Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
iplog(8)		    System Manager's Manual		      iplog(8)

NAME
       iplog - TCP/IP traffic logger.

SYNOPSIS
       iplog [options]

       [-DFILNPRSTUVbcdefhkmnopqstvwxyz]
       [-a <network,network2,...>]
       [-g <group>]
       [-i <interface1,...,interfaceN>]
       [-l <logfile>]
       [--pid-file=<file>]
       [-u <user>]
       [--tcp[=argument]]
       [--udp[=argument]]
       [--icmp[=argument]]
       [--facility=syslog facility]
       [--priority=syslog priority]

DESCRIPTION
       iplog  is  a TCP/IP traffic logger. Currently, it is capable of logging
       TCP, UDP	and ICMP traffic. Adding support for other protocols should be
       relatively  easy.   iplog's  capabilities include the ability to	detect
       TCP port	scans, TCP null	scans, FIN scans, UDP  and  ICMP  "smurf"  at-
       tacks, bogus TCP	flags (used by scanners	to detect the operating	system
       in use),	TCP SYN	scans, TCP "Xmas" scans, ICMP ping floods, UDP	scans,
       and  IP fragment	attacks.  iplog	is able	to run in promiscuous mode and
       monitor traffic to all hosts on a network.  iplog uses libpcap to  read
       data  from  the	network	 and can be ported to any system that supports
       pthreads	and on which libpcap will function.

NOTATION
       Throughout this document, required parameters will be  denoted  by  en-
       closing the parameter in	angle brackets <like this>.

       Optional	 parameters  will  be  denoted	by  enclosing the parameter in
       square brackets [like this].

       The '|' character  is  used  to	express	 exclusive  or.	  For  example
       [true|false] means you may give "true" or "false", but not both.

OPTIONS
       --tcp=true (default)
	      Log TCP traffic.

       --tcp=false
	      Do not log TCP traffic.

       --udp=true (default)
	      Log UDP traffic.

       --udp=false
	      Do not log UDP traffic.

       --icmp=true (default)
	      Log ICMP traffic.

       --icmp=false
	      Do not log ICMP traffic.

       --facility=syslog facility
	      Use the specified	facility for openlog(3).

       --priority=syslog priority
	      Use the specified	priority for syslog(3).

       -D, --log-dest=true
	      Log the destination address of IP	packets.

       --log-dest=false	(default)
	      Do not log the destination address of IP packets.

       -F, --detect-udp-scan=true (default)
	      Detect and log UDP scans.

       --detect-udp-scan=false
	      Neither detect nor log UDP scans.

       --log-udp-scan
	      Same as --detect-udp-scan.

       -I, --icmp-resolve=true (default)
	      Perform host name	resolution for ICMP traffic.

       -L, --stdout
	      Log to stdout.

       --icmp-resolve=false
	      Do not perform host name resolution for ICMP traffic.

       -N, --disable-resolver
	      Do not perform host name resolution for any traffic.

       -P, --detect-ping-flood=true (default)
	      Detect ping (ICMP	echo) flood attacks.

       --detect-ping-flood=false
	      Do not detect ping flood attacks.

       --log-ping-flood
	      Same as --detect-ping-flood.

       -R, --restart
	      Restart iplog, if	it is running.

       -S, --detect-smurf=true (default)
	      Detect "smurf" attacks.

       --detect-smurf=false
	      Do not detect "smurf" attacks.

       --log-smurf
	      Same as --detect-smurf.

       -T, --tcp-resolve=true (default)
	      Perform host name	resolution for TCP traffic.

       --tcp-resolve=false
	      Do not perform host name resolution for TCP traffic.

       -U, --udp-resolve=true (default)
	      Perform host name	resolution for UDP traffic.

       --udp-resolve=false
	      Do not perform host name resolution for UDP traffic.

       -V, --verbose=true
	      Verbose  -  Log  packets	with a bad checksum and	packets	with a
	      short header length.

       --verbose=false (default)
	      Do not be	verbose.

       -a <network,network2,...>, --promisc=<network,network2,...>
	      Put all monitored	interfaces into	promiscuous mode and log traf-
	      fic destined to all hosts	on the specified network(s).

       -b, --detect-bogus=true (default)
	      Detect bogus TCP flags.  Programs	such as	nmap and queso may set
	      these flags while	trying to perform OS detection.

       --detect-bogus=false
	      Do not detect bogus TCP flags.

       --log-bogus
	      Same as --detect-bogus.

       -c, --dns-cache=true (default)
	      Use a built-in DNS cache (allows host lookups to be faster).

       --dns-cache=false
	      Do not use the built-in DNS cache.

       -d, --ignore
	      Ignore DNS traffic from hosts listed in /etc/resolv.conf.

