ipaudit - IP traffic summarizer

SYNOPSIS

       ipaudit -aciolprswx [interface]




DESCRIPTION

       ipaudit is an IP traffic monitor.  It listens to a network
       interface in promiscuous mode (or  reads  data  previously
       dumped  to a file) and tallies the total traffic for every
       "connection".  A connection is a combination of an ip address
       pair, the protocol and, for the tcp/udp protocols, the port
       numbers.



OUTPUT

       If host 105.33.41.107 telnets to 211.117.5.11, this creates
       a  single  connection.  ipaudit will tally the total
       bytes of traffic and total packet count in each  direction
       between the two hosts.

       When  ipaudit reports its findings, this telnet connection
       will be listed as

       105.033.041.107 211.117.005.011 6 1105 23 19934 2993 41 33

       The columns are (1) host 1 ip (2) host 2 ip, (3) protocol,
       (4) host 1 port,  (5)  host  2  port,  (6)  host  1  bytes
       received,  (7)  host  2 bytes received, (8) host 1 packets
       received, (9) host 2 packets received.

       For protocols other than tcp/udp, where there are no ports,
       the  port  numbers  are set to 0 in the output.  Note that
       the host ip octets are padded on the left with 0 to make 3
       digits.  This helps make the output more readable.

       As  another  example,  if the first host now sends 10 ping
       packets to a non-existent host 105.33.41.188 then it  will
       be reported as an output line

       105.033.041.107 105.033.041.188 1 0 680 0 10

       This says that address 105.33.41.188 received 680 bytes in
       10 packets of protocol 1 - even though there  is  no  such
       address!
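       A small parser for the nine-column output format just described, added here as an illustration and not part of ipaudit itself.  The sample lines are constructed from the two examples above, with the ping line filled out to all nine columns according to the column definitions; it also shows one check a report script can make on such output.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample in ipaudit's 9-column format: the telnet session from the
# text and the ping to a host that never answers, with every column filled in.
SAMPLE = """\
105.033.041.107 211.117.005.011 6 1105 23 19934 2993 41 33
105.033.041.107 105.033.041.188 1 0 0 0 680 0 10
"""


@dataclass
class Conn:
    host1: str
    host2: str
    proto: int
    port1: int
    port2: int
    bytes1: int  # bytes received by host1
    bytes2: int  # bytes received by host2
    pkts1: int   # packets received by host1
    pkts2: int   # packets received by host2


def parse_ip(padded: str) -> str:
    """Undo ipaudit's left zero padding: '105.033.041.107' -> '105.33.41.107'.
    Going through IPv4Address also rejects octets that are not valid."""
    return str(ipaddress.IPv4Address(".".join(str(int(o)) for o in padded.split("."))))


def parse_line(line: str) -> Conn:
    """Split one output line into its nine columns."""
    f = line.split()
    if len(f) != 9:
        raise ValueError(f"expected 9 columns, got {len(f)}: {line!r}")
    return Conn(parse_ip(f[0]), parse_ip(f[1]), *map(int, f[2:]))


def parse_output(text: str) -> List[Conn]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def one_sided(conns: List[Conn]) -> List[Conn]:
    """Connections where exactly one host received packets: the other end
    never replied.  Many of these from one source, as with the ping to a
    non-existent address above, is how probing of unused space shows up."""
    return [c for c in conns if (c.pkts1 == 0) != (c.pkts2 == 0)]
```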





OPTIONS

       interface
              Network interface to read data from.


       -r <dumpfile>
              Reads network data from <dumpfile> instead of reading
              live from the network.  Such a dumpfile could have
              been  produced by the programs ipaudit, tcpdump or
              ethereal (http://www.zing.org).


       -c <npacket>
              Terminate program after reading <npacket>  packets.


       -w <dumpfile>
              Writes the first nlen bytes of every packet to <dumpfile>
              (see the -s option about nlen).  The file can later be
              read  by  ipaudit, tcpdump or ethereal.  The -w
              option does not affect traffic analysis - it will still
              take place.  Warning: -w must be accompanied by
              either the -a or the -p option to produce a dumpfile.
              Otherwise the -w option is ignored.


       -a     dump  ALL  packets to dump file.  This could result
              in large dump files.  You may want to  use  the  -p
              option instead.


       -p prot[,port..][:prot[,port..]..]
              Only  dump  packets  with  specific  protocols  and
              ports.  For example, -p1:6:17  dumps  only  packets
              with  protocols  1  (icmp),  6  (tcp) and 17 (udp).
              You can also break down udp and tcp packets by port
              numbers  -  for  example -p1:6,21,23 will only dump
              icmp packets, ftp packets (protocol 6, port 21) and
              telnet packets (protocol 6, port 23).
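              A parser and matcher for this -p syntax, added here as an illustration and not ipaudit's own code.  It assumes, which the page does not state, that a port listed for tcp/udp matches either endpoint of the packet.

```python
from typing import Dict, Optional, Set

Rules = Dict[int, Optional[Set[int]]]  # protocol -> ports, None = any port


def parse_filter(spec: str) -> Rules:
    """Parse 'prot[,port..][:prot[,port..]..]'; e.g. '1:6,21,23' gives
    {1: None, 6: {21, 23}}.  A bare protocol means all of its packets."""
    rules: Rules = {}
    for group in spec.split(":"):
        if not group:
            raise ValueError(f"empty protocol group in {spec!r}")
        proto, *ports = (int(x) for x in group.split(","))
        if ports and proto not in (6, 17):
            raise ValueError(f"protocol {proto} carries no port numbers")
        if any(not 0 < p <= 65535 for p in ports):
            raise ValueError(f"bad port in {group!r}")
        if not ports or rules.get(proto, set()) is None:
            rules[proto] = None                 # whole protocol wins
        else:
            rules.setdefault(proto, set()).update(ports)
    return rules


def matches(rules: Rules, proto: int, sport: int = 0, dport: int = 0) -> bool:
    """Would a packet with these fields be written to the dump file?
    Assumption (not on the page): a port rule matches either endpoint."""
    if proto not in rules:
        return False
    ports = rules[proto]
    return ports is None or sport in ports or dport in ports
```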


       -s <nlen>
              Save  no  more  than  first  <nlen>  packet  bytes.
              Default is 96, minimum is 68.


       -i <pidfile>
              Save the program process id to <pidfile>.  This  is
              used  to  terminate program execution when the sampling
              time has expired.  Use a command like

              kill -2 `cat <pidfile>`

              to signal ipaudit to stop.  Once  ipaudit  receives


       -l <local-ip>
              Normally, the two ip addresses within a line of output
              are in sorted order.  But if you are monitoring
              a link between two networks,  you  might  want  the
              addresses of one network to come first on an output
              line.  <local-ip> is the partial ip address of  the
              network which is listed first on the line.  If neither
              ip address belongs to the group of <local-ip>,
              then they are printed in sorted order.

              For example,

              ipaudit -c 10000 -l 137.11 eth0

              will  tally 10,000 packets and list the results on-
              screen, placing ip addresses beginning with  137.11
              first  on each output line.  Note that ipaudit pads
              the bytes with leading zeros, so  that  the  output
              will actually start like

              137.011.nnn.nnn ...



       -x <program>
              After  ipaudit ends, either from receiving a signal
              or reaching its  packet  limit  (-c  option),  call
              <program>.   This  option  is  intended  for  calling
              report scripts which  read  ipaudit  output  after
              completion.   You  can send at most one argument to
              this program, for example

              ipaudit -c 10000 -x 'report traffic.out' -o traffic.out eth0

              runs ipaudit for 10,000 packets, places the output in
              the file traffic.out, and then  calls  the  program
              'report'  with the argument 'traffic.out' - telling
              'report' where to find its input file.

              Note that to  send  an  argument  'traffic.out'  to
              'report' we needed to enclose both options together
              in a single pair of quotes.  Without the quotes  -x
              would  think  that we were running 'report' without
              an option (and, the  option  traffic.out  would  be
              interpreted as the network interface - not what you
              wanted at all).



       -o <outfile>
              Writes the traffic list to <outfile> upon completion.
              By default, it writes traffic to stdout.




EXAMPLES

       ipaudit -w dump.fil -p1:2:6,21,23 eth0

              This tells ipaudit to write all packet headers
              for icmp, telnet, and ftp to dump.fil and  to  read
              traffic  from  the network interface eth0.  ipaudit
              will continue to run until it is  interrupted  with
              control-C  or  the  kill  command, at which time it
              will list on the terminal a summary of the traffic that
              it saw.


       ipaudit -i ipaudit.pid -o traffic.out le0

              Read  traffic  from  interface le0 and place it in the
              file traffic.out when the program completes.  The process
              id  number  is  written to ipaudit.pid at the
              program start.  Thus you can terminate ipaudit with
              the command kill -2 `cat ipaudit.pid`


       ipaudit -c 50000 eth0 > traffic.out

              Read  50,000  packets  of  traffic  from eth0, redirecting
              the default stdout output into the file traffic.out.




BUGS

       Report any to j.rifkin@uconn.edu.



AUTHOR

       j rifkin <j.rifkin@uconn.edu>
       http://www.sp.uconn.edu/~jrifkin



SEE ALSO

       tcpdump(1) pcap(3)
