Tree [936ad7] master 1.1 /
 History

HTTPS access


File Date Author Commit
 autom4te.cache 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 doc 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 src 2016-02-08 Jon Rifkin Jon Rifkin [d39077] Fix typo in add_ports(), change to udp_ports[]
 .gitignore 2013-03-13 Joseph Gooch Joseph Gooch [af23ef] Ignores
 AUTHORS 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 COPYING 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 ChangeLog 2016-02-13 Jon Rifkin Jon Rifkin [936ad7] Add most recent changes
 INSTALL 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 Makefile 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 Makefile.am 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 Makefile.in 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 NEWS 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 PACKAGE_HOWTO 2016-02-13 Jon Rifkin Jon Rifkin [c9d8b4] Notes on remaking tarball package
 README 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 aclocal.m4 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 config.log 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 config.status 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 configure 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 configure.ac 2016-02-13 Jon Rifkin Jon Rifkin [0b0826] Update automake configration; rename configure....
 depcomp 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 install-sh 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 missing 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit
 mkinstalldirs 2013-03-12 Jon Rifkin Jon Rifkin [c01a21] Initial commit

Read Me

IPAUDIT
==========================


Contents
========
IPAUDIT listens to a network device in promiscuis mode, and records
of every 'connection', each conversation between two ip addresses.  A unique
connection is determined by the ip addresses of the two machines, the 
protocol used between them and the port numbers (if they are communicating
via udp or tcp).

It uses a hash table to keep track of the number of bytes and packets
in both directions.  When IPAUDIT receives a signal SIGTERM (kill)
or SIGINT (kill -2, usually the same as a Control-C), it stops collecting
data and write the tabulated results.

This package also includes some companion C programs.  See the CONTENTS file
for more info.


Suggested Usage
===============
IPAUDIT can be used to monitor network activity for a variety of purposes.
It has proved useful for monitoring intrusion detection, bandwidth consumption 
and denial of service attacks.

We run it in shifts.  Every 30 minutes launch an new instance of IPAUDIT
in the background and kill the previous instance.  Before the previous
instance dies it writes a file describing the network activity for the
past 30 minutes.  Perl scripts then parse this file and make a Web
viewable report.  It currently monitors a 45MB link averaging at about
1/3 capacity on a Pentium II/333 running Linux 2.2.13.  Average CPU
usage is at about 10%, and peaks at around %20 on the half hour.

IPAUDIT can also be used with IPAUIT-WEB, and collection of cron and 
web-cgi scripts for gathering data and making reports (NOTE: The separate 
IPAUDIT-WEB distruction not yet available.  You can however obtain
web-cgi scripts from ipaudit-0.93b4.tgz).


Installing
==========
(1) You must first have pcap library installed (see Requirements below).
(2) Type 'make' to produce executables, located in the src/ directory.
(3) Copy man pages ipaudit.1 to your man page directory.
(4) optionally copy man page ipstrings.1, total.1 from man/ to system man page directory.
(5) 'ipaudit' typically must be run as root to read the network interface.


Documentation
=============
See the man pages ipaudit.1, ipstrings.1, total.1 and web page 
   http://sp.uconn.edu/~jrifkin/ipaudit/


Contact Info
============
Jon Rifkin <jon.rifkin@uconn.edu>.  The most recent version of
IPAUDIT is at

   http://ipaudit.sf.net

If you are having trouble with ipaudit, please send output 
when running with the -d option.


Requirements
============
IPAUDIT uses the pcap library which is available from the
URL http://www-nrg.ee.lbl.gov/nrg.html.  It is installed
by default in some Unix environments, and it available
as an rpm from Red Hat.


Recommendations
===============
If you save raw pcap data files (using the -w
option).  Many programs can read such files
including ipstrings (included with ipaudit, see
the 'ipstrings' man page), tcpdump (the original
pcap program, http://www.tcpdump.org) and
ethereal (http://www.zing.org).  But remember
that 'ipstrings' included with ipaudit can also
read these files.  See the 'ipstrings' man page.

You might find the included program 'total' useful
for performing some simple queries on ipaudit's output 
files.  See the 'total' man page.


License
=======
IPAUDIT is covered by the GNU General Public Licensse. 
See the file COPYING for copying permission.

IPAUDIT is Copyright (c) 1999-2005 by Jonathan Rifkin