BUTTSniffer is a packet sniffer and network monitor for Win95 and Win98. It works as a standalone executable, and as a plugin for Back Orifice. Want to know what's really going on on your network segment? You need BUTTSniffer.
It features the following:
- TCP Connection monitoring. Full and split screen. Text and Hexadecimal views.
- Password sniffing. Full phrasecatcher built in. Currently supports HTTP basic authentication, FTP, Telnet, POP2 and POP3. Support pending for IMAP2, RLogin, and possibly other protocols.
- Packet filtering. Firewall style filtering lists. Exclude/include ranges of IP addresses and ports.
- Multiple interface support. Can be started on any of the system's network interfaces. Multiple instances of BUTTSniffer can be run at the same time.
- Interactive mode. Spawns a port that you can telnet to, and displays an easy to use vt100 menu based user interface for remote sniffer access.
- War mode. War mode features include connection resetting. More features to come!
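Seen from the defender's side, the protocols in the password sniffing item above are the ones worth hunting for on a segment, since anything a sniffer can read there is exposed to every host on the wire. The following is an added example, not BUTTSniffer code: it audits already-captured client payloads for cleartext logins and reports only the server, protocol and command, never the credential. The port map, the `audit` function and the sample flows are assumptions made for the illustration.

```python
import re

# Server ports for the cleartext protocols named in the feature list
# (assumed defaults; adjust for services on non-standard ports).
PORT_PROTO = {21: "FTP", 23: "Telnet", 80: "HTTP", 109: "POP2", 110: "POP3"}

# Client command that carries a credential in the clear, per protocol.
# Telnet has no such keyword: the login is typed into the session itself.
FLAGS = re.I | re.M
PATTERNS = {
    "HTTP": re.compile(rb"^(Authorization:\s*Basic)\s+\S+", FLAGS),
    "FTP": re.compile(rb"^(USER|PASS)\s+\S.*$", FLAGS),
    "POP3": re.compile(rb"^(USER|PASS)\s+\S.*$", FLAGS),
    "POP2": re.compile(rb"^(HELO)\s+\S+\s+\S.*$", FLAGS),
}


def audit(flows):
    """flows: iterable of (server_ip, server_port, client_payload).

    Returns sorted (server_ip, protocol, command) findings. Only the
    command keyword is kept; the credential value is never stored.
    """
    findings = set()
    for ip, port, payload in flows:
        proto = PORT_PROTO.get(port)
        if proto is None:
            continue  # not one of the audited cleartext services
        if proto == "Telnet":
            findings.add((ip, proto, "SESSION"))
            continue
        for match in PATTERNS[proto].finditer(payload):
            command = " ".join(match.group(1).decode("ascii").upper().split())
            findings.add((ip, proto, command))
    return sorted(findings)


# Constructed sample data (documentation addresses, made-up credentials).
SAMPLE_FLOWS = [
    ("192.0.2.10", 21, b"USER alice\r\nPASS example-secret\r\n"),
    ("192.0.2.20", 80, b"GET / HTTP/1.0\r\nAuthorization: Basic ZXhhbXBsZTpleGFtcGxl\r\n\r\n"),
    ("192.0.2.30", 110, b"USER bob\r\nPASS example-secret\r\n"),
    ("192.0.2.40", 443, b"\x16\x03\x01"),
    ("192.0.2.50", 23, b"\xff\xfb\x1f"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding, sep="\t")
```

Each finding names a service that should be moved to an encrypted equivalent or taken off shared segments.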
10/9/1998 - Version 0.9.1a hotfix released.
10/7/1998 - Version 0.9.1 released.
10/5/1998 - Update on source code availability: The final release 1.0 will be Partially Open Source. Note that some of the material being released will be free, but some material is proprietary. Due to the fact that some of the code was written while working for a company with trade secrets (very few relating to this project, but nonetheless I am under contract), I am unable to release the source code fully. The source for the actual low level packet sniffer falls under this restriction, and will be left out. So, in order to compile the code, you will have to use a static link library that I will provide, but the source code will not be available for the library at this time. It may be opensourced at a later date.
10/2/1998 - BUTTSniffer Beta 0.9 released.
Version 0.9.1a
BUTTSniff-0.9.1a.zip (Both of the following files)
BUTTSniff.exe (Standalone version)
BUTTSniff.dll (Back Orifice BUTTPlug version)
Version 0.9.1
BUTTSniff-0.9.1.zip
Version 0.9
BUTTSniff-0.9.zip
Version 0.9.1a: Hotfix to correct major bug with DLL version. DLL version was not extracting and loading the sniffer VXD correctly and was thus not putting the card into promiscuous mode.
Version 0.9.1: Minor cosmetic bugfixes. Added OS version detection. Implemented IP and TCP packet generators and added ethernet packet sending code. Added war mode connection delete option on connection monitor. Added war mode configuration option to 'Configure' menu.
Version 0.9: Initial release
Terminating BUTTSniffer while running on a dialup adapter may disconnect the modem. This is also a problem for many other network monitoring tools. Anyone who knows why this happens should email me. I will try to implement a workaround.
Sometimes connections that close while in interactive mode do not update the connections list unless you hit escape and go back in.
UDP not handled in interactive mode currently. Support is pending.
Connection reset may not be done exactly right. Connection drops, but despite RST packets being sent to both sides, some operating systems (Solaris in particular) don't recognize the connection as being dropped right away. Works fine for Windows clients though... Will look into this in more detail. Must have missed something.
Does not handle resizable telnet clients correctly (at all!). Also, the password sniffer view doesn't handle longer usernames/passwords.
Telnet client must operate in 'character at a time' mode in order to function properly in interactive mode. This really isn't a bug in BUTTSniffer, but is a condition that must be handled on the client end. Most telnet clients have no problem with this. Some, you have to flip a switch to force the character at a time mode. I will see about getting telnet negotiation to force this on all clients.
I noticed that the "Connection monitor" was showing the connections in the list, but not displaying the connection data when you hit enter and monitor the data itself. This only happened on a system once, and I can not reproduce it on other systems for some reason. Anyone having this problem should email me with their system specs/os version/etc.
- Windows NT support.
- Standalone version that runs without a console window.
- Writing better documentation and a FAQ.
- More war mode options including Session Hijacking, and various other things...
- Packet filtering option for non-interactive disk dump logging.
Keep watching here, as this page will be updated often. New releases are always on the way!
Send comments to dildog@l0pht.com.
BUTTSniffer requires Win95 or Win98, and will not work on Windows NT.
For help on the standalone version, run the executable from a console and the usage information will be displayed.
The syntax for the BUTTPlug functions is as follows:
Use the "Plugin Execute" command with the following two fields:
| Command | Args | Description |
|---|---|---|
| buttsniff.dll:_List | (none) | Lists names of network interface devices |
| buttsniff.dll:_Dump | <Device Name> <Log File> <Dump Type> | Dumps packet data to disk. Valid dump types are: e (full ethernet frames undecoded), i (decoded IP packets), p (full protocol level decoding) |
| buttsniff.dll:_Interactive | <Device Name> <Port> | Starts the interactive sniffer on the specified port. Telnet to this port to use the sniffer. (use VT100 terminal type) |
BUTTSniffer is Copyright (C) 1998, Cult of the Dead Cow
BUTTSniffer is redistributable. No portion of the BUTTSniffer
source code may be used without permission of the author unless
otherwise marked in the distribution.
Send email for licensing details.