netlog 1.2 -- January 5, 1994

These directories contain a TCP and UDP traffic logging system. These
programs are a part of the network security system used by Texas A&M
University. It can be used for locating suspicious network traffic.

The following programs are included:

    tcplogger - Log all TCP connections on a subnet
    udplogger - Log all UDP sessions on a subnet
    extract   - Process log files created by tcplogger or udplogger
    netwatch  - Realtime network monitor

All three programs require an ANSI C compiler. Tcplogger and udplogger
use the SunOS 4.x Network Interface Tap (nit) or the SunOS 5.x Data Link
Provider Interface (DLPI).

To build the programs:

    1) Edit the Makefile to select SunOS 4.x or SunOS 5.x (Solaris)
    2) Just enter 'make'

You will end up with binaries in the 'bin' directory.

If you are using 'gcc', do not turn on optimization for tcplogger or
udplogger. Also, if 'fix-includes' was not run, then you must use the
'-traditional' flag. To be safe, use it anyway.

The latest versions of these programs (sans netwatch) are available from:

    net.tamu.edu:/pub/security/TAMU
    net.tamu.edu == 128.194.177.1

* * * * * *

01/05/1994 Changes

Included stripped 'netwatch'. The 'telnet' and 'ftp' modules are removed
to prevent the use of 'netwatch' as a password grabber.

Bug fixes to improve reliability.

Added '-p' switch to all network monitoring tools, which causes them to
run in non-promiscuous mode for use in monitoring on a single host. This
reduces load on the monitoring machine.

------------------------------------------------------------------------
10/31/1993 Changes

Support for SunOS 5.x DLPI.

Date/time handling in 'extract' corrected to properly handle daylight
savings time and other little nits. Date/time output routines redone for
performance.

A couple of minor bug fixes.

Hacked support for processing an ICMP log into extract. Preliminary
version of ICMP logger. Eats tons of disk space though.
------------------------------------------------------------------------
08/23/1993 Changes

Date handling improved in extract in regards to timezone. Also removed
references to timelocal() and used ANSI mktime() (it isn't documented in
SunOS 4, but it is there). 'extract' will now work on SunOS 5 (and
probably other UN*X's).

'extract' now handles hostnames that resolve to multiple IP addresses.

'extract' now treats an unresolvable hostname as a nonfatal condition. It
handles the failure in a semi-intelligent fashion based on the context of
the failure.

Added unbuffering flag (-U) to extract. This causes it to not buffer
input, allowing:

    tcplogger -b | extract -U

to be useful.

'udplogger' has a new option '-t' which specifies a timeout in seconds.
This indicates how long to "remember" sessions before assuming they have
completed. The default is 300 seconds.

------------------------------------------------------------------------
06/18/1993 Changes

Fixed bugs in extract dealing with dates (you couldn't specify the last
day of the month).

Added -n support to tcplogger and udplogger. In tcplogger, udplogger and
extract, -n now disables port number name resolution as well.

tcplogger and udplogger now use the first ethernet interface on the
machine, instead of defaulting to "le0". Thanks to Dave Hess for sample
code.

Fixed bug in extract that prevented using both "print" and "next" on the
same clause. It was only executing the first one... (bug, this was no
bug... this was just silly... I only had it doing one command).
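The '-t' timeout described above is the whole basis on which a UDP logger can claim to see "sessions" at all, since UDP has no handshake or teardown to key on: a flow is remembered while datagrams keep arriving and is written out as complete once it has been idle longer than the timeout. The following is an added illustration of that idea and is not netlog's own code; it keeps a small fixed-size table of bidirectional flows (matching is assumed to work in either direction), reaps idle entries before each lookup, and replays a constructed trace with integer addresses and timestamps in place of packets from a real interface tap. The 300-second default matches the documented udplogger default; the output line format is invented for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_SESSIONS 64
#define DEFAULT_TIMEOUT 300      /* seconds; udplogger's documented -t default */

/* One remembered UDP conversation. Addresses are plain integers here
 * (constructed for the example), not the in_addr values a real tap yields. */
struct session {
    int used;
    unsigned long a_ip, b_ip;
    unsigned short a_port, b_port;
    time_t first_seen, last_seen;
    unsigned long packets;
};

struct session_table {
    struct session s[MAX_SESSIONS];
    int timeout;                 /* idle seconds before a session is declared complete */
    unsigned long completed;     /* sessions logged as complete so far */
};

void table_init(struct session_table *t, int timeout)
{
    memset(t, 0, sizeof *t);
    t->timeout = timeout > 0 ? timeout : DEFAULT_TIMEOUT;
}

/* Does this session match the datagram in either direction? (assumed session model) */
static int matches(const struct session *s, unsigned long sip, unsigned short sport,
                   unsigned long dip, unsigned short dport)
{
    return (s->a_ip == sip && s->a_port == sport && s->b_ip == dip && s->b_port == dport) ||
           (s->a_ip == dip && s->a_port == dport && s->b_ip == sip && s->b_port == sport);
}

/* Emit a completed session as one log line (format invented for this example). */
static void log_session(const struct session *s)
{
    printf("udp %lu:%u -> %lu:%u packets=%lu duration=%lds\n",
           s->a_ip, s->a_port, s->b_ip, s->b_port, s->packets,
           (long)(s->last_seen - s->first_seen));
}

/* Forget every session idle longer than the timeout as of 'now'. Returns how many closed. */
int table_expire(struct session_table *t, time_t now)
{
    int i, closed = 0;
    for (i = 0; i < MAX_SESSIONS; i++) {
        if (t->s[i].used && now - t->s[i].last_seen > t->timeout) {
            log_session(&t->s[i]);
            t->s[i].used = 0;
            t->completed++;
            closed++;
        }
    }
    return closed;
}

/* Account one datagram. Returns 1 if it opened a new session, 0 if it joined an
 * existing one, -1 if the table is full (a real logger would report and drop). */
int table_record(struct session_table *t, unsigned long sip, unsigned short sport,
                 unsigned long dip, unsigned short dport, time_t now)
{
    int i, free_slot = -1;
    table_expire(t, now);        /* reap idle sessions before looking this one up */
    for (i = 0; i < MAX_SESSIONS; i++) {
        if (!t->s[i].used) { if (free_slot < 0) free_slot = i; continue; }
        if (matches(&t->s[i], sip, sport, dip, dport)) {
            t->s[i].last_seen = now;
            t->s[i].packets++;
            return 0;
        }
    }
    if (free_slot < 0) return -1;
    t->s[free_slot].used = 1;
    t->s[free_slot].a_ip = sip;   t->s[free_slot].a_port = sport;
    t->s[free_slot].b_ip = dip;   t->s[free_slot].b_port = dport;
    t->s[free_slot].first_seen = t->s[free_slot].last_seen = now;
    t->s[free_slot].packets = 1;
    return 1;
}

/* Number of sessions currently remembered. */
int table_active(const struct session_table *t)
{
    int i, n = 0;
    for (i = 0; i < MAX_SESSIONS; i++) n += t->s[i].used;
    return n;
}

/* Replay a constructed trace: a DNS-like exchange, an unrelated flow, then a long gap.
 * Returns the number of sessions declared complete (3 for this trace). */
unsigned long demo(void)
{
    struct session_table t;
    table_init(&t, DEFAULT_TIMEOUT);
    table_record(&t, 1, 40000, 2, 53, 0);     /* query opens session 1 */
    table_record(&t, 2, 53, 1, 40000, 1);     /* reply joins session 1 */
    table_record(&t, 3, 5000, 4, 514, 20);    /* unrelated flow opens session 2 */
    table_record(&t, 1, 40000, 2, 53, 400);   /* both idle > 300 s: closed, then a fresh session */
    table_expire(&t, 1000);                   /* final sweep closes the fresh session */
    return t.completed;
}

int main(void)
{
    printf("completed sessions: %lu\n", demo());
    return 0;
}
```

The point of the replay is the last datagram: the same four-tuple reappearing 399 seconds later is counted as a new session, not a continuation, because the old entry was expired first. That is exactly what a shorter '-t' trades off: a small value keeps the table small and the log timely, a large one merges long-lived but bursty exchanges (and costs memory on a busy subnet).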