Netlog


This document describes a package called NETLOG, created at Texas A&M university (TAMU). A few years back, TAMU was the victim of a coordinated attack upon their UNIX systems by a cooperating group of Internet crackers. In response to these attacks, the following three software packages were created:
DRAWBRIDGE: a bridging filter package
TIGER: a checking program for machine binaries (programs)
NETLOG: a network traffic monitoring tool
Netlog consists of four separate programs designed to run under SunOS 4.x and 5.x. TCPlogger records all TCP traffic passed through the single monitoring host. It does this by placing the network interface into 'promiscuous mode' and reading every TCP connect request. Note that, because of the capture mechanisms used (the network interface tap (NIT) under SunOS 4.x, and the Data Link Provider Interface (DLPI) under SunOS 5.x), it is not possible to monitor outgoing packets originating from the host machine itself. The details of a record entered in the log file for each connection attempt are:

UDPlogger is essentially the same program as TCPlogger, except it records connectionless UDP traffic. The system administrator may configure the default timeout for a UDP 'connection' so as to avoid recording each packet sent as if it were a distinct 'connection.'

Extract is a useful tool for processing the logfiles produced by TCPlogger and UDPlogger. It can select entries based upon any one of the six fields of a log record, or any combination of them. For example, the user could quickly display all traffic that originated from a specific site and port during a certain time interval.
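The two ideas in the preceding paragraphs, collapsing connectionless UDP packets into 'connection' records with a configurable idle timeout, and then pulling records out of the log by any combination of fields, can be shown with a small model. The following is an added example written for this page; it is not code from the Netlog package. The record layout (start time, end time, source host and port, destination host and port), the field names, the default timeout value and the sample packets are all constructed assumptions, not Netlog's actual log format.

```python
"""Added example (not Netlog's own code): UDP 'connection' aggregation by idle
timeout, plus an Extract-style field query over the resulting records.
Field names, record layout and sample packets are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since epoch (constructed sample values)
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Record:
    """One logged 'connection': a run of packets on the same 4-tuple."""
    start: float
    end: float
    src: str
    sport: int
    dst: str
    dport: int
    packets: int = 1


def udp_connections(packets: Iterable[Packet], timeout: float = 30.0) -> List[Record]:
    """Group packets that share a 4-tuple into one record for as long as each
    packet arrives within `timeout` seconds of the previous one. A longer gap
    closes the record and opens a new one, so a quiet tuple is logged as two
    'connections' rather than one endless one, and a chatty tuple is logged
    once rather than once per packet."""
    open_flows: Dict[Tuple[str, int, str, int], Record] = {}
    closed: List[Record] = []
    for p in sorted(packets, key=lambda pk: pk.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        rec = open_flows.get(key)
        if rec is not None and p.ts - rec.end <= timeout:
            rec.end = p.ts            # still inside the idle window: extend
            rec.packets += 1
            continue
        if rec is not None:
            closed.append(rec)        # idle too long: finish the old record
        open_flows[key] = Record(p.ts, p.ts, p.src, p.sport, p.dst, p.dport)
    closed.extend(open_flows.values())  # flush whatever is still open
    return sorted(closed, key=lambda r: r.start)


def extract(records: Iterable[Record], src: Optional[str] = None,
            sport: Optional[int] = None, dst: Optional[str] = None,
            dport: Optional[int] = None, after: Optional[float] = None,
            before: Optional[float] = None) -> List[Record]:
    """Return records matching every criterion given; omitted criteria match
    anything. `after`/`before` bound the record's start time (inclusive)."""
    out = []
    for r in records:
        if src is not None and r.src != src:
            continue
        if sport is not None and r.sport != sport:
            continue
        if dst is not None and r.dst != dst:
            continue
        if dport is not None and r.dport != dport:
            continue
        if after is not None and r.start < after:
            continue
        if before is not None and r.start > before:
            continue
        out.append(r)
    return out


# Constructed sample traffic: one host makes three quick DNS queries, goes
# quiet for 90 seconds, then queries again; another host sends one NTP packet.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", 4000, "10.0.0.9", 53),
    Packet(5.0, "10.0.0.5", 4000, "10.0.0.9", 53),
    Packet(10.0, "10.0.0.5", 4000, "10.0.0.9", 53),
    Packet(3.0, "10.0.0.7", 5000, "10.0.0.9", 123),
    Packet(100.0, "10.0.0.5", 4000, "10.0.0.9", 53),
]

if __name__ == "__main__":
    for r in udp_connections(SAMPLE_PACKETS, timeout=30.0):
        print(f"{r.start:6.1f} {r.end:6.1f} {r.src}:{r.sport} -> "
              f"{r.dst}:{r.dport} ({r.packets} packets)")
    print("to port 53 after t=50:",
          len(extract(udp_connections(SAMPLE_PACKETS), dport=53, after=50.0)))
```

With a 30 second timeout the sample yields three records (the first DNS burst, the NTP packet, and the DNS query after the quiet period); raising the timeout to 200 seconds merges the two DNS runs into one record, which is the trade-off the administrator tunes when choosing the UDP timeout.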

The last program included with Netlog is netwatch. This program is an interactive tool for real-time monitoring of network traffic, attempting to identify any suspicious behaviour. Some activities reported by netwatch include:

Traffic can be monitored on one or both sides of a connection. Note that under SunOS 4.x, if network traffic should become too heavy, the host machine may reach a point of non-functionality. This is due to the overhead of reading every single packet passed to or through the host...
