The urgent pointer is valid)
- R : RST (Reset this connection)
As an example, to set the SYN and FIN bits use the following:
-F SF
- -q sequence
number
- The sequence number is a 32-bit unsigned (positive) number used to
identify the byte in a stream of data from the sending TCP to the
receiving TCP that the first byte of data represents.
- -a ack number
- The acknowledgement (ack) number defines the next sequence number that the
sender of the ack expects to see. It is typically the sequence number + 1
during valid TCP communication. It is a 32-bit unsigned (positive)
number.
- -W window
size
- The window size provides flow control. It is a 16-bit number that defines
how many bytes the receiver is willing to accept. The default value is
1500.
- -u urgent
pointer
- In valid TCP communication, the urgent pointer is only useful if the URG
flag is set. Used with the sequence number, it points to the last byte of
urgent data.
This section documents the UDP header command-line options. UDP is
the default IP protocol for TRACE mode.
- -S src
port
- The port from which our source address is communicating from. This value
is random by default.
- -D dst
port
- The port on the destination we would like to communicate on. In
inject mode this value is 0 by default while in trace mode this
value is random by default. You may also specify a range of addresses in
the format: -D 1:1024.
This section documents the ICMP header command-line options.
- -K type
- Specify the ICMP type. See docs/ICMP.txt for details on types. On Debian
systems this file can be found at
/usr/share/doc/packit/ICMP.txt.
- -C code
- Specify the ICMP code. See docs/ICMP.txt for details on codes. On Debian
systems this file can be found at
/usr/share/doc/packit/ICMP.txt.
- -N id number
- Define the 16-bit ICMP identification number. This value is random by
default.
- -Q sequence
number
- Define the 16-bit ICMP sequence number. This value is random by
default.
- -g gateway
- Define the gateway in which to redirect traffic to. This option is only
used for ICMP redirects (type 5).
- -j address
- Define the source address of the original packet.
- -J src port
- Define the source port of the original packet.
- -l address
- Define the destination address of the original packet.
- -L dst port
- Define the destination port of the original packet.
- -m time to
live
- Define the Time To Live of the original packet. This option defaults to
128.
- -M id
- Define the IP ID of the original packet. This option defaults to
random.
- -O type of
service
- Define the Type of Service of the original packet. See the -o
option for the possible values.
- -P
protocol
- Define the protocol of the original packet. This option defaults to
UDP.
- -N id
number
- Define the 16-bit ICMP identification number. This value is random by
default.
- -Q sequence
number
- Define the 16-bit ICMP sequence number. This value is random by
default.
- -G address
mask
- Define the address network mask. The default value for this option is
255.255.255.0.
This section documents the ARP/RARP header command-line options.
These options have the ability to do the most damage with the least effort,
especially on large cable and DSL networks. Use with caution.
Packit only supports ARP/RARP protocol addresses in IPv4
format
- -A operation
type
- Define the ARP / RARP / IRARP operation type. The valid options are as
follows:
- 1 : ARP Request (Default for ARP packages)
- 2 : ARP Reply
- 3 : Reverse ARP Request (Default for RARP packages)
- 4 : Reverse ARP Reply
- 5 : Inverse ARP Request
- 6 : Inverse ARP Reply
- -y target IP
address
- The IP address of the target host.
- -yR
- Use a random target host IP address.
- -Y target ethernet
address
- The Ethernet (hardware) address of the target host.
- -YR
- Usage a random target host Ethernet address.
- -x sender IP
address
- The IP address of the sender host.
- -xR
- Use a random sender host IP address.
- -X sender ethernet
address
- The Ethernet (hardware) address of the sender host.
- -XR
- Usage a random sender host Ethernet address.
This section documents the Ethernet header command-line
options.
- -e src ethernet
address
- The Ethernet (hardware) address the packet will appear to come from. If
not defined, the original Ethernet address will be used.
