
Protolog - The Internet Protocols logger
----------------------------------------
Author: 
         Diego Javier Grigna <diego@grigna.com>


Q: What is Protolog?

A: It's a set of three daemons that log the IP/TCP, IP/UDP and IP/ICMP
   packets that arrive at your Linux box. It also takes care of and logs
   IP options, avoiding the IP options sniffer attack.


Q: What is it useful for?

A: It's useful for people with PPP, ADSL or SLIP accounts on an ISP (and
   maybe for people with other kinds of network connection). I mainly use
   it when I connect to my ISP. I am really paranoid, so I needed a tool
   to see what's happening: what packets people (or machines) are sending
   to my host.

   It's also useful for learning about network errors (ICMP messages), and
   about how hackers try to penetrate (or gather information about) your host.

   I check the logs more frequently when I enter IRC. The most common attacks
   (if we can call them this way) are telnet connections to ports 21/23/25/79/
   80/etc..., TCP port scans, BO/NETBUS probes (UDP port 31337 and TCP port
   12345), etc. The programs won't tell you which packets are good and which
   are malicious; their purpose is only to make logs, not to advise about
   malicious packets, so you must read them to see what's wrong. Most of the
   time you will see network error messages and other normal packets.

   Note that some attacks, like those that play with IP fragmentation or
   the length of the IP header, are processed by the Linux kernel. If your
   kernel is patched for those attacks, it will probably log the error
   messages via syslog and the packet will be discarded. If this happens
   the Linux kernel won't send the packet to userland, so Protolog won't
   see those kinds of attacks. Of course, if your kernel is not patched for
   those attacks your kernel would crash and Protolog won't see those packets.

   Summary: It's useful for learning and for security.
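   Since the loggers only record packets and leave the judgement to the
   reader, here is an added example (not part of Protolog) of a small
   triage pass over constructed log lines in an assumed one-packet-per-line
   format "proto src_ip:src_port -> dst_port"; Protolog's real tcp.log/udp.log
   layout is not described in this file, so parse_line() must be adapted to
   it. It flags the BO/NETBUS probe ports and service ports named above, and
   any source that touches many distinct TCP ports (a likely port scan).

```python
import re
from collections import defaultdict

# Constructed sample lines in an ASSUMED format "proto src_ip:src_port -> dst_port".
# This is not Protolog's real tcp.log/udp.log layout; adapt parse_line() to it.
SAMPLE_LOG = """\
tcp 203.0.113.7:4011 -> 23
udp 203.0.113.7:1024 -> 31337
tcp 198.51.100.9:53211 -> 12345
tcp 192.0.2.5:40001 -> 21
tcp 192.0.2.5:40002 -> 22
tcp 192.0.2.5:40003 -> 23
tcp 192.0.2.5:40004 -> 25
tcp 192.0.2.5:40005 -> 79
tcp 192.0.2.5:40006 -> 80
"""

# Probe ports named in the README: BO on UDP 31337, NETBUS on TCP 12345.
KNOWN_PROBES = {("udp", 31337): "BO probe", ("tcp", 12345): "NETBUS probe"}
SERVICE_PORTS = {21, 23, 25, 79, 80}  # the "telnet to a service port" class
SCAN_THRESHOLD = 5  # distinct TCP destination ports from one source = likely scan

LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+->\s+(\d+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dport = m.groups()
    return proto, src, int(sport), int(dport)

def triage(text):
    """Return (findings, scanners): findings are (src, proto, dport, label) tuples,
    scanners are sources that hit at least SCAN_THRESHOLD distinct TCP ports."""
    findings = []
    tcp_ports_by_src = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line: skip rather than crash
        proto, src, _, dport = rec
        label = KNOWN_PROBES.get((proto, dport))
        if label:
            findings.append((src, proto, dport, label))
        elif proto == "tcp" and dport in SERVICE_PORTS:
            findings.append((src, proto, dport, "service-port connection"))
        if proto == "tcp":
            tcp_ports_by_src[src].add(dport)
    scanners = sorted(s for s, p in tcp_ports_by_src.items() if len(p) >= SCAN_THRESHOLD)
    return findings, scanners
```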


Q: What are the executable names, and what do they do?

A: Here is the list of the executable files:

     src/KillLoggers        It's a shell script that runs "killall -9"
                            on all the loggers.

     src/LaunchLoggers      It's a shell script that launches the loggers
                            with some command line parameters I like to
                            use.
                            ** IMPORTANT! ** Check this file and make sure
                            they are the command line options you need.
                            I have set the "-f 43" option, so make sure it is
                            what you want. See the file TCP.flags.txt for
                            more information.

     src/ipretplog          It's the program that interprets Protolog
                            raw files and outputs a detailed report.
     src/plogicmp           It's the ICMP packet logger.
     src/plogtcp            It's the TCP packet logger.
     src/plogudp            It's the UDP packet logger.

   Check the ipretplog(8), plogicmp(8), plogtcp(8) and plogudp(8) man
   pages for more information.


Q: Where are the logs?

A: By default the logs are located at "/var/log/protolog/", and you can
   change it in the Makefile.

   log files & descriptions:

   /var/log/protolog/    Directory where the logs dwell.

   icmp.log              ICMP human readable log (plogicmp logs here
                         a quick report of the incoming ICMP packets).

   icmp.raw              plogicmp writes here sizeof(time_t) bytes holding
                         the time the ICMP packet arrived, followed by the
                         raw data of the packet (that is, ICMP header + data);
                         the file can later be interpreted by the program
                         ipretplog(8).

   tcp.log, tcp.raw      The same as above but for TCP.

   udp.log, udp.raw      The same as above but for UDP.


Q: What about the bugs?

A: See the file BUGS in this directory.


Q: Where can I get Protolog?

A:
   See:
        http://www.grigna.com/diego/linux
   or
        ftp://sunsite.unc.edu/pub/Linux/system/network/monitor/protolog-1.0.7.tar.gz

--------------------------------------------------------------------------

If you have (problems|questions|bugs|features to add) please
mail me at:
            diego@grigna.com

