lantern - sniff network traffic
lantern is an Ethernet frame and packet analyzer for Linux, written with simplicity and ease-of-use in mind.
Dump filter code in human readable form and exit.
Dump filter code as a C array and exit.
Exit after receiving count packets.
Don't cache addresses whose hostnames don't resolve. Normally, lantern
will keep a list of all the addresses whose hostnames don't resolve so they won't be looked up over the
Don't resolve hostnames.
Run lantern as a daemon. Fork, detach from controlling terminal, and log to file.
Print source and destination MAC addresses for packets.
Change the effective group ID to egid when we don't need root privileges anymore.
Default: 1000. See -u.
Print a help/usage screen with an overview of the options.
Sniff on interface. Default: eth0.
Filter protocol(s) in list. When multiple protocols are in list,
separate them with a comma.
- Supported Protocols
Reverse ARP packets
IPsec AH packets
IPsec ESP packets
Filter packets in userland (only a valid option if compiled with kernel-filtering support).
Don't put the listening interface into promiscuous mode. If it's already in promiscuous
mode, then unset it.
Only print packets that match the POSIX regular expression regex. Currently only
matches against TCP, UDP, and UDP-Lite packets. Whether the
uses basic or extended regular expressions is decided at compile time; if you look at the
help screen (-h), the description of the -r flag will say if it's basic or extended.
Opposite of -I. Filter all but protocol(s) in list. See -I for protocol list.
Print short hostnames (stops at first period unless the hostname is only a period).
Don't print timestamp for packets.
Print unformatted timestamp for packets. Default: ISO 8601 format: "YYYY-MM-DD hh:mm:ss"
Same as -g, but with effective user ID. The euid is set back to zero when we need to
uninitialize the interface and close the socket on exit.
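The temporary drop described for -g and -u, as an added C example (not lantern's own source): the group is changed before the user on the way down, and the saved IDs are put back for cleanup. The names priv_drop, priv_restore and saved_ids are hypothetical, and using 1000 for the euid as well as the egid is an assumption.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Effective IDs in force before the drop, so they can be put back on exit. */
struct saved_ids { uid_t euid; gid_t egid; };

/* Temporarily drop to egid/euid. Group first: once the effective UID is
 * no longer 0, setegid() to an arbitrary group would be refused. */
int priv_drop(gid_t egid, uid_t euid, struct saved_ids *old)
{
    old->euid = geteuid();
    old->egid = getegid();
    if (setegid(egid) != 0)
        return -1;
    if (seteuid(euid) != 0) {
        (void)setegid(old->egid);   /* do not stay half-dropped */
        return -1;
    }
    /* Verify the result instead of trusting the return codes alone. */
    return (geteuid() == euid && getegid() == egid) ? 0 : -1;
}

/* Regain the saved IDs for cleanup. User first, so the group change is
 * made with full privileges again. */
int priv_restore(const struct saved_ids *old)
{
    if (seteuid(old->euid) != 0 || setegid(old->egid) != 0)
        return -1;
    return (geteuid() == old->euid && getegid() == old->egid) ? 0 : -1;
}

int main(void)
{
    struct saved_ids old;
    /* 1000: the page's default for egid; reusing it as euid is an assumption. */
    if (priv_drop(1000, 1000, &old) != 0) {
        perror("priv_drop (needs root)");
        return 1;
    }
    printf("capture phase: euid=%d egid=%d\n", (int)geteuid(), (int)getegid());
    if (priv_restore(&old) != 0) {
        perror("priv_restore");
        return 1;
    }
    printf("cleanup phase: euid=%d egid=%d\n", (int)geteuid(), (int)getegid());
    return 0;
}
```

Because only the effective IDs change, the saved user ID stays 0 for the whole run, and setegid() leaves the supplementary group list untouched.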
If you want to fork() into the background and only log ARP packets passing through
# lantern -D arp.log -i eth1 -R arp
If you have udp duplicate problems on your LAN:
# lantern -I udp,udplite
You must have root privileges to run lantern.
If the listening interface is down, lantern
will attempt to bring it up; then bring it back down on exit.
If multiple -I and/or -R options are used, the last one takes effect.
If the socket is created with AF_INET/SOCK_PACKET and the promiscuity of the interface is
changed, it will be restored on exit.
The packet information is printed to stdout, everything else (banner, error messages, etc.)
is printed to stderr.
The following signals cause normal program termination:
lantern will also catch SIGSEGV (segfault) and exit normally.
COPYRIGHT AND OTHER INFORMATION
lantern is released under the MIT license, so you can modify it all you want without being
"required" to submit your changes like with the GPL. But if you want to send me some
enhancements or new features to be added to the main distribution, please do. Email
is the preferred way (see AUTHOR section).
I don't know of any bugs so email me if you find any.
October 10, 2005