GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  IPLOG (8)

NAME

iplog - TCP/IP traffic logger.

CONTENTS

Synopsis
Description
Notation
Options
Files
Bugs
Author
Availability
Mirror List
See Also

SYNOPSIS

iplog [options]

[-DFILNPRSTUVbcdefhkmnopqstvwxyz]
[-a <network,network2,...>]
[-g <group>]
[-i <interface1,...,interfaceN>]
[-l <logfile>]
[--pid-file=<file>]
[-u <user>]
[--tcp[=argument]]
[--udp[=argument]]
[--icmp[=argument]]
[--facility=syslog facility]
[--priority=syslog priority]

DESCRIPTION

iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic. Adding support for other protocols should be relatively easy. iplog’s capabilities include the ability to detect TCP port scans, TCP null scans, FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags (used by scanners to detect the operating system in use), TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP fragment attacks. iplog is able to run in promiscuous mode and monitor traffic to all hosts on a network. iplog uses libpcap to read data from the network and can be ported to any system that supports pthreads and on which libpcap will function.

NOTATION

Throughout this document, required parameters will be denoted by enclosing the parameter in angle brackets <like this>.

Optional parameters will be denoted by enclosing the parameter in square brackets [like this].

The ’|’ character is used to express exclusive or. For example [true|false] means you may give "true" or "false", but not both.

OPTIONS

--tcp=true (default) Log TCP traffic.

--tcp=false
  Do not log TCP traffic.

--udp=true (default)
  Log UDP traffic.

--udp=false
  Do not log UDP traffic.

--icmp=true (default)
  Log ICMP traffic.

--icmp=false
  Do not log ICMP traffic.

--facility=syslog facility
  Use the specified facility for openlog(3).

--priority=syslog priority
  Use the specified priority for syslog(3).

-D, --log-dest=true
  Log the destination address of IP packets.

--log-dest=false (default)
  Do not log the destination address of IP packets.

-F, --detect-udp-scan=true (default)
  Detect and log UDP scans.

--detect-udp-scan=false
  Neither detect nor log UDP scans.

--log-udp-scan
  Same as --detect-udp-scan.

-I, --icmp-resolve=true (default)
  Perform host name resolution for ICMP traffic.

-L, --stdout
  Log to stdout.

--icmp-resolve=false
  Do not perform host name resolution for ICMP traffic.

-N, --disable-resolver
  Do not perform host name resolution for any traffic.

-P, --detect-ping-flood=true (default)
  Detect ping (ICMP echo) flood attacks.

--detect-ping-flood=false
  Do not detect ping flood attacks.

--log-ping-flood
  Same as --detect-ping-flood.

-R, --restart
  Restart iplog, if it is running.

-S, --detect-smurf=true (default)
  Detect "smurf" attacks.

--detect-smurf=false
  Do not detect "smurf" attacks.

--log-smurf
  Same as --detect-smurf.

-T, --tcp-resolve=true (default)
  Perform host name resolution for TCP traffic.

--tcp-resolve=false
  Do not perform host name resolution for TCP traffic.

-U, --udp-resolve=true (default)
  Perform host name resolution for UDP traffic.

--udp-resolve=false
  Do not perform host name resolution for UDP traffic.

-V, --verbose=true
  Verbose - Log packets with a bad checksum and packets with a short header length.

--verbose=false (default)
  Do not be verbose.

-a <network,network2,...>, --promisc=<network,network2,...>
  Put all monitored interfaces into promiscuous mode and log traffic destined to all hosts on the specified network(s).

-b, --detect-bogus=true (default)
  Detect bogus TCP flags. Programs such as nmap and queso may set these flags while trying to perform OS detection.

--detect-bogus=false
  Do not detect bogus TCP flags.

--log-bogus
  Same as --detect-bogus.

-c, --dns-cache=true (default)
  Use a built-in DNS cache (allows host lookups to be faster).

--dns-cache=false
  Do not use the built-in DNS cache.

-d, --ignore
  Ignore DNS traffic from hosts listed in /etc/resolv.conf.

