ipaudit - IP traffic summarizer
SYNOPSIS
ipaudit -aciolprswx [interface]
DESCRIPTION
ipaudit is an IP traffic monitor. It listens to a network
interface in promiscuous mode (or reads data previously
dumped to a file) and tallies the total traffic for every
"connection". A connection is a combination of an ip address
pair, the protocol and, for the tcp/udp protocols, the port
numbers.
OUTPUT
If host 105.33.41.107 telnets to 211.117.5.11 this creates
a single connection. ipaudit will tally the total bytes of
traffic and total packet count in each direction between
the two hosts.
When ipaudit reports its findings, this telnet connection
will be listed as
105.033.041.107 211.117.005.011 6 1105 23 19934 2993 41 33
The columns are (1) host 1 ip (2) host 2 ip, (3) protocol,
(4) host 1 port, (5) host 2 port, (6) host 1 bytes
received, (7) host 2 bytes received, (8) host 1 packets
received, (9) host 2 packets received.
For protocols other than tcp/udp, where there are no ports,
the port numbers are set to 0 in the output. Note that
the host ip octets are padded on the left with 0 to make 3
digits. This helps make the output more readable.
As another example, if the first host now sends 10 ping
packets to a non-existent host 105.33.41.188 then it will
be reported as an output line
105.033.041.107 105.033.041.188 1 0 0 0 680 0 10
This says that address 105.33.41.188 received 680 bytes in
10 packets of protocol 1 (icmp) - even though there is no
such address! Both port columns are 0 because icmp has no
ports, and host 1 received nothing back.
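The nine-column format above is easy to consume from a script. The following parser is an added example and is not part of ipaudit: it strips the zero-padded octets, loads each line into a record, and then uses the "one side received nothing" pattern the ping example illustrates to pick out senders whose unanswered traffic reached several hosts, which is what a ping sweep looks like in an ipaudit summary. The SAMPLE lines are constructed for the example (the telnet and ping lines from the text, two more pings and an unanswered DNS query).

```python
"""Parse ipaudit's nine-column summary lines and flag one-way traffic.

Added example: this is not part of ipaudit.  The SAMPLE lines are
constructed to follow the OUTPUT format above (zero-padded octets,
ports 0 for non-tcp/udp, byte/packet counts as received by each side).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List

# Constructed sample output: the telnet session and ping from the text,
# plus two more pings and an unanswered DNS query (all made up).
SAMPLE = """\
105.033.041.107 211.117.005.011 6 1105 23 19934 2993 41 33
105.033.041.107 105.033.041.188 1 0 0 0 680 0 10
105.033.041.107 105.033.041.189 1 0 0 0 680 0 10
105.033.041.107 105.033.041.190 1 0 0 0 680 0 10
010.000.000.005 105.033.041.107 17 5353 53 0 120 0 2
"""


@dataclass
class Flow:
    host1: IPv4Address
    host2: IPv4Address
    proto: int
    port1: int
    port2: int
    bytes1: int  # bytes received by host1
    bytes2: int  # bytes received by host2
    pkts1: int   # packets received by host1
    pkts2: int   # packets received by host2


def unpad(ip: str) -> IPv4Address:
    """ipaudit prints '105.033.041.107'; IPv4Address rejects leading
    zeros, so normalise each octet first."""
    return IPv4Address(".".join(str(int(o)) for o in ip.split(".")))


def parse_line(line: str) -> Flow:
    fields = line.split()
    if len(fields) != 9:
        raise ValueError(f"expected 9 columns, got {len(fields)}: {line!r}")
    return Flow(unpad(fields[0]), unpad(fields[1]), *map(int, fields[2:]))


def parse(text: str) -> List[Flow]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def one_way(flows: List[Flow]) -> List[Flow]:
    """Flows where exactly one side received packets: probes to dead
    hosts, unanswered SYNs, or traffic a filter silently dropped."""
    return [f for f in flows if (f.pkts1 == 0) != (f.pkts2 == 0)]


def sweep_sources(flows: List[Flow], proto: int = 1,
                  min_targets: int = 3) -> Dict[str, List[str]]:
    """Senders whose unanswered `proto` traffic reached at least
    `min_targets` distinct hosts (a ping sweep when proto == 1)."""
    targets: Dict[str, set] = {}
    for f in one_way(flows):
        if f.proto != proto:
            continue
        # The sender is the side that received nothing back.
        src, dst = (f.host1, f.host2) if f.pkts1 == 0 else (f.host2, f.host1)
        targets.setdefault(str(src), set()).add(str(dst))
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in sweep_sources(parse(SAMPLE)).items():
        print(f"{src} probed {len(dsts)} hosts without reply: {', '.join(dsts)}")
```

Run it against a file produced with -o (or redirected stdout) by replacing SAMPLE with the file contents; the three-target threshold is an arbitrary starting point, and the same one_way() list is also where unanswered SYN scans (protocol 6, zero bytes received by the sender) show up.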
OPTIONS
[interface]
Network interface to read data from.
-r <dumpfile>
Reads network info from <dumpfile> instead of reading
live from the network. Such a dumpfile could have
been produced by the programs ipaudit, tcpdump or
ethereal (http://www.zing.org).
-c <npacket>
Terminate program after reading <npacket> packets.
-w <dumpfile>
Writes the first nlen bytes of every packet to
<dumpfile> (see the -s option about nlen). The file
can later be read by ipaudit, tcpdump or ethereal.
The -w option does not affect traffic analysis - it
will still take place. Warning: -w must be
accompanied by either the -a or the -p option to
produce a dump file. Otherwise the -w option is
ignored.
-a dump ALL packets to dump file. This could result
in large dump files. You may want to use the -p
option instead.
-p prot[,port..][:prot[,port..]..]
Only dump packets with specific protocols and
ports. For example, -p1:6:17 dumps only packets
with protocols 1 (icmp), 6 (tcp) and 17 (udp).
You can also break down udp and tcp packets by port
numbers - for example -p1:6,21,23 will only dump
icmp packets, ftp packets (protocol 6, port 21) and
telnet packets (protocol 6, port 23).
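To make the -p grammar concrete, here is an added example (not ipaudit's own code) that parses a selector into a protocol-to-ports table and answers whether a given packet would be written to the dump file. One assumption is not stated on the page: a port listed for tcp/udp is taken to match if it is either endpoint's port, so -p6,23 keeps both directions of a telnet session; if ipaudit only compares one side, adjust would_dump() accordingly.

```python
"""Interpret an ipaudit -p selector: prot[,port..][:prot[,port..]..]

Added example, not ipaudit's own code.  It parses the selector into a
protocol -> ports table and answers 'would this packet be dumped?'.
Assumption (not stated on the page): a port listed for tcp/udp matches
if it is either endpoint's port.
"""
from typing import Dict, Optional, Set

ALL = None  # sentinel: every packet of this protocol, regardless of port


def parse_selector(spec: str) -> Dict[int, Optional[Set[int]]]:
    """'1:6,21,23' -> {1: None, 6: {21, 23}}
       '1:6:17'    -> {1: None, 6: None, 17: None}"""
    rules: Dict[int, Optional[Set[int]]] = {}
    for group in spec.split(":"):
        proto, *ports = group.split(",")
        if not proto.isdigit() or not 0 <= int(proto) <= 255:
            raise ValueError(f"bad protocol number {proto!r} in {spec!r}")
        p = int(proto)
        if not ports:
            rules[p] = ALL            # bare protocol: no port restriction
            continue
        if p in rules and rules[p] is ALL:
            continue                  # an earlier group already kept everything
        portset = rules.setdefault(p, set())
        for port in ports:
            if not port.isdigit() or not 0 <= int(port) <= 65535:
                raise ValueError(f"bad port {port!r} in {spec!r}")
            portset.add(int(port))
    return rules


def would_dump(rules: Dict[int, Optional[Set[int]]], proto: int,
               sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    """True if ipaudit -w with this -p selector would write the packet.
    Ports are only meaningful for tcp (6) and udp (17); for other
    protocols pass no ports and list the protocol bare in the selector."""
    if proto not in rules:
        return False
    ports = rules[proto]
    if ports is ALL:
        return True
    return sport in ports or dport in ports


if __name__ == "__main__":
    rules = parse_selector("1:6,21,23")
    print(rules)
    print(would_dump(rules, 6, 1105, 23))   # telnet: kept
    print(would_dump(rules, 6, 1105, 80))   # http: dropped
```

Note that a bare protocol group wins over a port-restricted one for the same protocol in either order ("6,21:6" and "6:6,21" both keep all tcp), which is the conservative reading when a selector is assembled from several sources.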
-s <nlen>
Save no more than first <nlen> packet bytes.
Default is 96, minimum is 68.
-i <pidfile>
Save the program process id to <pidfile>. This is
used to terminate program execution when the sampling
time has expired. Use a command like
kill -2 `cat <pidfile>`
to signal ipaudit to stop. Once ipaudit receives
-l <local-ip>
Normally, the two ip addresses within a line of output
are in sorted order. But if you are monitoring
a link between two networks, you might want the
addresses of one network to come first on an output
line. <local-ip> is the partial ip address of the
network which is listed first on the line. If neither
ip address belongs to the group of <local-ip>
then they are printed in sorted order.
For example,
ipaudit -c 10000 -l 137.11 eth0
will tally 10,000 packets and list the results on-
screen, placing ip addresses beginning with 137.11
first on each output line. Note that ipaudit pads
the bytes with leading zeros, so that the output
will actually start like
137.011.nnn.nnn ...
-x <program>
After ipaudit ends, either from receiving a signal
or reaching its packet limit (-c option), call
<program>. This option is intended for calling
report scripts which read ipaudit output after
completion. You can send at most one argument to
this program, for example
ipaudit -c 10000 -x 'report traffic.out' -o traffic.out eth0
runs ipaudit for 10,000 packets, places the output in
the file traffic.out, and then calls the program
'report' with the argument 'traffic.out' - telling
'report' where to find its input file.
Note that to send the argument 'traffic.out' to
'report' we needed to enclose the program name and its
argument together in a single pair of quotes. Without
the quotes -x would run 'report' without an argument
(and traffic.out would be interpreted as the network
interface - not what you wanted at all).
-o <outfile>
Writes the traffic list to <outfile> upon completion.
By default, it writes the traffic list to stdout.
EXAMPLES
ipaudit -w dump.fil -p1:6,21,23 eth0
This tells ipaudit to write the packet headers of
all icmp, ftp and telnet packets to dump.fil and to
read traffic from the network interface eth0. ipaudit
will continue to run until it is interrupted with
control-C or the kill command, at which time it
will list on the terminal a summary of the traffic
it saw.
ipaudit -i ipaudit.pid -o traffic.out le0
Read traffic from interface le0 and place the summary
in the file traffic.out when the program completes.
The process id number is written to ipaudit.pid at
program start, so you can terminate ipaudit with
the command kill -2 `cat ipaudit.pid`
ipaudit -c 50000 eth0 > traffic.out
Read 50,000 packets of traffic from eth0, redirecting
the default stdout output into the file traffic.out.
BUGS
Report any to j.rifkin@uconn.edu.
AUTHOR
j rifkin <j.rifkin@uconn.edu>
http://www.sp.uconn.edu/~jrifkin
SEE ALSO
tcpdump(1) pcap(3)