PGCI Inc.
33 rue Prince
Montréal, Québec H3C 2M7
Cité du multimédia
info@pgci.ca
(514) 865-9178

Applies to the practice: Network Monitoring
Applicable technologies: Unix and derivatives; tcpdump

Any seasoned system administrator has developed a keen sense of paranoia. Most often, they would like to know _what_ exactly is happening on their network, and who is touching it. With the recent release of nmap-2.00, a popular "stealthy and undetectable" network scanner, I decided to conjure a little hack that highlights these often illegal network probing activities. Besides, is there anything more annoying than someone trying to pass undetected while scanning your network? I thought so.

The following hack was written in perl, and uses tcpdump to capture packets. It's flexible, open source, has an anti-flooding mechanism and even logs to syslog. For high network traffic systems, Abacus will be able to handle real-time traffic without lag or causing any chokepoint. All you need to do is specify the network you wish to monitor, and the ports you wish to exclude; these parameters are located near the top of the script:

    # modify these for your particular network
    @ex = (53,113);            # ports to exclude from reporting (here DNS and ident)
    $net = "207.253.13.5";     # network to monitor

Here are a few things the monitor is looking for:

* All icmp packets
* All udp packets
* TCP packets with no ACK
* Fragmented IP packets
* IP packets with options
* Packets with X.X.X.255 destination
* Packets with X.X.X.0 destination

It also captures all the following types of scans offered by nmap:

    Scan type   TCP scan   SYN scan   FIN scan   Frag scan   Xmas/Null scan   UDP scan
    Detected?   Yes        Yes        Yes        Yes         Yes              Yes

The "TCP packets with no ACK" rule is what covers most of that table: SYN, FIN, Xmas and Null probes, and the opening packet of a plain TCP connect() scan, all arrive without the ACK bit set. Keep in mind that the first SYN of every legitimate inbound connection lacks ACK as well, so on a host that offers public services the ports it serves belong in @ex, exactly as 53 and 113 do in the example above; the anti-flooding mechanism is what keeps the remaining noise from filling syslog.

Here is the source code (released under the GNU General Public License) for syn.pl, which can always be obtained on ftp.pgci.ca/pub/syn. If you have any comments, improvements, or possible "stealthy" methods to probe a network undetected, email me.

------------------------------------------------
Copyright 1996-1998 PGCI Inc. All rights reserved.
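As an added example (not the page's syn.pl, whose Perl source is not reproduced here), the following Python applies the same detection list to raw IPv4 packets, with the two knobs the script exposes (excluded ports and monitored network) plus an anti-flooding limit on alerts per source. Where syn.pl reads tcpdump's text output, this version parses packet bytes directly, so it could be fed from a pcap reader; the packets in demo() are constructed in place. The monitored prefix 207.253.13.0/24, the limit of three alerts per source per minute, and the TCPDUMP_FILTER expression (my rendering of the same criteria in tcpdump's filter language) are assumptions of this example, not values taken from the script.

```python
import struct
from collections import defaultdict

# Knobs matching the page's @ex and $net; the values are this example's assumptions.
NET_PREFIX = "207.253.13."   # monitored /24 (only the prefix is compared)
EXCLUDED_PORTS = {53, 113}   # DNS and ident: expected traffic, never reported
FLOOD_LIMIT = 3              # anti-flooding: alerts per source per window
FLOOD_WINDOW = 60.0          # seconds
ACK = 0x10
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # constructed echo request, no payload
# tcpdump expression selecting the same packets (assumed equivalent, not from syn.pl)
TCPDUMP_FILTER = ("icmp or udp or (tcp and tcp[13] & 0x10 = 0) or ip[6:2] & 0x3fff != 0"
                  " or ip[0] & 0xf > 5 or ip[19] = 255 or ip[19] = 0")

def ipv4_packet(proto, src, dst, payload, ihl=5, frag=0):
    """Constructed IPv4 packet, no checksums. ihl > 5 pads the header with zero
    bytes standing in for IP options; frag is the raw flags/offset word."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0,
                      frag, 64, proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + b"\x00" * ((ihl - 5) * 4) + payload

def tcp_segment(sport, dport, flags):
    """Constructed TCP header; only the ports and the flag byte matter here."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def udp_datagram(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

def classify(pkt):
    """Apply the page's criteria to one raw IPv4 packet; (src, dst, reason) or None."""
    ihl, proto = pkt[0] & 0x0F, pkt[9]
    frag = struct.unpack("!H", pkt[6:8])[0] & 0x3FFF   # MF bit plus fragment offset
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    if not dst.startswith(NET_PREFIX):
        return None
    reason = None
    if pkt[19] in (0, 255):
        reason = "x.x.x.%d destination" % pkt[19]
    elif frag:
        reason = "fragmented IP packet"
    elif ihl > 5:
        reason = "IP options present"
    elif proto == 1:
        reason = "icmp"
    elif proto in (6, 17):
        body = pkt[ihl * 4:]
        dport = struct.unpack("!H", body[2:4])[0]   # same offset in TCP and UDP
        if dport in EXCLUDED_PORTS:
            return None
        if proto == 17:
            reason = "udp to port %d" % dport
        elif not body[13] & ACK:   # SYN, FIN, Xmas and Null probes all lack ACK
            reason = "tcp without ACK to port %d (flags=0x%02x)" % (dport, body[13])
    return (src, dst, reason) if reason else None

class Monitor:
    """Alert log with anti-flooding: at most FLOOD_LIMIT alerts per source per window."""
    def __init__(self):
        self.alerts = defaultdict(list)   # src -> timestamps of alerts already logged
        self.log, self.suppressed = [], 0

    def feed(self, pkt, now):
        hit = classify(pkt)
        if hit is None:
            return None
        src, dst, reason = hit
        recent = [t for t in self.alerts[src] if now - t < FLOOD_WINDOW]
        self.alerts[src] = recent
        if len(recent) >= FLOOD_LIMIT:
            self.suppressed += 1          # scanner is flooding; stay quiet
            return None
        recent.append(now)
        line = "%s -> %s: %s" % (src, dst, reason)
        self.log.append(line)             # a real monitor would syslog() this line
        return line

def demo():
    """Constructed traffic covering every row of the page's nmap table."""
    m, t = Monitor(), "207.253.13.5"
    pkts = [
        ipv4_packet(6, "10.1.1.1", t, tcp_segment(40000, 80, 0x02)),        # SYN scan
        ipv4_packet(6, "10.1.1.2", t, tcp_segment(40000, 80, 0x01)),        # FIN scan
        ipv4_packet(6, "10.1.1.3", t, tcp_segment(40000, 80, 0x29)),        # Xmas scan
        ipv4_packet(6, "10.1.1.4", t, tcp_segment(40000, 80, 0x00)),        # Null scan
        ipv4_packet(6, "10.1.1.5", t, tcp_segment(40000, 80, 0x10)),        # plain ACK: ignored
        ipv4_packet(17, "10.1.1.6", t, udp_datagram(40000, 53)),            # DNS: excluded
        ipv4_packet(17, "10.1.1.6", t, udp_datagram(40000, 161)),           # UDP scan
        ipv4_packet(1, "10.1.1.7", t, ICMP_ECHO),                            # ping sweep
        ipv4_packet(6, "10.1.1.8", t, tcp_segment(40000, 80, 0x02), frag=0x2000),  # frag scan
        ipv4_packet(6, "10.1.1.9", t, tcp_segment(40000, 80, 0x10), ihl=6), # IP options
        ipv4_packet(1, "10.1.1.10", "207.253.13.255", ICMP_ECHO),           # broadcast ping
        ipv4_packet(6, "10.1.1.11", "192.0.2.9", tcp_segment(40000, 80, 0x02)),  # other net
    ]
    for i, p in enumerate(pkts):
        m.feed(p, float(i))
    for port in range(1, 11):   # one host walking ports: only FLOOD_LIMIT alerts get through
        m.feed(ipv4_packet(6, "10.9.9.9", t, tcp_segment(40000, port, 0x02)), 100.0 + port)
    return m
```

Calling demo() yields twelve logged lines (nine from the individual probes, three from the port-walking host) and seven suppressed alerts; the plain ACK, the DNS query and the packet bound for another network produce nothing. Checks are ordered so that the address, fragment and option tests run before any transport header is touched, since a first fragment may not carry a complete TCP or UDP header.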