iplog
is a TCP/IP traffic logger. Currently, it is capable of logging
TCP, UDP and ICMP traffic. Adding support for other protocols
should be relatively easy.
iplog's
capabilities include the ability to detect TCP port scans, TCP null scans,
FIN scans, UDP and ICMP "smurf" attacks,
bogus TCP flags (used by scanners to detect the operating system in use),
TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP
fragment attacks.
iplog
is able to run in promiscuous mode and monitor traffic to all hosts
on a network.
iplog
uses libpcap to read data from the network and can be ported
to any system that supports pthreads and on which libpcap will function.
NOTATION
Throughout this document, required parameters will be denoted by enclosing the parameter in angle brackets <like this>.
Optional parameters will be denoted by enclosing the parameter in square brackets [like this].
The '|' character is used to express exclusive or. For example [true|false] means you may give "true" or "false", but not both.
Do not perform host name resolution for ICMP traffic.
-N, --disable-resolver
Do not perform host name resolution for any traffic.
-P, --detect-ping-flood=true (default)
Detect ping (ICMP echo) flood attacks.
--detect-ping-flood=false
Do not detect ping flood attacks.
--log-ping-flood
Same as --detect-ping-flood.
-R, --restart
Restart
iplog,
if it is running.
-S, --detect-smurf=true (default)
Detect "smurf" attacks.
--detect-smurf=false
Do not detect "smurf" attacks.
--log-smurf
Same as --detect-smurf.
-T, --tcp-resolve=true (default)
Perform host name resolution for TCP traffic.
--tcp-resolve=false
Do not perform host name resolution for TCP traffic.
-U, --udp-resolve=true (default)
Perform host name resolution for UDP traffic.
--udp-resolve=false
Do not perform host name resolution for UDP traffic.
-V, --verbose=true
Verbose - Log packets with a bad checksum and packets with a short header length.
--verbose=false (default)
Do not be verbose.
-a <network,network2,...>, --promisc=<network,network2,...>
Put all monitored interfaces into promiscuous mode and log traffic destined to all hosts on the specified network(s).
-b, --detect-bogus=true (default)
Detect bogus TCP flags. Programs such as nmap and queso may set these flags while trying to perform OS detection.
--detect-bogus=false
Do not detect bogus TCP flags.
--log-bogus
Same as --detect-bogus.
-c, --dns-cache=true (default)
Use a built-in DNS cache (allows host lookups to be faster).
--dns-cache=false
Do not use the built-in DNS cache.
-d, --ignore
Ignore DNS traffic from hosts listed in
/etc/resolv.conf.
-e, --get-ident=true
Perform ident (RFC 1413) lookups on connections destined to a listening port. This is only available on Linux.
--get-ident=false (default)
Do not perform ident lookups.
-f, --detect-fin-scan=true (default)
Detect TCP FIN scans (a "stealth scan" used by nmap and other scanners).
--detect-fin-scan=false
Do not detect TCP FIN scans.
--log-fin-scan
Same as --detect-fin-scan.
-q, --detect-syn-scan=true (default)
Detect TCP SYN scans (a "stealth scan" used by nmap and other scanners).
--detect-syn-scan=false
Do not detect TCP SYN scans.
--log-syn-scan
Same as --detect-syn-scan.
-g <group|GID>, --group=<group|GID>
Run with the specified group or GID.
-h, --help
Print a summary of available options and exit.
-i <interface(s)>, --interface=<interface(s)>
Listen on only the specified interfaces. This option takes a comma-delimited list of interfaces. By default,
iplog
will listen on any interfaces that are up, except loopback.
-k, --kill
Kill
iplog,
if it is running.
-l <logfile>, --logfile=<logfile>
Log to the specified file instead of logging via
syslog(3)
--pid-file=<file>
Use <file> as the pid file.
This option should be used when starting
iplog
as a user who doesn't have write access to /var/run.
This option must be used with the -k and -R options when an instance of
iplog
is running that was started with the --pid-file option. Also note the
--pid-file option must be given before the -k and -R options.
-m, --scans-only=true
Only log scans and floods. Do not log other traffic.
-n, --detect-null-scan=true (default)
Detect null scans (a "stealth scan" used by nmap and other scanners).
--detect-null-scan=false
Do not detect null scans.
--log-null-scan
Same as --detect-null-scan.
-o, --no-fork
Run in the foreground.
-p, --detect-portscan=true (default)
Detect port scans (connect(2) scans and SYN (half open) scans).
--detect-portscan=false
Do not detect port scans.
--log-portscan
Same as --detect-portscan.
-s, --detect-syn-flood=true (default)
Stop resolving IP addresses (until the flood ends) if a SYN flood is detected.
--detect-syn-flood=false
Do not stop resolving IP addresses if a SYN flood is detected.
-t, --detect-traceroute=true (default)
Detect (and log) traceroute.
--detect-traceroute=false
Do not detect traceroute.
--log-traceroute
Same as --detect-traceroute.
-u <user|UID>, --user=<user|UID>
Run as the user or with the UID specified.
-v, --version
Print version information and exit.
-w, --log-ip
Log the IP addresses as well as the hostnames of hosts that are looked up.
-x, --detect-xmas-scan=true (default)
Detect Xmas scans (a "stealth" scan used by nmap and other scanners).
--detect-xmas-scan=false
Do not detect Xmas scans.
--log-xmas-scan
Same as --detect-xmas-scan.
-y, --detect-frag=true
Detect fragment attacks.
--detect-frag=false
Do not detect fragment attacks.
--log-frag
Same as --detect-frag.
-z, --fool-nmap=true
Attempt to fool programs, such as nmap and queso, that perform remote OS detection. As a side effect, this option will also cause most of nmap's "stealth" scans to fail.
WARNING
This option is dangerous and can set off network traffic storms.
