Tools for Network Archaeology (internet protocol analysis)
Go to file
Neale Pickett eeddb3cb9a Replace "drop" with more general "slice" 2017-08-10 15:09:58 +00:00
.indent.pro May as well check in the indent profile too 2013-01-29 21:55:28 -07:00
COPYING.md Github markdownify 2017-07-09 17:17:48 +00:00
Makefile Replace "drop" with more general "slice" 2017-08-10 15:09:58 +00:00
README.md Replace "drop" with more general "slice" 2017-08-10 15:09:58 +00:00
_config.yml Set theme jekyll-theme-slate 2017-07-09 11:29:25 -06:00
dumbdecode dumbdecode emulator 2013-01-29 22:25:15 -07:00
hd.c Remove errant whitespace 2017-07-28 10:44:35 -06:00
hd.go fix offset counting with repeats 2013-07-23 16:53:51 -06:00
hex.c Provide examples for most commands, enhance pyesc, remove superfluous printfesc 2017-08-09 00:44:44 +00:00
pcap.c handle icmp 2013-02-11 15:50:30 -07:00
pcap.go Work on pcap.go 2014-03-17 14:32:54 -06:00
pcap.h Increase max frame size in pcap.h 2014-06-10 10:40:51 -06:00
pcat.c New skip utility 2017-08-08 23:55:05 +00:00
pmerge.c optimize pcat 2014-06-12 12:52:37 -06:00
puniq.c Reindent everything 2013-01-29 21:53:17 -07:00
pyesc.c Provide examples for most commands, enhance pyesc, remove superfluous printfesc 2017-08-09 00:44:44 +00:00
slice.c Replace "drop" with more general "slice" 2017-08-10 15:09:58 +00:00
stream.c version of hd in go 2013-07-23 16:30:38 -06:00
stream.h Make pcat work again 2017-06-16 11:48:05 -06:00
unhex.c Reindent everything 2013-01-29 21:53:17 -07:00
xor.c Make xor not explode with a single -x argument 2017-07-20 15:27:06 +00:00

README.md

The Fluffy Suite

Fluffy was begun in April 2011 in Tennessee, as a replacement for the aging "dirtbags.ip" codebase. It is comprised of multiple small standalone binaries, which are meant to be chained together, either on the command-line or from a shell script, to create a more powerful (and specific) piece of software.

Usually, a program expects input on stdin, and produces output on stdout. Flags are sparse by design.

Fluffy source code is purposefully spartan and easy to audit. Forks are encouraged, please let me know if you make one.

How To Build

curl -L https://github.com/dirtbags/fluffy/archive/master.tar.gz | tar xzvf -
cd fluffy-master
make DESTDIR=$HOME install

On an Ubuntu system, you may need to log out, and log back in, before the utilities are in your path.

On a non-Ubuntu system, you may need to edit your .bashrc to add $HOME/bin to your PATH environment variable.

Programs

hd: Hex Dump

Like the normal hd, but with unicode characters to represent all 256 octets, instead of using "." for unprintable characters.

$ printf "\0\x01\x02\x03\x30\x52\x9a" | hd
00000000  00 01 02 03 30 52 9a                              ┆·☺☻♥0RÜ┆
00000007

unhex: unescape hex

Reads ASCII hex codes on stdin, writes those octets to stdout.

$ echo 68 65 6c 6c 6f 0a | unhex
hello

xor: xor octets

Applies the given mask as an xor to input. The mask will be repeated, so for a 1-value mask, every octet is xored against that value. For a 16-value mask, the mask is applied to 16-octet chunks at a time.

The "-x" option treats values as hex.

$ printf 'hello' | xor 22; echo
~szzy
$ printf 'hello' | xor 0x16; echo
~szzy
$ printf 'hello' | xor -x 16; echo
~szzy
$ printf 'bbbbbb' | xor 1 0; echo
cbcbcb

slice: slice octet stream

Slices up input octet stream, similar to Python's slice operation.

~/src/fluffy $ printf '0123456789abcdef' | slice 2; echo
23456789abcdef
~/src/fluffy $ printf '0123456789abcdef' | slice 2 6; echo
2345
~/src/fluffy $ printf '0123456789abcdef' | slice 2 6 8; echo
234589abcdef
~/src/fluffy $ printf '0123456789abcdef' | slice 2 6 8 0xa
234589

pcat: print text representation of pcap file

Prints a (lossy) text representation of a pcap file to stdout.

This program is the keystone of the Fluffy Suite. By representing everything as text, programmers can use any number of standard Unix text processing tools, such as sed, awk, cut, grep, or head.

Output is tab-separated, of the format:

timestamp protocol options src dst payload

Frequently you are only interested in the payload, so you can run pcat like:

cat myfile.pcap | pcat | cut -f 6

Remember the unhex program, which will convert payloads to an octet stream, after you have done any maniuplations you want.

pmerge: merge pcap files

Takes a list of pcap files, assuming they are sorted by time (you would have to work hard to create any other kind), and merges them into a single sorted output.

puniq: omit repeated frames

Removes duplicate frames from input, writing to output.

hex: hex-encode input

The opposite of unhex: encoding all input into a single output line.

This differs from hexdump in the following ways:

  • All input is encoded into a single line of output
  • Does not output offsets
  • Does not output glyph representations of octets

In other words: you can feed hex output into unhex with no manipulations.

$ printf "hello\nworld\n" | hex
68 65 6c 6c 6f 0a 77 6f  72 6c 64 0a

pyesc: python escape input

Escapes input octets for pasting into a python "print" statement. Also suitable for use as a C string, a Go string, and many other languages' string literals.

$ printf "hello\nworld\n" | pyesc
hello\nworld\n