lunar (1) nstreams.1.gz

Provided by: nstreams_1.0.4-1build1_amd64 bug

NAME

       nstreams - a tcpdump output analyzer

SYNOPSIS

       nstreams [ -v ] [ -c nstreams-services ] [ -n nstreams-networks_file ] [ -N [ -i ] [ -I ]]
       [ -r ] [ -O output [ -D iface ] [ -Y ]] [ -u ] [ -U ] [ -B ] [  -f  tcpdump_file  ]  [  -l
       <iface> ] [ tcpdump output ]

DESCRIPTION

       nstreams  is  a utility designed to identify the IP streams that are occuring on a network
       from a non-user friendly tcpdump output of several megabytes.

       This is especially useful when you plan to install a firewall but if you do not  know  the
       nstreams  that the network users are generating (http, real audio, and more...).  nstreams
       can read the tcpdump output directly from stdin, or from a file. It can even generate  the
       configuration file of your firewall, using the  -O option.

OPTIONS

       -c <nstreams-services-file>
              The  path to an alternate nstreams service file. This file is used to identify each
              protocol. See the services file section later in this manual page.

       -n <nstreams-networks-file>
              The path to an alternate nstreams network file. This file is used to identify which
              hosts  belong  to which network. See the networks file section later in this manual
              page.

       -f <tcpdump output file>
              The path to the file to read data from. This file must have  been  generated  using
              'tcpdump -w filename'.

       -l <iface>
              Listen directly on interface <iface>. This avoids the use of tcpdump.

       -N     print  the  networks  names  instead  of  the hosts IP addresses. The intra-network
              traffic will not be shown. Use this option twice to show the  networks  IP  address
              instead of their names.

       -i     Also show the intra-network traffic (must be used with -N)

       -I     Only show the intra-network traffic (must be used with -N)

       -r     be  redundant.  That  is, the same streams will be printed each time they appear in
              the dump.

       -v     print version number and exit.

       -O <type>
              output type. You can use this option to generate your firewall startup script.   Do
              nstreams -h to see the supported output types.

       -D <iface>
              interface to apply to output onto. Must be used with -O.

       -Y     The  firewall  rules  that  will be generated will deny all packets coming from the
              outside trying to establish connections to the inside. If you system is not serving
              anything, then it's safe to turn on this option.

       -u     Do not print the unknown streams

       -U     Only print the unknown streams

       -B     Show broadcasts and networks

USAGE

       Let  tcpdump(1)  run  some  time on your network (like one week), and save its output in a
       file, by doing :
       tcpdump -l -n > output
       or
       tcpdump -w filename

       Then, feed nstreams with this output file, and it will turn it into a easily-readable file
       which will help you to write efficient firewall filters.  You may also do :
       tcpdump -l -n | nstreams
       or
       nstreams -f filename (if you used tcpdump -w)

THE SERVICES FILE

       The  service  file  contains  the description of each protocol, as well as their name. Its
       syntax is :
       protocol_name:server_port(s)/{udp,tcp}:client_ports(s)
       or :
       protocol_name:type(s)/icmp:code(s)

       Whereas :

       protocol_name
              is the name of the  protocol  described.  This  name  may  contain  any  character,
              including space, except ':'.

       server_port(s)
              is  the  range  of  ports  used by the server. Usually, you will want to define one
              server port only, but you may enter any range you want.

       ip_protocol
              is the IP protocol that this protocol is lying onto. Acceptable values are tcp  and
              udp

       client_port(s)

              is the range of ports that the client may use. You can set this to any or, for more
              accurate results, to ports ranges, like '1-1024,2048-4096'.
              The rules are : 'first match, first taken'.

SERVICE FILE EXAMPLE

       Using this syntax, you would declare the ssh protocol by :
       ssh-unix:22/tcp:1000-1023
       Because the Unix version of the ssh client uses a privileged port to connect onto the  ssh
       server which listens on port 22.

THE NETWORKS FILE

       The  networks  file  is used to define sets and subsets of hosts (also known as networks).
       This avoids redundancy in the output file. The syntax format for this file is :
       network name:ip/mask
       Whereas the network name is whatever you want, the IP is the ip of the  network,  and  the
       mask is the CIDR netmask of the network.  The rule is 'first match, first taken'.

NETWORKS FILE EXAMPLE

       admin:192.168.19.0/29
       whole_subnet:192.168.0.0/16
       internet:0.0.0.0/0

LIMITS

       • nstreams can only parse the output of 'tcpdump -n'

       •  Even  though  the  output  of nstreams is easier to read than the one of tcpdump, it is
       still not easily readable. Use sort(1) on the nstream output to get a more readable file.

       • This program could have been written in perl

FILES

       /etc/nstreams-services
       /etc/nstreams-networks

SEE ALSO

       tcpdump(1)

AUTHORS

       Concept : Herve Schauer Consultants - http://www.hsc.fr
       Coding : Renaud Deraison <deraison@cvs.nessus.org>

BUG REPORTS

       Please send all your bug reports with the detail of your configuration to Renaud  Deraison
       <deraison@cvs.nessus.org>