BUTTSniffer is a packet sniffer and network monitor for Windows 95, Windows 98
and Windows NT 4.0. It works as a standalone executable and as a plugin for
Back Orifice. Want to know what's really going on on your network segment? You
need
It features the following:
- TCP connection monitoring. Full and split screen, text and hexadecimal.
- Password sniffing. Full phrasecatcher built in. Currently supports HTTP
  basic authentication, FTP, Telnet, POP2 and POP3. Support pending for
  IMAP2, rlogin and possibly other protocols.
- Packet filtering. Firewall-style filtering lists. Exclude/include ranges of
  IP addresses and ports.
- Multiple interface support. Can be started on any of the system's network
  interfaces. Multiple instances of BUTTSniffer can be run at the same time.
- Interactive mode. Spawns a port that you can telnet to, and displays an
  easy to use vt100 menu based user interface for remote sniffer
- War mode. War mode features include connection resetting. More features to
  come!
- Windows 95, Windows 98 and Windows NT operating system support. Use it both
  at home and at work!
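The password sniffing feature above is worth seeing in code. The following is an added example, not BUTTSniffer's own source: it assumes the capture layer has already reassembled each connection into an ordered list of (direction, payload) segments ("c2s" client-to-server, "s2c" server-to-client) and shows only the protocol-level "phrasecatcher" step for HTTP basic authentication, FTP, POP3 and Telnet logins. The sample flows are constructed inline; function names and the segment format are this example's own.

```python
"""Minimal phrasecatcher: pull clear-text credentials out of sniffed TCP payloads.

Added example, not BUTTSniffer's code. Input is a list of (server_port, segments)
where segments is an ordered list of ("c2s" | "s2c", bytes); all sample data below
is constructed, not captured.
"""
import base64
import re

IAC, SB, SE, WILL, WONT, DO, DONT = 0xFF, 0xFA, 0xF0, 0xFB, 0xFC, 0xFD, 0xFE
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)


def catch_http_basic(c2s):
    """HTTP basic auth (RFC 2617) is base64('user:pass') in a request header."""
    creds = []
    for m in BASIC_RE.finditer(c2s):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError: malformed base64, skip it
            continue
        user, sep, password = decoded.partition(":")
        if sep:
            creds.append(("http", user, password))
    return creds


def catch_user_pass(c2s, proto):
    """FTP (RFC 959) and POP3 (RFC 1939) both send USER <u> then PASS <p> in the clear."""
    creds, user = [], None
    for line in c2s.replace(b"\r\n", b"\n").split(b"\n"):
        verb, _, arg = line.strip().partition(b" ")
        if verb.upper() == b"USER":
            user = arg.decode("latin-1")
        elif verb.upper() == b"PASS" and user is not None:
            creds.append((proto, user, arg.decode("latin-1")))
            user = None
    return creds


def strip_telnet(data):
    """Drop IAC option negotiation (RFC 854) so only typed characters remain."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:  # escaped literal 0xFF
            out.append(IAC); i += 2
        elif i + 1 < len(data) and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3  # IAC <cmd> <option>
        elif i + 1 < len(data) and data[i + 1] == SB:  # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2
    return bytes(out)


def catch_telnet(segments):
    """Telnet has no USER/PASS verbs: the client types one character per segment and
    the server echoes everything but the password, so pair each completed client
    line with the server text seen since the previous line ('login:'/'Password:')."""
    creds, user, typed, prompt = [], None, bytearray(), b""
    for direction, data in segments:
        if direction == "s2c":
            prompt += strip_telnet(data).lower()
            continue
        for ch in strip_telnet(data):
            if ch in (0x0D, 0x0A):  # CR or LF ends the line
                if typed:
                    text = typed.decode("latin-1")
                    if b"login:" in prompt or b"username:" in prompt:
                        user = text
                    elif b"password:" in prompt and user is not None:
                        creds.append(("telnet", user, text))
                        user = None
                    typed, prompt = bytearray(), b""
            elif ch in (0x08, 0x7F):  # backspace / DEL: undo last character
                if typed:
                    typed.pop()
            elif ch >= 0x20:
                typed.append(ch)
    return creds


def catch_all(flows):
    """Dispatch each reassembled flow to the decoder for its server port."""
    found = []
    for dport, segments in flows:
        c2s = b"".join(d for direction, d in segments if direction == "c2s")
        if dport in (80, 8080):
            found += catch_http_basic(c2s)
        elif dport == 21:
            found += catch_user_pass(c2s, "ftp")
        elif dport == 110:
            found += catch_user_pass(c2s, "pop3")
        elif dport == 23:
            found += catch_telnet(segments)
    return found


def sample_flows():
    """Constructed sample traffic (not a real capture)."""
    http = [("c2s", b"GET /admin/ HTTP/1.0\r\nHost: intranet\r\nAuthorization: Basic "
                    + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
            ("s2c", b"HTTP/1.0 200 OK\r\n\r\n")]
    ftp = [("s2c", b"220 ftp ready\r\n"), ("c2s", b"USER bob\r\n"),
           ("s2c", b"331 Password required\r\n"), ("c2s", b"PASS hunter2\r\n")]
    pop3 = [("s2c", b"+OK POP3 ready\r\n"), ("c2s", b"USER carol\r\npass pop!pass\r\n")]
    telnet = [("s2c", b"\xff\xfb\x01\xff\xfb\x03\r\nlogin: "),
              ("c2s", b"\xff\xfd\x01\xff\xfd\x03r"), ("s2c", b"r"),
              ("c2s", b"o"), ("s2c", b"o"), ("c2s", b"ot\r\x00"),
              ("s2c", b"ot\r\nPassword: "), ("c2s", b"t00r\r\x00"),
              ("s2c", b"\r\nLast login: Mon Nov 30 1998\r\n$ ")]
    return [(80, http), (21, ftp), (110, pop3), (23, telnet)]


if __name__ == "__main__":
    for proto, user, password in catch_all(sample_flows()):
        print(f"{proto:7s} {user}:{password}")
```

The Telnet decoder is the part that differs from the line-oriented protocols: because the client sends one keystroke per segment and the server echoes all of them except the password, it has to buffer keystrokes and key off the preceding server prompt rather than a command verb.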
11/28/1998 - Version 0.9.3 released.
11/2/1998 - Version 0.9.2 released.
10/9/1998 - Version 0.9.1a hotfix released.
10/7/1998 - Version 0.9.1 released.
10/5/1998 - Update on source code availability: the final 1.0 release will be
partially open source. Some of the material being released will be free, but
some is proprietary. Because some of the code was written while working for a
company with trade secrets (very few relating to this project, but I am
nonetheless under contract), I am unable to release the source code fully. The
source for the actual low level packet sniffer falls under this restriction and
will be left out. So, in order to compile the code, you will have to use a
static link library that I will provide; the source code for the library will
not be available at this time. It may be open sourced at a later date.
10/2/1998 - BUTTSniffer Beta 0.9 released.
Archived Versions (old)
Version 0.9.3: Numerous bugs fixed, and a major low level overhaul. The
Windows NT support is greatly improved, with a dynamically loading service,
making it as convenient on Windows NT as on Windows 98 and 95. Note that the
service is a 'manual start' service: once an administrator has run the
executable, the service is installed, and users of any privilege level can run
the executable from that point on (you just have to get the sucker installed!).
The packet driver code for both the Windows NT and 95/98 drivers was also
debugged extensively. The next release should support encapsulations other
than Ethernet: Token Ring first, PPP next (so I don't keep dropping the
dial-up user's connections). FDDI anyone? Anyway. Some interface bugs were
fixed, but in terms of new features there has been little added in this
release. There is a new way to specify interfaces by their 'number' as opposed
to their 'name', which makes using it on NT machines much simpler. Errors are
also handled more gracefully in this release. On a more humorous note, I
figured out a good icon for the executable version. More coming soon, but
0.9.4 may not be released until mid-January due to other more important
projects. What good would an NT Back Orifice plugin be without...
Version 0.9.2: Upgraded to work with Windows NT! Also added IP and port
filtering for direct disk dump. The NT version requires that the packet.sys
driver be installed. To do this, go to your Network control panel and, under
the 'Protocols' tab, click Add and point it to the oemsetup.inf file. In
future releases, the driver will be installed automatically if the program is
run with administrative privileges. Note that Windows NT will ask you to
reboot, but you don't have to: the driver will start the service without you
needing to do anything. Also, packet32.dll isn't actually used by the
executable, and it will be removed in the next release; I just haven't gotten
around to hacking Microsoft's generic INF file very much yet. Packet32.dll and
packet.sys are based on some extremely FLAWED Microsoft packet driver code
which I painstakingly cleaned up. Any other versions of packet.sys out there
should probably be replaced with my version. Also, UDP code was added. But for
what, you ask? That's for you to find out... The next release will primarily
be for cleanup and reducing the 'known bugs' count.
Version 0.9.1a: Hotfix to correct a major bug in the DLL version. The DLL
version was not extracting and loading the sniffer VXD correctly and was thus
not putting the card into promiscuous mode.
Version 0.9.1: Minor cosmetic bugfixes. Added OS version detection.
Implemented IP and TCP packet generators and added Ethernet packet sending
code. Added a war mode connection delete option on the connection monitor.
Added a war mode configuration option to the 'Configure' menu.
Version 0.9: Initial release
Known crash condition on the Toshiba Libretto series of mini-laptops (GPF on
execution). Might be a problem with PCMCIA Ethernet or something else. Not
sure. Also, the code couldn't put a Gateway Telepath 33.6 modem/Ethernet combo
card into promiscuous mode. This is probably the fault of Gateway's card
driver for Windows, since the card worked fine when used under Linux.
Terminating BUTTSniffer while running on a dialup adapter may
disconnect the modem. This is also a problem for many other network
monitoring tools. Anyone who knows why this happens should email me. I will
try to implement a workaround.
Connection reset may not be done exactly right. The connection drops, but
despite RST packets being sent to both sides, some operating systems (Solaris
in particular) don't recognize the connection as dropped right away. Works
fine for Windows clients though... Will look into this in more detail. Must
have missed something.
Does not handle resizable telnet clients correctly (at all!). Also, the password
sniffer view doesn't handle longer usernames/passwords.
The telnet client must operate in 'character at a time' mode in order to
function properly in interactive mode. This really isn't a bug in BUTTSniffer,
but is a condition that must be handled on the client end. Most telnet clients
have no problem with this. With some, you have to flip a switch to force
character at a time mode. I will see about getting telnet negotiation to force
this on all clients.
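The negotiation in question is standard: a server announces IAC WILL ECHO (RFC 857) and IAC WILL SUPPRESS-GO-AHEAD plus IAC DO SUPPRESS-GO-AHEAD (RFC 858), and a client that accepts both (replying DO ECHO and DO SUPPRESS-GO-AHEAD) stops line-buffering and sends each keystroke as it is typed. The following added example (not BUTTSniffer's code) produces that request and parses the client's replies out of the inbound stream, handling the case where an IAC sequence is split across two reads, which is exactly what a telnet-based menu interface has to cope with before it can rely on single keystrokes. The class and function names are this example's own.

```python
"""Telnet option negotiation to force character-at-a-time mode (RFC 854/857/858).

Added example, not BUTTSniffer's code. TelnetOptions.feed() is called with each
chunk read from the client socket; it returns the user keystrokes and records
which options the client agreed to.
"""
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
ECHO, SGA, LINEMODE = 1, 3, 34  # LINEMODE is RFC 1184


def character_mode_request():
    """What the server sends right after accept(): echo and suppress-go-ahead both
    ways, and refuse LINEMODE so a LINEMODE-capable client does not buffer lines."""
    return bytes([IAC, WILL, ECHO, IAC, WILL, SGA, IAC, DO, SGA, IAC, DONT, LINEMODE])


class TelnetOptions:
    def __init__(self):
        self.pending = b""     # partial IAC sequence carried over between reads
        self.client_do = {}    # option -> True (DO) / False (DONT) from the client
        self.client_will = {}  # option -> True (WILL) / False (WONT) from the client

    def feed(self, data):
        """Strip negotiation from one read; may be called with any chunk boundaries."""
        buf = self.pending + data
        out, i = bytearray(), 0
        while i < len(buf):
            if buf[i] != IAC:
                out.append(buf[i]); i += 1
                continue
            if i + 1 >= len(buf):
                break  # lone IAC at the end: wait for the rest
            cmd = buf[i + 1]
            if cmd == IAC:  # escaped literal 0xFF
                out.append(IAC); i += 2
            elif cmd in (WILL, WONT, DO, DONT):
                if i + 2 >= len(buf):
                    break  # option byte not yet received
                table = self.client_do if cmd in (DO, DONT) else self.client_will
                table[buf[i + 2]] = cmd in (DO, WILL)
                i += 3
            elif cmd == SB:  # subnegotiation: skip through IAC SE
                end = buf.find(bytes([IAC, SE]), i + 2)
                if end < 0:
                    break
                i = end + 2
            else:  # two-byte commands such as NOP, AYT, GA
                i += 2
        self.pending = buf[i:]
        return bytes(out)

    def character_mode(self):
        """True once the client has accepted both server echo and suppress-go-ahead."""
        return bool(self.client_do.get(ECHO) and self.client_do.get(SGA))


if __name__ == "__main__":
    opts = TelnetOptions()
    # Constructed client replies, deliberately split mid-sequence across two reads.
    first = opts.feed(b"\xff\xfd\x01\xff")
    second = opts.feed(b"\xfd\x03\xff\xfc\x22hello\r\n")
    print(first, second, opts.character_mode())
```

If character_mode() stays False after the client has answered, the client refused echo or suppress-go-ahead and will keep sending whole lines; that is the case the page describes as needing a switch flipped on the client.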
- Low level support for more encapsulation types (PPP, Token Ring, etc.)
- Standalone version that runs without a console window
- Writing better documentation and a FAQ
- More war mode options including session hijacking, and various other things...
Keep watching here, as this page will be updated often.
New releases are always on the way!
For help on the standalone version, run the executable from
a console and the usage information will be displayed.
The syntax for the BUTTPlug functions is as follows.
Use the "Plugin Execute" command with the following two fields:

  (no arguments)
    Lists names of network interface devices.

  <Interface Number> <Log File> <Dump Type> [filter]
    Dumps packet data to disk. Valid dump types are:
      r: Raw frames (dumps raw network traffic)
      e: Encapsulation (dumps decoded packets with encapsulation information)
      p: Full protocol (dumps fully decoded packets with protocol information)
    Valid filters are:
      A single number representing a port to be monitored (e.g. 80)
      A port range to be monitored (e.g. 141-1024)
      A filename containing a list of IP and port filter rules
    Read the 'readme.txt' for more information and examples.
    Filters are only active on dump type 'p'.

  <Interface Number> <Port>
    Starts the interactive sniffer on the specified port. Telnet to this
    port to use the sniffer (use VT100 terminal type).