Documentation
Hello world!
Hello world, I am pksh, the Packet Shell, a hack of tcsh that adds packet, byte, host and protocol counters,
implemented mainly to bring passive network monitoring functionality into a shell.
So pksh is a shell. No, no! pksh is a pcap-based network sniffer, like
the popular tcpdump and ntop. No, no again! pksh is at once a shell, a
network sniffer, a query language for network monitoring and finally a
rendering engine that displays all traffic on LAN segments in a form
readable by humans and system administrators.
It aims to give, on character-based terminals, the same level of information
that ntop already provides via its embedded web interface.
Ok, let me explain. pksh is an enhanced version of tcsh that includes
facilities to capture, analyze and collect network traffic and to display the data as tables on
character-based terminals.
So pksh is four main applications at the same time:
- a shell with built-in extensions that add network capabilities
- a pcap-based packet sniffer that looks at packets on the network and collects network data
- a query language for bytes, packets, protocols and hosts
- a rendering engine that displays all the collected data as tables on character-based terminals
pksh can do your daily job as your default and login shell, because all of the native tcsh functionality is left unchanged.
Moreover, if and when you want to take a look at some traffic on your LAN segment, pksh has extensions that allow you to capture and show all the network data and network measurements you want.
All in a single program, without leaving your native job environment!
This software was originally written by me, Rocco Carbone, late in 2001, just as part of an ongoing research project to investigate and improve ntop (http://www.ntop.org) as a programmable network packet engine, but it was never finished for several reasons. Just browse through the motivation and history links if you are interested in the full story.
In a word, you can have a view of your network completely different from that provided by the ntop web daemon, without losing accuracy or usability.
Features
- The current release supports only the following types of data-links:
  - Local loopback
  - Ethernet (10 and up)
- Handle several network interfaces at the same time
- Start/stop a thread for packet capturing on each network interface enabled/disabled
- Implement full dynamic management of all available network interfaces (open/sniff/close)
- Handle a stack of most referenced network interfaces
- Provide for each network interface:
  - Addressing and interface activity
  - Total packets and bytes counters (both RX and TX)
  - Packet size distribution
  - Global protocol distribution (Broadcast and Multicast packets and bytes counters too)
- Automatically update the $hosts variable every time a rendering command is issued
- Implement hostname completion and globbing via the predefined $hosts shell variable
  in all rendering extensions, just to allow you to issue commands such as:
    pksh@eth0> pkarp 192.168.TAB
  and have the list of all the hosts starting with the given prefix completed, or
    pksh@eth0> pkarp 192.168.*
  to show the ARP table for all the hosts matching the given prefix.
- Has a powerful rendering engine to add/remove columns in each rendering extension (the output of each command can be customized by deleting the default columns and adding only those of interest via command line options)
- Sort by each column, so that output tables are displayed according to a given sort criterion
- Automatically download the tcsh sources from the Internet and apply patches via a configure shell script
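As an added illustration (not pksh's own code), this is the accounting a pcap callback performs to maintain the per-interface counters listed above: RX/TX packets and bytes, broadcast and multicast counters, protocol distribution by EtherType, and packet size distribution. It runs on Ethernet frames constructed inline instead of a live capture, and the struct, function and bucket names are assumptions, not pksh's.

```c
#include <stdint.h>
#include <string.h>
#define ETH_HLEN 14
#define NBUCKETS 6                                /* <=64, <=128, <=256, <=512, <=1024, >1024 bytes */
struct ifstats {                                  /* per-interface counters of the kind pksh reports */
    uint8_t  mac[6];                              /* interface address: decides RX vs TX */
    uint64_t rx_pkts, rx_bytes, tx_pkts, tx_bytes;
    uint64_t bcast_pkts, bcast_bytes, mcast_pkts, mcast_bytes;
    uint64_t ip_pkts, arp_pkts, other_pkts;       /* protocol distribution by EtherType */
    uint64_t sizes[NBUCKETS];                     /* packet size distribution */
};
struct ifstats sample_stats;                      /* filled by run_sample() */
static int bucket(size_t len) {                   /* index of the size class len falls into */
    size_t lim = 64; int i;
    for (i = 0; i < NBUCKETS - 1 && len > lim; i++) lim <<= 1;
    return i;
}

/* Account one captured Ethernet frame; returns -1 if too short to carry a header. */
int account_frame(struct ifstats *s, const uint8_t *f, size_t len) {
    if (len < ETH_HLEN) return -1;
    int bcast = memcmp(f, "\xff\xff\xff\xff\xff\xff", 6) == 0;
    int mcast = !bcast && (f[0] & 1);             /* group bit set but not broadcast */
    uint16_t type = (uint16_t)(f[12] << 8 | f[13]);
    if (memcmp(f + 6, s->mac, 6) == 0) { s->tx_pkts++; s->tx_bytes += len; }
    else                               { s->rx_pkts++; s->rx_bytes += len; }
    if (bcast) { s->bcast_pkts++; s->bcast_bytes += len; }
    if (mcast) { s->mcast_pkts++; s->mcast_bytes += len; }
    if (type == 0x0800) s->ip_pkts++; else if (type == 0x0806) s->arp_pkts++; else s->other_pkts++;
    s->sizes[bucket(len)]++;
    return 0;
}
/* Constructed frame: header fields set, payload zeroed; returns the frame length. */
static size_t mkframe(uint8_t *b, const uint8_t *dst, const uint8_t *src, uint16_t t, size_t len) {
    memset(b, 0, len); memcpy(b, dst, 6); memcpy(b + 6, src, 6);
    b[12] = t >> 8; b[13] = t & 0xff;
    return len;
}
/* Feed four constructed frames through the accounting; returns how many were accepted. */
int run_sample(void) {
    static const uint8_t me[6] = {0,0x11,0x22,0x33,0x44,0x55}, peer[6] = {0,0xaa,0xbb,0xcc,0xdd,0xee};
    static const uint8_t bc[6] = {0xff,0xff,0xff,0xff,0xff,0xff}, mc[6] = {0x01,0x00,0x5e,0,0,0xfb};
    struct ifstats *s = &sample_stats; uint8_t buf[1514]; int n = 0;
    memset(s, 0, sizeof *s); memcpy(s->mac, me, 6);
    n += account_frame(s, buf, mkframe(buf, bc, me, 0x0806, 60)) == 0;     /* ARP request we sent */
    n += account_frame(s, buf, mkframe(buf, me, peer, 0x0800, 1514)) == 0;  /* full-size IP frame to us */
    n += account_frame(s, buf, mkframe(buf, mc, peer, 0x0800, 100)) == 0;   /* multicast from a peer */
    n += account_frame(s, buf, 10) == 0;                                      /* runt frame: rejected */
    return n;
}
```

A real capture loop would call account_frame() from the pcap callback with the interface's own MAC already stored in the struct; the runt check matters there because pcap can hand over frames shorter than a full Ethernet header.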
Requirements
To be compiled and run on your system, pksh needs at least two extra packages providing the following functionality:
- a portable framework for low-level network capturing using the pcap library
- a copy of the tcsh source code, which is automatically patched via a shell script to include the built-in extensions

- libpcap 1.0.0, Copyright (c) 1993, 1994, 1995, 1996, 1997
  The Regents of the University of California. All rights reserved.
  The latest version of libpcap, the Packet Capture Library, can be found at:
  http://www.tcpdump.org/release/libpcap-1.0.0.tar.gz
- tcsh 6.16.00, Copyright (c) 1980, 1991
  The Regents of the University of California. All rights reserved.
  The most recent release of tcsh can be found at:
  ftp://ftp.funet.fi/pub/unix/shells/tcsh/tcsh-6.16.00.tar.gz
Platforms
Just to be clear, my development environment is an Intel-based box running a testing Debian GNU/Linux distribution, so Linux is the only supported platform until gentle souls on the Internet provide their effort in porting activities. This is not a primary goal for me.
Bugs
Luca Deri, ntop's author, agreed with me to host the project on the ntop web site in a short time, so I hope to enable the mailing lists for pksh soon. Currently, bugs can be reported via email to the author, Rocco Carbone.
