Rechercher une page de manuel
iplog
Langue: en
Version: 03 December 2000 (mandriva - 22/10/07)
Section: 8 (Commandes administrateur)
NAME
iplog - TCP/IP traffic logger.SYNOPSIS
iplog [options][-DFILNPRSTUVbcdefhkmnopqstvwxyz]
[-a <network,network2,...>]
[-g <group>]
[-i <interface1,...,interfaceN>]
[-l <logfile>]
[--pid-file=<file>]
[-u <user>]
[--tcp[=argument]]
[--udp[=argument]]
[--icmp[=argument]]
[--facility=syslog facility]
[--priority=syslog priority]
DESCRIPTION
iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP and ICMP traffic. Adding support for other protocols should be relatively easy. iplog's capabilities include the ability to detect TCP port scans, TCP null scans, FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags (used by scanners to detect the operating system in use), TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP fragment attacks. iplog is able to run in promiscuous mode and monitor traffic to all hosts on a network. iplog uses libpcap to read data from the network and can be ported to any system that supports pthreads and on which libpcap will function.NOTATION
Throughout this document, required parameters will be denoted by enclosing the parameter in angle brackets <like this>.Optional parameters will be denoted by enclosing the parameter in square brackets [like this].
The '|' character is used to express exclusive or. For example [true|false] means you may give "true" or "false", but not both.
OPTIONS
- --tcp=true (default) Log TCP traffic.
- --tcp=false
- Do not log TCP traffic.
- --udp=true (default)
- Log UDP traffic.
- --udp=false
- Do not log UDP traffic.
- --icmp=true (default)
- Log ICMP traffic.
- --icmp=false
- Do not log ICMP traffic.
- --facility=syslog facility
- Use the specified facility for openlog(3).
- --priority=syslog priority
- Use the specified priority for syslog(3).
- -D, --log-dest=true
- Log the destination address of IP packets.
- --log-dest=false (default)
- Do not log the destination address of IP packets.
- -F, --detect-udp-scan=true (default)
- Detect and log UDP scans.
- --detect-udp-scan=false
- Neither detect nor log UDP scans.
- --log-udp-scan
- Same as --detect-udp-scan.
- -I, --icmp-resolve=true (default)
- Perform host name resolution for ICMP traffic.
- -L, --stdout
- Log to stdout.
- --icmp-resolve=false
- Do not perform host name resolution for ICMP traffic.
- -N, --disable-resolver
- Do not perform host name resolution for any traffic.
- -P, --detect-ping-flood=true (default)
- Detect ping (ICMP echo) flood attacks.
- --detect-ping-flood=false
- Do not detect ping flood attacks.
- --log-ping-flood
- Same as --detect-ping-flood.
- -R, --restart
- Restart iplog, if it is running.
- -S, --detect-smurf=true (default)
- Detect "smurf" attacks.
- --detect-smurf=false
- Do not detect "smurf" attacks.
- --log-smurf
- Same as --detect-smurf.
- -T, --tcp-resolve=true (default)
- Perform host name resolution for TCP traffic.
- --tcp-resolve=false
- Do not perform host name resolution for TCP traffic.
- -U, --udp-resolve=true (default)
- Perform host name resolution for UDP traffic.
- --udp-resolve=false
- Do not perform host name resolution for UDP traffic.
- -V, --verbose=true
- Verbose - Log packets with a bad checksum and packets with a short header length.
- --verbose=false (default)
- Do not be verbose.
- -a <network,network2,...>, --promisc=<network,network2,...>
- Put all monitored interfaces into promiscuous mode and log traffic destined to all hosts on the specified network(s).
- -b, --detect-bogus=true (default)
- Detect bogus TCP flags. Programs such as nmap and queso may set these flags while trying to perform OS detection.
- --detect-bogus=false
- Do not detect bogus TCP flags.
- --log-bogus
- Same as --detect-bogus.
- -c, --dns-cache=true (default)
- Use a built-in DNS cache (allows host lookups to be faster).
- --dns-cache=false
- Do not use the built-in DNS cache.
- -d, --ignore
- Ignore DNS traffic from hosts listed in /etc/resolv.conf.
