BUTTSniffer Prerelease 0.9.3
Public Beta Release


BUTTSniffer is a packet sniffer and network monitor for Win95, Win98 and also Windows NT 4.0. It works as a standalone executable, and as plugin for Back Orifice. Want to know what's really going on on your network segment? You need BUTTSniffer.

It features the following:

  • TCP Connection monitoring. Full and split screen. Text and Hexadecimal views.
  • Password sniffing. Full phrasecatcher built in. Currently supports HTTP basic authentication, FTP, Telnet, POP2 and POP3. Support pending for IMAP2, RLogin, and possibly other protocols
  • Packet filtering. Firewall style filtering lists. Exclude/include ranges of IP addresses and ports.
  • Multiple interface support. Can be started on any of the system's network interfaces. Multiple instances of BUTTSniffer can be run at the same time.
  • Interactive mode. Spawns a port that you can telnet to, and displays an easy to use vt100 menu based user interface for remote sniffer access.
  • War mode. War mode features include connection resetting. More features to come!
  • Win95, Win98, and Windows NT operating system support. Use it both at home and at work!


11/28/1998 - Version 0.9.3 released.

11/2/1998 - Version 0.9.2 released.

10/9/1998 - Version 0.9.1a hotfix released.

10/7/1998 - Version 0.9.1 released.

10/5/1998 - Update on source code availability: The final release 1.0 will be Partially Open Source. Note that some of the material being released will be free, but some material is proprietary. Due to the fact that some of the code was written while working for a company with trade secrets (very few relating to this project, but nonetheless I am under contract), I am unable to release the source code fully. The source for the actual low level packet sniffer falls under this restriction, and will be left out. So, in order to compile the code, you will have to use a static link library that I will provide, but the source code will not be available for the library at this time. It may be opensourced at a later date.

10/2/1998 - BUTTSniffer Beta 0.9 released.


Version 0.9.3

Archived Versions (old)


Version 0.9.3: Numerous bugs fixed, and a major low level overhaul. The Windows NT support is greatly improved, with a dynamically loading service, making it as convenient on Windows NT as on Windows 98 and 95. Note that the service is a 'manual start' service, and if the administrator runs the executable once, the service is installed, and users of any privelege can run the executable after that point (just have to get the sucker installed!) The packet driver code for both the Windows NT and 95/98 drivers was also debugged extensively. Next release should support different encapsulations other than ethernet. Token ring first, PPP next (so I don't keep dropping the dial-up user's connections). FDDI anyone? Anyway. Some interface bugs were fixed, but in terms of new features, there has been little added in this release. There is a new way to specify interfaces by their 'number' as opposed to their 'name', which makes using it on NT machines much simpler. Errors are also handled nicer in this release. On a more humorous note, I figured out a good icon for the executable version. More coming soon, but 0.9.4 may not be released until mid-january due to other more important projects. What good would an NT Back Orifice plugin be without...

Version 0.9.2: Upgraded to work with Windows NT! Also added IP and port filtering for direct disk dump. The NT version requires that the packet.sys driver be installed. To do this go to your network control panel and under the 'protocols' tab, click add and point it to the oemsetup.inf file. In future releases, the driver will automatically be installed for you if it is run with administrative priveleges. Note that Windows NT will ask you to reboot, but you don't have to. The driver will automatically start the service without you needing to do anything. Also, the packet32.dll isn't actually used by the executable, and it will be removed in the next release. I just haven't gotten around to hacking Microsoft's generic INF file very much yet. Packet32.dll/packet.sys are based on some extremely FLAWED Microsoft packet driver code which I painstakingly cleaned up. Any other versions of packet.sys out there should probably be replaced with my version. Also, UDP code was added. But for what you ask? That's for you to find out... The next release will primarily be for cleanup and reducing the 'known bugs' count.

Version 0.9.1a: Hotfix to correct major bug with DLL version. DLL version was not extracting and loading the sniffer VXD correctly and was thus not putting the card into promiscuous mode.

Version 0.9.1: Minor cosmetic bugfixes. Added OS version detection. Implemented IP and TCP packet generators and added ethernet packet sending code. Added war mode connection delete option on connection monitor. Added war mode configuration option to 'Configure' menu.

Version 0.9: Initial release

Known Bugs:

  • Known crash condition on the Toshiba Libretto series of mini-laptops (GPF on execution). Might be a problem with pcmcia ethernet or something else. Not sure. Also, the code couldn't put a Gateway Telepath 33.6 modem/ethernet combo card into promiscuous mode. This is probably the fault of Gateway's card driver for Windows, since the card worked fine when used under Linux.

  • Terminating BUTTSniffer while running on a dialup adapter may disconnect the modem. This is also a problem for many other network monitoring tools. Anyone who knows why this happens should email me. I will try to implement a workaround.

  • Connection reset may not be done exactly right. Connection drops, but despite RST packets being sent to both sides, some operating systems (Solaris in particular) don't recognize the connection as being dropped right away. Works fine for Windows clients though... Will look into this in more detail. Must have missed something.

  • Does not handle resizable telnet clients correctly (at all!). Also, the password sniffer view doesn't handle longer usernames/passwords.

  • Telnet client must operate in 'character at a time' mode in order to function properly in interactive mode. This really isn't a bug in BUTTSniffer, but is a condition that must be handled on the client end. Most telnet clients have no problem with this. Some, you have to flip a switch to force the character at a time mode. I will see about getting telnet negotiation to force this on all clients.

  • Planned Improvements:

  • Low level support for more encapsulation types (PPP, Token Ring, etc)
  • Standalone version that runs without a console window
  • Writing better documentation and a FAQ
  • More war mode options including Session Hijacking, and various other things...
  • Notes:

    Keep watching here, as this page will be updated often. New releases are always on the way!

    For help on the standalone version, run the executable from a console and the usage information will be displayed.

    The syntax for the BUTTPlug functions are as follows:

    Use the "Plugin Execute" command with the following two fields:
    Command Args Description
    buttsniff.dll:_List (none) Lists names of network interface devices
    buttsniff.dll:_Dump <Interface Number> <Log File> <Dump Type> [filter] Dumps packet data to disk. Valid dump types are:
  • r: Raw Frames (dumps raw network traffic)
  • e: Encapsulation (dumps decoded packets with encapsulation information)
  • p: Full protocol (dumps fully decoded packets with protocol information)
    Valid filters are:
  • A single number representing a port to be monitored (e.g. 80)
  • port range to be monitored (e.g. 141-1024)
  • A filename containing a list of IP and port filter rules
    Read the 'readme.txt' for more information and examples.
    Filters are only active on dump type 'p'.
  • buttsniff.dll:_Interactive <Interface Number> <Port> Starts the interactive sniffer on the specified port. Telnet to this port to use the sniffer. (use VT100 terminal type)

    Send comments to dildog@l0pht.com.

    BUTTSniffer is Copyright (C) 1998, Cult of the Dead Cow
    BUTTSniffer is redistributable. No portion of the BUTTSniffer
    source code may be used without permission of the author unless
    otherwise marked in the distribution.
    Send email for licensing details.