       -e, --get-ident=true
	      Perform ident (RFC 1413) lookups on connections  destined	 to  a
	      listening	port.  This is only available on Linux.

       --get-ident=false (default)
	      Do not perform ident lookups.

       -f, --detect-fin-scan=true (default)
	      Detect  TCP  FIN	scans (a "stealth scan"	used by	nmap and other
	      scanners).

       --detect-fin-scan=false
	      Do not detect TCP	FIN scans.

       --log-fin-scan
	      Same as --detect-fin-scan.

       -q, --detect-syn-scan=true (default)
	      Detect TCP SYN scans (a "stealth scan" used by  nmap  and	 other
	      scanners).

       --detect-syn-scan=false
	      Do not detect TCP	SYN scans.

       --log-syn-scan
	      Same as --detect-syn-scan.

       -g <group|GID>, --group=<group|GID>
	      Run with the specified group or GID.

       -h, --help
	      Print a summary of available options and exit.

       -i <interface(s)>, --interface=<interface(s)>
	      Listen  on  only	the specified interfaces.  This	option takes a
	      comma-delimited list of interfaces.  By default, iplog will lis-
	      ten on any interfaces that are up, except	loopback.

       -k, --kill
	      Kill iplog, if it	is running.

       -l <logfile>, --logfile=<logfile>
	      Log to the specified file	instead	of logging via syslog(3)

       --pid-file=<file>
	      Use <file> as the	pid file.

	      This  option  should  be	used when starting iplog as a user who
	      doesn't have write access	to /var/run.

	      This option must be used with the	-k and -R options when an  in-
	      stance  of iplog is running that was started with	the --pid-file
	      option.  Also note the --pid-file	option must  be	 given	before
	      the -k and -R options.

       -m, --scans-only=true
	      Only log scans and floods.  Do not log other traffic.

       -n, --detect-null-scan=true (default)
	      Detect null scans	(a "stealth scan" used by nmap and other scan-
	      ners).

       --detect-null-scan=false
	      Do not detect null scans.

       --log-null-scan
	      Same as --detect-null-scan.

       -o, --no-fork
	      Run in the foreground.

       -p, --detect-portscan=true (default)
	      Detect port scans	(connect(2) scans and SYN (half	open) scans).

       --detect-portscan=false
	      Do not detect port scans.

       --log-portscan
	      Same as --detect-portscan.

       -s, --detect-syn-flood=true (default)
	      Stop resolving IP	addresses (until the  flood  ends)  if	a  SYN
	      flood is detected.

       --detect-syn-flood=false
	      Do not stop resolving IP addresses if a SYN flood	is detected.

       -t, --detect-traceroute=true (default)
	      Detect (and log) traceroute.

       --detect-traceroute=false
	      Do not detect traceroute.

       --log-traceroute
	      Same as --detect-traceroute.

       -u <user|UID>, --user=<user|UID>
	      Run as the user or with the UID specified.

       -v, --version
	      Print version information	and exit.

       -w, --log-ip
	      Log  the IP addresses as well as the hostnames of	hosts that are
	      looked up.

       -x, --detect-xmas-scan=true (default)
	      Detect Xmas scans	(a "stealth" scan used by nmap and other scan-
	      ners).

       --detect-xmas-scan=false
	      Do not detect Xmas scans.

       --log-xmas-scan
	      Same as --detect-xmas-scan.

       -y, --detect-frag=true
	      Detect fragment attacks.

       --detect-frag=false
	      Do not detect fragment attacks.

       --log-frag
	      Same as --detect-frag.

       -z, --fool-nmap=true
	      Attempt  to  fool	programs, such as nmap and queso, that perform
	      remote OS	detection.  As a side effect, this  option  will  also
	      cause most of nmap's "stealth" scans to fail.

       WARNING
	      This option is dangerous and can set off network traffic storms.

       --fool-nmap=false (default)
	      Do not attempt to	fool nmap's OS detection.

FILES
       /usr/local/etc/iplog.conf
	      The iplog	configuration file.

BUGS
       Report any bugs to odin@numb.org

AUTHOR
       Ryan McCabe <odin@numb.org>

AVAILABILITY
       The primary distribution	site for iplog is http://ojnk.sourceforge.net

MIRROR LIST
       ftp://ojnk.sourceforge.net/pub/ojnk/iplog
       http://www.numb.org/~odin

SEE ALSO
       iplog.conf(5) tcpdump(1)	syslog(3) openlog(3) pcap(3) nmap(8)

iplog 2.2.3		       03 December 2000			      iplog(8)

NAME | SYNOPSIS | DESCRIPTION | NOTATION | OPTIONS | FILES | BUGS | AUTHOR | AVAILABILITY | MIRROR LIST | SEE ALSO

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=iplog&sektion=8&manpath=FreeBSD+12.1-RELEASE+and+Ports>

home | help