- -e, --get-ident=true
- Perform ident (RFC 1413) lookups on connections destined to a listening port. This is only available on Linux.
- --get-ident=false (default)
- Do not perform ident lookups.
- -f, --detect-fin-scan=true (default)
- Detect TCP FIN scans (a "stealth scan" used by nmap and other scanners).
- --detect-fin-scan=false
- Do not detect TCP FIN scans.
- --log-fin-scan
- Same as --detect-fin-scan.
- -q, --detect-syn-scan=true (default)
- Detect TCP SYN scans (a "stealth scan" used by nmap and other scanners).
- --detect-syn-scan=false
- Do not detect TCP SYN scans.
- --log-syn-scan
- Same as --detect-syn-scan.
- -g <group|GID>, --group=<group|GID>
- Run with the specified group or GID.
- -h, --help
- Print a summary of available options and exit.
- -i <interface(s)>, --interface=<interface(s)>
- Listen on only the specified interfaces. This option takes a comma-delimited list of interfaces. By default, iplog will listen on any interfaces that are up, except loopback.
- -k, --kill
- Kill iplog, if it is running.
- -l <logfile>, --logfile=<logfile>
- Log to the specified file instead of logging via syslog(3)
- --pid-file=<file>
- Use <file> as the pid file.
This option should be used when starting iplog as a user who doesn't have write access to /var/run.
This option must be used with the -k and -R options when an instance of iplog is running that was started with the --pid-file option. Also note the --pid-file option must be given before the -k and -R options.
- -m, --scans-only=true
- Only log scans and floods. Do not log other traffic.
- -n, --detect-null-scan=true (default)
- Detect null scans (a "stealth scan" used by nmap and other scanners).
- --detect-null-scan=false
- Do not detect null scans.
- --log-null-scan
- Same as --detect-null-scan.
- -o, --no-fork
- Run in the foreground.
- -p, --detect-portscan=true (default)
- Detect port scans (connect(2) scans and SYN (half open) scans).
- --detect-portscan=false
- Do not detect port scans.
- --log-portscan
- Same as --detect-portscan.
- -s, --detect-syn-flood=true (default)
- Stop resolving IP addresses (until the flood ends) if a SYN flood is detected.
- --detect-syn-flood=false
- Do not stop resolving IP addresses if a SYN flood is detected.
- -t, --detect-traceroute=true (default)
- Detect (and log) traceroute.
- --detect-traceroute=false
- Do not detect traceroute.
- --log-traceroute
- Same as --detect-traceroute.
- -u <user|UID>, --user=<user|UID>
- Run as the user or with the UID specified.
- -v, --version
- Print version information and exit.
- -w, --log-ip
- Log the IP addresses as well as the hostnames of hosts that are looked up.
- -x, --detect-xmas-scan=true (default)
- Detect Xmas scans (a "stealth" scan used by nmap and other scanners).
- --detect-xmas-scan=false
- Do not detect Xmas scans.
- --log-xmas-scan
- Same as --detect-xmas-scan.
- -y, --detect-frag=true
- Detect fragment attacks.
- --detect-frag=false
- Do not detect fragment attacks.
- --log-frag
- Same as --detect-frag.
- -z, --fool-nmap=true
- Attempt to fool programs, such as nmap and queso, that perform remote OS detection. As a side effect, this option will also cause most of nmap's "stealth" scans to fail.
- WARNING
- This option is dangerous and can set off network traffic storms.
- --fool-nmap=false (default)
- Do not attempt to fool nmap's OS detection.
FILES
- /etc/iplog.conf
- The iplog configuration file.
BUGS
Report any bugs to odin@numb.orgAUTHOR
Ryan McCabe <odin@numb.org>AVAILABILITY
The primary distribution site for iplog is http://ojnk.sourceforge.netMIRROR LIST
ftp://ojnk.sourceforge.net/pub/ojnk/iplog
http://www.numb.org/~odin
SEE ALSO
iplog.conf(5) tcpdump(1) syslog(3) openlog(3) pcap(3) nmap(8)Contenus ©2006-2024 Benjamin Poulain
Design ©2006-2024 Maxime Vantorre