radstock

Language: en

Version: SEPTEMBER 2000 (mandriva - 01/05/08)

Section: 1 (User commands)

NAME

radstock - radius packet analyser

SYNOPSIS

radstock <-hVTDKLMNqp> <-i interface > <-c radius filter file > <-f dictionary > <-e radius filter > < pcap filter >

DESCRIPTION

radstock provides a convenient tool to analyse radius traffic, including the ability to display radius attributes and also to actively filter on them. radstock is written using the pcap libraries and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1). For details on writing pcap filters, please see these manual pages.

OPTIONS

-h
Display help/usage information.
-V
Display version information.
-i
Specify the interface to monitor.
-q
Be quiet; don't parse the radius packets. This option will only show the type of radius packet and the source and destinations (i.e. the top lines).
-e
Provides a radius filter on the command line. The exact format of these filters will be detailed below.
-f
Specify dictionary to be used rather than the default dictionary (/usr/local/etc/raddb/dictionary).
-c
Read the radius filter from radius filter file rather than the command line. If the file is a relative path, it is searched for using the RADIUS_PATH environment variable. If the filename is - then read the filter from stdin.
-p
Do not put the interface in promiscuous mode.
-T
Print the time that each packet was received.
-D
Print the date and time that each packet was received.
-K
Only display authentication packets.
-L
Only display accounting packets.
-M
Only show request packets (auth or acct).
-N
Only show response packets (auth or acct).
pcap filter
The default filter is 'udp port 1645'. To override this filter, specify a new one here. For example, if you only wanted to see traffic between your radius server and server 1.2.3.4, then you could specify the filter as 'port 1645 and host 1.2.3.4'. Radstock will only monitor udp traffic, so it is not necessary to specify this in your filter.

RADIUS FILTER

Radius filters are used to specify which radius packets are to be displayed. The filter defines a set of attributes to match, using a similar parser to the pcap filter. The simplest filter takes the form:

<attribute> <operator> <value>

Where attribute is an attribute read from the radius dictionary. The value is handled differently for each specific attribute type. If the attribute type is either an IP address or a string, the value will be treated as a bounded POSIX regular expression: a '^' and a '$' are added at the beginning and end if they are not already present. If the attribute type is an integer, the value is expected to be either a number, or a value defined in the radius dictionary for that attribute. Both the attribute and value matches are case insensitive. When specifying string values, you may use single quotes as delimiters, to allow non-alphanumeric characters in the value.

The following operators are valid: '=', '!=', '>', '>=', '<', and ip address matches.

In addition, there are two further operators. 'exists <attribute>' is used to match any packet with that attribute present. 'nexists <attribute>' is used to match a packet that does not contain the given attribute.

Comparisons can be joined together with 'and' (&&), 'or' (||), 'not' (!), and the use of brackets.

Please be aware of a slight catch with the '!=' operator. If you specify the following filter:

acct-status-type != start

This filter actually means 'show me all packets where acct-status-type is present and is not equal to start'. Packets that do not carry acct-status-type at all are therefore not displayed.

RADIUS FILTER EXAMPLES

To show only auth requests from the @dummy.org domain from Nas-IP-Address 1.2.3.4 use the following filter:

user-name = '.*@dummy.org' and nas-ip-address = 1.2.3.4

To show packets which do not contain the attribute Ascend-Idle-Limit, use the following filter:

nexists ascend-idle-limit

A slightly more complex example, which includes the command line:

radstock -e "(user-name = bob or user-name = fred) and nas-port-id > 30" udp port 1812
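
The matching rules from the RADIUS FILTER section, modelled in Python as an added example (not radstock's own code). It covers single terms only and uses Python's re module as a stand-in for POSIX regular expressions; the term and anchor helpers, the VALUE_NAMES table and the sample packets are constructed for illustration.

```python
import operator as op
import re

# Constructed stand-in for dictionary value names (not a real dictionary file).
VALUE_NAMES = {"acct-status-type": {"start": 1, "stop": 2}}
INT_OPS = {"=": op.eq, "!=": op.ne, ">": op.gt, ">=": op.ge, "<": op.lt}


def anchor(pattern):
    """Add '^' and '$' when absent, as described for string and IP values."""
    if not pattern.startswith("^"):
        pattern = "^" + pattern
    if not pattern.endswith("$"):
        pattern += "$"
    return pattern


def term(packet, attribute, operator, value=None):
    """Evaluate one filter term against a packet (dict of name -> str or int)."""
    attrs = {name.lower(): v for name, v in packet.items()}
    name = attribute.lower()
    if operator == "exists":
        return name in attrs
    if operator == "nexists":
        return name not in attrs
    if name not in attrs:
        return False  # comparisons, '!=' included, need the attribute present
    actual = attrs[name]
    if isinstance(actual, int):
        wanted = VALUE_NAMES.get(name, {}).get(str(value).lower())
        if wanted is None:
            wanted = int(value)  # plain number rather than a dictionary name
        return INT_OPS[operator](actual, wanted)
    if operator not in ("=", "!="):
        raise ValueError("this model only compares strings with '=' and '!='")
    hit = re.search(anchor(value), actual, re.IGNORECASE) is not None
    return hit if operator == "=" else not hit


# Constructed sample packets.
ACCT_STOP = {"User-Name": "Bob@Dummy.org", "Acct-Status-Type": 2}
AUTH_REQ = {"User-Name": "fred@dummyXorg", "NAS-Port-Id": 31}

if __name__ == "__main__":
    print(term(ACCT_STOP, "acct-status-type", "!=", "start"))  # present, not start
    print(term(AUTH_REQ, "acct-status-type", "!=", "start"))   # absent: no match
    print(term(AUTH_REQ, "user-name", "=", ".*@dummy.org"))    # '.' is a wildcard
    print(term(AUTH_REQ, "user-name", "=", r".*@dummy\.org"))  # escaped dot
```

Because string values are regular expressions, writing the realm as dummy\.org keeps a user-name filter from also matching names where another character stands in place of the dot.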

SEE ALSO

pcap(3), tcpdump(8), regex(7)

AUTHOR

Paul Rhodes <withnail@users.sourceforge.net>