Packet-o-matic wiki
This wiki contains information about the old version of packet-o-matic as well as the new version, called pom-ng.
Packet-o-matic NG
Packet-o-matic NG, aka pom-ng, is the new generation of packet-o-matic. It is a complete rewrite of the previous version with an improved architectural design and improved packet processing. Notable new features are multi-input support and multi-threaded processing.
General
- Installation : Step by step installation procedure
- Getting started : Beginner's guide to pom-ng
- Core : Documentation of pom-ng's core, including command line parameters and global parameters
- Events : List of all events that can be generated
- Lua : Lua API documentation
- Features wishlist : List of features that need to be implemented
Modules
Here is a list of available modules.
Input
- dvb_c : Read MPEG-TS packets from a DVB-C card aka digital TV card
- dvb_device : Read MPEG-TS packets from a DVB device, used only for specific cards with proprietary drivers
- dvb_s : Read MPEG-TS packets from a DVB-S device aka satellite card
- kismet_drone : Connect to a Kismet drone.
- pcap_dir : Read packets from pcap files in a directory
- pcap_file : Read packets from a pcap file
- pcap_interface : Read packets from a network card
Output
Protocol
- 80211 : Parse 802.11 aka wireless frames
- arp : Parse ARP packets
- dns : Parse DNS packets
- docsis : Parse DOCSIS (cable modem) packets
- docsis_mgmt : Parse DOCSIS management packets
- ethernet : Parse ethernet frames
- gre : Parse GRE packets
- http : Parse the HTTP protocol
- icmp : Parse ICMP packets
- icmp6 : Parse ICMPv6 packets
- ipv4 : Parse IP (version 4) packets
- ipv6 : Parse IPv6 packets
- mpeg_dvb_mpe : Parse DVB MPE (Multi Protocol Encapsulation) packets found in MPEG traffic
- mpeg_sect : Parse MPEG section packets
- mpeg_ts : Parse MPEG-TS packets as defined in ISO/IEC 13818-1 or ITU-T Rec. H.222.0
- ppp : Parse PPP packets
- ppp_chap : Parse PPP-CHAP packets
- ppp_pap : Parse PPP-PAP packets
- pppoe : Parse PPPoE packets
- radiotap : Parse radiotap packets used for encapsulating wireless (802.11) frames
- smtp : Parse the SMTP protocol
- tcp : Parse TCP packets
- tftp : Parse TFTP packets
- udp : Parse UDP datagrams
- vlan : Parse VLAN aka 802.1q packets
Analyzer
- arp : Analyze ARP packets
- dns : Analyze DNS packets
- docsis : Analyze DOCSIS packets
- gif : Analyze GIF images
- http : Analyze HTTP connections
- http_post : Analyze HTTP POST payloads (form-urlencoded)
- jpeg : Analyze JPEG images
- multipart : Analyze MIME multipart payloads
- png : Analyze PNG images
- ppp_chap : Analyze PPP-CHAP events
- ppp_pap : Analyze PPP-PAP events
- rfc822 : Analyze RFC822 messages
- smtp : Analyze SMTP connections
- tftp : Analyze TFTP packets
Datastore
Packet-o-matic (old version)
The information below applies only to the old version, called “packet-o-matic”, and not to pom-ng!
General
- Installation : All you need to know to install packet-o-matic
- Getting started : Quick steps to have it up and running
- Command reference : All the commands explained
- Rules syntax : Explains the rules syntax
- Tips and tricks : Some useful things to know
- Configuration examples : Some configuration examples
- XML-RPC interface : Documentation of the XML-RPC interface
- Datastore usage and configuration : Documents how the datastore works
- DVB/ATSC cards : List of DVB/ATSC cards which were tested
Modules
Input modules
The input modules capture packets and hand them over for processing. The following inputs are currently implemented:
Target
The target modules process the packets and produce the desired output. The following targets are currently implemented:
- display : Show packet information
- dump_payload : Dump raw connection payload into separate files
- http : Dump content or log HTTP connections
- inject : Reinject packets on an interface
- irc : Dump IRC connection into separate files with irssi-like log format
- msn : Dump MSN conversations and various files
- null : Does nothing, used for debugging
- pcap : Save packets into pcap files usable, for example, by tcpdump and Wireshark
- pop : Dump emails and login information from POP3 connections
- rtp : Dump VoIP traffic (RTP streams) into wave files
- tap : Create a virtual interface and send all the packets to it
- tcpkill : Send TCP RST packets to kill TCP connections
- tftp : Dump tftp traffic into files
Match
The match modules identify the packet content and match fields in the packet headers. The following match modules are currently implemented:
- 80211 : Match wireless 802.11 frames
- docsis : Match DOCSIS frames
- docsis_mgmt : Match DOCSIS management frames
- ethernet : Match ethernet frames
- icmp : Match ICMP packets
- icmpv6 : Match ICMPv6 packets
- ipv4 : Match IPv4 packets commonly known as IP
- ipv6 : Match IPv6 packets, the next generation of the IP protocol
- linux_cooked : Match linux_cooked frames that are produced when sniffing special interfaces like PPP interfaces
- ppi : Match PPI headers (CACE wireless headers)
- ppp : Match PPP packets
- pppoe : Match PPP over Ethernet (PPPoE) packets
- prism : Match prism2/AVS wireless headers
- radiotap : Match radiotap wireless headers
- rtp : Match RTP packets used in VoIP for both voice and video
- tcp : Match TCP segments
- undefined : Used internally to specify that the next layer has an unknown type
- udp : Match UDP datagrams
- vlan : Match 802.1Q frames aka VLAN frames
Helper
The helper modules are useful, and sometimes mandatory, for reassembling certain streams. The following helper modules are implemented:
- docsis : Allow dynamic resizing of the payload in DOCSIS headers
- ipv4 : Reassemble IPv4 fragments into a single packet
- ipv6 : Allow dynamic resizing of the payload in IPv6 headers
- pppoe : Allow dynamic resizing of the payload in PPPoE packets
- rtp : Perform RTP reordering
- tcp : Perform TCP reassembly and reordering
Connection tracking
The connection tracking modules (aka conntrack) identify which connection a packet belongs to, store information about that connection, and retrieve it later.