iplog man page on Mageia

Man page or keyword search:  
man Server   17783 pages
apropos Keyword Search (all sections)
Output format
Mageia logo
[printable version]

iplog(8)							      iplog(8)

NAME
       iplog - TCP/IP traffic logger.

SYNOPSIS
       iplog [options]

       [-DFILNPRSTUVbcdefhkmnopqstvwxyz]
       [-a <network,network2,...>]
       [-g <group>]
       [-i <interface1,...,interfaceN>]
       [-l <logfile>]
       [--pid-file=<file>]
       [-u <user>]
       [--tcp[=argument]]
       [--udp[=argument]]
       [--icmp[=argument]]
       [--facility=syslog facility]
       [--priority=syslog priority]

DESCRIPTION
       iplog  is  a TCP/IP traffic logger. Currently, it is capable of logging
       TCP, UDP and ICMP traffic. Adding support for other protocols should be
       relatively  easy.   iplog's  capabilities include the ability to detect
       TCP port scans, TCP  null  scans,  FIN  scans,  UDP  and	 ICMP  "smurf"
       attacks, bogus TCP flags (used by scanners to detect the operating sys‐
       tem in use), TCP SYN scans, TCP "Xmas" scans,  ICMP  ping  floods,  UDP
       scans,  and  IP	fragment attacks.  iplog is able to run in promiscuous
       mode and monitor traffic to all hosts on a network.  iplog uses libpcap
       to read data from the network and can be ported to any system that sup‐
       ports pthreads and on which libpcap will function.

NOTATION
       Throughout this	document,  required  parameters	 will  be  denoted  by
       enclosing the parameter in angle brackets <like this>.

       Optional	 parameters  will  be  denoted	by  enclosing the parameter in
       square brackets [like this].

       The '|' character  is  used  to	express	 exclusive  or.	  For  example
       [true|false] means you may give "true" or "false", but not both.

OPTIONS
       --tcp=true (default)
	      Log TCP traffic.

       --tcp=false
	      Do not log TCP traffic.

       --udp=true (default)
	      Log UDP traffic.

       --udp=false
	      Do not log UDP traffic.

       --icmp=true (default)
	      Log ICMP traffic.

       --icmp=false
	      Do not log ICMP traffic.

       --facility=syslog facility
	      Use the specified facility for openlog(3).

       --priority=syslog priority
	      Use the specified priority for syslog(3).

       -D, --log-dest=true
	      Log the destination address of IP packets.

       --log-dest=false (default)
	      Do not log the destination address of IP packets.

       -F, --detect-udp-scan=true (default)
	      Detect and log UDP scans.

       --detect-udp-scan=false
	      Neither detect nor log UDP scans.

       --log-udp-scan
	      Same as --detect-udp-scan.

       -I, --icmp-resolve=true (default)
	      Perform host name resolution for ICMP traffic.

       -L, --stdout
	      Log to stdout.

       --icmp-resolve=false
	      Do not perform host name resolution for ICMP traffic.

       -N, --disable-resolver
	      Do not perform host name resolution for any traffic.

       -P, --detect-ping-flood=true (default)
	      Detect ping (ICMP echo) flood attacks.

       --detect-ping-flood=false
	      Do not detect ping flood attacks.

       --log-ping-flood
	      Same as --detect-ping-flood.

       -R, --restart
	      Restart iplog, if it is running.

       -S, --detect-smurf=true (default)
	      Detect "smurf" attacks.

       --detect-smurf=false
	      Do not detect "smurf" attacks.

       --log-smurf
	      Same as --detect-smurf.

       -T, --tcp-resolve=true (default)
	      Perform host name resolution for TCP traffic.

       --tcp-resolve=false
	      Do not perform host name resolution for TCP traffic.

       -U, --udp-resolve=true (default)
	      Perform host name resolution for UDP traffic.

       --udp-resolve=false
	      Do not perform host name resolution for UDP traffic.

       -V, --verbose=true
	      Verbose  -  Log  packets	with a bad checksum and packets with a
	      short header length.

       --verbose=false (default)
	      Do not be verbose.

       -a <network,network2,...>, --promisc=<network,network2,...>
	      Put all monitored interfaces into promiscuous mode and log traf‐
	      fic destined to all hosts on the specified network(s).

       -b, --detect-bogus=true (default)
	      Detect bogus TCP flags.  Programs such as nmap and queso may set
	      these flags while trying to perform OS detection.

       --detect-bogus=false
	      Do not detect bogus TCP flags.

       --log-bogus
	      Same as --detect-bogus.

       -c, --dns-cache=true (default)
	      Use a built-in DNS cache (allows host lookups to be faster).

