DragonFly On-Line Manual Pages
iplog(8) DragonFly System Manager's Manual iplog(8)
NAME
iplog - TCP/IP traffic logger.
SYNOPSIS
iplog [options]
[-DFILNPRSTUVbcdefhkmnopqstvwxyz]
[-a <network,network2,...>]
[-g <group>]
[-i <interface1,...,interfaceN>]
[-l <logfile>]
[--pid-file=<file>]
[-u <user>]
[--tcp[=argument]]
[--udp[=argument]]
[--icmp[=argument]]
[--facility=syslog facility]
[--priority=syslog priority]
DESCRIPTION
iplog is a TCP/IP traffic logger. Currently, it is capable of logging
TCP, UDP and ICMP traffic. Adding support for other protocols should be
relatively easy. iplog's capabilities include the ability to detect
TCP port scans, TCP null scans, FIN scans, UDP and ICMP "smurf"
attacks, bogus TCP flags (used by scanners to detect the operating
system in use), TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP
scans, and IP fragment attacks. iplog is able to run in promiscuous
mode and monitor traffic to all hosts on a network. iplog uses libpcap
to read data from the network and can be ported to any system that
supports pthreads and on which libpcap will function.
NOTATION
Throughout this document, required parameters will be denoted by
enclosing the parameter in angle brackets <like this>.
Optional parameters will be denoted by enclosing the parameter in
square brackets [like this].
The '|' character is used to express exclusive or. For example
[true|false] means you may give "true" or "false", but not both.
OPTIONS
--tcp=true (default)
Log TCP traffic.
--tcp=false
Do not log TCP traffic.
--udp=true (default)
Log UDP traffic.
--udp=false
Do not log UDP traffic.
--icmp=true (default)
Log ICMP traffic.
--icmp=false
Do not log ICMP traffic.
--facility=syslog facility
Use the specified facility for openlog(3).
--priority=syslog priority
Use the specified priority for syslog(3).
-D, --log-dest=true
Log the destination address of IP packets.
--log-dest=false (default)
Do not log the destination address of IP packets.
-F, --detect-udp-scan=true (default)
Detect and log UDP scans.
--detect-udp-scan=false
Neither detect nor log UDP scans.
--log-udp-scan
Same as --detect-udp-scan.
-I, --icmp-resolve=true (default)
Perform host name resolution for ICMP traffic.
-L, --stdout
Log to stdout.
--icmp-resolve=false
Do not perform host name resolution for ICMP traffic.
-N, --disable-resolver
Do not perform host name resolution for any traffic.
-P, --detect-ping-flood=true (default)
Detect ping (ICMP echo) flood attacks.
--detect-ping-flood=false
Do not detect ping flood attacks.
--log-ping-flood
Same as --detect-ping-flood.
-R, --restart
Restart iplog, if it is running.
-S, --detect-smurf=true (default)
Detect "smurf" attacks.
--detect-smurf=false
Do not detect "smurf" attacks.
--log-smurf
Same as --detect-smurf.
-T, --tcp-resolve=true (default)
Perform host name resolution for TCP traffic.
--tcp-resolve=false
Do not perform host name resolution for TCP traffic.
-U, --udp-resolve=true (default)
Perform host name resolution for UDP traffic.
--udp-resolve=false
Do not perform host name resolution for UDP traffic.
-V, --verbose=true
Verbose - Log packets with a bad checksum and packets with a
short header length.
--verbose=false (default)
Do not be verbose.
-a <network,network2,...>, --promisc=<network,network2,...>
Put all monitored interfaces into promiscuous mode and log
traffic destined to all hosts on the specified network(s).
-b, --detect-bogus=true (default)
Detect bogus TCP flags. Programs such as nmap and queso may set
these flags while trying to perform OS detection.
--detect-bogus=false
Do not detect bogus TCP flags.
--log-bogus
Same as --detect-bogus.
-c, --dns-cache=true (default)
Use a built-in DNS cache (allows host lookups to be faster).
--dns-cache=false
Do not use the built-in DNS cache.