- -eR
- Use a random source Ethernet address. If you define this, you will most
likely need to define the destination Ethernet header value as well. When
using either -e or -E, you enable link level packet
injection and the destination cannot be auto-defined while injecting in
this manner.
- -E dst ethernet
address
- The Ethernet (hardware) of the next routable interface which the
packet will cross while making it's way to the destination.
- -ER
- Use a random destination Ethernet address. The following two rules should
be followed if you actually want the destination to receive the packets
you're sending:
- 1.
- If the destination exists beyond your default route (gateway), the
destination Ethernet address should be set to the default routes Ethernet
address. This can typically be found by using the arp(8)
command.
- 2.
- If the destination exists on your subnet, the destination Ethernet address
should be set to its Ethernet address. This can typically be found by
using the arp(8) command.
Print all TCP communications that doesn't revolve around SSH (port
22):
# packit -m cap 'tcp and not port 22'
Print the start and end packets (the SYN and FIN packets) of each TCP
conversation that involves a non-local host, don't resolve addresses and
display hex/ascii dump of the packet:
# packit -m cap -nX 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet'
Write the first 10 ICMP packets captured to a file:
# packit -m cap -c 10 -w /tmp/mylog 'icmp'
Inject 10 ICMP type 8 (echo request) packets from host '3.1.33.7'
to host '192.168.0.1' and watch for a response:
# packit -t icmp -s 3.1.33.7 -d 192.168.0.1 -c 10 -h
Inject an ICMP type 18 (mask reply) packet with an ICMP id of 211 and an address
mask of 255.255.255.0:
# packit -t icmp -K 18 -d 127.0.0.1 -N 211 -G 255.255.255.0
Inject 5 TCP packets from random hosts to 'www.example.com' with the SYN flag
set, a window size of 666, a random source Ethernet address, a destination
Ethernet address of 00:53:00:0f:00:0d, with a payload of "HI JOHN",
displaying each packet injected.
# packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 00:53:00:0f:00:0d -p 'HI JOHN' -v
or simplifying the MAC address:
# packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 0:53:0:f:00:d -p 'HI JOHN' -v
Inject a total of 1000 TCP packets in 20 packet per second bursts from
192.168.0.1 on port 403 to 192.168.0.20 on port 80 with the SYN and RST flags
set, a sequence number of 12345678910 and a source Ethernet address of
0:0:0:0:0:0:
# packit -s 192.168.0.1 -d 192.168.0.20 -S 403 -D 80 -F SR -q 12345678910 -c 1000 -b 20 -e 0:0:0:0:0:0
Inject a TCP packets from 10.22.41.6 to 172.16.1.3 on ports ranging from 1-1024
with the SYN flag set and display each packet we send:
# packit -s 10.22.41.6 -d 172.16.1.3 -D 1-1024 -F S -v
Inject a broadcast ARP reply stating that 4.3.2.1 is at 00:53:00:01:02:03. Also,
spoof the source Ethernet address for a little more authenticity and supply
the payload in hex:
# packit -t arp -A 2 -x 4.3.2.1 -X 5:4:3:2:1:0 -e 00:53:00:01:02:03 -p '0x 70 61 63 6B 69 74'
Appear as a DNS response by using a UDP source port of 53
(DNS):
# packit -m trace -t UDP -d 192.168.2.35 -S 53
Appear as HTTP traffic by using TCP port 80:
# packit -m trace -t TCP -d www.google.com -S 80 -FS
- Due to limitations in some versions of *BSD, specifying arbitrary Ethernet
and/or ARP header data may not be supported.
- ARP capture data is incomplete.
- Please send bug reports, questions, requests, fixes and pull requests to
https://github.com/eribertomota/packit/issues
The original author of packit is Darren Bounds. The current
project maintainer is Joao Eriberto Mota Filho. There are other new authors.
Please, see AUTHORS file in source code. To help in development, see
CONTRIBUTING.md. On Debian systems, these files will be available at
/usr/share/doc/packit/.
The latest version of Packit can be found at
https://github.com/eribertomota/packit