Skip to content

jo-lund/jomon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1,147 Commits
bpf
bpf
 
 
bsd
bsd
 
 
compat
compat
 
 
decoder
decoder
 
 
linux
linux
 
 
scripts
scripts
 
 
tests
tests
 
 
ui
ui
 
 
.gitignore
.gitignore
 
 
BUGS
BUGS
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
alloc.h
alloc.h
 
 
attributes.h
attributes.h
 
 
configure
configure
 
 
debug.c
debug.c
 
 
debug.h
debug.h
 
 
error.c
error.c
 
 
error.h
error.h
 
 
file.c
file.c
 
 
file.h
file.h
 
 
geoip.c
geoip.c
 
 
geoip.h
geoip.h
 
 
hash.h
hash.h
 
 
hashmap.c
hashmap.c
 
 
hashmap.h
hashmap.h
 
 
interface.c
interface.c
 
 
interface.h
interface.h
 
 
jomon.h
jomon.h
 
 
list.c
list.c
 
 
list.h
list.h
 
 
main.c
main.c
 
 
mempool.c
mempool.c
 
 
mempool.h
mempool.h
 
 
misc.h
misc.h
 
 
process.h
process.h
 
 
queue.h
queue.h
 
 
rbtree.c
rbtree.c
 
 
rbtree.h
rbtree.h
 
 
ringbuffer.c
ringbuffer.c
 
 
ringbuffer.h
ringbuffer.h
 
 
signal.c
signal.c
 
 
signal.h
signal.h
 
 
stack.c
stack.c
 
 
stack.h
stack.h
 
 
string.c
string.c
 
 
string.h
string.h
 
 
system_information.h
system_information.h
 
 
terminal.c
terminal.c
 
 
terminal.h
terminal.h
 
 
timer.c
timer.c
 
 
timer.h
timer.h
 
 
util.c
util.c
 
 
util.h
util.h
 
 
vector.c
vector.c
 
 
vector.h
vector.h
 
 
wrapper.h
wrapper.h
 
 

Repository files navigation

Jomon

Screenshot

Jomon is a network forensics and passive sniffer tool. It monitors all incoming/outgoing network traffic, without the use of libpcap, and the processes that are generating this traffic.

It supports packet filtering by writing BPF assembly directly or writing in a higher level tcpdump syntax (tcpdump syntax has very limited support for now).

It uses a minimal set of libraries, libncurses for the UI and libGeoIP for geolocation (optional). The BPF scanner/lexical analyzer is made with the help of re2c.

BPF

To for example catch all IPv4 packets with options, you can write

ip[0] & 0xf != 5

This works both as a display filter (use e or F9 in the ncurses ui) and capture filter (with the -f option on the command line). The equivalent assembly

    ldh    [12]
    jeq    #0x800, L1, L3
L1: ldb    [14]
    and    #0xf
    jeq    #0x5, L3, L2
L2: ret    #-1
L3: ret    #0

can only be specified as a capture filter and read from file with the -F option on the command line.

Build and installation

$ ./configure
$ make
$ make install

In order to use the GeoIP databases from MaxMind you need to download them yourself. On Arch Linux the free databases are in the geoip-database and geoip-database-extra packages.

To disable libGeoIP

$ ./configure --disable-geoip

Display help

$ ./configure --help

Arch Linux

To install on Arch Linux

$ pacman -S jomon

FreeBSD

Need to have bash and gmake to build on FreeBSD

Code style

This project uses K&R style

Screenshots

Main screen decoded view main-screen-dec

Main screen hexmode view main-screen-hex2

Connection list connection-list

Process view process2

Follow stream ascii mode ascii-mode

About

A network forensics and sniffer tool

Topics

linux freebsd pcap assembler sniffer tui ncurses network-analysis packet-capture bpf

Resources

Readme

License

MIT license
Activity

Stars

35 stars

Watchers

3 watching

Forks

3 forks
Report repository

Releases

8 tags

Packages

No packages published

Languages