Provided by: psad_2.2.1-2.1_amd64 bug

NAME

       nf2csv - iptables to CSV data

SYNOPSIS

       nf2csv [options]

DESCRIPTION

       nf2csv  Parses  iptables  log  messages and generates comma-separate value formatted data.
       This   is    useful    to    provide    input    to    the    AfterGlow    project    (see
       http://afterglow.sourceforge.net)  so  iptables  logs  can  be visualized graphically.  An
       interesting application of nf2csv and AfterGlow is to parse  and  visualize  the  iptables
       logfiles  made  available  by  the Honeynet project in their Scan of the Month challenges.
       The  Scan30  and  Scan34   challenges   (see   http://www.honeynet.org/scans/scan30/   and
       http://www.honeynet.org/scans/scan34/)  contain  extensive  iptables  logfiles,  and  some
       graphical      representations      of      these      can      be      viewed       here:
       http://www.cipherdyne.org/psad/honeynet/.   The  psad  program  also  has  the  ability to
       generate CSV data from iptables logs with its --CSV mode.

OPTIONS

       -f, --fields <tokens>
              Specify the set of fields that should be printed from iptables  log  messages.  The
              most  common  usage  of  this  argument  is  SRC  DST  DPT  to print the source and
              destination IP addresses, followed  by  the  destination  port  number.   Available
              fields  to  print  include:  SRC, SPT, DST, DPT, PROTO, LEN, IN, TOS, TTL, SEQ, ID,
              TYPE, CODE (and these can also be referred to as src, dst, sp, dp,  proto,  ip_len,
              intf,  tos,  and  ttl).   There  are  several  additional fields that are not given
              specific tags within iptables log messages, and these can be included by specifying
              one  of  the  following:  flags,  top_opts,  ip_opts,  chain, log_prefix, frag_bit,
              src_mac, dst_mac, and udp_len.  Each of these fields accepts a search  criteria  in
              the  form  of  a  numeric  comparison, string match, or IP match.  See the EXAMPLES
              section below for more information.

       -u, --unique-lines
              Only print unique output lines.  This can drastically reduce the output  of  nf2csv
              depending on the characteristics of the iptables logfile that is being parsed.

       -m, --max-lines <num>
              Specify  the  maximum  number of output lines nf2csv will generate.  This is useful
              for providing a limited set of data to AfterGlow in order  to  make  visualizations
              more clear and less cluttered.

       -r, --regex <regex>
              Specify  a  regular  expression  that  must  match  against the entire iptables log
              message in order for it to be included within the  CSV  output.   This  allows  log
              messages  to  be  included  from  the output with all of the flexibility of regular
              expressions.  See the EXAMPLES section below for more information.

       -n, --neg-regex <regex>
              Specify a regular expression that must not match against the iptables  log  message
              in  order for it to be included within the CSV output.  This allows log messages to
              be excluded from the output with all of the  flexibility  of  regular  expressions.
              See the EXAMPLES section below for more information.

       -s, --start-line <line>
              Specify the starting line where nf2csv begins to process iptables log data.  If you
              are processing a huge file with thousands of iptables log messages this option  can
              be  useful  to parse a specific chunk of this data.  Also see the --end-line option
              below.

       -e, --end-line <line>
              Specify the last line of iptables log data that nf2csv will parse.

EXAMPLES

       The following examples illustrate the command line arguments that  could  be  supplied  to
       nf2csv in a few situations:

       Print source and destination IP addresses and the destination port number:

       $ nfcsv -f src dst dp

       Same as above, but now require that the source IP come from the 11.11.11.0/24 subnet:

       $ nfcsv -f src:11.11.11.0/24 dst dp

       Display instances of the MyDoom worm:

       $ nfcsv -f src dst dp:3127

       Display packets that have low TTL values:

       $ nfcsv -f src dst ttl:<10

       Display  all traffic to or from the host 11.11.11.67 (this sets up an OR condition between
       the src and dst fields):

       $ nfcsv -f src dst dp -r 11.11.11.67

       Display likely instances of Window Messanger popup spam attempts  (note  the  use  of  the
       --regex  argument  to require minimal lengths on the UDP length field and source port, but
       the output contains the destination port of 1026):

       $ nfcsv -f src dst dp -r SPT={4}.*LEN=[4-9]{2}

SEE ALSO

       psad(8)

AUTHOR

       Michael Rash <mbr@cipherdyne.org>

BUGS

       Send bug reports to mbr@cipherdyne.org.  Suggestions and/or comments are always welcome as
       well.

DISTRIBUTION

       nf2csv  is  distributed  with the psad project (http://www.cipherdyne.org/psad/) under the
       GNU General  Public  License  (GPL),  and  the  latest  version  may  be  downloaded  from
       http://www.cipherdyne.org/