The OpenNET Project / Index page

[ новости /+++ | форум | теги | ]

Интерактивная система просмотра системных руководств (man-ов)

 ТемаНаборКатегория 
 
 [Cписок руководств | Печать]

iplog (8)
  • >> iplog (8) ( Linux man: Команды системного администрирования )
  •  

    NAME

    iplog - TCP/IP traffic logger.
    

     

    SYNOPSIS

    iplog [options]

    [-DFILNPRSTUVbcdefhkmnopqstvwxyz]
    [-a <network,network2,...>]
    [-g <group>]
    [-i <interface1,...,interfaceN>]
    [-l <logfile>]
    [--pid-file=<file>]
    [-u <user>]
    [--tcp[=argument]]
    [--udp[=argument]]
    [--icmp[=argument]]
    [--facility=syslog facility]
    [--priority=syslog priority]

     

    DESCRIPTION

    iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic. Adding support for other protocols should be relatively easy. iplog's capabilities include the ability to detect TCP port scans, TCP null scans, FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags (used by scanners to detect the operating system in use), TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP fragment attacks. iplog is able to run in promiscuous mode and monitor traffic to all hosts on a network. iplog uses libpcap to read data from the network and can be ported to any system that supports pthreads and on which libpcap will function.

     

    NOTATION

    Throughout this document, required parameters will be denoted by enclosing the parameter in angle brackets <like this>.

    Optional parameters will be denoted by enclosing the parameter in square brackets [like this].

    The '|' character is used to express exclusive or. For example [true|false] means you may give "true" or "false", but not both.

     

    OPTIONS

    --tcp=true (default) Log TCP traffic.

    --tcp=false
    Do not log TCP traffic.

    --udp=true (default)
    Log UDP traffic.

    --udp=false
    Do not log UDP traffic.

    --icmp=true (default)
    Log ICMP traffic.

    --icmp=false
    Do not log ICMP traffic.

    --facility=syslog facility
    Use the specified facility for openlog(3).

    --priority=syslog priority
    Use the specified priority for syslog(3).

    -D, --log-dest=true
    Log the destination address of IP packets.

    --log-dest=false (default)
    Do not log the destination address of IP packets.

    -F, --detect-udp-scan=true (default)
    Detect and log UDP scans.

    --detect-udp-scan=false
    Neither detect nor log UDP scans.

    --log-udp-scan
    Same as --detect-udp-scan.

    -I, --icmp-resolve=true (default)
    Perform host name resolution for ICMP traffic.

    -L, --stdout
    Log to stdout.

    --icmp-resolve=false
    Do not perform host name resolution for ICMP traffic.

    -N, --disable-resolver
    Do not perform host name resolution for any traffic.

    -P, --detect-ping-flood=true (default)
    Detect ping (ICMP echo) flood attacks.

    --detect-ping-flood=false
    Do not detect ping flood attacks.

    --log-ping-flood
    Same as --detect-ping-flood.

    -R, --restart
    Restart iplog, if it is running.

    -S, --detect-smurf=true (default)
    Detect "smurf" attacks.

    --detect-smurf=false
    Do not detect "smurf" attacks.

    --log-smurf
    Same as --detect-smurf.

    -T, --tcp-resolve=true (default)
    Perform host name resolution for TCP traffic.

    --tcp-resolve=false
    Do not perform host name resolution for TCP traffic.

    -U, --udp-resolve=true (default)
    Perform host name resolution for UDP traffic.

    --udp-resolve=false
    Do not perform host name resolution for UDP traffic.

    -V, --verbose=true
    Verbose - Log packets with a bad checksum and packets with a short header length.

    --verbose=false (default)
    Do not be verbose.

    -a <network,network2,...>, --promisc=<network,network2,...>
    Put all monitored interfaces into promiscuous mode and log traffic destined to all hosts on the specified network(s).

    -b, --detect-bogus=true (default)
    Detect bogus TCP flags. Programs such as nmap and queso may set these flags while trying to perform OS detection.

    --detect-bogus=false
    Do not detect bogus TCP flags.

    --log-bogus
    Same as --detect-bogus.

    -c, --dns-cache=true (default)
    Use a built-in DNS cache (allows host lookups to be faster).

    --dns-cache=false
    Do not use the built-in DNS cache.

    -d, --ignore
    Ignore DNS traffic from hosts listed in /etc/resolv.conf.

    -e, --get-ident=true
    Perform ident (RFC 1413) lookups on connections destined to a listening port. This is only available on Linux.

