Jomon is a network forensics and passive sniffer tool. It monitors all incoming/outgoing network traffic without using libpcap, and shows the processes that are generating this traffic.
It supports packet filtering by writing BPF assembly directly or by using a higher-level tcpdump-style syntax (tcpdump syntax has very limited support for now).
It uses a minimal set of libraries: libncurses for the UI and libGeoIP for geolocation (optional). The BPF scanner/lexical analyzer is generated with the help of re2c.
For example, to catch all IPv4 packets with options, you can write
This works both as a display filter (use e or F9 in the ncurses UI) and as a capture filter (with the -f option on the command line). The equivalent assembly
can only be specified as a capture filter and is read from a file with the -F option on the command line.
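As an added illustration of what such a capture filter does when it runs (this is not Jomon's code and does not use its assembly syntax), here is a minimal classic-BPF interpreter in C that executes a hand-written equivalent of the "IPv4 with options" filter over constructed Ethernet frames. The program, the instruction subset and the sample frames are all made up for this example; out-of-bounds loads drop the packet, as the kernel interpreter does.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Tiny classic-BPF subset: just enough to run the filter below. */
enum { LDH, LDB, AND, JEQ, RET };
struct insn { int op; uint32_t k; uint8_t jt, jf; };

/* Constructed equivalent of 'ip[0] & 0xf != 5' on an Ethernet link:
 * accept only when EtherType is 0x0800 and the IHL nibble is not 5. */
static const struct insn ipv4_opts[] = {
	{ LDH, 12, 0, 0 },	/* A = EtherType */
	{ JEQ, 0x0800, 0, 4 },	/* not IPv4 -> jump to reject (pc 6) */
	{ LDB, 14, 0, 0 },	/* A = version/IHL byte */
	{ AND, 0x0f, 0, 0 },	/* A = IHL in 32-bit words */
	{ JEQ, 5, 1, 0 },	/* IHL == 5 -> no options -> reject */
	{ RET, 0xffff, 0, 0 },	/* accept */
	{ RET, 0, 0, 0 },	/* reject */
};

/* Returns the program's return value; 0 means drop. */
uint32_t bpf_run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
	uint32_t a = 0;
	size_t pc = 0;

	while (pc < n) {
		const struct insn *i = &prog[pc++];
		switch (i->op) {
		case LDH:
			if (i->k + 2 > len) return 0;	/* truncated frame */
			a = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
			break;
		case LDB:
			if (i->k + 1 > len) return 0;
			a = pkt[i->k];
			break;
		case AND: a &= i->k; break;
		case JEQ: pc += (a == i->k) ? i->jt : i->jf; break;	/* offsets are relative to pc+1 */
		case RET: return i->k;
		}
	}
	return 0;
}

/* Constructed frames: 14-byte Ethernet header plus the start of the payload. */
static const uint8_t ipv4_with_opts[] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, 0x46,0x00,0x00,0x20 }; /* IHL 6 */
static const uint8_t ipv4_no_opts[]   = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, 0x45,0x00,0x00,0x14 }; /* IHL 5 */
static const uint8_t arp_frame[]      = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x06, 0x00,0x01,0x08,0x00 }; /* ARP */

int matches_ipv4_options(const uint8_t *pkt, size_t len)
{
	return bpf_run(ipv4_opts, sizeof ipv4_opts / sizeof ipv4_opts[0], pkt, len) != 0;
}
```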
In order to use the GeoIP databases from MaxMind you need to download them yourself. On Arch Linux the free databases are in the geoip-database and geoip-database-extra packages.
To disable libGeoIP
Display help
To install on Arch Linux
You need bash and gmake to build on FreeBSD.
This project uses K&R style.