Layer 3 tricks to impair traffic analysis.

Definition of battlefield

In passive wiretapping, packets are analyzed after being reassembled into flows. This operation, present in every kind of PASSIVE network analyzer (IDS, sniffer, trojan, statistics generator), is called "protocol reassembly". To obtain a piece of information, the reassembly has to be carried out at a complexity matching that of the transmission's layers.
If you are analyzing the FTP protocol, you only have the transmitted binary data to collect and dump: the passive third party has to record the packet flow, store it in the correct order and extract the transmitted file.

If you are sniffing HTTP traffic, you have to track all the IPs involved in the transmission, all the TCP streams and the application-level meaning, detect cached elements that were not transmitted, reassemble the HTML and JavaScript, and execute the JavaScript; only then will the third party see precisely what the web client displayed. In short: more layers bring more complexity. The sniffer's goal is to unroll this complexity, hoping to obtain the data with the least possible effort.

Main concept of SniffJoke
This project aims to exploit the unreliability of passive protocol reassembly: because the data on the wire is not enough to guarantee a correct reassembly, a legitimate use of the network protocol can strongly disrupt existing software.

A third party reading packets passively will run into "ambiguities": it can never be 100% sure whether a packet will be accepted or rejected by the peers under monitoring. Using and abusing this unreliability leads to a wrong reconstruction of the transmission.

Goal of SniffJoke
To be a modular framework for the easy development and use of techniques able to disrupt passive protocol reassembly at every layer. Release 0.4 only brings attacks at the IP and TCP/UDP layers; an escalation is planned for the next release.

Exploiting the speed of network links, the differences between ISP configurations and (not yet implemented) the differences between operating systems' TCP/IP stacks, SniffJoke puts sniffers before a difficult choice: drop every packet that has something weird about it, in order to keep up with growing bandwidth and demanding hardware requirements, or improve the analysis, spending CPU and time and implicitly increasing the cost per megabit. This will demotivate massive sniffing by evil entities.
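The ambiguity described above, and the drop-or-analyze choice it forces on a monitor, as an added illustration (not SniffJoke's own code): a toy passive TCP reassembler that records every byte where overlapping segments disagree and produces both candidate streams the observer would have to choose between. The captured segments and the `reassemble`/`candidate_streams` functions are constructed for this example.

```python
# Toy passive TCP stream reassembler that makes "ambiguity" explicit.
# Added illustration, not SniffJoke's code; all segment values are constructed.

def reassemble(segments, base_seq, prefer="first"):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.

    base_seq is the sequence number of the first payload byte. Where two
    segments cover the same byte with different values, a passive observer
    cannot know which copy the receiving stack kept (that depends on the OS
    reassembly policy), so the byte is recorded as a conflict instead of
    being silently resolved. prefer="first" keeps the copy seen first on the
    wire, prefer="last" the most recent one.
    Returns (contiguous_stream, conflicts); conflicts are (offset, first, later).
    """
    chosen = {}        # stream offset -> byte value currently chosen
    conflicts = []
    for seq, payload in segments:
        start = (seq - base_seq) % (1 << 32)   # TCP sequence space wraps
        for i, b in enumerate(payload):
            off = start + i
            prev = chosen.get(off)
            if prev is None:
                chosen[off] = b
            elif prev != b:
                conflicts.append((off, prev, b))
                if prefer == "last":
                    chosen[off] = b
    out = bytearray()
    off = 0
    while off in chosen:   # stop at the first hole; later data is not yet usable
        out.append(chosen[off])
        off += 1
    return bytes(out), conflicts

# Constructed capture: a request, an overlapping "retransmission" whose bytes
# disagree with the original, then the remaining headers.
BASE_SEQ = 1001
SEGMENTS = [
    (1001, b"GET /index.html HTTP/1.0\r\n"),
    (1005, b"/admin"),                  # overlaps offsets 4..9 with different bytes
    (1027, b"Host: example.org\r\n\r\n"),
]

def candidate_streams(segments=SEGMENTS, base_seq=BASE_SEQ):
    """Both reconstructions a monitor would have to choose between, plus the
    conflict list it can use to flag the stream as ambiguous."""
    first, conflicts = reassemble(segments, base_seq, "first")
    last, _ = reassemble(segments, base_seq, "last")
    return {"first": first, "last": last, "conflicts": conflicts}
```

A monitor that resolves the overlap silently reports one request; a monitor that tracks the conflict list can at least mark the stream as unreliable and decide whether it is worth the extra CPU to keep both readings.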