-e, --get-ident=true
  Perform ident (RFC 1413) lookups on connections destined to a listening port. This is only available on Linux.

--get-ident=false (default)
  Do not perform ident lookups.

-f, --detect-fin-scan=true (default)
  Detect TCP FIN scans (a "stealth scan" used by nmap and other scanners).

--detect-fin-scan=false
  Do not detect TCP FIN scans.

--log-fin-scan
  Same as --detect-fin-scan.

-q, --detect-syn-scan=true (default)
  Detect TCP SYN scans (a "stealth scan" used by nmap and other scanners).

--detect-syn-scan=false
  Do not detect TCP SYN scans.

--log-syn-scan
  Same as --detect-syn-scan.

-g <group|GID>, --group=<group|GID>
  Run with the specified group or GID.

-h, --help
  Print a summary of available options and exit.

-i <interface(s)>, --interface=<interface(s)>
  Listen on only the specified interfaces. This option takes a comma-delimited list of interfaces. By default, iplog will listen on any interfaces that are up, except loopback.

-k, --kill
  Kill iplog, if it is running.

-l <logfile>, --logfile=<logfile>
  Log to the specified file instead of logging via syslog(3)

--pid-file=<file>
  Use <file> as the pid file.

This option should be used when starting iplog as a user who doesn’t have write access to /var/run.

This option must be used with the -k and -R options when an instance of iplog is running that was started with the --pid-file option. Also note the --pid-file option must be given before the -k and -R options.

-m, --scans-only=true
  Only log scans and floods. Do not log other traffic.

-n, --detect-null-scan=true (default)
  Detect null scans (a "stealth scan" used by nmap and other scanners).

--detect-null-scan=false
  Do not detect null scans.

--log-null-scan
  Same as --detect-null-scan.

-o, --no-fork
  Run in the foreground.

-p, --detect-portscan=true (default)
  Detect port scans (connect(2) scans and SYN (half open) scans).

--detect-portscan=false
  Do not detect port scans.

--log-portscan
  Same as --detect-portscan.

-s, --detect-syn-flood=true (default)
  Stop resolving IP addresses (until the flood ends) if a SYN flood is detected.

--detect-syn-flood=false
  Do not stop resolving IP addresses if a SYN flood is detected.

-t, --detect-traceroute=true (default)
  Detect (and log) traceroute.

--detect-traceroute=false
  Do not detect traceroute.

--log-traceroute
  Same as --detect-traceroute.

-u <user|UID>, --user=<user|UID>
  Run as the user or with the UID specified.

-v, --version
  Print version information and exit.

-w, --log-ip
  Log the IP addresses as well as the hostnames of hosts that are looked up.

-x, --detect-xmas-scan=true (default)
  Detect Xmas scans (a "stealth" scan used by nmap and other scanners).

--detect-xmas-scan=false
  Do not detect Xmas scans.

--log-xmas-scan
  Same as --detect-xmas-scan.

-y, --detect-frag=true
  Detect fragment attacks.

--detect-frag=false
  Do not detect fragment attacks.

--log-frag
  Same as --detect-frag.

-z, --fool-nmap=true
  Attempt to fool programs, such as nmap and queso, that perform remote OS detection. As a side effect, this option will also cause most of nmap’s "stealth" scans to fail.
WARNING
  This option is dangerous and can set off network traffic storms.

--fool-nmap=false (default)
  Do not attempt to fool nmap’s OS detection.

FILES

/usr/local/etc/iplog.conf
  The iplog configuration file.

BUGS

Report any bugs to odin@numb.org

AUTHOR

Ryan McCabe <odin@numb.org>

AVAILABILITY

The primary distribution site for iplog is http://ojnk.sourceforge.net

MIRROR LIST

ftp://ojnk.sourceforge.net/pub/ojnk/iplog
http://www.numb.org/~odin

SEE ALSO

iplog.conf(5) tcpdump(1) syslog(3) openlog(3) pcap(3) nmap(8)
Search for    or go to Top of page |  Section 8 |  Main Index


iplog 2.2.3 IPLOG (8) 03 December 2000

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.