IPAUDIT listens to a network device in promiscuis mode, and records
of every 'connection', each conversation between two ip addresses. A unique
connection is determined by the ip addresses of the two machines, the
protocol used between them and the port numbers (if they are communicating
via udp or tcp).
It uses a hash table to keep track of the number of bytes and packets
in both directions. When IPAUDIT receives a signal SIGTERM (kill)
or SIGINT (kill -2, usually the same as a Control-C), it stops collecting
data and write the tabulated results.
This package also includes some companion C programs. See the CONTENTS file
for more info.
IPAUDIT can be used to monitor network activity for a variety of purposes.
It has proved useful for monitoring intrusion detection, bandwidth consumption
and denial of service attacks.
We run it in shifts. Every 30 minutes launch an new instance of IPAUDIT
in the background and kill the previous instance. Before the previous
instance dies it writes a file describing the network activity for the
past 30 minutes. Perl scripts then parse this file and make a Web
viewable report. It currently monitors a 45MB link averaging at about
1/3 capacity on a Pentium II/333 running Linux 2.2.13. Average CPU
usage is at about 10%, and peaks at around %20 on the half hour.
IPAUDIT can also be used with IPAUIT-WEB, and collection of cron and
web-cgi scripts for gathering data and making reports (NOTE: The separate
IPAUDIT-WEB distruction not yet available. You can however obtain
web-cgi scripts from ipaudit-0.93b4.tgz).
(1) You must first have pcap library installed (see Requirements below).
(2) Type 'make' to produce executables, located in the src/ directory.
(3) Copy man pages ipaudit.1 to your man page directory.
(4) optionally copy man page ipstrings.1, total.1 from man/ to system man page directory.
(5) 'ipaudit' typically must be run as root to read the network interface.
See the man pages ipaudit.1, ipstrings.1, total.1 and web page
Jon Rifkin <email@example.com>. The most recent version of
IPAUDIT is at
If you are having trouble with ipaudit, please send output
when running with the -d option.
IPAUDIT uses the pcap library which is available from the
URL http://www-nrg.ee.lbl.gov/nrg.html. It is installed
by default in some Unix environments, and it available
as an rpm from Red Hat.
If you save raw pcap data files (using the -w
option). Many programs can read such files
including ipstrings (included with ipaudit, see
the 'ipstrings' man page), tcpdump (the original
pcap program, http://www.tcpdump.org) and
ethereal (http://www.zing.org). But remember
that 'ipstrings' included with ipaudit can also
read these files. See the 'ipstrings' man page.
You might find the included program 'total' useful
for performing some simple queries on ipaudit's output
files. See the 'total' man page.
IPAUDIT is covered by the GNU General Public Licensse.
See the file COPYING for copying permission.
IPAUDIT is Copyright (c) 1999-2005 by Jonathan Rifkin