-d, --ignore
Ignore DNS traffic from hosts listed in /etc/resolv.conf.
-e, --get-ident=true
Perform ident (RFC 1413) lookups on connections destined to a
listening port. This is only available on Linux.
--get-ident=false (default)
Do not perform ident lookups.
-f, --detect-fin-scan=true (default)
Detect TCP FIN scans (a "stealth scan" used by nmap and other
scanners).
--detect-fin-scan=false
Do not detect TCP FIN scans.
--log-fin-scan
Same as --detect-fin-scan.
-q, --detect-syn-scan=true (default)
Detect TCP SYN scans (a "stealth scan" used by nmap and other
scanners).
--detect-syn-scan=false
Do not detect TCP SYN scans.
--log-syn-scan
Same as --detect-syn-scan.
-g <group|GID>, --group=<group|GID>
Run with the specified group or GID.
-h, --help
Print a summary of available options and exit.
-i <interface(s)>, --interface=<interface(s)>
Listen on only the specified interfaces. This option takes a
comma-delimited list of interfaces. By default, iplog will
listen on any interfaces that are up, except loopback.
-k, --kill
Kill iplog, if it is running.
-l <logfile>, --logfile=<logfile>
Log to the specified file instead of logging via syslog(3)
--pid-file=<file>
Use <file> as the pid file.
This option should be used when starting iplog as a user who
doesn't have write access to /var/run.
This option must be used with the -k and -R options when an
instance of iplog is running that was started with the
--pid-file option. Also note the --pid-file option must be
given before the -k and -R options.
-m, --scans-only=true
Only log scans and floods. Do not log other traffic.
-n, --detect-null-scan=true (default)
Detect null scans (a "stealth scan" used by nmap and other
scanners).
--detect-null-scan=false
Do not detect null scans.
--log-null-scan
Same as --detect-null-scan.
-o, --no-fork
Run in the foreground.
-p, --detect-portscan=true (default)
Detect port scans (connect(2) scans and SYN (half open) scans).
--detect-portscan=false
Do not detect port scans.
--log-portscan
Same as --detect-portscan.
-s, --detect-syn-flood=true (default)
Stop resolving IP addresses (until the flood ends) if a SYN
flood is detected.
--detect-syn-flood=false
Do not stop resolving IP addresses if a SYN flood is detected.
-t, --detect-traceroute=true (default)
Detect (and log) traceroute.
--detect-traceroute=false
Do not detect traceroute.
--log-traceroute
Same as --detect-traceroute.
-u <user|UID>, --user=<user|UID>
Run as the user or with the UID specified.
-v, --version
Print version information and exit.
-w, --log-ip
Log the IP addresses as well as the hostnames of hosts that are
looked up.
-x, --detect-xmas-scan=true (default)
Detect Xmas scans (a "stealth" scan used by nmap and other
scanners).
--detect-xmas-scan=false
Do not detect Xmas scans.
--log-xmas-scan
Same as --detect-xmas-scan.
-y, --detect-frag=true
Detect fragment attacks.
--detect-frag=false
Do not detect fragment attacks.
--log-frag
Same as --detect-frag.
-z, --fool-nmap=true
Attempt to fool programs, such as nmap and queso, that perform
remote OS detection. As a side effect, this option will also
cause most of nmap's "stealth" scans to fail.
WARNING
This option is dangerous and can set off network traffic storms.
--fool-nmap=false (default)
Do not attempt to fool nmap's OS detection.
FILES
/usr/local/etc/iplog.conf
The iplog configuration file.
BUGS
Report any bugs to odin@numb.org
AUTHOR
Ryan McCabe <odin@numb.org>
AVAILABILITY
The primary distribution site for iplog is http://ojnk.sourceforge.net
MIRROR LIST
ftp://ojnk.sourceforge.net/pub/ojnk/iplog
http://www.numb.org/~odin
SEE ALSO
iplog.conf(5) tcpdump(1) syslog(3) openlog(3) pcap(3) nmap(8)
iplog 2.2.3 03 December 2000 iplog(8)