    --get-ident=false (default)
    Do not perform ident lookups.

    -f, --detect-fin-scan=true (default)
    Detect TCP FIN scans (a "stealth scan" used by nmap and other scanners).

    --detect-fin-scan=false
    Do not detect TCP FIN scans.

    --log-fin-scan
    Same as --detect-fin-scan.

    -q, --detect-syn-scan=true (default)
    Detect TCP SYN scans (a "stealth scan" used by nmap and other scanners).

    --detect-syn-scan=false
    Do not detect TCP SYN scans.

    --log-syn-scan
    Same as --detect-syn-scan.

    -g <group|GID>, --group=<group|GID>
    Run with the specified group or GID.

    -h, --help
    Print a summary of available options and exit.

    -i <interface(s)>, --interface=<interface(s)>
    Listen on only the specified interfaces. This option takes a comma-delimited list of interfaces. By default, iplog will listen on any interfaces that are up, except loopback.

    -k, --kill
    Kill iplog, if it is running.

    -l <logfile>, --logfile=<logfile>
    Log to the specified file instead of logging via syslog(3)

    --pid-file=<file>
    Use <file> as the pid file.

    This option should be used when starting iplog as a user who doesn't have write access to /var/run.

    This option must be used with the -k and -R options when an instance of iplog is running that was started with the --pid-file option. Also note the --pid-file option must be given before the -k and -R options.

    -m, --scans-only=true
    Only log scans and floods. Do not log other traffic.

    -n, --detect-null-scan=true (default)
    Detect null scans (a "stealth scan" used by nmap and other scanners).

    --detect-null-scan=false
    Do not detect null scans.

    --log-null-scan
    Same as --detect-null-scan.

    -o, --no-fork
    Run in the foreground.

    -p, --detect-portscan=true (default)
    Detect port scans (connect(2) scans and SYN (half open) scans).

    --detect-portscan=false
    Do not detect port scans.

    --log-portscan
    Same as --detect-portscan.

    -s, --detect-syn-flood=true (default)
    Stop resolving IP addresses (until the flood ends) if a SYN flood is detected.

    --detect-syn-flood=false
    Do not stop resolving IP addresses if a SYN flood is detected.

    -t, --detect-traceroute=true (default)
    Detect (and log) traceroute.

    --detect-traceroute=false
    Do not detect traceroute.

    --log-traceroute
    Same as --detect-traceroute.

    -u <user|UID>, --user=<user|UID>
    Run as the user or with the UID specified.

    -v, --version
    Print version information and exit.

    -w, --log-ip
    Log the IP addresses as well as the hostnames of hosts that are looked up.

    -x, --detect-xmas-scan=true (default)
    Detect Xmas scans (a "stealth" scan used by nmap and other scanners).

    --detect-xmas-scan=false
    Do not detect Xmas scans.

    --log-xmas-scan
    Same as --detect-xmas-scan.

    -y, --detect-frag=true
    Detect fragment attacks.

    --detect-frag=false
    Do not detect fragment attacks.

    --log-frag
    Same as --detect-frag.

    -z, --fool-nmap=true
    Attempt to fool programs, such as nmap and queso, that perform remote OS detection. As a side effect, this option will also cause most of nmap's "stealth" scans to fail.
    WARNING
    This option is dangerous and can set off network traffic storms.

    --fool-nmap=false (default)
    Do not attempt to fool nmap's OS detection.

     

    FILES

    /etc/iplog.conf
    The iplog configuration file.

     

    BUGS

    Report any bugs to odin@numb.org

     

    AUTHOR

    Ryan McCabe <odin@numb.org>

     

    AVAILABILITY

    The primary distribution site for iplog is http://ojnk.sourceforge.net

     

    MIRROR LIST


    ftp://ojnk.sourceforge.net/pub/ojnk/iplog
    http://www.numb.org/~odin

     

    SEE ALSO

    iplog.conf(5) tcpdump(1) syslog(3) openlog(3) pcap(3) nmap(8)


     

    Index

    NAME
    SYNOPSIS
    DESCRIPTION
    NOTATION
    OPTIONS
    FILES
    BUGS
    AUTHOR
    AVAILABILITY
    MIRROR LIST
    SEE ALSO


    Поиск по тексту MAN-ов: 




    Партнёры:
    PostgresPro
    Inferno Solutions
    Hosting by Hoster.ru
    Хостинг:

    Закладки на сайте
    Проследить за страницей
    Created 1996-2024 by Maxim Chirkov
    Добавить, Поддержать, Вебмастеру