This wiki contains informations about the old version of packet-o-matic as well as the new version called pom-ng.

Packet-o-matic NG aka pom-ng is the new generation of packet-o-matic. It is a complete rewrite based on the previous version with improved architectural design and packet processing. Notable new features are multi-input support and multi-thread processing.

• Installation : Step by step intstallation procedure
• Getting started : Beginner's guide to pom-ng
• Core : Documentation pom-ng's core including command line parameters and global parameters
• Events : List of all events that can be generated
• Lua : Lua API documentation
• Features wishlist : List of features that need to be implemented

Here is a list of available modules.

• dvb_c : Read MPEG-TS packets from a DVB-C card aka digital TV card
• dvb_device : Read MPEG-TS packets from a DVB device, used only for specific cards with proprietary drivers
• dvb_s : Read MPEG-TS packets from a DVB-S device aka satellite card
• kismet_drone : Connect to a Kismet drone.
• pcap_dir : Read packets from pcap files in a directory
• pcap_file : Read packets from a pcap file
• pcap_interface : Read packets from a network card

• file : Save parsed payloads into files
• log_txt : Save events into plain text files according a template
• log_xml : Save events into XML files
• pcap_file : Save packets into pcap files
• tap : Dumps packets to a virtual tap interface

• 80211 : Parse 802.11 aka wireless frames
• arp : Parse ARP packets
• dns : Parse DNS packets
• docsis : Parse DOCSIS aka cable modems packets
• docsis_mgmt : Parse DOCSIS management packets
• ethernet : Parse ethernet frames
• gre : Parse GRE packets
• http : Parse the HTTP protocol
• icmp : Parse ICMP packets
• icmp6 : Parse ICMPv6 packets
• ipv4 : Parse IP (version 4) packets
• ipv6 : Parse IPv6 packets
• mpeg_dvb_mpe : Parse DVB MPE (Multi Protocol Encapsulation) packets found in MPEG traffic
• mpeg_sect : Parse MPEG section packets
• mpeg_ts : Parse MPEG-TS packets as defined in ISO/IEC 13818-1 or ITU-T Rec. H.222.0
• ppp : Parse PPP packets
• ppp_chap: Parse PPP-CHAP packets
• ppp_pap: Parse PPP-PAP packets
• pppoe : Parse PPPoE packets
• radiotap : Parse radiotap packets used for encapsulating wireless (802.11) frames
• smtp : Parse the SMTP protocol
• tcp : Parse TCP packets
• tftp : Parse TFTP packets
• udp : Parse UDP datagrams
• vlan : Parse VLAN aka 802.1q packets

• arp : Analyze ARP packets
• dns : Analyze DNS packets
• docsis : Analyze DOCSIS packets
• gif : Analyze GIF images
• http : Analyze HTTP connections
• http_post : Analyze HTTP POST payloads (form-urlencoded)
• jpeg : Analyze JPEG images
• multipart : Analyzer MIME multipart payloads
• png : Analyze PNG images
• ppp_chap : Analyze PPP-CHAP events
• ppp_pap: Analyze PPP-PAP events
• rfc822 : Analyzer RFC822 messages
• smtp : Analyze SMTP connections
• tftp : Analyze TFTP packets

• postgres : PostgreSQL backend
• sqlite : SQLite backend

The below is only applicable to the old version called “packet-o-matic” and not pom-ng !

• Installation : All you need to know to install packet-o-matic
• Getting started : Quick steps to have it up and running
• Command reference : All the commands explained
• Rules syntax : Explains the rules syntax
• Tips and tricks : Some useful things to know
• Configuration examples : Some configuration examples
• XML-RPC interface : Documentation of the XML-RPC interface
• Datastore usage and configuration : Document how datastore works
• DVB/ATSC cards : List of DVB/ATSC cards which were tested

The input modules are modules used to capture packets and process them. The following inputs are currently implemented :

• docsis : Read a DOCSIS stream from a DVB-C or ATSC card
• pcap : Read packets from a network card or pcap files

The target modules are modules used to process the packets and provide the desired output. The following targets are currently implemented :

• display : Show packet information
• dump_payload : Dump raw connection payload into separate files
• http : Dump content or log HTTP connections
• inject : Reinject packets on an interface
• irc : Dump IRC connection into separate files with irssi-like log format
• msn : Dump MSN conversations and various files
• null : Does nothing, used for debugging
• pcap : Save packets into pcap files useable for example by tcpdump and wireshark
• pop : Dump emails and login information from POP3 connections
• rtp : Dump VoIP traffic (RTP streams) into wave files
• tap : Create a virtual interface and send all the packets to it
• tcpkill : Send TCP RST packets to kill TCP connections
• tftp : Dump tftp traffic into files

The match modules are modules used to identify the packets content and match fields in their headers. The following match are currently implemented :

• 80211 : Match wireless 802.11 frames
• docsis : Match DOCSIS frames
• docsis_mgmt : Match DOCSIS management frames
• ethernet : Match ethernet frames
• icmp : Match ICMP packets
• icmpv6 : Match ICMPv6 packets
• ipv4 : Match IPv4 packets commonly known as IP
• ipv6 : Match IPv6 packets, the next generation of the IP protocol
• linux_cooked : Match linux_cooked frames that are produced when sniffing special interfaces like PPP interfaces
• ppi : Match PPI headers (CACE wireless headers)
• ppp : Match PPP packets
• pppoe : Match PPP over Ethernet (PPPoE) packets
• prism : Match prism2/AVS wireless headers
• radiotap : Match radiotap wireless headers
• rtp : Match RTP packets used in VoIP for both voice and video
• tcp : Match TCP segments
• undefined : Used internally to specify that the next layer has an unknown type
• udp : Match UDP datagrams
• vlan : Match 802.1Q frames aka VLAN frames

The helper modules are useful and sometimes mandatory to reassemble some streams. The following helper modules are implemented :

• docsis : Allow dynamic resizing of the payload in DOCSIS headers
• ipv4 : Reassemble IPv4 fragments into a single packet
• ipv6 : Allow dynamic resizing of the payload in IPv6 headers
• pppoe : Allow dynamic resizing of the payload in PPPoE packets
• rtp : Perform RTP reordering
• tcp : Perform TCP reassembly and reordering

The connection tracking modules (aka conntrack) are used to identify to what connection a packet belongs and to store informations about this connection and retrieve them later.

• ipv4 : Track IPv4 connections
• ipv6 : Track IPv6 connections
• rtp : Track RTP connections
• udp : Track UDP connections
• tcp : Track TCP connections

The datastore modules allow targets to save data in databases.

• mysql : Handle MySQL databases
• postgres : Handle PostgreSQL databases
• sqlite : Handle SQLite databases