URL: http://www.mtco.com/~whoop/ksniff/

1 Nov 98
 - It's been a while since I have had free time, so I'll start off cleaning
   up a few things. The binary RPM now properly contains the Tcl scripts, and
   the program searches for the Tcls in the order: current directory,
   ~/.kde/share/apps/ksniff/tcls/, $KDEDIR/share/apps/ksniff/tcls/. Tcl scripts
   need to use the "execFile" command rather than "source" to load other
   scripts so that the search routine is used.

9 Oct 98
 - Cleaned up warnings from gcc -Wall.

3 Oct 98
 - Added configure support (somewhat modeled on kdbg/kdelibs, since I don't
   know much about making these :)). Let me know if it doesn't work for you
   (patches to the *.in or *.am files would be nice too).

29 Sep 98
 - Added the filter dialog.
 - Renamed to KSniff .. still open to better names.

26 Sep 98
 - Added more to the DNS TCL script. May change the "info" panel from a
   QMultiLineEdit to a KHtmlView for more flexible display of info from the
   TCL scripts.
 - I switched my system from libc5 to glibc2. But now it appears ldd doesn't
   want to find my KDE libraries, so I added a -rpath line in the Makefile.
   You may want to take it out or change the directory if it works OK on your
   system.

5 Sep 98
 - Added TCL support (any interest in other scripting languages?). When you
   click on a packet, it runs ip.tcl. The list of available TCL functions is
   in the three .tcl files. addInfoLine is the most important: it adds the
   given string to the info box on the right.

23 Aug 98
 - First release, put out to see if there's any interest.
 - This is still a very early release of the program; things might not work,
   might today and not tomorrow, etc. I don't feel it has the necessary
   features, etc. to be given a version number yet, so the releases are just
   listed by date.

TODO:
 - Filter->Define menu option does nothing right now; need to add a dialog to
   set the filter.
 - The QMultiLineEdits don't seem to always re-adjust their horizontal
   scrollbar properly (bug in Qt?).
   If some line in a packet goes past the right edge, then you move to another
   packet that doesn't go past, the scrollbar doesn't disappear.

Usage:

First, you need to use sniffit with my plugins added in to print out the
network traces. Sniffit is not specifically required, as this program only
reads the trace files and displays the info in a nice KDE program. As long as
the trace file is in the same format, it'll work. If anyone makes any other
packet sniffer programs do this, let me know. The format is described later on
in this README.

Compile sniffit and ksniff. I have Qt 1.40 on my system; previous versions
might/might not work (let me know if it works for any of you). I haven't really
looked into whether I use something that's 1.40 specific. The same applies to
KDE: I am using stock 1.0 libs and all. Maybe someday I'll learn about making
those nifty configure scripts. If anyone wants to get a jump start on that,
feel free to :). Just let me know when you do.

Next, with everything compiled, sniff. My plugins for sniffit look for the
environment variable SNIFF_LOG. It can be set to any combination of the
following:

 out - output sent to stdout, be sure to redirect to a file.
 raw - output appended to the file net.raw.
 ip  - print pretty info about the ip packet.
 tcp - print pretty info about the tcp packet.
 udp - print pretty info about the udp packet.

The default if SNIFF_LOG is not set is "raw". Any separator can be used; I
like a /, but it doesn't matter. A sample command would be:

 setenv SNIFF_LOG raw/ip/udp
 sniffit -N -M 0 -F ppp0 -P tcp -P udp -s @

For what those options mean, read sniffit's docs.

After running for a while, you'll have a file called net.raw. Copy that to the
ksniff directory and run. It reads net.raw on startup, but other files can be
opened from the File menu. Right now the filtering can only be set in the top
of ksniff.cpp. I'll eventually add a nifty dialog to handle it (along with an
ability to have multiple filters).
If you find anything in this you like/dislike, let me know.

whoop@mtco.com

File Format:

The file format for the log file is very simple. A line like "#0001:"
specifies the start of a packet and the packet number (obviously). The next
line and subsequent lines are the contents of the packet. Each line contains
16 bytes from the packet, each displayed as two hex digits, with an extra
couple of spaces in the middle. The characters on the far right are just for me
to look at; they're ignored by the program. A blank line defines the end of
the packet. From there until the next "#xxxx:" you can have anything you like.
If you specify the ip/tcp/udp options in SNIFF_LOG, it displays the info in
the header.

Packet #1
IP: v4 HeaderLen: 20 Length: 52 ID: 3FC6 TTL: 64 Protocol: TCP
  : Flags: 2/Don't Fragment, Last Fragments (0000) Header Checksum: FBA6
  : Source: 206.69.130.127 -> Destination: 170.140.4.6
#0001:
45 00 00 34 3F C6 40 00  40 06 FB A6 CE 45 82 7F  E..4?.@. @....E..
AA 8C 04 06 05 F6 1A 0B  2C 1D 0E 1C 56 A0 F1 67  ........ ,...V..g
80 10 7D E8 DC C7 00 00  01 01 08 0A 00 60 F4 8A  ..}..... .....`..
04 58 81 30

Packet #2
IP: v4 HeaderLen: 20 Length: 52 ID: 40BD TTL: 64 Protocol: TCP
  : Flags: 2/Don't Fragment, Last Fragments (0000) Header Checksum: FAAF
  : Source: 206.69.130.127 -> Destination: 170.140.4.6
#0002:
45 00 00 34 40 BD 40 00  40 06 FA AF CE 45 82 7F  E..4@.@. @....E..
AA 8C 04 06 05 F6 1A 0B  2C 1D 0E 1C 56 A0 F1 DC  ........ ,...V...
80 10 7D E8 DA 25 00 00  01 01 08 0A 00 60 F5 9E  ..}..%.. .....`..
04 58 82 49  .X.I
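The net.raw layout above is simple enough to parse in a few lines, and parsing it yourself is the easiest way to check that a trace written by some other sniffer really matches the format before feeding it to ksniff. The following Python is an added example, not part of KSniff or sniffit: it pulls packets out of a log in that format (skipping the free-form text between packets), decodes the IPv4 fields that ip.tcl displays, and verifies the header checksum and Total Length against the bytes actually captured, so a truncated or corrupted dump is flagged rather than silently displayed. The sample log is constructed from the two packets shown above; the function names and the "[ok]/[BAD]" summary format are my own.

```python
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample in the net.raw layout described above: the two packets
# from the README, plus the kind of free-form "Packet #n ..." text the ip
# option emits between packets, which the parser must ignore.
SAMPLE_LOG = """\
Packet #1
IP: v4 HeaderLen: 20 Length: 52 ID: 3FC6 TTL: 64 Protocol: TCP
#0001:
45 00 00 34 3F C6 40 00  40 06 FB A6 CE 45 82 7F  E..4?.@. @....E..
AA 8C 04 06 05 F6 1A 0B  2C 1D 0E 1C 56 A0 F1 67  ........ ,...V..g
80 10 7D E8 DC C7 00 00  01 01 08 0A 00 60 F4 8A  ..}..... .....`..
04 58 81 30

Packet #2
IP: v4 HeaderLen: 20 Length: 52 ID: 40BD TTL: 64 Protocol: TCP
#0002:
45 00 00 34 40 BD 40 00  40 06 FA AF CE 45 82 7F  E..4@.@. @....E..
AA 8C 04 06 05 F6 1A 0B  2C 1D 0E 1C 56 A0 F1 DC  ........ ,...V...
80 10 7D E8 DA 25 00 00  01 01 08 0A 00 60 F5 9E  ..}..%.. .....`..
04 58 82 49  .X.I
"""

PACKET_START = re.compile(r"^#(\d+):\s*$")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def parse_raw_log(text: str) -> List[Tuple[int, bytes]]:
    """Return (packet number, packet bytes) for every packet in a net.raw log."""
    packets: List[Tuple[int, bytes]] = []
    number = None
    data = bytearray()
    for line in text.splitlines():
        m = PACKET_START.match(line)
        if m:
            if number is not None:          # previous packet lacked its blank line
                packets.append((number, bytes(data)))
            number, data = int(m.group(1)), bytearray()
            continue
        if number is None:
            continue                        # free-form text between packets
        if not line.strip():
            packets.append((number, bytes(data)))   # blank line ends the packet
            number, data = None, bytearray()
            continue
        # At most 16 bytes per line; the ASCII column starts at the first token
        # that is not exactly two hex digits. (A short final line whose ASCII
        # column happens to begin with two hex-looking characters would be
        # over-read; decode_ipv4_header's length check catches that case.)
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            data.append(int(tok, 16))
    if number is not None:
        packets.append((number, bytes(data)))
    return packets


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_ipv4_header(pkt: bytes) -> Dict[str, object]:
    """Decode the fields KSniff's ip.tcl shows and sanity-check the header."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    vihl, _tos, total_len, ident, frag, ttl, proto, csum = struct.unpack(
        "!BBHHHBBH", pkt[:12])
    version, header_len = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or header_len < 20 or header_len > len(pkt):
        raise ValueError("not a usable IPv4 header")
    return {
        "version": version,
        "header_len": header_len,
        "length": total_len,
        "id": ident,
        "flags": frag >> 13,            # 2 = Don't Fragment, as the README shows
        "frag_offset": frag & 0x1FFF,
        "ttl": ttl,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "checksum": csum,
        # A header summed together with its own checksum field gives 0xFFFF
        # when intact; anything else means corruption or tampering.
        "checksum_ok": ones_complement_sum(pkt[:header_len]) == 0xFFFF,
        # Total Length must match the bytes actually captured in the log.
        "length_ok": total_len == len(pkt),
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }


def summarize(text: str) -> List[str]:
    """One line per packet, loosely in the style of the ip option's output."""
    out = []
    for number, pkt in parse_raw_log(text):
        h = decode_ipv4_header(pkt)
        status = "ok" if h["checksum_ok"] and h["length_ok"] else "BAD"
        out.append("#%04d %s -> %s %s len=%d ttl=%d csum=%04X [%s]" % (
            number, h["src"], h["dst"], h["protocol"], h["length"], h["ttl"],
            h["checksum"], status))
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run as-is it prints one summary line per packet; both README packets decode to 206.69.130.127 -> 170.140.4.6, TCP, length 52, with checksums FBA6 and FAAF verifying correctly. Point it at a real net.raw by passing the file's contents to summarize(); any packet whose header checksum or Total Length disagrees with the captured bytes shows up as [BAD].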