Interface
The interface of Network Utilities, main features.

The result of each utility can be copied to the clipboard. To do this, use a long click and select the required option in the context menu.

Any address obtained with the network scanners (IP Discover and Subnet scanner) can be pasted into the address text fields of the other tools. Just long-press until the list pops up.

Network Utilities allows you to work in multiple tabs simultaneously (even all of them at the same time), and you may rotate the device, open dialogs with supporting tools and so on. For example, start the sniffer, work in any other tab, and then return to the sniffer tab to view the resulting dumps.

In some utilities (Sniffer, for example), individual fields can be hidden in portrait mode to save space on the display. These "missing" fields appear in landscape mode (after the screen is rotated).

Some tools (IP calculator, DNS Lookup, Whois) are located in dialogs, which can be opened from the action bar.

In some utilities, the text fields are located on a panel, which can be hidden using the button in the bottom left corner.

The color scheme of the interface can be changed. The theme option is located in the settings.

IP Discover
The program displays all hosts in the network, along with information about these hosts. Description of some options available in the configuration dialog:

"Mode" sets the operating mode.

"Loops" means the number of passes (a value greater than 1 increases the likelihood of displaying all hosts, but also increases the operating time).

"Name timeout" - how long to wait for a response from the name service.

"Reach timeout" - timeout for reaching the hosts (used only in the 'Read arp' mode). Some devices may not respond to the first ARP request, so increasing the value of this parameter can improve the scan results, but will increase the time of reaching.

IP range scanner
A scanner with a selectable range of addresses. It can be used to search for hosts outside the network to which the device is connected.

To launch a scan you need to enter the IP range. The other fields are not mandatory.

You can enter a list of ports for the scan, separating them with spaces. Example: 22 23 53 80

It is possible to filter by ports. For example, if you want to find a web server in the network, enter the IP range and port 80, and set the "with open ports" filter.

Netstat
A program for viewing sockets and information about active connections. It can also be launched to watch connections in real time.

Ping
The program checks the availability of the target host and the speed of packet transfer to the target host.

Traceroute
This tool lets you view the route to the target host. You can set the max TTL and the timeout between sending echo requests.

Port scanner
Port scanner. Used to scan ports.

The allowed range of ports for a scan is 1-65535.

You can leave the port number fields empty to use the "Smart scan" function. In this case the program checks the registered ports only (~1200 ports).

UDP scan is available in "Root mode". It is recommended to check a small range (1-5 ports) when using UDP scan. The Smart scan function is unavailable in "UDP" mode.

Sniffer
Sniffer. Intended for capturing dumps of packets going through the specified network interface and for their subsequent study.

The program lets you view the contents of each dump using the integrated HEX viewer (just click on the appropriate item in the list).

Sniffer can save and open pcap files. The saved pcap files can be opened with other network analyzers. You can find them in the path
/sdcard/Android/data/com.myprog.netutils/sniffer/pcap

In the sniffer settings you can switch between the wi-fi and mobile modes. Please note that mobile traffic is captured at the network layer (without an ethernet header), so a "fake" ethernet header (the first 14 bytes) is inserted at the beginning of each dump. This is needed for the pcap save and open functions to work correctly.
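
A reader for such files in Python, as an added example that is not part of the app: it walks a classic pcap file and drops the first 14 bytes of each record to recover the network-layer packet. The sample capture is constructed, and link type 1 (Ethernet) and the placeholder's contents (zero MAC addresses, EtherType 0x0800) are assumptions.

```python
import struct

FAKE_ETH_LEN = 14   # placeholder Ethernet header prepended in mobile mode

def make_pcap(frames, linktype=1):
    """Constructed sample: a classic little-endian pcap file built in memory."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def ip_packets(pcap_bytes):
    """Yield each record's network-layer packet, i.e. the record without its
    first 14 bytes. Raises ValueError on anything that is not Ethernet pcap."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if order is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(order + "I", pcap_bytes[20:24])
    if linktype != 1:                       # 1 = LINKTYPE_ETHERNET (assumed)
        raise ValueError("link type is not Ethernet")
    pos = 24
    while pos < len(pcap_bytes):
        header = pcap_bytes[pos:pos + 16]
        if len(header) < 16:
            raise ValueError("truncated record header")
        _sec, _usec, caplen, _origlen = struct.unpack(order + "IIII", header)
        record = pcap_bytes[pos + 16:pos + 16 + caplen]
        if len(record) < caplen:
            raise ValueError("truncated record data")
        pos += 16 + caplen
        if caplen > FAKE_ETH_LEN:           # skip records with no payload
            yield record[FAKE_ETH_LEN:]

if __name__ == "__main__":
    fake_eth = bytes(12) + b"\x08\x00"      # assumed placeholder contents
    ipv4 = bytes([0x45]) + bytes(19)        # constructed 20-byte IPv4 header
    for packet in ip_packets(make_pcap([fake_eth + ipv4])):
        print(len(packet), hex(packet[0]))
```

MAC addresses shown by another analyzer for a mobile-mode capture come from this placeholder and carry no information about the link.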

'Buff size' option allows you to specify the size of the buffer (or remove the restriction). Upon reaching the specified size, the sniffer stops automatically.

In the filter dialog you can build filters or use the BPF editor to create your own code (see the BPF compiler section to learn more about BPF). Using the standard (GUI) filters you can filter packets by protocol, IP addresses, port numbers and raw text. In the text fields you can specify a list of numbers, separated by spaces, and also specify ranges, separating the values with the symbol '-'.

When using Mobile mode you cannot change the default value in the "ETH proto" field of the filter dialog, because otherwise the filter will not work (NOTE: in mobile mode the sniffer intercepts packets without an ethernet header).


BPF compiler
Simplified syntax ("src host xxxx dst port y" for example) is currently not supported. The supported recording format is described below.

Any condition is a comparison of two operands. An operand can be a value sampled from the packet, a numeric constant, or an arithmetic expression. The not/or/and operations can be applied to the results of comparisons. Complex logical expressions with brackets are possible (everything is identical to the C language standard).

Sampling a value from the packet (keywords and format):
ether[addr:size] - samples a value from the ethernet header
ip[addr:size] - samples a value from the IP header, with a check for the IP protocol
tcp[addr:size] - samples a value from the TCP header, with a check for the IP and TCP protocols
udp[addr:size] - samples a value from the UDP header, with a check for the IP and UDP protocols
icmp[addr:size] - samples a value from the ICMP header, with a check for the IP and ICMP protocols
raw[addr:size] - samples a value from the header that follows the IP header, with a check for the IP protocol only.
Where:
addr - numeric constant that sets the offset.
size - numeric constant that sets the number of bytes to sample. Available values - 1, 2, 4

For example, sampling the sender IP looks like this:
ip[12:4]
Sampling the sender port number:
udp[0:2] - for UDP, tcp[0:2] - for TCP, raw[0:2] if a check for the protocol is not required

Numeric constants are treated as decimal by default. A hex constant must have the 0x prefix (example: 0xa)

Logical operations:
&& and
|| or
! not

Comparison operations:
== if equal
!= if not equal
< if less
> if greater
>= if greater or equal
<= if less or equal

Arithmetic operations:
- sub
+ add
* mul
/ div
| or
& and
<< shl
>> shr

Some examples:

ip[16:4]==0xc0a80101 && (udp[2:2] >= 1 && udp[2:2] <= 1024 || tcp[2:2] >= 1 && tcp[2:2] <= 1024)
In this case the sniffer will intercept all UDP and TCP packets with a destination port number of 1-1024 and destination IP 192.168.1.1

ip[16:4]&0xffffff00 == 0xc0a80100&& ip[12:4]&0xffffff00 == 0xc0a80100
Now the sniffer will display the packets whose sender and receiver are both in the 192.168.1.0 network with netmask 255.255.255.0

You can get more examples using the save option in the standard filters tab (on saving, the app creates a BPF source, which can be opened in the BPF editor)
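
The two filters above, worked through in Python against constructed frames (an added example, not code from the app; sample, build_frame and the filter function names are hypothetical). It assumes that a failed protocol check makes the comparison false and that a mask is applied before the comparison, as the description of the second filter implies.

```python
import struct

ETH_LEN = 14                                   # Ethernet header length
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}       # IPv4 protocol numbers

def sample(frame, layer, addr, size):
    """Value of layer[addr:size] (big-endian), or None when the layer's
    protocol check fails or the read runs past the end of the frame."""
    if layer not in ("ether", "ip", "raw", *PROTO) or size not in (1, 2, 4):
        raise ValueError("unknown keyword or size")
    base = 0
    if layer != "ether":
        if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
            return None                        # IP check: EtherType is not IPv4
        if layer in PROTO and frame[ETH_LEN + 9] != PROTO[layer]:
            return None                        # tcp/udp/icmp check failed
        base = ETH_LEN
        if layer != "ip":                      # these start after the IP header
            base += (frame[ETH_LEN] & 0x0F) * 4
    chunk = frame[base + addr:base + addr + size]
    return int.from_bytes(chunk, "big") if len(chunk) == size else None

def in_range(value, lo, hi):
    return value is not None and lo <= value <= hi

def filter_low_ports_to_host(frame):
    # ip[16:4]==0xc0a80101 && (udp[2:2] >= 1 && udp[2:2] <= 1024 || tcp[2:2] >= 1 && tcp[2:2] <= 1024)
    return sample(frame, "ip", 16, 4) == 0xC0A80101 and (
        in_range(sample(frame, "udp", 2, 2), 1, 1024)
        or in_range(sample(frame, "tcp", 2, 2), 1, 1024))

def filter_inside_subnet(frame):
    # ip[16:4]&0xffffff00 == 0xc0a80100 && ip[12:4]&0xffffff00 == 0xc0a80100
    src, dst = sample(frame, "ip", 12, 4), sample(frame, "ip", 16, 4)
    return (src is not None and dst is not None
            and (dst & 0xFFFFFF00) == 0xC0A80100
            and (src & 0xFFFFFF00) == 0xC0A80100)

def build_frame(src, dst, proto, sport, dport):
    """Constructed sample frame: Ethernet + 20-byte IPv4 + 8 bytes of L4 header."""
    l4 = struct.pack("!HHI", sport, dport, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                     proto, 0, bytes(src), bytes(dst))
    return bytes(12) + b"\x08\x00" + ip + l4

if __name__ == "__main__":
    web = build_frame([192, 168, 1, 50], [192, 168, 1, 1], 6, 40000, 80)
    dns = build_frame([192, 168, 1, 50], [8, 8, 8, 8], 17, 40000, 53)
    for name, frame in (("web", web), ("dns", dns)):
        print(name, filter_low_ports_to_host(frame), filter_inside_subnet(frame))
```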

Packet crafter
A utility for creating and sending arbitrary ethernet packets. It can be used for diagnostics and for studying network protocols. In conjunction with the sniffer, it can be used to simulate nearly any network utility (to a certain extent, of course).

The program allows you to configure and send (or save) a packet of an arbitrary protocol (built starting from the ethernet header). The configured packets are saved in pcap format, in the folder used by the packet sniffer (Sniffer). After using the save feature in packet crafter, you can go to the 'Sniffer' tab, open the corresponding file and explore the saved packet.

Before sending you must configure each header, starting with the ethernet header. The program automatically offers the "right values", and the most frequently changed fields are located at the top (IP address in the IP header, etc.). Even if you plan to send a packet with the default values in all the headers, before the first start (until the application is exited) you must open the configuration dialog for each header included in the packet and save the values.

ARP spoofer
ARP spoofer. Designed to redirect traffic. In this implementation it is quite a flexible program, with which you can:
1) Pass the traffic of the "victim" node through your device
2) Pass through your device not only the victim's traffic, but also the traffic coming from the gateway to the victim (tick MITM, which stands for Man in the middle)
3) Break Internet access on the victim's machine. You can disable routing (Forwarding) while the victim's traffic is passed through your device. MITM can also be used, so that the packets sent to the victim from the gateway are not let through either
Before using ARP spoofer, use IP list and/or ARP view to fill the address base. In ARP spoofer, tick the addresses of interest and click Spoof. By default you will impersonate the gateway, but you can manually enter the address on whose behalf you want to send ARP responses. To do this, enter the desired address in the Spoofing IP field.

DNS spoofer
DNS spoofer. Once you have used the ARP spoofer and passed the "victim's" traffic through your device, you can use DNS spoofer. The aim of this program is to intercept the victim's requests addressed to the DNS server and to answer them, on behalf of the DNS server, with an IP address that you specify (you can also specify the domain name). Before starting this tool, you need to create a table of domain names and corresponding addresses. If a query is for a name that does not exist in the table, the program returns the current address received from the real DNS server; if the name is in the table, the program returns the IP address that was specified. So, you can redirect the victim where you see fit.

HTTP Sniffer
HTTP sniffer. Designed to intercept HTTP traffic coming from the victim, including the ability to filter by Cookies. It is a small HTTP proxy which receives requests from the victim and displays GET and POST requests (the headers are displayed; you can view the contents by clicking on the desired item in the list), sends them to the server, receives a response, optionally changes it (in the case of SSL strip, https:// links are replaced with http://) and returns it to the victim. Used together with ARP spoofer.
You can substitute a page going to the victim: add this page for the domain of interest (Add page dialog) and tick Fake pages before running the sniffer.
JS Injection. You can inject your own JS code into an html page going to the "victim". To do this, tick JS injection and write your JS code in the dialog box that opens. You do not need to write the script tags; the program will insert them for you. Only the code is needed (for example, alert('hello');).
In addition, you can save a dump of the request/response in a pcap file (Save button). A new file is created each time, which you can find in the folder /sdcard/Android/data/com.myprog.netutils/http_sniffer/pcap/. Previously saved .pcap files can be opened using Open. Note that files created by the HTTP sniffer can be opened only by it (this does not apply to the packet sniffer).
You can send any request Count times, using the Send in function in the request viewer (menu -> Send in -> send).

Network Spoofer
Traffic spoofer. Used in conjunction with ARP Spoofer. At the moment it is possible to substitute an entire page, and to replace the images displayed on a page with arbitrary images. It is also possible to inject JS code into the page. When the domain filter is used, only pages/images requested from the server with the specified domain name are replaced.
"Intermediate" operations on requests and responses: besides the ready-made features, you can use your own programs/scripts to spoof traffic. To call them, activate the item "req scr" or "resp scr" and enter the command. When this item is active, Network spoofer writes the request/response to disk before sending it, at the path /sdcard/Android/data/com.myprog.netutils/network_spoofer/scr. The request file is named request and the response file is named response. After the command finishes, the resulting (modified by your program) request/response is read and sent on. Example command: echo Hello > /sdcard/Android/data/com.myprog.netutils/network_spoofer/scr/response. In this case the victim sees the "Hello" label instead of the requested page. A quick note: the command may consist of a single line only. If you want to perform a series of actions, write them into a script/program and start it.
Files downloaded by the "victim" can be substituted. To do this, use the Fake files function. In the dialog that opens, select the file whose contents will replace what the victim downloads and, optionally, specify the file extension that the "victim" will end up downloading (the Ext field). A quick note: this feature will operate only when you use File Transfer.
Possible problem: if image replacement is not working, be sure to use a string rather than a method of obtaining the file path. Sometimes you may need to change the extension of the selected pictures to an "unknown" one, for example ".j" instead of ".jpeg".
Do not try to use this software in conjunction with HTTP Sniffer.

TCP Proxy
The program is designed to intercept TCP traffic. Used in conjunction with ARP spoofer. The application layer protocol does not matter, i.e. the tool can be used to study the traffic of an arbitrary application. Requests received from the application and responses from the server can be viewed in the built-in HEX viewer; to do this, click on the desired item in the list.

Case study: when port 80 is specified, the application can serve as an alternative to the HTTP sniffer. If you specify port 443 and activate the ssl proxy option, the application will intercept https traffic.