Jomon is a network forensics tool and passive sniffer. It monitors all incoming and outgoing network traffic without using libpcap, and shows which processes are generating that traffic.
Packets can be filtered either by writing BPF assembly directly or by using the higher-level tcpdump filter syntax (tcpdump syntax support is very limited for now).
It uses a minimal set of libraries: libncurses for the UI and, optionally, libGeoIP for geolocation. The BPF scanner (lexical analyzer) is generated with re2c.
For example, to catch all IPv4 packets that carry IP options (i.e. whose header length field is not the minimum of 5 32-bit words), you can write
ip[0] & 0xf != 5
This works both as a display filter (press e or F9 in the ncurses UI) and as a capture filter (with the -f option on the command line). The equivalent assembly
ldh [12]
jeq #0x800, L1, L3
L1: ldb [14]
and #0xf
jeq #0x5, L3, L2
L2: ret #-1
L3: ret #0
can only be used as a capture filter, read from a file with the -F option on the command line.
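To see exactly what the assembly program above decides for a given frame, here is an added example (not Jomon's own code) in the form of a minimal interpreter for the five classic-BPF instructions the program uses (ldh, ldb, and, jeq, ret). It runs the program over constructed Ethernet/IPv4 frames and, beside it, evaluates the high-level expression `ip[0] & 0xf != 5` directly, so the two can be compared. The labels L1, L2 and L3 are resolved by hand to absolute instruction indices (a real assembler encodes relative jump offsets); the frames and the `make_frame`, `asm_accepts` and `expr_accepts` helpers are inventions of this example.

```c
/* Added example, not part of Jomon: a tiny classic-BPF interpreter for the
 * README program, run over constructed frames. Labels are hand-resolved. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OP_LDH, OP_LDB, OP_AND, OP_JEQ, OP_RET };

struct insn {
    uint8_t  op;
    uint8_t  jt, jf;   /* absolute targets for OP_JEQ (true / false) */
    uint32_t k;        /* packet offset, immediate, or return value  */
};

/* The README program, one entry per assembly line. L1 = 2, L2 = 5, L3 = 6. */
static const struct insn prog[] = {
    { OP_LDH, 0, 0, 12 },         /*     ldh [12]           A = ethertype       */
    { OP_JEQ, 2, 6, 0x0800 },     /*     jeq #0x800, L1, L3                    */
    { OP_LDB, 0, 0, 14 },         /* L1: ldb [14]           A = version/IHL     */
    { OP_AND, 0, 0, 0xf },        /*     and #0xf           A = IHL (words)     */
    { OP_JEQ, 6, 5, 0x5 },        /*     jeq #0x5, L3, L2                      */
    { OP_RET, 0, 0, 0xffffffff }, /* L2: ret #-1            accept whole packet */
    { OP_RET, 0, 0, 0 },          /* L3: ret #0             drop                */
};
#define PROG_LEN (sizeof prog / sizeof prog[0])

/* Execute a program over one packet. Returns the number of bytes to keep
 * (0 = drop). A load past the end of the packet drops it, as the kernel does. */
uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *i = &p[pc];
        switch (i->op) {
        case OP_LDH:
            if ((size_t)i->k + 2 > len) return 0;
            acc = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            pc++;
            break;
        case OP_LDB:
            if ((size_t)i->k + 1 > len) return 0;
            acc = pkt[i->k];
            pc++;
            break;
        case OP_AND:
            acc &= i->k;
            pc++;
            break;
        case OP_JEQ:
            pc = (acc == i->k) ? i->jt : i->jf;
            break;
        case OP_RET:
            return i->k;
        }
    }
    return 0; /* ran off the end of the program: drop */
}

/* Constructed frame: Ethernet header with the given type, then an IPv4 header
 * with the given IHL (header length in 32-bit words) and all other fields zero. */
static size_t make_frame(uint8_t *buf, size_t cap, uint16_t ethertype, uint8_t ihl)
{
    size_t len = 14 + (size_t)ihl * 4;
    if (len > cap) len = cap;
    memset(buf, 0, cap);
    buf[12] = ethertype >> 8;
    buf[13] = ethertype & 0xff;
    buf[14] = 0x40 | (ihl & 0xf);   /* version 4, IHL */
    return len;
}

/* 1 if the assembly program accepts the frame, 0 if it drops it. */
int asm_accepts(uint16_t ethertype, uint8_t ihl)
{
    uint8_t buf[14 + 60];
    size_t len = make_frame(buf, sizeof buf, ethertype, ihl);
    return bpf_run(prog, PROG_LEN, buf, len) != 0;
}

/* The same decision written directly: what "ip[0] & 0xf != 5" means. */
int expr_accepts(uint16_t ethertype, uint8_t ihl)
{
    uint8_t buf[14 + 60];
    size_t len = make_frame(buf, sizeof buf, ethertype, ihl);
    return len > 14 && ethertype == 0x0800 && (buf[14] & 0xf) != 5;
}

int main(void)
{
    printf("IPv4, IHL=5 (no options): %s\n", asm_accepts(0x0800, 5) ? "accept" : "drop");
    printf("IPv4, IHL=6 (options):    %s\n", asm_accepts(0x0800, 6) ? "accept" : "drop");
    printf("IPv6:                     %s\n", asm_accepts(0x86dd, 5) ? "accept" : "drop");
    return 0;
}
```

Note that the first branch (`jeq #0x800`) is what keeps `ldb [14]` from being interpreted as an IP header on non-IPv4 frames, and that a truncated frame shorter than 15 bytes is dropped by the bounds check rather than read out of range; both are behaviours a capture filter has to get right before it ever looks at the IHL.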
To build and install from source
$ ./configure
$ make
$ make install
In order to use the GeoIP databases from MaxMind you need to download them yourself. On Arch Linux the free databases are in the geoip-database and geoip-database-extra packages.
To disable libGeoIP
$ ./configure --disable-geoip
Display help
$ ./configure --help
To install on Arch Linux
$ pacman -S jomon
bash and gmake are required to build on FreeBSD.
This project uses K&R style.