LANTERN
NAME
lantern - sniff network traffic
SYNOPSIS
lantern [-bCdehkpstv] [-c count] [-D file] [-g egid] [-i interface]
        [-IR list] [-r regex] [-u euid]
DESCRIPTION
LANtern is an ethernet frame and packet analyzer for Linux, written with simplicity and ease-of-use in mind.
OPTIONS
-b
    Dump filter code in human readable form and exit.

-bb
    Dump filter code as a C array and exit.

-c count
    Exit after receiving count packets.

-C
    Don't cache addresses whose hostnames don't resolve. Normally, LANtern will keep a list of all the addresses whose hostnames don't resolve so they won't be looked up over the network again.

-d
    Don't resolve hostnames.

-D file
    Run LANtern as a daemon: fork, detach from the controlling terminal, and log to file.

-e
    Print source and destination MAC addresses for packets.

-g egid
    Change the effective group ID to egid when we don't need root privileges anymore. Default: 1000. See -u.

-h
    Print a help/usage screen with an overview of the options.

-i interface
    Sniff on interface. Default: eth0.

-I list
    Filter protocol(s) in list. When multiple protocols are in list, separate them with a comma.

    Supported protocols:

        nondix    Non-DIX frames
        arp       ARP packets
        rarp      Reverse ARP packets
        mpls      MPLS packets
        ip        IP packets
        ah        IPsec AH packets
        esp       IPsec ESP packets
        icmp      ICMP packets
        igmp      IGMP packets
        ospf      OSPF packets
        tcp       TCP packets
        udp       UDP packets
        udplite   UDP-Lite packets

-k
    Filter packets in userland (only a valid option if compiled with kernel-filtering support).

-p
    Don't put the listening interface into promiscuous mode. If it's already in promiscuous mode, then unset it.

-r regex
    Only print packets that match the POSIX regular expression regex. Currently only matches against TCP, UDP, and UDP-Lite packets. Whether LANtern uses basic or extended regular expressions is decided at compile time; if you look at LANtern's help screen (-h), the description of the -r flag will say if it's basic or extended.

-R list
    Opposite of -I: filter all but the protocol(s) in list. See -I for the protocol list.

-s
    Print short hostnames (stops at the first period unless the hostname is only a period).

-t
    Don't print timestamps for packets.

-tt
    Print unformatted timestamps for packets. Default: ISO 8601 format, "YYYY-MM-DD hh:mm:ss".

-u euid
    Same as -g, but with the effective user ID. The euid is set back to zero when we need to uninitialize the interface and close the socket on exit.
EXAMPLES
If you want to fork() into the background and only log ARP packets passing through eth1:

    # lantern -D arp.log -i eth1 -R arp

If you have UDP duplicate problems on your LAN:

    # lantern -I udp,udplite
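Because the -r flag's regex flavor (basic or extended POSIX) is fixed at compile time, a pattern such as GET|POST is an alternation on one build and a literal string on another. The following POSIX shell script is an added illustration, not anything shipped with LANtern: it runs a pattern against a constructed sample payload under both flavors using grep, so an operator can see which patterns are portable before relying on them. The function names and the sample payload are this example's own.

```shell
#!/bin/sh
# Added example, not LANtern's code. Compares how a pattern behaves as a basic
# regular expression (BRE) versus an extended one (ERE), the two flavors a
# LANtern build may use for -r.

# Constructed sample payload lines, as a captured TCP stream might carry them.
SAMPLE_PAYLOAD='GET /login HTTP/1.1
POST /api/session HTTP/1.1
PUT /files/report.txt HTTP/1.1'

# Count the lines of $2 matched by pattern $1 interpreted as a BRE.
# "|| true" keeps a zero-match result (grep exit status 1) from aborting
# callers that run under "set -e".
bre_matches() {
    printf '%s\n' "$2" | grep -c -- "$1" || true
}

# Same count with the pattern interpreted as an ERE.
ere_matches() {
    printf '%s\n' "$2" | grep -c -E -- "$1" || true
}

# Report whether a pattern gives the same matches under both flavors. Only a
# "portable" pattern can be passed to -r without first checking which flavor
# the installed build was compiled with (its -h output says).
regex_flavor_check() {
    bre=$(bre_matches "$1" "$2")
    ere=$(ere_matches "$1" "$2")
    if [ "$bre" -eq "$ere" ]; then
        echo "portable: $bre matches"
    else
        echo "flavor-dependent: BRE=$bre ERE=$ere"
    fi
}

# Stand-alone run: an alternation behaves differently, an anchor does not.
regex_flavor_check 'GET|POST' "$SAMPLE_PAYLOAD"
regex_flavor_check '^PUT ' "$SAMPLE_PAYLOAD"
```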
NOTES
You must have root privileges to run LANtern.

If the listening interface is down, LANtern will attempt to bring it up, then bring it back down on exit.

If multiple -I and/or -R options are used, the last one takes effect.

If the socket is created with AF_INET/SOCK_PACKET and the promiscuity of the interface is changed, it will be restored on exit.

The packet information is printed to stdout; everything else (banner, error messages, etc.) is printed to stderr.
SIGNALS
The following signals cause normal program termination:

    SIGHUP
    SIGINT
    SIGQUIT
    SIGTERM

LANtern will also catch SIGSEGV (segfault) and exit normally.
COPYRIGHT AND OTHER INFORMATION
LANtern is released under the MIT license, so you can modify it all you want without being "required" to submit your changes like with the GPL. But if you want to send me some enhancements or new features to be added to the main distribution, please do. Email is the preferred way (see AUTHOR section).
BUGS
I don't know of any bugs so email me if you find any.
AUTHOR
Kris Katterjohn
<kjak@users.sourceforge.net>
WEBSITE
http://the-lantern.sourceforge.net
October 10, 2005