       --dns-cache=false
	      Do not use the built-in DNS cache.

       -d, --ignore
	      Ignore DNS traffic from hosts listed in /etc/resolv.conf.

       -e, --get-ident=true
	      Perform ident (RFC 1413) lookups on connections  destined	 to  a
	      listening port.  This is only available on Linux.

       --get-ident=false (default)
	      Do not perform ident lookups.

       -f, --detect-fin-scan=true (default)
	      Detect  TCP  FIN	scans (a "stealth scan" used by nmap and other
	      scanners).

       --detect-fin-scan=false
	      Do not detect TCP FIN scans.

       --log-fin-scan
	      Same as --detect-fin-scan.

       -q, --detect-syn-scan=true (default)
	      Detect TCP SYN scans (a "stealth scan" used by  nmap  and	 other
	      scanners).

       --detect-syn-scan=false
	      Do not detect TCP SYN scans.

       --log-syn-scan
	      Same as --detect-syn-scan.

       -g <group|GID>, --group=<group|GID>
	      Run with the specified group or GID.

       -h, --help
	      Print a summary of available options and exit.

       -i <interface(s)>, --interface=<interface(s)>
	      Listen  on  only	the specified interfaces.  This option takes a
	      comma-delimited list of interfaces.  By default, iplog will lis‐
	      ten on any interfaces that are up, except loopback.

       -k, --kill
	      Kill iplog, if it is running.

       -l <logfile>, --logfile=<logfile>
	      Log to the specified file instead of logging via syslog(3)

       --pid-file=<file>
	      Use <file> as the pid file.

	      This  option  should  be	used when starting iplog as a user who
	      doesn't have write access to /var/run.

	      This option must be used with the -k  and	 -R  options  when  an
	      instance	 of  iplog  is	running	 that  was  started  with  the
	      --pid-file option.  Also note  the  --pid-file  option  must  be
	      given before the -k and -R options.

       -m, --scans-only=true
	      Only log scans and floods.  Do not log other traffic.

       -n, --detect-null-scan=true (default)
	      Detect null scans (a "stealth scan" used by nmap and other scan‐
	      ners).

       --detect-null-scan=false
	      Do not detect null scans.

       --log-null-scan
	      Same as --detect-null-scan.

       -o, --no-fork
	      Run in the foreground.

       -p, --detect-portscan=true (default)
	      Detect port scans (connect(2) scans and SYN (half open) scans).

       --detect-portscan=false
	      Do not detect port scans.

       --log-portscan
	      Same as --detect-portscan.

       -s, --detect-syn-flood=true (default)
	      Stop resolving IP addresses (until the  flood  ends)  if	a  SYN
	      flood is detected.

       --detect-syn-flood=false
	      Do not stop resolving IP addresses if a SYN flood is detected.

       -t, --detect-traceroute=true (default)
	      Detect (and log) traceroute.

       --detect-traceroute=false
	      Do not detect traceroute.

       --log-traceroute
	      Same as --detect-traceroute.

       -u <user|UID>, --user=<user|UID>
	      Run as the user or with the UID specified.

       -v, --version
	      Print version information and exit.

       -w, --log-ip
	      Log  the IP addresses as well as the hostnames of hosts that are
	      looked up.

       -x, --detect-xmas-scan=true (default)
	      Detect Xmas scans (a "stealth" scan used by nmap and other scan‐
	      ners).

       --detect-xmas-scan=false
	      Do not detect Xmas scans.

       --log-xmas-scan
	      Same as --detect-xmas-scan.

       -y, --detect-frag=true
	      Detect fragment attacks.

       --detect-frag=false
	      Do not detect fragment attacks.

       --log-frag
	      Same as --detect-frag.

       -z, --fool-nmap=true
	      Attempt  to  fool programs, such as nmap and queso, that perform
	      remote OS detection.  As a side effect, this  option  will  also
	      cause most of nmap's "stealth" scans to fail.

       WARNING
	      This option is dangerous and can set off network traffic storms.

       --fool-nmap=false (default)
	      Do not attempt to fool nmap's OS detection.

FILES
       /etc/iplog.conf
	      The iplog configuration file.

BUGS
       Report any bugs to odin@numb.org

AUTHOR
       Ryan McCabe <odin@numb.org>

AVAILABILITY
       The primary distribution site for iplog is http://ojnk.sourceforge.net

MIRROR LIST
       ftp://ojnk.sourceforge.net/pub/ojnk/iplog
       http://www.numb.org/~odin

SEE ALSO
       iplog.conf(5) tcpdump(1) syslog(3) openlog(3) pcap(3) nmap(8)

iplog 2.2.3		       03 December 2000			      iplog(8)
[top]

List of man pages available for Mageia

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net