LINUX, SECURITY, TOOLS, CLI, NETWORK

Jomon a Network Forensic and Passive Sniffer Tool

Jomon is a tool for network forensics and passive network sniffing written in C . It doesn’t use libpcap (the standard packet capture library used in tools like Wireshark and tcpdump), which makes it lightweight and flexible for network analysis. It supports packet filtering in two ways:

  • by writing BPF assembly directly
  • by writing in a higher-level tcpdump syntax (very limited support at the moment).

Jomon Ping Example Screenshot

Install on Ubuntu 22.04

Perquisite

I had to install a few missing dependencies on my system to build and compile Jomon.

  • libcurses - Provide the libraries to build text-based UIs in the terminal.
    • sudo apt-get install libncurses5-dev libncursesw5-dev
  • libgeoip - Allows the software to perform IP geolocation.
    • sudo apt-get -y install libgeoip-dev
  • re2c - Generates efficient C code for parsing, which can be used for packet analysis, protocol decoding, or other text-processing functions.
    • sudo apt-get -y install re2c
GeoIP database

The GeoIP databases from MaxMind are optional, but I’ve already used them, so I thought I’d build Jomon with GeoIP. I’ve already got a Maxmind account where I downloaded the GeoIP Lite databases a while back, but it looks like only the newer MMDB database files are available now. Fortunately, there’s a tool that can convert CSV files, which you can download from MaxMind, to the GeoIP legacy DAT db format.

You’ll need to store the .dat files in this directory: /usr/share/GeoIP/.

Build and Install

  • Go to your source files directory, e.g.:
    cd ~/src
  • Download Git repository:
    git clone https://github.com/jo-lund/jomon.git
  • Build:
    cd jomon
    ./configure
    make
    sudo make install

The make install command will place the compiled jomon binary in /usr/local/bin/. You can check this with which jomon.

Usage

Basic Key Commands

  • Basic sniffing on an interface:
    jomon -i eth0
  • Capture specific traffic (e.g., TCP only):
    jomon -i eth0 -f "tcp"
  • Read a pcap file for forensic analysis:
    jomon -r capture.pcap
  • Use BPF filter in capture:
    jomon -i eth0 -f "ip[0] & 0xf != 5"

Filters

One of the key things about Jomon is that it lets you filter network traffic really effectively using Berkeley Packet Filters (BPF). This means you can capture or display only the packets you’re interested in, which cuts down on the amount of data you have to analyse. You can use high-level BPF syntax for both capture and display filtering.

Capture filters

These are used to restrict the packets that are actually captured from the network. If a packet doesn’t match the capture filter, it’ll be ignored and not stored or analysed. You can set capture filters using the -f option in Jomon’s command line. Or you can load more complex assembly filters from a file using the -F option.

  • Example for capturing IPv4 packets with options
    jomon -f "ip[0] & 0xf != 5"

Filter explanation:

  • ip[0]: Refers to the first byte of the IP header.
  • & 0xf: This extracts the last 4 bits of the first byte, which corresponds to the IP header length.
  • != 5: This means we are capturing packets where the header length is not equal to 5 (i.e. packets with options because a standard IPv4 header has a length of 5).
    This is useful for detecting IPv4 packets that have additional options set.
Display filters

These are added after packets have been captured to help you control what you see in the output. They don’t affect what’s captured, but they just filter what you can see in the Jomon ncurses interface. You can use these filters by pressing F9 or by using the e command.

  • Start Jomon with jomon
  • Use the display filter with F9
  • Set filter to ip[0] & 0xf != 5

Examples

Sniffer
  • Basic Usage for Sniffing:
    • To start capturing traffic on a specific network interface use the -i option:
      jomon -i eth0
    • You can use the display filter in the ncurses UI and filter traffic visually by pressing F9 to enter display filters.
  • Capture without Promiscuous Mode:
    • By default, Jomon puts the network interface into promiscuous mode, meaning it captures all traffic passing through the network interface, even if it’s not addressed to your machine.
    • If you want to capture only traffic addressed to your machine, use the -p option:
      jomon -i eth0 -p
  • Specifying Buffer Size:
    • You can adjust the capture buffer size (in KiB) using the -b option to avoid missing packets on high-traffic networks
    • This sets an 8MB buffer for capturing traffic:
      jomon -i eth0 -b 8192
  • Filtering Traffic During Capture:
    • You can specify a tcpdump-style filter (very limited support at the moment) with the -f option to capture only specific traffic, such as all TCP packets:
      jomon -i eth0 -f "tcp"
  • Capture Only UDP Packets with a Specific Source Port
    • e.g 53 for DNS
      jomon -i eth0 -f "udp[0:2] = 53"
      • udp[0:2] means that we are interested in the first two bytes of the UDP header.
      • = 53 is checking whether the value of the two bytes being examined is equal to 53.
      • In the context of UDP, port numbers are typically represented in a 16-bit (2-byte) field
  • Capture Only TCP Packets with a Specific Destination Port
    • e.g., 80 for HTTP
      jomon -i eth0 -f "tcp[2:2] = 80"
  • Capture ICMP Echo Requests
    • ICMP echo requests are used for pinging. This filter captures only ICMP echo request packets:
      jomon -i eth0 -f "icmp[0] = 8"
      • icmp[0] refers to the ICMP type field.
      • 8 is the value for ICMP echo requests.
Network Forensics
  • Reading and Analyzing a pcap File:
    • If you have a previously captured file (in pcap format), you can load it into Jomon for analysis:
      jomon -r capture.pcap
    • This replays and analyzes the traffic captured in the file.
  • Applying Filters for Forensics:
    • You can apply BPF filters to focus on specific traffic patterns or suspicious behavior.
    • For example, to filter for packets with non-standard IPv4 options:
      jomon -f "ip[0] & 0xf != 5" -r capture.pcap
    • Another example, to filter IPv4 packets with a specific TTL (Time-To-Live) value (e.g. 64)
      jomon -f "ip[8] = 64" -r capture.pcap
    • Last example, to filter traffic from a specific MAC address (e.g. 00:11:22:33:44:55)
      jomon -f "ether[6:6] = 0x001122334455" -r capture.pcap
  • Dump Filter as BPF Assembly:
    • If you’re more advanced and want to see how the filter works at the assembly level, you can use the -d option to dump the filter as BPF assembly code:
      jomon -d -f "tcp"