is a TCP/IP traffic logger. Currently, it is capable of logging
TCP, UDP and ICMP traffic. Adding support for other protocols
should be relatively easy.
capabilities include the ability to detect TCP port scans, TCP null scans,
FIN scans, UDP and ICMP "smurf" attacks,
bogus TCP flags (used by scanners to detect the operating system in use),
TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP
is able to run in promiscuous mode and monitor traffic to all hosts
on a network.
uses libpcap to read data from the network and can be ported
to any system that supports pthreads and on which libpcap will function.
Throughout this document, required parameters will be denoted by enclosing the parameter in angle brackets <like this>.
Optional parameters will be denoted by enclosing the parameter in square brackets [like this].
The '|' character is used to express exclusive or. For example [true|false] means you may give "true" or "false", but not both.
Do not perform host name resolution for ICMP traffic.
Do not perform host name resolution for any traffic.
-P, --detect-ping-flood=true (default)
Detect ping (ICMP echo) flood attacks.
Do not detect ping flood attacks.
Same as --detect-ping-flood.
if it is running.
-S, --detect-smurf=true (default)
Detect "smurf" attacks.
Do not detect "smurf" attacks.
Same as --detect-smurf.
-T, --tcp-resolve=true (default)
Perform host name resolution for TCP traffic.
Do not perform host name resolution for TCP traffic.
-U, --udp-resolve=true (default)
Perform host name resolution for UDP traffic.
Do not perform host name resolution for UDP traffic.
Verbose - Log packets with a bad checksum and packets with a short header length.
Do not be verbose.
-a <network,network2,...>, --promisc=<network,network2,...>
Put all monitored interfaces into promiscuous mode and log traffic destined to all hosts on the specified network(s).
-b, --detect-bogus=true (default)
Detect bogus TCP flags. Programs such as nmap and queso may set these flags while trying to perform OS detection.
Do not detect bogus TCP flags.
Same as --detect-bogus.
-c, --dns-cache=true (default)
Use a built-in DNS cache (allows host lookups to be faster).
Do not use the built-in DNS cache.
Ignore DNS traffic from hosts listed in
Perform ident (RFC 1413) lookups on connections destined to a listening port. This is only available on Linux.
Do not perform ident lookups.
-f, --detect-fin-scan=true (default)
Detect TCP FIN scans (a "stealth scan" used by nmap and other scanners).
Do not detect TCP FIN scans.
Same as --detect-fin-scan.
-q, --detect-syn-scan=true (default)
Detect TCP SYN scans (a "stealth scan" used by nmap and other scanners).
Do not detect TCP SYN scans.
Same as --detect-syn-scan.
-g <group|GID>, --group=<group|GID>
Run with the specified group or GID.
Print a summary of available options and exit.
-i <interface(s)>, --interface=<interface(s)>
Listen on only the specified interfaces. This option takes a comma-delimited list of interfaces. By default,
will listen on any interfaces that are up, except loopback.
if it is running.
-l <logfile>, --logfile=<logfile>
Log to the specified file instead of logging via
Use <file> as the pid file.
This option should be used when starting
as a user who doesn't have write access to /var/run.
This option must be used with the -k and -R options when an instance of
is running that was started with the --pid-file option. Also note the
--pid-file option must be given before the -k and -R options.
Only log scans and floods. Do not log other traffic.
-n, --detect-null-scan=true (default)
Detect null scans (a "stealth scan" used by nmap and other scanners).
Do not detect null scans.
Same as --detect-null-scan.
Run in the foreground.
-p, --detect-portscan=true (default)
Detect port scans (connect(2) scans and SYN (half open) scans).
Do not detect port scans.
Same as --detect-portscan.
-s, --detect-syn-flood=true (default)
Stop resolving IP addresses (until the flood ends) if a SYN flood is detected.
Do not stop resolving IP addresses if a SYN flood is detected.
-t, --detect-traceroute=true (default)
Detect (and log) traceroute.
Do not detect traceroute.
Same as --detect-traceroute.
-u <user|UID>, --user=<user|UID>
Run as the user or with the UID specified.
Print version information and exit.
Log the IP addresses as well as the hostnames of hosts that are looked up.
-x, --detect-xmas-scan=true (default)
Detect Xmas scans (a "stealth" scan used by nmap and other scanners).
Do not detect Xmas scans.
Same as --detect-xmas-scan.
Detect fragment attacks.
Do not detect fragment attacks.
Same as --detect-frag.
Attempt to fool programs, such as nmap and queso, that perform remote OS detection. As a side effect, this option will also cause most of nmap's "stealth" scans to fail.
This option is dangerous and can set off network traffic storms.