Packetman: packet analyser				      26th October 1993
--------------------------				      -----------------

Packetman is a retrospective Ethernet packet analyser. This tool allows
the capture and analysis of an Ethernet packet trace.

Installation and use:

    o At present only binaries are available, and you must be root to run
    packetman (opening the network interface for capture requires it).

    o An /etc/ethers file (or "ypcat ethers") is highly recommended, as this
    information is used to identify each active device.  If you do not have an
    ethers file you may create one yourself, or use a program like
    getethers(8) (harbor.ecn.purdue.edu:/pub/davy/getethers1.6.tar.Z) to
    generate a list of hostnames and addresses.

    o Also recommended are two files used for username/uid and groupname/gid
    translation, which takes place during RPC and NFS decoding.

    If these files do not exist then packetman attempts the translations
    dynamically using getpwuid(3) and getgrgid(3). Note that this may be
    substantially slower and also less accurate. Each file is a list of
    "name uid" (or "name gid") pairs, one per line, derived from the NIS
    passwd and group maps (or from /etc/passwd and /etc/group), and can be
    created with the following commands:

    ypcat passwd|cut -d: -f1,3|sed s/:/\ /g|sort -n +1 > filename
    (or "cat /etc/passwd" in place of "ypcat passwd")

    and

    ypcat group|cut -d: -f1,3|sed s/:/\ /g|sort -n +1 > filename
    (or "cat /etc/group" in place of "ypcat group")

    The names of these files are set in the application defaults (.ad) file
    and currently default to ./passwd and ./group.

Changes since previous version (1.0):
------------------------------------

    o Improvements have been made to the X interface to make packetman easier
    to use. These improvements include:

	- Several widgets have been repositioned.

	- Events are now processed whilst a capture is in progress, so the
	user can stop a capture at any time.

	- The counter now works properly.

	- In the capture dialog, clicking on START with no number entered
	defaults to capturing the maximum number of packets (currently 10000).

    o Packetman now loads and saves files in Sniffer format. The code for this
    was taken from TCPVIEW, so if it works properly there it should work
    properly here (and it seems to).

    o Several more protocols have been added, corresponding to those used
    most frequently here at Curtin:

	- NFS (version 2)
	- NIS (version 2)
	- Mount (version 1)
	- Yppasswd (version 1)
	- Portmapper (version 2)
	- ICMP

    Both the call and reply messages of the RPC protocols are decoded, each
    reply being matched to its call by the message id (XID). The RPC header
    information is also fully decoded. All four auth flavours (none, unix,
    short and DES) are recognised, though only unix authentication is split
    into its constituent parts (stamp, machine name, uid, gid and group
    list), as it is all we use here and I had nothing to test short or DES
    on.
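
    The call/reply matching and unix-credential decoding described above, as
    an added example in Python (not Packetman's code): it parses ONC RPC v2
    headers, pairs each reply with its call by XID, and splits an AUTH_UNIX
    credential into stamp, machine name, uid, gid and gids. The two messages
    it runs on (a portmapper v2 GETPORT for NFS and its reply) are constructed
    inside the block, not captured traffic, and all helper names are this
    example's own. The point a sniffer user should take from it is that an
    AUTH_UNIX credential is nothing but a client-asserted uid/gid sent in the
    clear; the decoder below sees exactly what the server trusts.

```python
import struct

RPC_CALL, RPC_REPLY = 0, 1
AUTH_NULL, AUTH_UNIX, AUTH_SHORT, AUTH_DES = 0, 1, 2, 3
AUTH_NAMES = {AUTH_NULL: "none", AUTH_UNIX: "unix", AUTH_SHORT: "short", AUTH_DES: "des"}
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}


class Xdr:
    """Minimal XDR reader: big-endian words, opaques padded to 4 bytes."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def u32(self):
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated RPC message")
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def opaque(self):
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated XDR opaque")
        self.pos += (n + 3) & ~3
        return v

    def auth(self):  # opaque_auth: flavor word followed by an opaque body
        return self.u32(), self.opaque()


def decode_auth_unix(body):
    """Split an AUTH_UNIX credential body into its constituent parts."""
    x = Xdr(body)
    stamp = x.u32()
    machinename = x.opaque().decode("ascii", "replace")
    uid, gid = x.u32(), x.u32()
    ngids = x.u32()
    if ngids > 16:  # the XDR spec caps gids at 16; a larger count is a hostile packet
        raise ValueError("AUTH_UNIX gids count %d exceeds 16" % ngids)
    return {"stamp": stamp, "machinename": machinename, "uid": uid,
            "gid": gid, "gids": [x.u32() for _ in range(ngids)]}


def decode_call(data):
    x = Xdr(data)
    xid, mtype = x.u32(), x.u32()
    if mtype != RPC_CALL or x.u32() != 2:
        raise ValueError("not an RPC v2 call")
    prog, vers, proc = x.u32(), x.u32(), x.u32()
    cflavor, cbody = x.auth()
    vflavor, _ = x.auth()
    msg = {"xid": xid, "prog": prog, "vers": vers, "proc": proc,
           "cred_flavor": AUTH_NAMES.get(cflavor, cflavor),
           "verf_flavor": AUTH_NAMES.get(vflavor, vflavor), "params": data[x.pos:]}
    if cflavor == AUTH_UNIX:  # only unix is split into parts, as in packetman
        msg["cred"] = decode_auth_unix(cbody)
    return msg


def decode_reply(data):
    x = Xdr(data)
    xid, mtype = x.u32(), x.u32()
    if mtype != RPC_REPLY:
        raise ValueError("not an RPC reply")
    if x.u32() == 0:  # MSG_ACCEPTED: verifier, then accept_stat, then results
        x.auth()
        stat = x.u32()
        return {"xid": xid, "status": ACCEPT_STAT.get(stat, stat), "results": data[x.pos:]}
    stat = x.u32()  # MSG_DENIED: reject_stat
    return {"xid": xid, "status": "RPC_MISMATCH" if stat == 0 else "AUTH_ERROR", "results": b""}


class RpcMatcher:
    """Pair replies with calls by XID, as a trace analyser does."""

    def __init__(self):
        self.pending, self.orphans = {}, []

    def feed(self, data):
        if struct.unpack_from(">I", data, 4)[0] == RPC_CALL:
            call = decode_call(data)
            self.pending[call["xid"]] = call  # a retransmit with the same XID replaces it
            return None
        reply = decode_reply(data)
        call = self.pending.pop(reply["xid"], None)
        if call is None:
            self.orphans.append(reply)  # reply whose call was not seen (or was dropped)
            return None
        return call, reply


# --- constructed sample messages (not captured traffic) ---
def xdr_opaque(b):
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)


def build_auth_unix(stamp, machinename, uid, gid, gids):
    body = (struct.pack(">I", stamp) + xdr_opaque(machinename)
            + struct.pack(">III", uid, gid, len(gids))
            + b"".join(struct.pack(">I", g) for g in gids))
    return struct.pack(">I", AUTH_UNIX) + xdr_opaque(body)


def build_call(xid, prog, vers, proc, cred, params):
    null_verf = struct.pack(">II", AUTH_NULL, 0)
    return struct.pack(">IIIIII", xid, RPC_CALL, 2, prog, vers, proc) + cred + null_verf + params


def build_reply(xid, results, accept_stat=0):
    return (struct.pack(">III", xid, RPC_REPLY, 0) + struct.pack(">II", AUTH_NULL, 0)
            + struct.pack(">I", accept_stat) + results)


# Portmapper v2 GETPORT (prog 100000, proc 3) asking where NFS v2 over UDP lives, and its reply.
PMAP_GETPORT = build_call(0x2A, 100000, 2, 3,
                          build_auth_unix(0x1234, b"cs", 1001, 20, [20, 100]),
                          struct.pack(">IIII", 100003, 2, 17, 0))
PMAP_REPLY = build_reply(0x2A, struct.pack(">I", 2049))


def demo():
    """Feed the call and then the reply through the matcher; return the pair and the port."""
    m = RpcMatcher()
    assert m.feed(PMAP_GETPORT) is None  # the call is now pending on its XID
    call, reply = m.feed(PMAP_REPLY)
    port = struct.unpack(">I", reply["results"][:4])[0]
    return call, reply, port
```

    Matching on the XID alone is what an analyser can do from a trace, but
    the XID is chosen by the client and is reused across retransmits, so the
    matcher keeps only the most recent call per XID and parks replies whose
    call was never seen in a separate orphan list rather than guessing.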

    o A better filtering mechanism has been implemented.  It is not perfect,
    and it relies on /etc/ethers to resolve hostnames, but it is better than
    the previous version :-)

    o Decoding protocols with large packets, such as NFS, has meant that the
    snap length for nit is set to 0 (no truncation). Unfortunately this
    results in dropped packets under SunOS. The Ultrix packet filter has no
    such problem, however.

    o The "pcap" library (of tcpdump 3.0 fame) is now used as the packet
    capturing mechanism.  This makes no difference from the user's point of
    view, but portability is much improved.

Known Bugs:
-----------

    o There must be heaps, so try your best to bring it down. I would
    expect some RPC procedures to fail to decode, as I can only test the
    decoding of those procedures I have actually seen in a trace.

Future Directions:
------------------

    o More protocols must be added, as well as the other versions of the RPC
    protocols already implemented, for example NFS version 3.

    o Filtering needs more work.

    o Many of the interesting packets (NFS reads and writes in particular)
    are fragmented, so it may be a good idea to reassemble fragmented packets
    before decoding them.

    o Change the load/save dialogs to proper file selection widgets.

    o Implementation of protocol decoding modules via ASN.1 specifications
    (ambitious).
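
    The fragment reassembly mentioned above, as an added example in Python
    (not Packetman's code): IPv4 fragments are collected per (source,
    destination, id, protocol) tuple and handed back as one datagram once the
    final fragment has arrived and no holes remain, regardless of arrival
    order. The fragments it runs on are constructed inside the block from an
    8200-byte datagram (the size class of an NFS read reply); header
    checksums are neither computed nor checked, and all names are this
    example's own. It also refuses conflicting data at the same offset, the
    overlapping-fragment trick that a decoder which silently keeps one copy
    would misread.

```python
import struct

MF_FLAG = 0x2000       # "more fragments" bit in the flags/offset word
OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units


def parse_ipv4(pkt):
    """Return (key, byte_offset, more_fragments, payload) for one IPv4 packet.

    Header checksum and options are not validated; this is a decoder, not a host.
    """
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag, _ttl, proto = struct.unpack_from(">HHHBB", pkt, 2)
    key = (pkt[12:16], pkt[16:20], ident, proto)   # src, dst, id, protocol
    offset = (flags_frag & OFFSET_MASK) * 8
    return key, offset, bool(flags_frag & MF_FLAG), pkt[ihl:total_len]


class Reassembler:
    """Collect fragments per (src, dst, id, proto) and emit the datagram when complete."""

    def __init__(self):
        self.pending = {}   # key -> {"parts": {offset: bytes}, "total": int or None}

    def feed(self, pkt):
        key, off, mf, payload = parse_ipv4(pkt)
        if off == 0 and not mf:
            return payload                          # not fragmented at all
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        old = entry["parts"].get(off)
        if old is not None and old != payload:
            # Same offset, different bytes: the classic overlapping-fragment evasion.
            # Partial overlaps at other offsets are not reconciled here either;
            # treat both as suspicious rather than silently picking one copy.
            raise ValueError("conflicting fragment at offset %d" % off)
        entry["parts"][off] = payload
        if not mf:                                  # last fragment fixes the total length
            entry["total"] = off + len(payload)
        return self._complete(key, entry)

    def _complete(self, key, entry):
        if entry["total"] is None:
            return None
        data, expect = b"", 0
        for off in sorted(entry["parts"]):
            if off != expect:
                return None                         # hole: still waiting for a fragment
            data += entry["parts"][off]
            expect = off + len(entry["parts"][off])
        if expect != entry["total"]:
            return None
        del self.pending[key]
        return data


# --- constructed fragments (not captured traffic) ---
def build_fragments(src, dst, ident, proto, payload, mtu=1500):
    """Split payload into IPv4 fragments as a sender with the given MTU would."""
    chunk = (mtu - 20) // 8 * 8                     # fragment data must be a multiple of 8
    frags = []
    for off in range(0, len(payload), chunk):
        part = payload[off:off + chunk]
        flags = MF_FLAG if off + chunk < len(payload) else 0
        hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(part), ident,
                          flags | (off // 8), 64, proto, 0, src, dst)  # checksum left at 0
        frags.append(hdr + part)
    return frags


def demo():
    """Fragment an 8200-byte UDP datagram, feed the pieces last-first, reassemble."""
    payload = bytes(range(256)) * 32 + b"\x7f" * 8   # 8200 bytes of constructed data
    frags = build_fragments(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 0xBEEF, 17, payload)
    r = Reassembler()
    results = [r.feed(f) for f in reversed(frags)]   # out-of-order arrival
    return len(frags), results, payload, r
```

    With a 1500-byte MTU the 8200-byte datagram becomes six fragments; only
    the feed of the final missing piece returns data, and the reassembler's
    pending table is empty afterwards so a long trace does not accumulate
    state for completed datagrams. Incomplete datagrams (a fragment lost to
    the SunOS drops noted above) simply never complete.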

Please send any comments/suggestions/bug reports to:

    netman@cs.curtin.edu.au

--
Netman Development Group
Mike Schulze and Craig Farrell
Department of Computer Science
Curtin University                                          Ph: +61 9 351 7666
Perth, Western Australia                                  Fax: +61 9 351 2819
