##########################################<BR>
AIM Sniff Copyright (C) 2002 Shawn Grimes<BR>
##########################################<BR>
<BR>
**********************************************<BR>
Disclaimer: I provide this software as a public service to experienced<BR>
systems administrators who wish to protect their users from harassment<BR>
while using AIM and to demonstrate the need for encryption in instant <BR>
messenging programs.<BR>
**********************************************<BR>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<BR>
IMPORTANT NOTE:  Version 0.4 requires a different table structure<BR>
than earlier versions.  Be sure to check check the changes in table.struct<BR>
if you were the one person who tried one of the early versions.<BR>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<BR>
<BR>
1. License Information<BR>
2. Program Description<BR>
3. Sample Config File<BR>
4. Dependencies<BR>
5. Installation Procedure<BR>
<BR>
##########<BR>
1. License Information<BR>
##########<BR>
This program is free software; you can redistribute it and/or modify it under <BR>
the terms of the GNU General Public License as published by the Free Software <BR>
Foundation; version 2 of the License.<BR>
This program is distributed in the hope that it will be useful, but WITHOUT ANY <BR>
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A<BR>
PARTICULAR PURPOSE. See the GNU General Public License for more details.<BR>
You should have received a copy of the GNU General Public License along with <BR>
this program; if not, write to the: <BR>
	Free Software Foundation, Inc.<BR>
	59 Temple Place, Suite 330<BR>
	Boston, MA 02111-1307 USA<BR>
<BR>
You may also contact me directly with any questions at: <BR>
grimessh@users.sourceforge.net<BR>
<BR>
##########<BR>
2.  Program Description<BR>
##########<BR>
AIM Sniff is a utility for monitoring and archiving AOL Instant Messenger <BR>
messages across a network.  You can either do a live dump (actively sniff the <BR>
network) or read a PCAP file and parse the file for IM messages.  You also have<BR>
the option of dumping the information to a MySQL database or STDOUT. <BR>
<BR>
Also part of AIM Sniff is smbInfo.pl which is used to match IM handles with NT <BR>
domain user names.  This portion of the project is probably still a bit buggy <BR>
or lacking error checking.<BR>
<BR>
Another part of AIM Sniff will be a web page front end to view and generate <BR>
reports of captured AIM conversations.  This will include the ability to see <BR>
all conversations from an IP address, AIM handle, NT Username, conversations <BR>
between certain time periods.  It will allow administrators to see how often <BR>
users are chatting to monitor for abuse.  You can also use AIM Sniff to monitor<BR>
for cases of harassment or warez trading.<BR>
<BR>
SWITCHES:<BR>
-C=filename <-Get AIM Sniff options from a config file<BR>
-r=filename <-Read a PCAP file instead of doing a live capture<BR>
-c=integer <-The number of packets to read before quitting<BR>
-d=dev <-The device to capture packets from<BR>
-f='filter string' <-String to filter on enclosed in single quotes<BR>
(DEFAULT: 'tcp and port 5190') -- Should only have to be specified if you think AIM is running on a different port<BR>
-p <-Place the device into promiscuous mode<BR>
-to=integer <-Read timeout in ms<BR>
--SMB <-Turn SMB lookups 'on' to get NT domain usernames with AIM logins, Off by defaul<BR>
--nodb <-Do not dump to a DB, only dump to STDOUT<BR>
--quiet <-Do not print anything but errors to STDOUT <BR>
--getHandles <-Do not do anything with PCAP but populate the fromHandle field in the logs table (Can be used with -C above)<BR>
<BR>
<BR>
##########<BR>
3.  Sample Config File<BR>
##########<BR>
dumpfile=/home/aimsniff/aim.dump<BR>
packetCount=10<BR>
dev=eth0<BR>
filter='tcp and port 5190'<BR>
promisc=1<BR>
timeout=1000<BR>
SMB=1<BR>
nodb=1<BR>
quiet=1<BR>
host=mysql.server.com<BR>
user=aimuser<BR>
password=password<BR>
<BR>
<BR>
<BR>
##########<BR>
4.  Dependencies<BR>
##########<BR>
Requires Samba to perform SMB lookup features.<BR>
<BR>
Requires the following perl modules:<BR>
Net::Pcap<BR>
NetPacket::Ethernet<BR>
NetPacket::IP<BR>
NetPacket::TCP<BR>
Unicode::String<BR>
DBI<BR>
DBD::mysql<BR>
<BR>
<BR>
##########<BR>
5.  Installation Procedure<BR>
##########<BR>
First, install the above dependencies and run 'aimSniff.pl --nodb' to make sure <BR>
you have all the necessary dependencies.<BR>
<BR>
If you plan to use the database dump feature, you'll have to load the table.struct <BR>
file into mysql.  To do this run the following command 'mysql < table.struct'.  This<BR>
will create a database named "aim" with all the right tables.<BR>
Now you can create a user that has rights to this database by running mysql and<BR>
issuing:<BR>
'GRANT ALL ON aim.* TO username@hostname IDENTIFIED BY 'password';'<BR>
For more info on granting access to a user see the MySQL documentation.<BR>
<BR>
After all this, you should modify the aimsniff.pl file to reflect your database <BR>
information edit the config file.  <BR>
<BR>
You can run 'aimsniff.pl -h' to see a list of switches and options.<BR>
<BR>
<BR>
I've updated the web frontend considerably in this version but I haven't really <BR>
packaged it for easy installation but let me try to explain how to install it:<BR>
First copy aimsniff.cgi to your cgi-bin directory:<BR>
'cp ./aimsniff.cgi /home/httpd/cgi-bin/'<BR>
Make it executable:<BR>
'chmod 755 /home/httpd/cgi-bin/'<BR>
Now copy the images to some location accessible by your website:<BR>
'cp ./*.gif /home/httpd/html/aimsniff/'<BR>
Now edit the aimsniff.cgi file to reflect where you put the files and the info <BR>
for your MySQL db.<BR>
<BR>
Hopefully that will do it, I'm working on the web stuff and I'm not as fluent in<BR>
*nix web development as I would like so please bear with me.<BR>

<BR>
Enjoy and happy sniffing.<BR>