NetSentinel v0.0.1


User Manual


  1. Introduction
  2. Installation/Uninstallation
  3. Configuration
  4. Internationalization and Localization


1. Introduction

NetSentinel is a network traffic logging and analyzing utility. You can monitor your network's traffic, log the connections you choose and see who is doing what on your network. For now, the following properties of packets can be determined:

When analyzing packets, several log formats can be generated, including:

NetSentinel uses libpcap (from tcpdump) as its packet capturing library, zlib for compressing log files when they grow beyond a user-defined size, pthread for creating and managing the threads of the NetSentinel daemon, the MySQL C API for connecting to MySQL and executing SQL queries, GTK for the NetSentinel Front-End and, of course, glibc for several utilities. At the moment there is no option to build without zlib (for example) if it is not installed, even though it is not a major dependency. So, until such an option is added, you have to have all of these libraries installed. Also, those who want to use MySQL support can create the required database and table using the script init_mysql.sql, which can be found in src/util of the unpacked source directory (it is also copied into /usr/local/netsentinel/util).

2. Installation/Uninstallation

You can use install-netsentinel.sh and uninstall-netsentinel.sh for installation and uninstallation respectively. They are at the root of the source directory `NetSentinel'. Again, for version 0.0.1 there is not much checking for the existence of directories and files during setup, so you may have to edit the installation script. For example, during setup NetSentinel tries to copy the rc.netsentinel file into the /etc/rc.d/ directory, while your distribution may use /etc/init.d for this purpose.

3. Configuration

All the configuration options (except `Default Log Level', see below) that can be set in the netsentinel.conf file can also be set in the NetSentinel Front-End. Generally, tasks that fall into the same group are grouped in a tab (i.e. a GTK Notebook page), so we'll look at them in the order of the layout.

General Options Tab

As the name tells us, the General Options Tab contains several basic configuration entries. Here you can set whether NetSentinel starts at system startup (not functioning yet!) and whether a password is asked for on program startup. Here is a snapshot:



You can also change your NetSentinel password here. In daily usage you can enter at most 3 wrong passwords, after which the program will shut down. All password events, namely "password accepted", "wrong password entered", "password changed" and "too many faulty passwords", are logged and can be traced in syslog.

Note: Initial password is netsentinel

Filtering Options Tab

Almost all important (and functional) options are set here. Most people will prefer not to log all the network traffic, as this would produce huge amounts of log data and waste disk capacity (two database or text entries for a single ping-pong pair!). So, we filter the traffic by packet properties such as source IP, destination IP, requested service (destination port number) and, of course, protocol. Most of this information is protocol specific, and if the captured packet does not have that field in its protocol header, the filter rule for it is simply ignored. For example, when an ICMP packet is captured, port numbers won't be checked. Here you can see several sample filters. All the following samples and screen outputs will be generated from this configuration.



Most of the entries are in fact self-explanatory, but several points are worth mentioning. First, if you are unsure about a specific value or want to span all possible values, use the value `any' for any kind of entity. This can be a port number (all ports), a protocol or an IP address. Here, for example, we _have to_ span all source ports to be able to analyze possible SSH traffic, because an SSH client can connect to us from any source port, but the destination port is 22 (standard configuration). Attention: if you are doing some kind of port forwarding and forward some port X to port 22, NetSentinel won't catch this traffic as SSH traffic, because it only looks at the port number field of the TCP header and treats traffic as SSH only if it has destination port 22. Second, when defining an ICMP filter you can completely ignore the port number values, which belong to the TCP header.
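The following is an added example, not NetSentinel's own code: a small model of the filter semantics described above, where `any' is a wildcard and a port condition is not consulted for a protocol whose header has no port field (my reading of "the filter rule is simply ignored"). The rule and packet values are constructed, modelled on the sample filters.

```python
# Added example (not NetSentinel's code): a model of the manual's filter rules.
# "any" spans every value; a port condition is skipped for packets whose
# protocol header carries no port field (ICMP).
from typing import Dict, List

ANY = "any"

# Constructed rules modelled on the manual's sample filters
RULES = {
    "ssh_filter": {"proto": "tcp", "src_ip": ANY, "dst_ip": "10.0.0.23",
                   # source port must be "any": an SSH client uses any port
                   "src_port": ANY, "dst_port": 22},
    "icmp_traffic": {"proto": "icmp", "src_ip": ANY, "dst_ip": ANY,
                     # port values in an ICMP filter are never consulted
                     "src_port": 1234, "dst_port": 5678},
}

FIELDS = ("proto", "src_ip", "dst_ip", "src_port", "dst_port")


def field_matches(rule_value, packet_value) -> bool:
    """'any' spans every value; a field the packet lacks is not checked."""
    if rule_value == ANY or packet_value is None:
        return True
    return rule_value == packet_value


def rule_matches(rule: Dict, packet: Dict) -> bool:
    """A packet matches when every rule field matches (or is skipped)."""
    return all(field_matches(rule[name], packet.get(name)) for name in FIELDS)


def matching_filters(packet: Dict, rules: Dict = RULES) -> List[str]:
    """Names of the filters that would log this packet."""
    return [name for name, rule in rules.items() if rule_matches(rule, packet)]


# Constructed packets. Only the destination port field decides "SSH", so a
# connection forwarded from port 2222 to sshd is not seen as SSH traffic.
SSH_CLIENT = {"proto": "tcp", "src_ip": "10.0.0.23", "dst_ip": "10.0.0.23",
              "src_port": 35962, "dst_port": 22}
FORWARDED = {"proto": "tcp", "src_ip": "10.0.0.23", "dst_ip": "10.0.0.23",
             "src_port": 35963, "dst_port": 2222}
PING = {"proto": "icmp", "src_ip": "10.0.0.23", "dst_ip": "10.0.0.23"}

if __name__ == "__main__":
    for pkt in (SSH_CLIENT, FORWARDED, PING):
        print(pkt["proto"], pkt.get("dst_port"), "->", matching_filters(pkt))
```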

The port number to service name correspondence list is taken directly from the /etc/services file, so the correspondences should be correct on most distributions. These lists are held in the services.tcp and services.udp files in the root of the NetSentinel installation directory.

Logging Options Tab

You can set several options about event and packet logging in the Logging Options Tab. Target log formats and filenames (database and table names for MySQL) are set here. You can also set some restrictions on log file size. For example, you can define a maximum size in bytes for the event log file; when it grows beyond that, NetSentinel backs the file up by gzipping it and creates a new one.

The login information for the MySQL database can also be set here. But remember, you _must_ edit the packet_report.php file in the src/util directory by hand if the login information changes; the username/password pair set here is only used for logging in from NetSentinel. You can disable a specific output format by simply unchecking its checkbox here. Note that every configuration change in the NetSentinel Front-End requires the NetSentinel Daemon (which is selected with the command-line switches --daemon or -d) to be restarted. For controlling the NetSentinel Daemon you can use the rc.netsentinel file that is copied into the /etc/rc.d directory during setup. Sample usage looks like the following:

	[root@zion:/home/mbaris/Projects/NetSentinel]$ /etc/rc.d/rc.netsentinel status
	NetSentinel: There is no NetSentinel daemon running
	[root@zion:/home/mbaris/Projects/NetSentinel]$ /etc/rc.d/rc.netsentinel start
	Starting NetSentinel Daemon                                         [OK]
	[root@zion:/home/mbaris/Projects/NetSentinel]$ /etc/rc.d/rc.netsentinel status
	NetSentinel: There is a daemon running with pid 9733
	[root@zion:/home/mbaris/Projects/NetSentinel]$ /etc/rc.d/rc.netsentinel restart
	Starting NetSentinel Daemon                                         [OK]
	[root@zion:/home/mbaris/Projects/NetSentinel]$ /etc/rc.d/rc.netsentinel status
	NetSentinel: There is a daemon running with pid 9743
	[root@zion:/home/mbaris/Projects/NetSentinel]$ /etc/rc.d/rc.netsentinel stop
	Killing NetSentinel daemon with pid 9743
	[root@zion:/home/mbaris/Projects/NetSentinel]$ /etc/rc.d/rc.netsentinel status
	NetSentinel: There is no NetSentinel daemon running
	[root@zion:/home/mbaris/Projects/NetSentinel]$


And, you can see a snapshot of the Logging Options Tab below:



The remaining options are for resolving hostnames from IP addresses and service names from port numbers, and for packet selection. For both, a few lines of log explain much more than tens of lines of text:

Here I selected the "resolve hostname from address" and "resolve service name from port" options after 02:52.

[ssh_filter] [18/11/04 02:50:29] 10.0.0.23:35962 > 10.0.0.23:22 [establishing connection] sseq:12410 ack:0 win:32767
[ssh_filter] [18/11/04 02:50:48] 10.0.0.23:35962 > 10.0.0.23:22 [releasing connection] sseq:12410 ack:12378 win:32767
[ssh_filter] [18/11/04 02:52:04] zion.real__world.net: > zion.real__world.net:ssh [establishing connection] sseq:13792 ack:0 win:32767
[ssh_filter] [18/11/04 02:52:06] zion.real__world.net: > zion.real__world.net:ssh [releasing connection] sseq:13792 ack:13773 win:32767

Statistics Tab

This tab is not a functional one, but here you can see the total processed packet count, the total processed packet size, the sizes of the error and event log files and the sizes of the packet log target files. All of the values can be updated on the fly with the `Update' button.

For example, a little test: let's ping ourselves twice first, then do an X-MAS scan, a FIN scan and a NULL scan respectively using Nmap (www.insecure.org).



And, after all of this, the generated statistics are the following:



And the web-based output from MySQL (via the packet_report.php file):



Here are several log outputs from this test:

Plain Text

[icmp_traffic] [18/11/04 03:07:04] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:8 code:0 checksum:12714
[icmp_traffic] [18/11/04 03:07:04] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:0 code:0 checksum:12722
[icmp_traffic] [18/11/04 03:07:05] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:8 code:0 checksum:7286
[icmp_traffic] [18/11/04 03:07:05] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:0 code:0 checksum:7294
[icmp_traffic] [18/11/04 03:07:24] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:8 code:0 checksum:10562
[icmp_traffic] [18/11/04 03:07:24] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:0 code:0 checksum:10570
[tcp_traffic] [18/11/04 03:07:24] 10.0.0.23:53618 > 10.0.0.23:22 XMAS Scan [FIN|PSH|URG] [releasing connection] sseq:29685 ack:0 win:4096
[tcp_traffic] [18/11/04 03:07:24] 10.0.0.23:53619 > 10.0.0.23:22 XMAS Scan [FIN|PSH|URG] [releasing connection] sseq:29684 ack:0 win:1024
[icmp_traffic] [18/11/04 03:07:43] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:8 code:0 checksum:48144
[icmp_traffic] [18/11/04 03:07:43] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:0 code:0 checksum:48152
[tcp_traffic] [18/11/04 03:07:43] 10.0.0.23:50983 > 10.0.0.23:22 FIN Scan [FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR] [releasing connection] sseq:53862 ack:0 win:3072
[tcp_traffic] [18/11/04 03:07:43] 10.0.0.23:50984 > 10.0.0.23:22 FIN Scan [FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR] [releasing connection] sseq:53863 ack:0 win:4096
[icmp_traffic] [18/11/04 03:07:46] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:8 code:0 checksum:25074
[icmp_traffic] [18/11/04 03:07:46] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:0 code:0 checksum:25082
[tcp_traffic] [18/11/04 03:07:47] 10.0.0.23:57997 > 10.0.0.23:22 NULL Scan [!FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR]  sseq:32350 ack:0 win:3072
[tcp_traffic] [18/11/04 03:07:47] 10.0.0.23:57998 > 10.0.0.23:22 NULL Scan [!FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR]  sseq:32351 ack:0 win:1024

XML

<?xml version="1.0" encoding="ISO-8859-1"?>
<traffic>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:04</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>8</type>
        <code>0</code>
        <checksum>12714</checksum>
</icmp_packet>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:04</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>0</type>
        <code>0</code>
        <checksum>12722</checksum>
</icmp_packet>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:05</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>8</type>
        <code>0</code>
        <checksum>7286</checksum>
</icmp_packet>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:05</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>0</type>
        <code>0</code>
        <checksum>7294</checksum>
</icmp_packet>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:24</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>8</type>
        <code>0</code>
        <checksum>10562</checksum>
</icmp_packet>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:24</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>0</type>
        <code>0</code>
        <checksum>10570</checksum>
</icmp_packet>
<tcp_packet>
        <filter>tcp_traffic</filter>
        <date>18/11/04 03:07:24</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <source_port>53618</source_port>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <destination_port>22</destination_port>
        <fingerprint_scan></fingerprint_scan>
        <port_scan>XMAS Scan [FIN|PSH|URG]</port_scan>
        <seq>29685</seq>
        <ack>0</ack>
        <win>4096</win>
</tcp_packet>
<tcp_packet>
        <filter>tcp_traffic</filter>
        <date>18/11/04 03:07:24</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <source_port>53619</source_port>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <destination_port>22</destination_port>
        <fingerprint_scan></fingerprint_scan>
        <port_scan>XMAS Scan [FIN|PSH|URG]</port_scan>
        <seq>29684</seq>
        <ack>0</ack>
        <win>1024</win>
</tcp_packet>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:43</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>8</type>
        <code>0</code>
        <checksum>48144</checksum>
</icmp_packet>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:43</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>0</type>
        <code>0</code>
        <checksum>48152</checksum>
</icmp_packet>
<tcp_packet>
        <filter>tcp_traffic</filter>
        <date>18/11/04 03:07:43</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <source_port>50983</source_port>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <destination_port>22</destination_port>
        <fingerprint_scan></fingerprint_scan>
        <port_scan>FIN Scan [FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR]</port_scan>
        <seq>53862</seq>
        <ack>0</ack>
        <win>3072</win>
</tcp_packet>
<tcp_packet>
        <filter>tcp_traffic</filter>
        <date>18/11/04 03:07:43</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <source_port>50984</source_port>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <destination_port>22</destination_port>
        <fingerprint_scan></fingerprint_scan>
        <port_scan>FIN Scan [FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR]</port_scan>
        <seq>53863</seq>
        <ack>0</ack>
        <win>4096</win>
</tcp_packet>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:46</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>8</type>
        <code>0</code>
        <checksum>25074</checksum>
</icmp_packet>
<icmp_packet>
        <filter>icmp_traffic</filter>
        <date>18/11/04 03:07:46</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <type>0</type>
        <code>0</code>
        <checksum>25082</checksum>
</icmp_packet>
<tcp_packet>
        <filter>tcp_traffic</filter>
        <date>18/11/04 03:07:47</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <source_port>57997</source_port>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <destination_port>22</destination_port>
        <fingerprint_scan></fingerprint_scan>
        <port_scan>NULL Scan [!FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR]</port_scan>
        <seq>32350</seq>
        <ack>0</ack>
        <win>3072</win>
</tcp_packet>
<tcp_packet>
        <filter>tcp_traffic</filter>
        <date>18/11/04 03:07:47</date>
        <source_address>10.0.0.23</source_address>
        <source_host>zion.real__world.net</source_host>
        <source_port>57998</source_port>
        <destination_address>10.0.0.23</destination_address>
        <destination_host>zion.real__world.net</destination_host>
        <destination_port>22</destination_port>
        <fingerprint_scan></fingerprint_scan>
        <port_scan>NULL Scan [!FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR]</port_scan>
        <seq>32351</seq>
        <ack>0</ack>
        <win>1024</win>
</tcp_packet>
</traffic>
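The following is an added example, not part of NetSentinel: a parser for the plain-text packet log shown above. The records it returns use the element names of the XML output (source_address, port_scan, checksum and so on) so the two formats can be compared line by line, and scan annotations are counted per source address. The sample lines are constructed in the shape of the manual's log, including the hostname-resolved form with an empty source port.

```python
# Added example (not NetSentinel's code): parse the plain-text packet log into
# records keyed like the XML output, then count port-scan annotations.
import re
from collections import Counter
from typing import Dict, List, Optional

HEAD = r"^\[(?P<filter>[^\]]+)\] \[(?P<date>[^\]]+)\] "

# TCP line: src:sport > dst:dport [NAME Scan [flags]] [[state]] sseq: ack: win:
# sport/dport may be a number, a resolved service name, or empty (unresolved).
TCP_RE = re.compile(
    HEAD + r"(?P<source_address>[^\s:]+):(?P<source_port>\S*) > "
    r"(?P<destination_address>[^\s:]+):(?P<destination_port>\S*)"
    r"(?: (?P<port_scan>\w+ Scan \[[^\]]*\]))?"
    r"(?: +\[(?P<state>[^\]]+)\])?"
    r" +sseq:(?P<seq>\d+) ack:(?P<ack>\d+) win:(?P<win>\d+)$"
)
# ICMP line: src [host] > dst [host] type: code: checksum:
ICMP_RE = re.compile(
    HEAD + r"(?P<source_address>\S+) \[(?P<source_host>[^\]]*)\] > "
    r"(?P<destination_address>\S+) \[(?P<destination_host>[^\]]*)\] "
    r"type:(?P<type>\d+) code:(?P<code>\d+) checksum:(?P<checksum>\d+)$"
)
NUMERIC = ("seq", "ack", "win", "type", "code", "checksum")


def parse_line(line: str) -> Optional[Dict]:
    """Return one record per line, or None for a line in neither format."""
    for proto, pattern in (("tcp", TCP_RE), ("icmp", ICMP_RE)):
        m = pattern.match(line.rstrip("\n"))
        if m:
            rec = {"proto": proto, **m.groupdict()}
            for key in NUMERIC:
                if rec.get(key) is not None:
                    rec[key] = int(rec[key])
            return rec
    return None


def parse_log(text: str) -> List[Dict]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def scan_summary(records: List[Dict]) -> Counter:
    """Count (source address, scan type) pairs, e.g. for an alert threshold."""
    return Counter(
        (r["source_address"], r["port_scan"].split(" [")[0])
        for r in records if r["proto"] == "tcp" and r["port_scan"]
    )


# Constructed sample in the shape of the manual's plain-text log lines
SAMPLE_LOG = """\
[ssh_filter] [18/11/04 02:50:29] 10.0.0.23:35962 > 10.0.0.23:22 [establishing connection] sseq:12410 ack:0 win:32767
[ssh_filter] [18/11/04 02:52:04] zion.real__world.net: > zion.real__world.net:ssh [establishing connection] sseq:13792 ack:0 win:32767
[icmp_traffic] [18/11/04 03:07:04] 10.0.0.23 [zion.real__world.net] > 10.0.0.23 [zion.real__world.net] type:8 code:0 checksum:12714
[tcp_traffic] [18/11/04 03:07:24] 10.0.0.23:53618 > 10.0.0.23:22 XMAS Scan [FIN|PSH|URG] [releasing connection] sseq:29685 ack:0 win:4096
[tcp_traffic] [18/11/04 03:07:43] 10.0.0.23:50983 > 10.0.0.23:22 FIN Scan [FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR] [releasing connection] sseq:53862 ack:0 win:3072
[tcp_traffic] [18/11/04 03:07:47] 10.0.0.23:57997 > 10.0.0.23:22 NULL Scan [!FIN|!SYN|!RST|!PUSH|!ACK|!URG|!ECNECHO|!CWR]  sseq:32350 ack:0 win:3072
"""
```

Running parse_log(SAMPLE_LOG) yields six records; scan_summary over them reports one XMAS, one FIN and one NULL scan from 10.0.0.23.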


4. Internationalization and Localization

NetSentinel supports English (as native) and Turkish for now. To use NetSentinel in Turkish, it is enough to set the environment variable LC_ALL to tr_TR, as in:

[mbaris@zion:/home/mbaris/Projects/NetSentinel]$ export LC_ALL=tr_TR

and the resulting screenshot is:


For any kind of question or bug report, please do not hesitate to contact me.

Developer & Maintainer: M.Baris Demiray <barisdemiray[at]yahoo[dot]com>
Project Web-Site: http://netsentinel.sourceforge.net