The K Desktop Environment


4.5 Event Commands

KSnuffle provides events which can trigger the execution of commands. Associated with each sniffer are up to 6 events. These are displayed on the Event Commands page.


Each event is a packet filter and is constructed in the same way as the main packet filter. Note, however, that unlike triggers, events are applied only to packets which have already been passed by the main filter and by the start and stop triggers. Associated with each event is a command which is executed whenever the event matches a packet. The substitutions listed below are applied to the command text, which is then executed asynchronously in a sub-shell.

%Sa IP address of packet source
%Sn Host name of packet source, or IP address if not known
%Sp Packet source port
%Ss Packet source service name, or port if not known
%Da IP address of packet destination
%Dn Host name of packet destination, or IP address if not known
%Dp Packet destination port
%Ds Packet destination service name, or port if not known
%i Decoded packet information field
%s Decoded packet size field
%[...] The text between the brackets is used as a strftime(3) format string and applied to the packet time
%t Microsecond part of packet time
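
The following is an added example, not code from the KSnuffle documentation or source: it expands the sequences above for a constructed packet record, and it shell-quotes each substituted value (a precaution of this example, since host names resolved from DNS and decoded fields arrive from the network and the result is handed to a sub-shell). The packet record, the field names and the launch helper are assumptions of this example.

```python
import shlex
import subprocess
from datetime import datetime

# Constructed sample packet record (example data, not a real capture).
PACKET = {
    "Sa": "192.0.2.10", "Sn": "client.example", "Sp": 51234, "Ss": "51234",
    "Da": "192.0.2.20", "Dn": "mailhost.example", "Dp": 23, "Ds": "telnet",
    "i": "S 1:1(0) win 512", "s": "60",
    "time": datetime(2001, 3, 4, 10, 30, 15), "t": 123456,
}

def expand(template, pkt, quote=True):
    """Expand the %-sequences of an event command from a packet record.

    %[...] hands the bracketed text to strftime on the packet time; %t is the
    microsecond part.  With quote=True every substituted value is shell-quoted,
    so a host name or decoded field containing shell metacharacters stays a
    single argument instead of changing the command that the sub-shell runs.
    """
    out, i, n = [], 0, len(template)
    while i < n:
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        nxt = template[i + 1] if i + 1 < n else ""
        if nxt == "[":                                   # %[strftime format]
            end = template.find("]", i + 2)
            if end < 0:
                raise ValueError("unterminated %[...] sequence")
            val, i = pkt["time"].strftime(template[i + 2:end]), end + 1
        elif nxt in ("S", "D") and template[i + 1:i + 3] in pkt:
            val, i = str(pkt[template[i + 1:i + 3]]), i + 3   # %Sa, %Dp, ...
        elif nxt in ("i", "s", "t"):
            val, i = str(pkt[nxt]), i + 2
        else:
            raise ValueError(f"unknown sequence at offset {i}: %{nxt}")
        out.append(shlex.quote(val) if quote else val)
    return "".join(out)

def launch(template, pkt):
    """Run the expanded command asynchronously in a sub-shell (assumed helper)."""
    return subprocess.Popen(["/bin/sh", "-c", expand(template, pkt)])
```

Keep each substitution a separate word in the template, as in the test below, so the quoting applied to a single field cannot collide with quotes you wrote yourself.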

Care should be exercised in the use of this facility, to prevent a potentially huge number of events. For instance, an event which eMails root each time a packet is sent to the telnet port on a particular machine is probably not sensible, as an eMail will be generated for every such packet. Better would be to execute the command only on a TCP/IP open packet; see the tcpdump(8) manual page for details.
