Diffstat (limited to 'perl')
-rw-r--r-- | perl/Ipfanaly.pl | 639 | ||||
-rw-r--r-- | perl/Isbgraph | 297 | ||||
-rw-r--r-- | perl/LICENSE | 6 | ||||
-rw-r--r-- | perl/Services | 2146 | ||||
-rw-r--r-- | perl/ipf-mrtg.pl | 22 | ||||
-rw-r--r-- | perl/ipfmeta.pl | 210 | ||||
-rw-r--r-- | perl/logfilter.pl | 181 | ||||
-rw-r--r-- | perl/plog | 1061 |
8 files changed, 4562 insertions, 0 deletions
diff --git a/perl/Ipfanaly.pl b/perl/Ipfanaly.pl
new file mode 100644
index 0000000..0fa7c17
--- /dev/null
+++ b/perl/Ipfanaly.pl
@@ -0,0 +1,639 @@ +#!/usr/local/bin/perl +# (C) Copyright 1998 Ivan S. Bishop (isb@notoryus.genmagic.com) +# +############### START SUBROUTINE DECLARATIONS ########### + + +sub usage { + print "\n" x 24; + print "USAGE: ipfanalyze.pl -h [-p port# or all] [-g] [-s] [-v] [-o] portnum -t [target ip address] [-f] logfilename\n"; + print "\n arguments to -p -f -o REQUIRED\n"; + print "\n -h show this help\n"; + print "\n -p limit stats/study to this port number.(eg 25 not smtp)\n"; + print " -g make graphs, one per 4 hour interval called outN.gif 1<=N<=5\n"; + print " -s make security report only (no graphical or full port info generated) \n"; + print " -o lowest port number incoming traffic can talk to and be regarded as safe\n"; + print " -v verbose report with graphs and textual AND SECURITY REPORTS with -o 1024 set\n"; + print " -t the ip address of the inerface on which you collected data!\n"; + print " -f name ipfilter log file (compatible with V 3.2.9) [ipfilter.log]\n"; + print " \nExample: ./ipfanalyze.pl -p all -g -f log1\n"; + print "Will look at traffic to/from all ports and make graphs from file log1\n"; + print " \nExample2 ./ipfanalyze.pl -p 25 -g -f log2\n"; + print "Will look at SMTP traffic and make graphs from file log2\n"; + print " \nExample3 ./ipfanalyze.pl -p all -g -f log3 -o 1024\n"; + print "Will look at all traffic,make graphs from file log3 and log security info for anthing talking inwards below port 1024\n"; + print " \nExample4 ./ipfanalyze.pl -p all -f log3 -v \n"; + print "Report the works.....when ports below 1024 are contacted highlight (like -s -o 1024)\n"; +} + + + + +sub makegifs { +local ($maxin,$maxout,$lookat,$xmax)=@_; +$YMAX=$maxin; +$XMAX=$xmax; + +if ($maxout > $maxin) + { $YMAX=$maxout;} + +($dateis,$junk)=split " " , @recs[0]; +($dayis,$monthis,$yearis)=split "/",$dateis; +$month=$months{$monthis}; +$dateis="$dayis " . "$month " . 
"$yearis "; +# split graphs in to 6 four hour spans for 24 hours +$numgraphs=int($XMAX/240); + +$junk=0; +$junk=$XMAX - 240*($numgraphs); +if($junk gt 0 ) +{ +$numgraphs++; +} + +$cnt1=0; +$end=0; +$loop=0; + +while ($cnt1++ < $numgraphs) +{ + $filename1="in$cnt1.dat"; + $filename2="out$cnt1.dat"; + $filename3="graph$cnt1.conf"; + open(OUTDATA,"> $filename2") || die "Couldnt open $filename2 for writing \n"; + open(INDATA,"> $filename1") || die "Couldnt open $filename1 for writing \n"; + + $loop=$end; + $end=($end + 240); + +# write all files as x time coord from 1 to 240 minutes +# set hour in graph via conf file + $arraycnt=0; + while ($loop++ < $end ) + { + $arraycnt++; + $val1=""; + $val2=""; + $val1=$inwards[$loop] [1]; + if($val1 eq "") + {$val1=0}; + $val2=$outwards[$loop] [1]; + if($val2 eq "") + {$val2=0}; + print INDATA "$arraycnt:$val1\n"; + print OUTDATA "$arraycnt:$val2\n"; + } + close INDATA; + close OUTDATA; + $gnum=($cnt1 - 1); + open(INCONFIG,"> $filename3") || die "Couldnt open ./graph.conf for writing \n"; + print INCONFIG "NUMBERYCELLGRIDSIZE:5\n"; + print INCONFIG "MAXYVALUE:$YMAX\n"; + print INCONFIG "MINYVALUE:0\n"; + print INCONFIG "XCELLGRIDSIZE:1.3\n"; + print INCONFIG "XMAX: 240\n"; + print INCONFIG "Bar:0\n"; + print INCONFIG "Average:0\n"; + print INCONFIG "Graphnum:$gnum\n"; + print INCONFIG "Title: port $lookat packets/minute to/from gatekeep on $dateis \n"; + print INCONFIG "Transparent:no\n"; + print INCONFIG "Rbgcolour:0\n"; + print INCONFIG "Gbgcolour:255\n"; + print INCONFIG "Bbgcolour:255\n"; + print INCONFIG "Rfgcolour:0\n"; + print INCONFIG "Gfgcolour:0\n"; + print INCONFIG "Bfgcolour:0\n"; + print INCONFIG "Rcolour:0\n"; + print INCONFIG "Gcolour:0\n"; + print INCONFIG "Bcolour:255\n"; + print INCONFIG "Racolour:255\n"; + print INCONFIG "Gacolour:255\n"; + print INCONFIG "Bacolour:0\n"; + print INCONFIG "Rincolour:100\n"; + print INCONFIG "Gincolour:100\n"; + print INCONFIG "Bincolour:60\n"; + print INCONFIG "Routcolour:60\n"; 
+ print INCONFIG "Goutcolour:100\n"; + print INCONFIG "Boutcolour:100\n"; + close INCONFIG; + +} + + +$cnt1=0; +while ($cnt1++ < $numgraphs) +{ + $filename1="in$cnt1.dat"; + $out="out$cnt1.gif"; + $filename2="out$cnt1.dat"; + $filename3="graph$cnt1.conf"; + system( "cp ./$filename1 ./in.dat; + cp ./$filename2 ./out.dat; + cp ./$filename3 ./graph.conf"); + system( "./isbgraph -conf graph.conf;mv graphmaker.gif $out"); + system(" cp $out /isb/local/etc/httpd/htdocs/."); + +} + +} # end of subroutine make gifs + + + + +sub packbytime { +local ($xmax)=@_; +$XMAX=$xmax; +# pass in the dest port number or get graph for all packets +# at 1 minute intervals +# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76 +# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62 +# +# dont uses hashes to store how many packets per minite as they +# return random x coordinate order +@inwards=(); +@outwards=(); +$cnt=-1; +$value5=0; +$maxin=0; +$maxout=0; +$xpos=0; +while ($cnt++ <= $#recs ) + { + ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$cnt]; + $bit=substr(@recs[$cnt],11); + ($bit,$junkit)= split " " , $bit ; + ($hour,$minute,$sec,$junk) = split ":", $bit; +# +# covert the time to decimal minutes and bucket to nearest minute +# + $xpos=($hour * 3600) + ($minute * 60) + ($sec) ; +# xpos is number of seconds since 00:00:00 on day...... 
+ $xpos=int($xpos / 60); +# if we just want to see all packet in/out activity + if("$lookat" eq "all") + { + if("$destip" eq "$gatekeep") + { +# TO GATEKEEP port lookat +# print "to gatekeep at $xpos\n"; + $value5=$inwards[$xpos] [1]; + $value5++ ; +# $maxin = $value5 if $maxin < $value5 ; + + if($value5 > $maxin) + { + $maxin=$value5; + $timemaxin="$hour:$minute"; + } + $inwards[$xpos][1]=$value5; + } + else + { +# FROM GATEKEEP to port lookat +# print "from gatekeep at $xpos\n"; + $value4=$outwards[$xpos] [1]; + $value4++ ; +# $maxout = $value4 if $maxout < $value4 ; + if($value4 > $maxout) + { + $maxout=$value4; + $timemaxout="$hour:$minute"; + } + + $outwards[$xpos][1]=$value4; + } + } + + + + + if("$destport" eq "$lookat") + { + if("$destip" eq "$gatekeep") + { +# TO GATEKEEP port lookat +# print "to gatekeep at $xpos\n"; + $value5=$inwards[$xpos] [1]; + $value5++ ; + $maxin = $value5 if $maxin < $value5 ; + $inwards[$xpos][1]=$value5; + } + else + { +# FROM GATEKEEP to port lookat +# print "from gatekeep at $xpos\n"; + $value4=$outwards[$xpos] [1]; + $value4++ ; + $maxout = $value4 if $maxout < $value4 ; + $outwards[$xpos][1]=$value4; + } + } + } # end while + +# now call gif making stuff +if("$opt_g" eq "1") +{ + print "Making plots of in files outN.gif\n";; + makegifs($maxin,$maxout,$lookat,$#inwards); +} +if ("$timemaxin" ne "") +{print "\nTime of peak packets/minute in was $timemaxin\n";} +if ("$timemaxout" ne "") +{print "\nTime of peak packets/minute OUT was $timemaxout\n";} + +} # end of subroutine packets by time + + + + + +sub posbadones { + +$safenam=""; +@dummy=$saferports; +foreach $it (split " ",$saferports) { +if ($it eq "icmp" ) + { + $safenam = $safenam . " icmp"; + } +else + { + $safenam = $safenam . 
" $services{$it}" ; + } + +} +print "\n\n########################################################################\n"; +print "well known ports are 0->1023\n"; +print "Registered ports are 1024->49151\n"; +print "Dynamic/Private ports are 49152->65535\n\n"; +print "Sites that contacted gatekeep on 'less safe' ports (<$ITRUSTABOVE)\n"; + +print " 'safe' ports are $safenam \n"; +print "\n variables saferports and safehosts hardwire what/who we trust\n"; +print "########################################################################\n"; + +$loop=-1; +while ($loop++ <= $#recs ) + { + ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop]; + if ("$destip" eq "$gatekeep") + { + if ($destport < $ITRUSTABOVE ) + { +# if index not found (ie < 0) then we have a low port attach to gatekeep +# that is not to a safer port (see top of this file) +# ie no ports 25 (smtp), 53 (dns) , 113 (ident), 123 (ntp), icmp + $where=index($saferports,$destport); + if ($where < 0) + { + $nameis=$services{$destport}; + if ("$nameis" eq "" ) + { + $nameis=$destport; + } + print " Warning: $srcip contacted gatekeep $nameis\n"; + } + } + } + } +print "\n\n"; +} # end of subroutine posbadones + + + + +sub toobusy_site { +$percsafe=1; +print "\n\n########################################################################\n"; +print "# Sites sending > $percsafe % of all packets to gatekeep MAY be attacking/probing\n"; +print "Trusted hosts are $safehosts\n"; +print "\nTOTAL packets were $#recs \n"; +print "########################################################################\n"; +while(($ipadd,$numpacketsent)=each %numpacks) +{ +$perc=$numpacketsent/$#recs*100; +if ($perc > $percsafe) +# dont believe safehosts are attacking! + { + $where=index($safehosts,$ipadd); +# if not found (ie < 0 then the source host IP address +# isn't in the saferhosts list, a list we trust...... 
+ if ($where < 0 ) + { + printf "$ipadd sent %4.1f (\045) of all packets to gatekeep\n",$perc; + } + } +} + +print "\n\n"; +} # end of subroutine toobusy_site + + +############### END SUBROUTINE DECLARATIONS ########### + +use Getopt::Std; + +getopt('pfot'); + +if("$opt_t" eq "0") + {usage;print "\n---->ERROR: You must psecify the IP address of the interface that collected the data!\n"; +exit; +} + +if("$opt_h" eq "1") + {usage;exit 0}; +if("$opt_H" eq "1") + {usage;exit 0}; + +if("$opt_v" eq "1") +{ +$ITRUSTABOVE=1024; +$opt_s=1; +$opt_o=$ITRUSTABOVE; +print "\n" x 5; +print "NOTE: when the final section of the verbose report is generated\n"; +print " every host IP address that contacted $gatekeep has \n"; +print " a tally of how many times packets from a particular port on that host\n"; +print " reached $gatekeep, and WHICH source port or source portname \n"; +print " these packets originated from.\n"; +print " Many non RFC obeying boxes do not use high ports and respond to requests from\n"; +print " $gatekeep using reserved low ports... hence you'll see things like\n"; +print " #### with 207.50.191.60 as the the source for packets ####\n"; +print " 1 connections from topx to gatekeep\n\n\n\n"; + +} + +if("$opt_o" eq "") + {usage;print "\n---->ERROR: Must specify lowest safe port name for incoming trafic\n";exit 0} +else +{ +$ITRUSTABOVE=$opt_o;$opt_s=1;} + +if("$opt_f" eq "") + {usage;print "\n---->ERROR: Must specify filename with -f \n";exit 0}; +$FILENAME=$opt_f; + +if("$opt_p" eq "") + {usage;print "\n---->ERROR: Must specify port number or 'all' with -p \n";exit 0}; + +# -p arg must be all or AN INTEGER in range 1<=N<=64K +if ("$opt_p" ne "all") + { + $_=$opt_p; + unless (/^[+-]?\d+$/) + { + usage; + print "\n---->ERROR: Must specify port number (1-64K) or 'all' with -p \n"; + exit 0; + } + } + + +# if we get here then the port option is either 'all' or an integer... +# good enough..... 
+$lookat=$opt_p; + +# -o arg must be all or AN INTEGER in range 1<=N<=64K + $_=$opt_o; + unless (/^[+-]?\d+$/) + { + usage; + print "\n---->ERROR: Must specify port number (1-64K) with -o \n"; + exit 0; + } + + +#--------------------------------------------------------------------- + + +%danger=(); +%numpacks=(); + +$saferports="25 53 113 123 icmp"; +$gatekeep="192.216.16.2"; +#genmagic is 192.216.25.254 +$safehosts="$gatekeep 192.216.25.254"; + + + +# load hash with service numbers versus names + +# hash called $services +print "Creating hash of service names / numbers \n"; +$SERV="./services"; +open (INFILE, $SERV) || die "Cant open $SERV: $!n"; +while(<INFILE>) +{ + ($servnum,$servname,$junk)=split(/ /,$_); +# chop off null trailing..... + $servname =~ s/\n$//; + $services{$servnum}=$servname; +} +print "Create hash of month numbers as month names\n"; +%months=("01","January","02","February","03","March","04","April","05","May","06","June","07","July","08","August","09","September","10","October","11","November","12","December"); + +print "Reading log file into an array\n"; +#$FILENAME="./ipfilter.log"; +open (REC, $FILENAME) || die "Cant open $FILENAME: \n"; +($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$junk)=stat REC; +print "Log file $FILENAME is $size bytes in size\n"; +#each record is an element of array rec[] now +while(<REC>) + { + @recs[$numrec++]=$_; + } + + +# get list of UNIQUE source IP addresses now, records look like +# 192.216.25.254,62910 -> 192.216.16.2,113 PR tcp len 20 40 -R +# this is slow on big log files, about 1minute for every 2.5M log file +print "Making list of unique source IP addresses (1minute for every 2M log parsed)\n"; +$loop=-1; +$where=-1; +while ($loop++ < $#recs ) + { +# get the LHS = source IP address, need fiddle as icmp rcords are logged oddly + $bit=substr(@recs[$loop],39); + $bit =~ s/,/ /g; + ($sourceip,$junkit)= split " " , $bit ; + +# NOTE the . is the string concat command NOT + .......!!!! 
+ + $sourceip =~ split " ", $sourceip; + $where=index($allips,$sourceip); +# if not found (ie < 0, add it) + if ($where < 0 ) + { + $allips = $allips . "$sourceip " ; + } + } + +print "Put all unique ip addresses into a 1D array\n"; +@allips=split " ", $allips; + +#set loop back to -1 as first array element in recs is element 0 NOT 1 !! +print "Making compact array of logged entries\n"; +$loop=-1; +$icmp=" icmp "; +$ptr=" -> "; +$lenst=" len "; +$numpackets=0; + +while ($loop++ < $#recs ) + { +# this prints from 39 char to EOR + $a=substr(@recs[$loop],39); + ($srcip,$dummy,$destip,$dummy2,$dummy3,$dummy4,$lenicmp)= split " " , $a ; +# need to rewrite icmp ping records.... they dont have service numbers + $whereicmp=index($a,"PR icmp"); + if($whereicmp > 0 ) + { + $a = $srcip . $icmp . $ptr . $destip . $icmp . $icmp . $lenst . $lenicmp ; + } + +# dump the "->" and commas from logging + $a =~ s/->//g; + $a =~ s/PR//g; + $a =~ s/,/ /g; +# shortrec has records that look like +# 209.24.1.217 123 192.216.16.2 123 udp len 20 76 + @shortrecs[$loop]= "$a"; + +# count number packets from each IP address into hash + ($srcip,$junk) = split " ","$a"; + $numpackets=$numpacks{"$srcip"}; + $numpackets++ ; + $numpacks{"$srcip"}=$numpackets; + +} + + + +# call sub to analyse packets by time +# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76 +# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62 +packbytime($XMAX); + +if("$opt_s" eq "1") +{ +# call subroutine to scan for connections to ports on gatekeep +# other than those listed in saferports, connections to high +# ports are assumed OK..... +posbadones; + +# call subroutine to print out which sites had sent more than +# a defined % of packets to gatekeep +toobusy_site; +} + + +# verbose reporting? 
+if ("$opt_v" eq "1") +{ +$cnt=-1; +# loop over ALL unique IP source destinations +while ($cnt++ < $#allips) +{ + %tally=(); + %unknownsrcports=(); + $uniqip=@allips[$cnt]; + $loop=-1; + $value=0; + $value1=0; + $value2=0; + $value3=0; + $set="N"; + + while ($loop++ < $#recs ) + { +# get src IP num, src port number, +# destination IP num, destnation port number,protocol + ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop]; +# loop over all records for the machine $uniqip +# NOTE THE STRINGS ARE COMPARED WITH eq NOT cmp and NOT = !!!! + if( "$uniqip" eq "$srcip") + { +# look up hash of service names to get key... IF ITS NOT THERE THEN WHAT??? +# its more than likely a request coming back in on a high port +# ....So... +# find out the destination port from the unknown (high) src port +# and tally these as they may be a port attack + if ("$srcport" eq "icmp") + { $srcportnam="icmp";} + else + { + $srcportnam=$services{$srcport}; + } +# try and get dest portname, if not there, leave it as the +# dest portnumber + if ("$destport" eq "icmp") + { $destportnam="icmp";} + else + { + $destportnam=$services{$destport}; + } + + if ($destportnam eq "") + { + $destportnam=$destport; + } + + if ($srcportnam eq "") + { +# increment number of times a (high)/unknown port has gone to destport + $value1=$unknownsrcports{$destportnam}; + $value1++ ; + $unknownsrcports{$destportnam}=$value1; + } + else + { +# want tally(srcport) counter to be increased by 1 + $value3=$tally{$srcportnam}; + $value3++ ; + $tally{$srcportnam}=$value3; + } + } + + + } +# end of loop over ALL IP's + +if ($set eq "N") +{ +$set="Y"; + +print "\n#### with $uniqip as the the source for packets ####\n"; +while(($key,$value)=each %tally) + { + if (not "$uniqip" eq "$gatekeep") + { + print "$value connections from $key to gatekeep\n"; + } + else + { + print "$value connections from gatekeep to $key\n"; + } + } + + + +while(($key2,$value2)=each %unknownsrcports) + { + if (not "$uniqip" eq 
"$gatekeep")
+ {
+ print "$value2 high port connections to $key2 on gatekeep\n";
+ }
+ else
+ {
+ print "$value2 high port connections to $key2 from gatekeep\n";
+ }
+ }
+
+}
+# print if rests for UNIQIP IF flag is set to N then toggle flag
+
+} # end of all IPs loop
+} # end of if verbose option set block
+
+
+
diff --git a/perl/Isbgraph b/perl/Isbgraph
new file mode 100644
index 0000000..c68b672
--- /dev/null
+++ b/perl/Isbgraph
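Review bot: Both file reads use two-argument `open` on a caller-supplied name — `open (REC, $FILENAME)` where `$FILENAME` comes straight from `-f`, and `open (INFILE, $SERV)` — so a name that begins with `|`, `>` or `<` is parsed as a mode rather than a path and a value like `|cmd` runs a command instead of opening a log; use the three-argument form, `open my $rec, '<', $FILENAME or die "Cant open $FILENAME: $!";`, for both handles. The `-t` option described in `usage` is never applied: `$gatekeep` is hard-wired to `192.216.16.2`, and the guard `if("$opt_t" eq "0")` does not fire when `-t` is omitted because an unset `$opt_t` stringifies to the empty string, so either validate `$opt_t` and assign it to `$gatekeep` or drop the option from the usage text. The `system("./isbgraph -conf graph.conf;mv graphmaker.gif $out")` and `cp` calls pass single strings through the shell and copy every generated GIF into a hard-coded web document root; the list form `system('cp', $out, '/isb/local/etc/httpd/htdocs/.')` avoids shell parsing and makes that destination easy to turn into an option. The script has no `use strict;` or `use warnings;`, which would also flag `$sourceip =~ split " ", $sourceip;`, a `=~` binding to `split` that has no effect, and the string comparison `if($junk gt 0 )` on a numeric remainder.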
@@ -0,0 +1,297 @@ +#!/usr/local/bin/perl + +# isbgraph +# an example in not so hot perl programming.... +# based around GraphMaker from Fabrizio Pivari +# A graph maker perl script + +use GD; +use Getopt::Long; +$hr=0; + +sub main{ + +$opt_conf="./graphmaker.cnf"; + +@elem=("NUMBERYCELLGRIDSIZE","MAXYVALUE","MINYVALUE","XCELLGRIDSIZE","XMAX", + "Data","Graph","Bar","Average","Graphnum","Title","Transparent","Rbgcolour", + "Gbgcolour","Bbgcolour","Rfgcolour","Gfgcolour","Bfgcolour","Rcolour", + "Gcolour","Bcolour","Racolour","Gacolour","Bacolour"); + +%option=( + NUMBERYCELLGRIDSIZE => '8', + MAXYVALUE => '7748', + MINYVALUE => '6500', + XCELLGRIDSIZE => '18', + XMAX => '1000', + Data => './graphmaker.dat', + Graph => './graphmaker.gif', + Bar => '1', + Average => '1', + Graphnum => '1', + Title => 'GraphMaker 2.1', + Transparent => 'yes', + Rbgcolour => '255', + Gbgcolour => '255', + Bbgcolour => '255', + Rfgcolour => '0', + Gfgcolour => '0', + Bfgcolour => '0', + Rcolour => '0', + Gcolour => '0', + Bcolour => '255', + Racolour => '255', + Gacolour => '255', + Bacolour => '0'); + +&GetOptions("conf=s","help") || &printusage ; + + +if ($opt_help) {&printusage}; + +open (CNF, $opt_conf) || die; +while (<CNF>) { +s/\t/ /g; #replace tabs by space +next if /^\s*\#/; #ignore comment lines +next if /^\s*$/; #ignore empty lines +foreach $elem (@elem) + { + if (/\s*$elem\s*:\s*(.*)/) { $option{$elem}=$1; } + } +} +close(CNF); +######################################### +# +# +# +# number datapoints/24 hours is 1440 (minutes) +# +# Split into N graphs where each graph has max of 240 datapoints (4 hours) +# + +$barset=0; +$m=0; +$YGRIDSIZE = 400; +$YCELLGRIDSIZE = $YGRIDSIZE/$option{'NUMBERYCELLGRIDSIZE'}; +$XINIT = 30; +$XEND = 8; +$YINIT =20; +$YEND = 20; +#$XGRIDSIZE = ($option{'XMAX'}*$option{'XCELLGRIDSIZE'}); +#$XGRIDSIZE = (240*$option{'XCELLGRIDSIZE'}); +$XGRIDSIZE = 620; +$XGIF = $XGRIDSIZE + $XINIT + $XEND; +$XGRAPH = $XGRIDSIZE + $XINIT; +$YGIF = $YGRIDSIZE + $YEND 
+ $YINIT; +$YGRAPH = $YGRIDSIZE + $YINIT; +$RANGE=$option{'MAXYVALUE'}-$option{'MINYVALUE'}; +$SCALE=$YGRIDSIZE/$RANGE; + +# NEW IMAGE + $im=new GD::Image($XGIF,$YGIF); + +$white=$im->colorAllocate(255,255,255); +$black=$im->colorAllocate(0,0,0); +$pink=$im->colorAllocate(255,153,153); +$red=$im->colorAllocate(255,0,0); +$blue=$im->colorAllocate(0,0,255); +$green=$im->colorAllocate(0,192,51); +$orange=$im->colorAllocate(255,102,0); +$pink=$im->colorAllocate(255,153,153); +$teal=$im->colorAllocate(51,153,153); +# gif background is $bg + $bg=$white; + $fg=$blue; +# LINE COLOUR HELP BY VAR $colour + $colour=$red; + $acolour=$yellow; + # GRID + if ($option{'Transparent'} eq "yes") {$im->transparent($bg)}; + $im->filledRectangle(0,0,$XGIF,$YGIF,$bg); + +# Dot style +# vertical markers on Y axis grid + $im->setStyle($fg,$bg,$bg,$bg); + for $i (0..$option{'XMAX'}) + { + $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*$i +$i; + # $im->line($xspace,$YINIT,$xspace,$YGRAPH,gdStyled); + $num = $i+1; + + use integer; + { + $posis=$num - ($num/60)*60; + } + if ($posis eq 0) + { + $outhr=0; + $hr=($hr + 1) ; + $outhr=$hr+$option{'Graphnum'}*4; +# shift minutes coords to correct stat hour! + $im->string(gdMediumBoldFont,$xspace-3,$YGRAPH,"$outhr",$fg); + } + + } # end of scan over X values (minutes) + + $YCELLVALUE=($option{'MAXYVALUE'}-$option{'MINYVALUE'})/$option{'NUMBERYCELLGRIDSIZE'}; + for $i (0..$option{'NUMBERYCELLGRIDSIZE'}) + { + $num=$option{'MINYVALUE'}+$YCELLVALUE*($option{'NUMBERYCELLGRIDSIZE'}-$i); + $im->string(gdMediumBoldFont,0,$YINIT+$YCELLGRIDSIZE*$i -6,"$num",$fg); + } + $im->string(gdSmallFont,$XGRIDSIZE/2-80,0,$option{'Title'},$fg); + + $odd_even = $option{'XCELLGRIDSIZE'}%2; + #odd + if ($odd_even eq 1) {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;} + else {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;} + +# start reading data +# open (DATA,$option{'Data'}) || die "cant open $option{'Data'}"; +# nextdata becomes Y on reading of second data set.... 
+$nextdata="N"; +@datafiles=("./in.dat" , "./out.dat" ); + foreach ( @datafiles ) +{ + $m=0; + $count=0; + $i=0; + $fname=$_; + + print "fname $fname\n"; +# change entry for red in colour table to green for packets LEAVING target host + + open (DATA,$_) || die "cant open $_"; + print "$nextdata nextdata\n"; + while (<DATA>) + { + /(.*):(.*)/; + if ($option{'Average'} eq 1) {$m+=$2;$i++;} + if ($count eq 0){$XOLD=$1;$YOLD=$2;$count=1;next} + $X=$1; $Y=$2; +# +($X-1) are the pixel of the line + $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*($X-1) +($X-1); + $xspaceold= $XINIT+$option{'XCELLGRIDSIZE'}*($XOLD-1) +($XOLD-1); + $yspace= $YGRAPH-($Y-$option{'MINYVALUE'})*$SCALE; + $yspaceold= $YGRAPH-($YOLD-$option{'MINYVALUE'})*$SCALE; + $barset=$option{'Bar'}; + if ($barset eq 0) + { + + if($nextdata eq "Y") + { + + #$im->line($XINIT,$YGRAPH,$X,$Y,$orange); + $im->line($xspaceold,$yspaceold,$xspace,$yspace,$green); + } + else + { + $im->line($xspaceold,$yspaceold,$xspace,$yspace,$red); + } + } + else + { + if ($1 eq 2) + { + $im->filledRectangle($xspaceold,$yspaceold, + $xspaceold+$middle,$YGRAPH,$colour); + $im->rectangle($xspaceold,$yspaceold, + $xspaceold+$middle,$YGRAPH,$fg); + } + else + { + $im->filledRectangle($xspaceold-$middle,$yspaceold, + $xspaceold+$middle,$YGRAPH,$colour); + $im->rectangle($xspaceold-$middle,$yspaceold, + $xspaceold+$middle,$YGRAPH,$fg); + } + } + $XOLD=$X; $YOLD=$Y; + + } # end of while DATA loop + + $im->line(500,40,530,40,$red); + $im->line(500,60,530,60,$green); + $im->string(gdSmallFont,535,35,"Packets IN",$fg); + $im->string(gdSmallFont,535,55,"Packets OUT",$fg); + + if ($option{'Bar'} ne 0) + { + if ($X eq $option{'XMAX'}) + { + $im->filledRectangle($xspace-$middle,$yspace, + $xspace,$YGRAPH,$colour); + $im->rectangle($xspace-$middle,$yspace, + $xspace,$YGRAPH,$fg); + } + else + { + $im->filledRectangle($xspace-$middle,$yspace, + $xspace+$middle,$YGRAPH,$colour); + $im->rectangle($xspace-$middle,$yspace, + $xspace+$middle,$YGRAPH,$fg); + 
} + } + close (DATA); + + + $nextdata="Y"; +# TOP LEFT is 0,0 on GIF (image) +# origin of plot is xinit,yinit + # print "little line\n"; + $im->line($xspace,$yspace,$xspace,$YGRAPH,$blue); + $im->line($xspace,$YGRAPH,$XINIT,$YGRAPH,$blue); +# (0,0) in cartesian space time=0 minutes, rate 0 packets/s + $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$blue); + $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$green); + +} # close foreach loop on data file names + + + + + if ($option{'Average'} eq 1) + { + # Line style + $im->setStyle($acolour,$acolour,$acolour,$acolour,$bg,$bg,$bg,$bg); + $m=$m/$i; + $ym=$YGRAPH-($m-$option{'MINYVALUE'})*$SCALE; + $im->line($XINIT,$ym,$XGRAPH,$ym,gdStyled) + } + $im->line($XINIT,$YINIT,$XINIT,$YGRAPH,$fg); + $im->line($XINIT,$YINIT,$XGRAPH,$YINIT,$fg); + $im->line($XGRAPH,$YINIT,$XGRAPH,$YGRAPH,$fg); + $im->line($XINIT,$YGRAPH,$XGRAPH,$YGRAPH,$fg); + + $im->string(gdSmallFont,$XGIF-335,$YGIF - 12,"Time of Day (hours)",$fg); + open (GRAPH,">$option{'Graph'}") || die "Error: Grafico.gif - $!\n"; + print GRAPH $im -> gif; + close (GRAPH); + + + + +} # end of subroutine main + +main; +exit(0); + +sub printusage { + print <<USAGEDESC; + +usage: + graphmaker [-options ...] + +where options include: + -help print out this message + -conf file the configuration file (default graphmaker.cnf) + +If you want to know more about this tool, you might want +to read the docs. They came together with graphmaker! + +Home: http://www.geocities.com/CapeCanaveral/Lab/3469/graphmaker.html + +USAGEDESC + exit(1); +} + diff --git a/perl/LICENSE b/perl/LICENSE new file mode 100644 index 0000000..4ae42df --- /dev/null +++ b/perl/LICENSE @@ -0,0 +1,6 @@ +These shell scripts are provided "as is" by Ivan S. Bishop and any +express or implied warranties, including, but not limited to, the +implied warranties of merchantability and fitness for a particular +purpose are disclaimed. + +Permission has been granted for their redistribution within this package. 
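Review bot: `open (CNF, $opt_conf) || die;` is a two-argument open on the `-conf` value, so a name starting with `|` or `>` is treated as a mode, and the bare `die` reports no reason; write it as `open my $cnf, '<', $opt_conf or die "cant open $opt_conf: $!";` and apply the same three-argument form to `open (GRAPH,">$option{'Graph'}")`, whose path is read from the config file, and to `open (DATA,$_)` in the data-file loop. `$acolour=$yellow;` copies a variable that no `colorAllocate` call ever sets, so with the default `Average => '1'` the `setStyle` call for the average line is handed undefined colour indexes; add `$yellow=$im->colorAllocate(255,255,0);` next to the other allocations. `&GetOptions("conf=s","help") || &printusage ;` uses the `&` call form; the conventional `GetOptions("conf=s","help") or printusage();` reads the same and avoids the `@_`-passing pitfalls of `&`. The `if ($odd_even eq 1)` / `else` pair assigns the same `$middle` in both branches, so one of the two is dead and can be removed; the file also lacks `use strict;` and `use warnings;`.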
diff --git a/perl/Services b/perl/Services
new file mode 100644
index 0000000..401fff0
--- /dev/null
+++ b/perl/Services
@@ -0,0 +1,2146 @@ +1 tcpmux TCPPortServiceMultiplexer +3 compressnet CompressionProcess +5 rje RemoteJobEntry +7 echo +9 discard +11 systat +13 daytime +15 netstat +17 qotd QuoteoftheDay +18 msp MessageSendProtocol +19 chargen +20 ftp-data +21 ftp +22 ssh SSHRemoteLoginProtocol +23 telnet +25 smtp +27 nsw-fe NSWUserSystemFE +29 msg-icp MSGICP +31 msg-auth MSGAuthentication +33 dsp DisplaySupportProtocol +37 time Time +38 rap RouteAccessProtocol +39 rlp ResourceLocationProtocol +41 graphics Graphics +42 nameserver HostNameServer +43 whois +44 mpm-flags MPMFLAGSProtocol +45 mpm MessageProcessingModule[recv] +46 mpm-snd MPM[defaultsend] +47 ni-ftp NIFTP +48 auditd DigitalAuditDaemon +49 tacacs LoginHostProtocol(TACACS) +50 re-mail-ck RemoteMailCheckingProtocol +51 la-maint IMPLogicalAddressMaintenance +52 xns-time XNSTimeProtocol +53 domain DomainNameServer +54 xns-ch XNSClearinghouse +55 isi-gl ISIGraphicsLanguage +56 xns-auth XNSAuthentication +58 xns-mail XNSMail +61 ni-mail NIMAIL +62 acas ACAServices +63 whois++ whois++ +64 covia CommunicationsIntegrator(CI) +65 tacacs-ds TACACS-DatabaseService +66 sqlnet OracleSQL*NET +67 bootps BootstrapProtocolServer +68 bootpc BootstrapProtocolClient +69 tftp TrivialFileTransfer +70 gopher Gopher +71 netrjs-1 RemoteJobService +72 netrjs-2 RemoteJobService +73 netrjs-3 RemoteJobService +74 netrjs-4 RemoteJobService +76 deos DistributedExternalObjectStore +77 rje +78 vettcp vettcp +79 finger Finger +80 www-http WorldWideWebHTTP +81 hosts2-ns HOSTS2NameServer +82 xfer XFERUtility +83 mit-ml-dev MITMLDevice +84 ctf CommonTraceFacility +85 mit-ml-dev MITMLDevice +86 mfcobol MicroFocusCobol +87 link +88 kerberos Kerberos +89 su-mit-tg SU/MITTelnetGateway +90 dnsix DNSIXSecuritAttributeTokenMap +91 mit-dov MITDoverSpooler +92 npp NetworkPrintingProtocol +93 dcp DeviceControlProtocol +94 objcall TivoliObjectDispatcher +95 supdup SUPDUP +96 dixie DIXIEProtocolSpecification +97 swift-rvf SwiftRemoteVirturalFileProtocol +98 tacnews 
TACNews +99 metagram MetagramRelay +100 newacct [unauthorizeduse] +101 hostname NICHostNameServer +102 iso-tsap ISO-TSAPClass0 +103 x400 +104 x400-snd +105 cso CCSOnameserverprotocol +106 3com-tsmux 3COM-TSMUX +107 rtelnet RemoteTelnetService +108 snagas SNAGatewayAccessServer +109 pop2 PostOfficeProtocol-Version2 +110 pop3 PostOfficeProtocol-Version3 +111 sunrpc SUNRemoteProcedureCall +112 mcidas McIDASDataTransmissionProtocol +113 ident +114 audionews AudioNewsMulticast +115 sftp SimpleFileTransferProtocol +116 ansanotify ANSAREXNotify +117 uucp-path UUCPPathService +118 sqlserv SQLServices +119 nntp NetworkNewsTransferProtocol +120 cfdptkt CFDPTKT +121 erpc EncoreExpeditedRemotePro.Call +122 smakynet SMAKYNET +123 ntp NetworkTimeProtocol +124 ansatrader ANSAREXTrader +125 locus-map LocusPC-InterfaceNetMapSer +126 unitary UnisysUnitaryLogin +127 locus-con LocusPC-InterfaceConnServer +128 gss-xlicen GSSXLicenseVerification +129 pwdgen PasswordGeneratorProtocol +130 cisco-fna ciscoFNATIVE +131 cisco-tna ciscoTNATIVE +132 cisco-sys ciscoSYSMAINT +133 statsrv StatisticsService +134 ingres-net INGRES-NETService +135 epmap DCEendpointresolution +136 profile PROFILENamingSystem +137 netbios-ns NETBIOSNameService +138 netbios-dgm NETBIOSDatagramService +139 netbios-ssn NETBIOSSessionService +140 emfis-data EMFISDataService +141 emfis-cntl EMFISControlService +142 bl-idm Britton-LeeIDM +143 imap InternetMessageAccessProtocol +144 NeWS +145 uaac UAACProtocol +146 iso-tp0 ISO-IP0 +147 iso-ip ISO-IP +148 jargon Jargon +149 aed-512 AED512EmulationService +150 sql-net SQL-NET +151 hems HEMS +152 bftp BackgroundFileTransferProgram +153 sgmp SGMP +154 netsc-prod NETSC +155 netsc-dev NETSC +156 sqlsrv SQLService +157 knet-cmp KNET/VMCommand/MessageProtocol +158 pcmail-srv PCMailServer +159 nss-routing NSS-Routing +160 sgmp-traps SGMP-TRAPS +161 snmp SNMP +162 snmptrap SNMPTRAP +163 cmip-man CMIP/TCPManager +164 cmip-agent CMIP/TCPAgent +165 xns-courier Xerox +166 s-net 
SiriusSystems +167 namp NAMP +168 rsvd RSVD +169 send SEND +170 print-srv NetworkPostScript +171 multiplex NetworkInnovationsMultiplex +172 cl/1 NetworkInnovationsCL/1 +173 xyplex-mux Xyplex +174 mailq MAILQ +175 vmnet VMNET +176 genrad-mux GENRAD-MUX +177 xdmcp XDisplayManagerControlProtocol +178 nextstep NextStepWindowServer +179 bgp BorderGatewayProtocol +180 ris Intergraph +181 unify Unify +182 audit UnisysAuditSITP +183 ocbinder OCBinder +184 ocserver OCServer +185 remote-kis Remote-KIS +186 kis KISProtocol +187 aci ApplicationCommunicationInterface +188 mumps PlusFive'sMUMPS +189 qft QueuedFileTransport +190 gacp GatewayAccessControlProtocol +191 prospero ProsperoDirectoryService +192 osu-nms OSUNetworkMonitoringSystem +193 srmp SpiderRemoteMonitoringProtocol +194 irc InternetRelayChatProtocol +195 dn6-nlm-aud DNSIXNetworkLevelModuleAudit +196 dn6-smm-red DNSIXSessionMgtModuleAuditRedir +197 dls DirectoryLocationService +198 dls-mon DirectoryLocationServiceMonitor +199 smux SMUX +200 src IBMSystemResourceController +201 at-rtmp AppleTalkRoutingMaintenance +202 at-nbp AppleTalkNameBinding +203 at-3 AppleTalkUnused +204 at-echo AppleTalkEcho +205 at-5 AppleTalkUnused +206 at-zis AppleTalkZoneInformation +207 at-7 AppleTalkUnused +208 at-8 AppleTalkUnused +209 qmtp TheQuickMailTransferProtocol +210 z39.50 ANSIZ39.50 +211 914c/g TexasInstruments914C/GTerminal +212 anet ATEXSSTR +213 ipx IPX +214 vmpwscs VMPWSCS +215 softpc InsigniaSolutions +216 CAIlic ComputerAssociatesInt'lLicenseServer +217 dbase dBASEUnix +218 mpp NetixMessagePostingProtocol +219 uarps UnisysARPs +220 imap3 InteractiveMailAccessProtocolv3 +221 fln-spx BerkeleyrlogindwithSPXauth +222 rsh-spx BerkeleyrshdwithSPXauth +223 cdc CertificateDistributionCenter +224 Reserved +225 Reserved +226 Reserved +227 Reserved +228 Reserved +229 Reserved +230 Reserved +231 Reserved +232 Reserved +233 Reserved +234 Reserved +235 Reserved +236 Reserved +237 Reserved +238 Reserved +239 Reserved +240 Reserved +241 
Reserved +242 direct Direct +243 sur-meas SurveyMeasurement +244 dayna Dayna +245 link LINK +246 dsp3270 DisplaySystemsProtocol +247 subntbcst_tftp SUBNTBCST_TFTP +248 bhfhs bhfhs +249 +250 Reserved +251 Reserved +252 Reserved +253 Reserved +254 Reserved +255 Reserved +256 rap RAP +257 set SecureElectronicTransaction +258 yak-chat YakWinsockPersonalChat +259 esro-gen EfficientShortRemoteOperations +260 openport Openport +261 nsiiops IIOPNameServiceoverTLS/SSL +262 arcisdms Arcisdms +263 hdap HDAP +280 http-mgmt http-mgmt +281 personal-link PersonalLink +282 cableport-ax CablePortA/X +309 entrusttime EntrustTime +310 bhmds bhmds +311 asip-webadmin AppleShareIPWebAdmin +312 vslmp VSLMP +313 magenta-logic MagentaLogic +314 opalis-robot OpalisRobot +315 dpsi DPSI +316 decauth decAuth +317 zannet Zannet +344 pdap ProsperoDataAccessProtocol +345 pawserv PerfAnalysisWorkbench +346 zserv Zebraserver +347 fatserv FatmenServer +348 csi-sgwp CabletronManagementProtocol +349 mftp mftp +350 matip-type-a MATIPTypeA +351 bhoetty bhoetty(added5/21/97) +352 dtag-ste-sb DTAG +353 ndsauth NDSAUTH +354 bh611 bh611 +355 datex-asn DATEX-ASN +356 cloanto-net-1 CloantoNet1 +357 bhevent bhevent +358 shrinkwrap Shrinkwrap +359 tenebris_nts TenebrisNetworkTraceService +360 scoi2odialog scoi2odialog +361 semantix Semantix +362 srssend SRSSend +363 rsvp_tunnel RSVPTunnel +364 aurora-cmgr AuroraCMGR +365 dtk DTK +366 odmr ODMR +367 mortgageware MortgageWare +368 qbikgdp QbikGDP +369 rpc2portmap rpc2portmap +370 codaauth2 codaauth2 +371 clearcase Clearcase +372 ulistproc ListProcessor +373 legent-1 LegentCorporation +374 legent-2 LegentCorporation +375 hassle Hassle +376 nip AmigaEnvoyNetworkInquiryProto +377 tnETOS NECCorporation +378 dsETOS NECCorporation +379 is99c TIA/EIA/IS-99modemclient +380 is99s TIA/EIA/IS-99modemserver +381 hp-collector hpperformancedatacollector +382 hp-managed-node hpperformancedatamanagednode +383 hp-alarm-mgr hpperformancedataalarmmanager +384 arns 
ARemoteNetworkServerSystem +385 ibm-app IBMApplication +386 asa ASAMessageRouterObjectDef. +387 aurp AppletalkUpdate-BasedRoutingPro. +388 unidata-ldm UnidataLDMVersion4 +389 ldap LightweightDirectoryAccessProtocol +390 uis UIS +391 synotics-relay SynOpticsSNMPRelayPort +392 synotics-broker SynOpticsPortBrokerPort +393 dis DataInterpretationSystem +394 embl-ndt EMBLNucleicDataTransfer +395 netcp NETscoutControlProtocol +396 netware-ip NovellNetwareoverIP +397 mptn MultiProtocolTrans.Net. +398 kryptolan Kryptolan +399 iso-tsap-c2 ISOTransportClass2Non-Controlover +400 work-sol WorkstationSolutions +401 ups UninterruptiblePowerSupply +402 genie GenieProtocol +403 decap decap +404 nced nced +405 ncld ncld +406 imsp InteractiveMailSupportProtocol +407 timbuktu Timbuktu +408 prm-sm ProsperoResourceManagerSys.Man. +409 prm-nm ProsperoResourceManagerNodeMan. +410 decladebug DECLadebugRemoteDebugProtocol +411 rmt RemoteMTProtocol +412 synoptics-trap TrapConventionPort +413 smsp SMSP +414 infoseek InfoSeek +415 bnet BNet +416 silverplatter Silverplatter +417 onmux Onmux +418 hyper-g Hyper-G +419 ariel1 Ariel +420 smpte SMPTE +421 ariel2 Ariel +422 ariel3 Ariel +423 opc-job-start IBMOperationsPlanningandControlStart +424 opc-job-track IBMOperationsPlanningandControlTrack +425 icad-el ICAD +426 smartsdp smartsdp +427 svrloc ServerLocation +428 ocs_cmu OCS_CMU +429 ocs_amu OCS_AMU +430 utmpsd UTMPSD +431 utmpcd UTMPCD +432 iasd IASD +433 nnsp NNSP +434 mobileip-agent MobileIP-Agent +435 mobilip-mn MobilIP-MN +436 dna-cml DNA-CML +437 comscm comscm +438 dsfgw dsfgw +439 dasp daspThomasObermair +440 sgcp sgcp +441 decvms-sysmgt decvms-sysmgt +442 cvc_hostd cvc_hostd +443 https httpprotocoloverTLS/SSL +444 snpp SimpleNetworkPagingProtocol +445 microsoft-ds Microsoft-DS +446 ddm-rdb DDM-RDB +447 ddm-dfm DDM-RFM +448 ddm-ssl DDM-SSL +449 as-servermap ASServerMapper +450 tserver TServer +451 sfs-smp-net CrayNetworkSemaphoreserver +452 sfs-config CraySFSconfigserver +453 
creativeserver CreativeServer +454 contentserver ContentServer +455 creativepartnr CreativePartnr +456 macon-udp macon-udp +457 scohelp scohelp +458 appleqtc applequicktime +459 ampr-rcmd ampr-rcmd +460 skronk skronk +461 datasurfsrv DataRampSrv +462 datasurfsrvsec DataRampSrvSec +463 alpes alpes +464 kpasswd kpasswd +465 smtps smtpprotocoloverTLS/SSL(wasssmtp) +466 digital-vrc digital-vrc +467 mylex-mapd mylex-mapd +468 photuris proturis +469 rcp RadioControlProtocol +470 scx-proxy scx-proxy +471 mondex Mondex +472 ljk-login ljk-login +473 hybrid-pop hybrid-pop +474 tn-tl-w1 tn-tl-w1 +475 tcpnethaspsrv tcpnethaspsrv +476 tn-tl-fd1 tn-tl-fd1 +477 ss7ns ss7ns +478 spsc spsc +479 iafserver iafserver +480 iafdbase iafdbase +481 ph Phservice +482 bgs-nsi bgs-nsi +483 ulpnet ulpnet +484 integra-sme IntegraSoftwareManagementEnvironment +485 powerburst AirSoftPowerBurst +486 avian avian +487 saft saftSimpleAsynchronousFileTransfer +488 gss-http gss-http +489 nest-protocol nest-protocol +490 micom-pfs micom-pfs +491 go-login go-login +492 ticf-1 TransportIndependentConvergenceforFNA +493 ticf-2 TransportIndependentConvergenceforFNA +494 pov-ray POV-Ray +495 intecourier intecourier +496 pim-rp-disc PIM-RP-DISC +497 dantz dantz +498 siam siam +499 iso-ill ISOILLProtocol +500 isakmp isakmp +501 stmf STMF +502 asa-appl-proto asa-appl-proto +503 intrinsa Intrinsa +504 citadel citadel +505 mailbox-lm mailbox-lm +506 ohimsrv ohimsrv +507 crs crs +508 xvttp xvttp +509 snare snare +510 fcp FirstClassProtocol +511 mynet mynet-as +512 exec-or-biff +513 login-or-who +514 shell-or-syslog +515 printer spooler +516 videotex videotex +517 talk liketenexlink,butacross +518 ntalk +519 utime unixtime +520 route +521 ripng ripng +522 ulp ULP +523 ibm-db2 IBM-DB2 +524 ncp NCP +525 timed timeserver +526 tempo newdate +527 stx StockIXChange +528 custix CustomerIXChange +529 irc-serv IRC-SERV +530 courier rpc +531 conference chat +532 netnews readnews +533 netwall foremergencybroadcasts +534 
mm-admin MegaMediaAdmin +535 iiop iiop +536 opalis-rdv opalis-rdv +537 nmsp NetworkedMediaStreamingProtocol +538 gdomap gdomap +539 apertus-ldp ApertusTechnologiesLoadDetermination +540 uucp uucpd +541 uucp-rlogin uucp-rlogin +542 commerce commerce +543 klogin +544 kshell krcmd +545 appleqtcsrvr appleqtcsrvr +546 dhcpv6-client DHCPv6Client +547 dhcpv6-server DHCPv6Server +548 afpovertcp AFPoverTCP +549 idfp IDFP +550 new-rwho new-who +551 cybercash cybercash +552 deviceshare deviceshare +553 pirp pirp +554 rtsp RealTimeStreamControlProtocol +555 dsf +556 remotefs rfsserver +557 openvms-sysipc openvms-sysipc +558 sdnskmp SDNSKMP +559 teedtap TEEDTAP +560 rmonitor rmonitord +561 monitor +562 chshell chcmd +563 nntps nntpprotocoloverTLS/SSL(wassnntp) +564 9pfs plan9fileservice +565 whoami whoami +566 streettalk streettalk +567 banyan-rpc banyan-rpc +568 ms-shuttle microsoftshuttle +569 ms-rome microsoftrome +570 meter demon +571 meter udemon +573 banyan-vip banyan-vip +574 ftp-agent FTPSoftwareAgentSystem +575 vemmi VEMMI +576 ipcd ipcd +577 vnas vnas +578 ipdd ipdd +579 decbsrv decbsrv +580 sntp-heartbeat SNTPHEARTBEAT +581 bdp BundleDiscoveryProtocol +582 scc-security SCCSecurity +583 philips-vc PhilipsVideo-Conferencing +584 keyserver KeyServer +585 imap4-ssl IMAP4+SSL(use993instead) +586 password-chg PasswordChange +587 submission Submission +588 cal CAL +589 eyelink EyeLink +590 tns-cml TNSCML +591 http-alt FileMaker,Inc.-HTTPAlternate(see +592 eudora-set EudoraSet +593 http-rpc-epmap HTTPRPCEpMap +594 tpip TPIP +595 cab-protocol CABProtocol +596 smsd SMSD +597 ptcnameservice PTCNameService +598 sco-websrvrmg3 SCOWebServerManager3 +599 acp AeolonCoreProtocol +600 ipcserver SunIPCserver +606 urm CrayUnifiedResourceManager +607 nqs nqs +608 sift-uft Sender-Initiated/UnsolicitedFileTransfer +609 npmp-trap npmp-trap +610 npmp-local npmp-local +611 npmp-gui npmp-gui +612 hmmp-ind HMMPIndication +613 hmmp-op HMMPOperation +614 sshell SSLshell +615 sco-inetmgr 
InternetConfigurationManager +616 sco-sysmgr SCOSystemAdministrationServer +617 sco-dtmgr SCODesktopAdministrationServer +618 dei-icda DEI-ICDA +619 digital-evm DigitalEVM +620 sco-websrvrmgr SCOWebServerManager +621 escp-ip ESCP +622 collaborator Collaborator +623 aux_bus_shunt AuxBusShunt +624 cryptoadmin CryptoAdmin +625 dec_dlm DECDLM +626 asia ASIA +627 cks-tivioli CKS&TIVIOLI +628 qmqp QMQP +629 3com-amp3 3ComAMP3 +630 rda RDA +631 ipp IPP(InternetPrintingProtocol) +632 bmpp bmpp +633 servstat ServiceStatusupdate(SterlingSoftware) +634 ginad ginad +635 rlzdbase RLZDBase +636 ldaps ldapprotocoloverTLS/SSL(wassldap) +637 lanserver lanserver +638 mcns-sec mcns-sec +639 msdp MSDP +666 mdqs +667 disclose campaigncontributiondisclosures-SDRTechnologies +668 mecomm MeComm +669 meregister MeRegister +670 vacdsm-sws VACDSM-SWS +671 vacdsm-app VACDSM-APP +672 vpps-qua VPPS-QUA +673 cimplex CIMPLEX +674 acap ACAP +675 dctp DCTP +676 vpps-via VPPSVia +704 elcsd errlogcopy/serverdaemon +705 agentx AgentX +707 borland-dsj BorlandDSJ +709 entrust-kmsh EntrustKeyManagementServiceHandler +710 entrust-ash EntrustAdministrationServiceHandler +711 cisco-tdp CiscoTDP +729 netviewdm1 IBMNetViewDM/6000Server/Client +730 netviewdm2 IBMNetViewDM/6000send +731 netviewdm3 IBMNetViewDM/6000receive +741 netgw netGW +742 netrcs NetworkbasedRev.Cont.Sys. 
+744 flexlm FlexibleLicenseManager +747 fujitsu-dev FujitsuDeviceControl +748 ris-cm RussellInfoSciCalendarManager +749 kerberos-adm kerberosadministration +750 kerberos-iv kerberosversioniv +751 pump +752 qrh +753 rrh +754 tell send +758 nlogin +759 con +760 ns +761 rxe +762 quotad +763 cycleserv +764 omserv +765 webster +767 phonebook phone +769 vid +770 cadlock +771 rtip +772 cycleserv2 +773 notify +774 rpasswd +775 acmaint_transd +776 wpages +780 wpgs +786 concert Concert +787 qsc QSC +800 mdbs_daemon +801 device +829 pkix-3-ca-ra PKIX-3CA/RA +873 rsync rsync +886 iclcnet-locate ICLcoNETionlocateserver +887 iclcnet_svinfo ICLcoNETionserverinfo +888 accessbuilder AccessBuilder +900 omginitialrefs OMGInitialRefs +911 xact-backup xact-backup +989 ftps-data ftpprotocol,data,overTLS/SSL +990 ftps ftpprotocol,control,overTLS/SSL +991 nas NetnewsAdministrationSystem +992 telnets telnetprotocoloverTLS/SSL +993 imaps imap4protocoloverTLS/SSL +994 ircs ircprotocoloverTLS/SSL +995 pop3s pop3protocoloverTLS/SSL(wasspop3) +996 vsinet vsinet +997 maitrd +998 busboy +999 garcon +1000 cadlock +1008 ufsd +1010 surf surf +1011 Reserved +1012 Reserved +1013 Reserved +1014 Reserved +1015 Reserved +1016 Reserved +1017 Reserved +1018 Reserved +1019 Reserved +1020 Reserved +1021 Reserved +1022 Reserved +1025 blackjack networkblackjack +1030 iad1 BBNIAD +1031 iad2 BBNIAD +1032 iad3 BBNIAD +1047 neod1 Sun'sNEOObjectRequestBroker +1048 neod2 Sun'sNEOObjectRequestBroker +1058 nim nim +1059 nimreg nimreg +1067 instl_boots InstallationBootstrapProto.Serv. +1068 instl_bootc InstallationBootstrapProto.Cli. 
+1080 socks Socks +1083 ansoft-lm-1 AnasoftLicenseManager +1084 ansoft-lm-2 AnasoftLicenseManager +1099 rmiSun +1103 xaudio +1110 nfsd-status Clusterstatusinfo +1111 lmsocialserver LMSocialServer +1123 murray Murray +1155 nfa NetworkFileAccess +1161 health-polling HealthPolling +1162 health-trap HealthTrap +1180 mc-client MillicentClientProxy +1212 lupa lupa +1222 nerv SNIR&Dnetwork +1234 search-agent InfoseekSearchAgent +1239 nmsd NMSD +1248 hermes +1300 h323hostcallsc H323HostCallSecure +1313 bmc_patroldb BMC_PATROLDB +1314 pdps PhotoscriptDistributedPrintingSystem +1345 vpjp VPJP +1346 alta-ana-lm AltaAnalyticsLicenseManager +1347 bbn-mmc multimediaconferencing +1348 bbn-mmx multimediaconferencing +1349 sbook RegistrationNetworkProtocol +1350 editbench RegistrationNetworkProtocol +1351 equationbuilder DigitalToolWorks(MIT) +1352 lotusnote LotusNote +1353 relief ReliefConsulting +1354 rightbrain RightBrainSoftware +1355 intuitive-edge IntuitiveEdge +1356 cuillamartin CuillaMartinCompany +1357 pegboard ElectronicPegBoard +1358 connlcli CONNLCLI +1359 ftsrv FTSRV +1360 mimer MIMER +1361 linx LinX +1362 timeflies TimeFlies +1363 ndm-requester NetworkDataMoverRequester +1364 ndm-server NetworkDataMoverServer +1365 adapt-sna NetworkSoftwareAssociates +1366 netware-csp NovellNetWareCommServicePlatform +1367 dcs DCS +1368 screencast ScreenCast +1369 gv-us GlobalViewtoUnixShell +1370 us-gv UnixShelltoGlobalView +1371 fc-cli FujitsuConfigProtocol +1372 fc-ser FujitsuConfigProtocol +1373 chromagrafx Chromagrafx +1374 molly EPISoftwareSystems +1375 bytex Bytex +1376 ibm-pps IBMPersontoPersonSoftware +1377 cichlid CichlidLicenseManager +1378 elan ElanLicenseManager +1379 dbreporter IntegritySolutions +1380 telesis-licman TelesisNetworkLicenseManager +1381 apple-licman AppleNetworkLicenseManager +1382 udt_os +1383 gwha GWHannawayNetworkLicenseManager +1384 os-licman ObjectiveSolutionsLicenseManager +1385 atex_elmd AtexPublishingLicenseManager +1386 checksum 
CheckSumLicenseManager +1387 cadsi-lm ComputerAidedDesignSoftwareIncLM +1388 objective-dbc ObjectiveSolutionsDataBaseCache +1389 iclpv-dm DocumentManager +1390 iclpv-sc StorageController +1391 iclpv-sas StorageAccessServer +1392 iclpv-pm PrintManager +1393 iclpv-nls NetworkLogServer +1394 iclpv-nlc NetworkLogClient +1395 iclpv-wsm PCWorkstationManagersoftware +1396 dvl-activemail DVLActiveMail +1397 audio-activmail AudioActiveMail +1398 video-activmail VideoActiveMail +1399 cadkey-licman CadkeyLicenseManager +1400 cadkey-tablet CadkeyTabletDaemon +1401 goldleaf-licman GoldleafLicenseManager +1402 prm-sm-np ProsperoResourceManager +1403 prm-nm-np ProsperoResourceManager +1404 igi-lm InfiniteGraphicsLicenseManager +1405 ibm-res IBMRemoteExecutionStarter +1406 netlabs-lm NetLabsLicenseManager +1407 dbsa-lm DBSALicenseManager +1408 sophia-lm SophiaLicenseManager +1409 here-lm HereLicenseManager +1410 hiq HiQLicenseManager +1411 af AudioFile +1412 innosys InnoSys +1413 innosys-acl Innosys-ACL +1414 ibm-mqseries IBMMQSeries +1415 dbstar DBStar +1416 novell-lu6.2 NovellLU6.2 +1417 timbuktu-srv1 TimbuktuService1Port +1418 timbuktu-srv2 TimbuktuService2Port +1419 timbuktu-srv3 TimbuktuService3Port +1420 timbuktu-srv4 TimbuktuService4Port +1421 gandalf-lm GandalfLicenseManager +1422 autodesk-lm AutodeskLicenseManager +1423 essbase EssbaseArborSoftware +1424 hybrid HybridEncryptionProtocol +1425 zion-lm ZionSoftwareLicenseManager +1426 sais Satellite-dataAcquisitionSystem1 +1427 mloadd mloaddmonitoringtool +1428 informatik-lm InformatikLicenseManager +1429 nms HypercomNMS +1430 tpdu HypercomTPDU +1431 rgtp ReverseGossipTransport +1432 blueberry-lm BlueberrySoftwareLicenseManager +1433 ms-sql-s Microsoft-SQL-Server +1434 ms-sql-m Microsoft-SQL-Monitor +1435 ibm-cics IBMCICS +1436 saism Satellite-dataAcquisitionSystem2 +1437 tabula Tabula +1438 eicon-server EiconSecurityAgent/Server +1439 eicon-x25 EiconX25/SNAGateway +1440 eicon-slp EiconServiceLocationProtocol +1441 cadis-1 
CadisLicenseManagement +1442 cadis-2 CadisLicenseManagement +1443 ies-lm IntegratedEngineeringSoftware +1444 marcam-lm MarcamLicenseManagement +1445 proxima-lm ProximaLicenseManager +1446 ora-lm OpticalResearchAssociatesLicenseManager +1447 apri-lm AppliedParallelResearchLM +1448 oc-lm OpenConnectLicenseManager +1449 peport PEport +1450 dwf TandemDistributedWorkbenchFacility +1451 infoman IBMInformationManagement +1452 gtegsc-lm GTEGovernmentSystemsLicenseMan +1453 genie-lm GenieLicenseManager +1454 interhdl_elmd interHDLLicenseManager +1455 esl-lm ESLLicenseManager +1456 dca DCA +1457 valisys-lm ValisysLicenseManager +1458 nrcabq-lm NicholsResearchCorp. +1459 proshare1 ProshareNotebookApplication +1460 proshare2 ProshareNotebookApplication +1461 ibm_wrless_lan IBMWirelessLAN +1462 world-lm WorldLicenseManager +1463 nucleus Nucleus +1464 msl_lmd MSLLicenseManager +1465 pipes PipesPlatformmfarlin@peerlogic.com +1466 oceansoft-lm OceanSoftwareLicenseManager +1467 csdmbase CSDMBASE +1468 csdm CSDM +1469 aal-lm ActiveAnalysisLimitedLicenseManager +1470 uaiact UniversalAnalytics +1471 csdmbase csdmbase +1472 csdm csdm +1473 openmath OpenMath +1474 telefinder Telefinder +1475 taligent-lm TaligentLicenseManager +1476 clvm-cfg clvm-cfg +1477 ms-sna-server ms-sna-server +1478 ms-sna-base ms-sna-base +1479 dberegister dberegister +1480 pacerforum PacerForum +1481 airs AIRS +1482 miteksys-lm MiteksysLicenseManager +1483 afs AFSLicenseManager +1484 confluent ConfluentLicenseManager +1485 lansource LANSource +1486 nms_topo_serv nms_topo_serv +1487 localinfosrvr LocalInfoSrvr +1488 docstor DocStor +1489 dmdocbroker dmdocbroker +1490 insitu-conf insitu-conf +1491 anynetgateway anynetgateway +1492 stone-design-1 stone-design-1 +1493 netmap_lm netmap_lm +1494 ica ica +1495 cvc cvc +1496 liberty-lm liberty-lm +1497 rfx-lm rfx-lm +1498 sybase-sqlany SybaseSQLAny +1499 fhc FedericoHeinzConsultora +1500 vlsi-lm VLSILicenseManager +1501 saiscm Satellite-dataAcquisitionSystem3 +1502 
shivadiscovery Shiva +1503 imtc-mcs Databeam +1504 evb-elm EVBSoftwareEngineeringLicenseManager +1505 funkproxy FunkSoftware,Inc. +1506 utcd UniversalTimedaemon(utcd) +1507 symplex symplex +1508 diagmond diagmond +1509 robcad-lm Robcad,Ltd.LicenseManager +1510 mvx-lm MidlandValleyExplorationLtd.Lic.Man. +1511 3l-l1 3l-l1 +1512 wins Microsoft'sWindowsInternetNameService +1513 fujitsu-dtc FujitsuSystemsBusinessofAmerica,Inc +1514 fujitsu-dtcns FujitsuSystemsBusinessofAmerica,Inc +1515 ifor-protocol ifor-protocol +1516 vpad VirtualPlacesAudiodata +1517 vpac VirtualPlacesAudiocontrol +1518 vpvd VirtualPlacesVideodata +1519 vpvc VirtualPlacesVideocontrol +1520 atm-zip-office atmzipoffice +1521 ncube-lm nCubeLicenseManager +1522 ricardo-lm RicardoNorthAmericaLicenseManager +1523 cichild-lm cichild +1524 ingreslock ingres +1525 orasrv oracle +1526 pdap-np ProsperoDataAccessProtnon-priv +1527 tlisrv oracle +1528 mciautoreg micautoreg +1529 coauthor oracle +1530 rap-service rap-service +1531 rap-listen rap-listen +1532 miroconnect miroconnect +1533 virtual-places VirtualPlacesSoftware +1534 micromuse-lm micromuse-lm +1535 ampr-info ampr-info +1536 ampr-inter ampr-inter +1537 sdsc-lm isi-lm +1538 3ds-lm 3ds-lm +1539 intellistor-lm IntellistorLicenseManager +1540 rds rds +1541 rds2 rds2 +1542 gridgen-elmd gridgen-elmd +1543 simba-cs simba-cs +1544 aspeclmd aspeclmd +1545 vistium-share vistium-share +1546 abbaccuray abbaccuray +1547 laplink laplink +1548 axon-lm AxonLicenseManager +1549 shivahose ShivaHose +1550 3m-image-lm ImageStoragelicensemanager3MCompany +1551 hecmtl-db HECMTL-DB +1552 pciarray pciarray +1553 sna-cs sna-cs +1554 caci-lm CACIProductsCompanyLicenseManager +1555 livelan livelan +1556 ashwin AshWinCITecnologies +1557 arbortext-lm ArborTextLicenseManager +1558 xingmpeg xingmpeg +1559 web2host web2host +1560 asci-val asci-val +1561 facilityview facilityview +1562 pconnectmgr pconnectmgr +1563 cadabra-lm CadabraLicenseManager +1564 pay-per-view Pay-Per-View 
+1565 winddlb WinDD +1566 corelvideo CORELVIDEO +1567 jlicelmd jlicelmd +1568 tsspmap tsspmap +1569 ets ets +1570 orbixd orbixd +1571 rdb-dbs-disp OracleRemoteDataBase +1572 chip-lm ChipcomLicenseManager +1573 itscomm-ns itscomm-ns +1574 mvel-lm mvel-lm +1575 oraclenames oraclenames +1576 moldflow-lm moldflow-lm +1577 hypercube-lm hypercube-lm +1578 jacobus-lm JacobusLicenseManager +1579 ioc-sea-lm ioc-sea-lm +1580 tn-tl-r2 tn-tl-r2 +1581 mil-2045-47001 MIL-2045-47001 +1582 msims MSIMS +1583 simbaexpress simbaexpress +1584 tn-tl-fd2 tn-tl-fd2 +1585 intv intv +1586 ibm-abtact ibm-abtact +1587 pra_elmd pra_elmd +1588 triquest-lm triquest-lm +1589 vqp VQP +1590 gemini-lm gemini-lm +1591 ncpm-pm ncpm-pm +1592 commonspace commonspace +1593 mainsoft-lm mainsoft-lm +1594 sixtrak sixtrak +1595 radio radio +1596 radio-bc radio-bc +1597 orbplus-iiop orbplus-iiop +1598 picknfs picknfs +1599 simbaservices simbaservices +1600 issd +1601 aas aas +1602 inspect inspect +1603 picodbc pickodbc +1604 icabrowser icabrowser +1605 slp SalutationManager(SalutationProtocol) +1606 slm-api SalutationManager(SLM-API) +1607 stt stt +1608 smart-lm SmartCorp.LicenseManager +1609 isysg-lm isysg-lm +1610 taurus-wh taurus-wh +1611 ill InterLibraryLoan +1612 netbill-trans NetBillTransactionServer +1613 netbill-keyrep NetBillKeyRepository +1614 netbill-cred NetBillCredentialServer +1615 netbill-auth NetBillAuthorizationServer +1616 netbill-prod NetBillProductServer +1617 nimrod-agent NimrodInter-AgentCommunication +1618 skytelnet skytelnet +1619 xs-openstorage xs-openstorage +1620 faxportwinport faxportwinport +1621 softdataphone softdataphone +1622 ontime ontime +1623 jaleosnd jaleosnd +1624 udp-sr-port udp-sr-port +1625 svs-omagent svs-omagent +1630 oraclenet8cman OracleNet8Cman +1636 cncp CableNetControlProtocol +1637 cnap CableNetAdminProtocol +1638 cnip CableNetInfoProtocol +1639 cert-initiator cert-initiator +1640 cert-responder cert-responder +1641 invision InVision +1642 isis-am isis-am 
+1643 isis-ambc isis-ambc +1644 saiseh Satellite-dataAcquisitionSystem4 +1645 datametrics datametrics +1646 sa-msg-port sa-msg-port +1647 rsap rsap +1648 concurrent-lm concurrent-lm +1649 inspect inspect +1650 nkd nkd +1651 shiva_confsrvr shiva_confsrvr +1652 xnmp xnmp +1653 alphatech-lm alphatech-lm +1654 stargatealerts stargatealerts +1655 dec-mbadmin dec-mbadmin +1656 dec-mbadmin-h dec-mbadmin-h +1657 fujitsu-mmpdc fujitsu-mmpdc +1658 sixnetudr sixnetudr +1659 sg-lm SiliconGrailLicenseManager +1660 skip-mc-gikreq skip-mc-gikreq +1661 netview-aix-1 netview-aix-1 +1662 netview-aix-2 netview-aix-2 +1663 netview-aix-3 netview-aix-3 +1664 netview-aix-4 netview-aix-4 +1665 netview-aix-5 netview-aix-5 +1666 netview-aix-6 netview-aix-6 +1667 netview-aix-7 netview-aix-7 +1668 netview-aix-8 netview-aix-8 +1669 netview-aix-9 netview-aix-9 +1670 netview-aix-10 netview-aix-10 +1671 netview-aix-11 netview-aix-11 +1672 netview-aix-12 netview-aix-12 +1673 proshare-mc-1 IntelProshareMulticast +1674 proshare-mc-2 IntelProshareMulticast +1675 pdp PacificDataProducts +1676 netcomm1 netcomm1 +1677 groupwise groupwise +1678 prolink prolink +1679 darcorp-lm darcorp-lm +1680 microcom-sbp microcom-sbp +1681 sd-elmd sd-elmd +1682 lanyon-lantern lanyon-lantern +1683 ncpm-hip ncpm-hip +1684 snaresecure SnareSecure +1685 n2nremote n2nremote +1686 cvmon cvmon +1687 nsjtp-ctrl nsjtp-ctrl +1688 nsjtp-data nsjtp-data +1689 firefox firefox +1690 ng-umds ng-umds +1691 empire-empuma empire-empuma +1692 sstsys-lm sstsys-lm +1693 rrirtr rrirtr +1694 rrimwm rrimwm +1695 rrilwm rrilwm +1696 rrifmm rrifmm +1697 rrisat rrisat +1698 rsvp-encap-1 RSVP-ENCAPSULATION-1 +1699 rsvp-encap-2 RSVP-ENCAPSULATION-2 +1700 mps-raft mps-raft +1701 l2f l2f +1702 deskshare deskshare +1703 hb-engine hb-engine +1704 bcs-broker bcs-broker +1705 slingshot slingshot +1706 jetform jetform +1707 vdmplay vdmplay +1708 gat-lmd gat-lmd +1709 centra centra +1710 impera impera +1711 pptconference pptconference +1712 registrar 
resourcemonitoringservice +1713 conferencetalk ConferenceTalk +1714 sesi-lm sesi-lm +1715 houdini-lm houdini-lm +1716 xmsg xmsg +1717 fj-hdnet fj-hdnet +1718 h323gatedisc h323gatedisc +1719 h323gatestat h323gatestat +1720 h323hostcall h323hostcall +1721 caicci caicci +1722 hks-lm HKSLicenseManager +1723 pptp pptp +1724 csbphonemaster csbphonemaster +1725 iden-ralp iden-ralp +1726 iberiagames IBERIAGAMES +1727 winddx winddx +1728 telindus TELINDUS +1729 citynl CityNLLicenseManagement +1730 roketz roketz +1731 msiccp MSICCP +1732 proxim proxim +1733 siipat SIMS-SIIPATProtocolforAlarm +1734 cambertx-lm CamberCorporationLicenseManagement +1735 privatechat PrivateChat +1736 street-stream street-stream +1737 ultimad ultimad +1738 gamegen1 GameGen1 +1739 webaccess webaccess +1740 encore encore +1741 cisco-net-mgmt cisco-net-mgmt +1742 3Com-nsd 3Com-nsd +1743 cinegrfx-lm CinemaGraphicsLicenseManager +1744 ncpm-ft ncpm-ft +1745 remote-winsock remote-winsock +1746 ftrapid-1 ftrapid-1 +1747 ftrapid-2 ftrapid-2 +1748 oracle-em1 oracle-em1 +1749 aspen-services aspen-services +1750 sslp SimpleSocketLibrary'sPortMaster +1751 swiftnet SwiftNet +1752 lofr-lm LeapofFaithResearchLicenseManager +1753 translogic-lm TranslogicLicenseManager +1754 oracle-em2 oracle-em2 +1755 ms-streaming ms-streaming +1756 capfast-lmd capfast-lmd +1757 cnhrp cnhrp +1758 tftp-mcast tftp-mcast +1759 spss-lm SPSSLicenseManager +1760 www-ldap-gw www-ldap-gw +1761 cft-0 cft-0 +1762 cft-1 cft-1 +1763 cft-2 cft-2 +1764 cft-3 cft-3 +1765 cft-4 cft-4 +1766 cft-5 cft-5 +1767 cft-6 cft-6 +1768 cft-7 cft-7 +1769 bmc-net-adm bmc-net-adm +1770 bmc-net-svc bmc-net-svc +1771 vaultbase vaultbase +1772 essweb-gw EssWebGateway +1773 kmscontrol KMSControl +1774 global-dtserv global-dtserv +1775 Unknown +1776 femis FederalEmergencyManagementInformationSystem +1777 powerguardian powerguardian +1778 prodigy-intrnet prodigy-internet +1779 pharmasoft pharmasoft +1780 dpkeyserv dpkeyserv +1781 answersoft-lm answersoft-lm +1782 
hp-hcip hp-hcip +1783 fjris FujitsuRemoteInstallService +1784 finle-lm FinleLicenseManager +1785 windlm WindRiverSystemsLicenseManager +1786 funk-logger funk-logger +1787 funk-license funk-license +1788 psmond psmond +1789 hello hello +1790 nmsp NarrativeMediaStreamingProtocol +1791 ea1 EA1 +1792 ibm-dt-2 ibm-dt-2 +1793 rsc-robot rsc-robot +1794 cera-bcm cera-bcm +1795 dpi-proxy dpi-proxy +1796 vocaltec-admin VocaltecServerAdministration +1797 uma UMA +1798 etp EventTransferProtocol +1799 netrisk NETRISK +1800 ansys-lm ANSYS-Licensemanager +1801 msmq MicrosoftMessageQue +1802 concomp1 ConComp1 +1803 hp-hcip-gwy HP-HCIP-GWY +1804 enl ENL +1805 enl-name ENL-Name +1806 musiconline Musiconline +1807 fhsp FujitsuHotStandbyProtocol +1808 oracle-vp2 Oracle-VP2 +1809 oracle-vp1 Oracle-VP1 +1810 jerand-lm JerandLicenseManager +1811 scientia-sdb Scientia-SDB +1812 radius RADIUS +1813 radius-acct RADIUSAccounting +1814 tdp-suite TDPSuite +1815 mmpft MMPFT +1816 harp HARP +1818 etftp EnhancedTrivialFileTransferProtocol +1819 plato-lm PlatoLicenseManager +1820 mcagent mcagent +1821 donnyworld donnyworld +1822 es-elmd es-elmd +1823 unisys-lm UnisysNaturalLanguageLicenseManager +1824 metrics-pas metrics-pas +1850 gsi GSI +1860 sunscalar-svc SunSCALARServices +1861 lecroy-vicp LeCroyVICP +1862 techra-server techra-server +1863 msnp MSNP +1864 paradym-31port Paradym31Port +1865 entp ENTP +1870 sunscalar-dns SunSCALARDNSService +1881 ibm-mqseries2 IBMMQSeries +1901 fjicl-tep-a FujitsuICLTerminalEmulatorProgramA +1902 fjicl-tep-b FujitsuICLTerminalEmulatorProgramB +1903 linkname LocalLinkNameResolution +1904 fjicl-tep-c FujitsuICLTerminalEmulatorProgramC +1905 sugp SecureUP.LinkGatewayProtocol +1906 tpmd TPortMapperReq +1907 intrastar IntraSTAR +1908 dawn Dawn +1909 global-wlink GlobalWorldLink +1911 mtp StarlightNetworksMultimediaTransportProtocol +1913 armadp armadp +1914 elm-momentum Elm-Momentum +1915 facelink FACELINK +1916 persona PersoftPersona +1917 noagent nOAgent +1918 
can-nds CandleDirectoryService-NDS +1919 can-dch CandleDirectoryService-DCH +1920 can-ferret CandleDirectoryService-FERRET +1921 noadmin NoAdmin +1944 close-combat close-combat +1945 dialogic-elmd dialogic-elmd +1946 tekpls tekpls +1947 hlserver hlserver +1948 eye2eye eye2eye +1949 ismaeasdaqlive ISMAEasdaqLive +1950 ismaeasdaqtest ISMAEasdaqTest +1951 bcs-lmserver bcs-lmserver +1973 dlsrap DataLinkSwitchingRemoteAccessProtocol +1985 hsrp HotStandbyRouterProtocol +1986 licensedaemon ciscolicensemanagement +1987 tr-rsrb-p1 ciscoRSRBPriority1port +1988 tr-rsrb-p2 ciscoRSRBPriority2port +1989 tr-rsrb-p3 ciscoRSRBPriority3port +1990 stun-p1 ciscoSTUNPriority1port +1991 stun-p2 ciscoSTUNPriority2port +1992 stun-p3 ciscoSTUNPriority3port +1993 snmp-tcp-port ciscoSNMPTCPport +1994 stun-port ciscoserialtunnelport +1995 perf-port ciscoperfport +1996 tr-rsrb-port ciscoRemoteSRBport +1997 gdp-port ciscoGatewayDiscoveryProtocol +1998 x25-svc-port ciscoX.25service(XOT) +1999 tcp-id-port ciscoidentificationport +2000 callbook +2001 dc +2002 globe +2004 mailbox +2005 berknet +2006 invokator +2007 dectalk +2008 conf +2009 news +2010 search +2011 raid-cc raid +2012 ttyinfo +2013 raid-am +2014 troff +2015 cypress +2016 bootserver +2017 cypress-stat +2018 terminaldb +2019 whosockami +2020 xinupageserver +2021 servexec +2022 down +2023 xinuexpansion3 +2024 xinuexpansion4 +2025 ellpack +2026 scrabble +2027 shadowserver +2028 submitserver +2030 device2 +2032 blackboard +2033 glogger +2034 scoremgr +2035 imsldoc +2038 objectmanager +2040 lam +2041 interbase +2042 isis isis +2043 isis-bcast isis-bcast +2044 rimsl +2045 cdfunc +2046 sdfunc +2047 dls +2048 dls-monitor +2049 nfsd-or-shilp +2065 dlsrpn DataLinkSwitchReadPortNumber +2067 dlswpn DataLinkSwitchWritePortNumber +2090 lrp LoadReportProtocol +2091 prp PRP +2102 zephyr-srv Zephyrserver +2103 zephyr-clt Zephyrserv-hmconnection +2104 zephyr-hm Zephyrhostmanager +2105 minipay MiniPay +2180 mc-gt-srv MillicentVendorGatewayServer +2200 
ici ICI +2201 ats AdvancedTrainingSystemProgram +2202 imtc-map Int.MultimediaTeleconferencingCosortium +2213 kali Kali +2220 ganymede Ganymede +2221 unreg-ab1 Allen-Bradleyunregisteredport +2222 unreg-ab2 Allen-Bradleyunregisteredport +2223 inreg-ab3 Allen-Bradleyunregisteredport +2232 ivs-video IVSVideodefault +2233 infocrypt INFOCRYPT +2234 directplay DirectPlay +2235 sercomm-wlink Sercomm-WLink +2236 nani Nani +2237 optech-port1-lm OptechPort1LicenseManager +2238 aviva-sna AVIVASNASERVER +2239 imagequery ImageQuery +2240 recipe RECIPe +2241 ivsd IVSDaemon +2242 foliocorp FolioRemoteServer +2279 xmquery xmquery +2280 lnvpoller LNVPOLLER +2281 lnvconsole LNVCONSOLE +2282 lnvalarm LNVALARM +2283 lnvstatus LNVSTATUS +2284 lnvmaps LNVMAPS +2285 lnvmailmon LNVMAILMON +2286 nas-metering NAS-Metering +2287 dna DNA +2288 netml NETML +2295 advant-lm AdvantLicenseManager +2296 theta-lm ThetaLicenseManager(Rainbow) +2297 d2k-datamover1 D2KDataMover1 +2298 d2k-datamover2 D2KDataMover2 +2299 pc-telecommute PCTelecommute +2300 cvmmon CVMMON +2301 cpq-wbem CompaqHTTP +2302 binderysupport BinderySupport +2303 proxy-gateway ProxyGateway +2304 attachmate-uts AttachmateUTS +2305 mt-scaleserver MTScaleServer +2306 tappi-boxnet TAPPIBoxNet +2307 pehelp pehelp +2308 sdhelp sdhelp +2309 sdserver SDServer +2310 sdclient SDClient +2311 messageservice MessageService +2313 iapp IAPP(InterAccessPointProtocol) +2314 cr-websystems CRWebSystems +2315 precise-sft PreciseSft. 
+2316 sent-lm SENTLicenseManager +2317 attachmate-g32 AttachmateG32 +2318 cadencecontrol CadenceControl +2319 infolibria InfoLibria +2320 siebel-ns SiebelNS +2321 rdlap RDLAPoverUDP +2322 ofsd ofsd +2323 3d-nfsd 3d-nfsd +2324 cosmocall Cosmocall +2325 designspace-lm DesignSpaceLicenseManagement +2326 idcp IDCP +2327 xingcsm xingcsm +2328 netrix-sftm NetrixSFTM +2329 nvd NVD +2330 tscchat TSCCHAT +2331 agentview AGENTVIEW +2332 rcc-host RCCHost +2333 snapp SNAPP +2334 ace-client ACEClientAuth +2335 ace-proxy ACEProxy +2336 appleugcontrol AppleUGControl +2337 ideesrv ideesrv +2338 norton-lambert NortonLambert +2339 3com-webview 3ComWebView +2340 wrs_registry WRSRegistry +2341 xiostatus XIOStatus +2342 manage-exec SeagateManageExec +2343 nati-logos natilogos +2344 fcmsys fcmsys +2345 dbm dbm +2346 redstorm_join GameConnectionPort +2347 redstorm_find GameAnnouncementandLocation +2348 redstorm_info Informationtoqueryforgamestatus +2349 redstorm_diag DisgnosticsPort +2350 psbserver psbserver +2351 psrserver psrserver +2352 pslserver pslserver +2353 pspserver pspserver +2354 psprserver psprserver +2355 psdbserver psdbserver +2356 gxtelmd GXTLicenseManagemant +2357 unihub-server UniHubServer +2358 futrix Futrix +2359 flukeserver FlukeServer +2389 ovsessionmgr OpenViewSessionMgr +2390 rsmtp RSMTP +2391 3com-net-mgmt 3COMNetManagement +2392 tacticalauth TacticalAuth +2393 ms-olap1 MSOLAP1 +2394 ms-olap2 MSOLAP2 +2395 lan900_remote LAN900Remote +2396 wusage Wusage +2397 ncl NCL +2398 orbiter Orbiter +2399 fmpro-fdal FileMaker,Inc.-DataAccessLayer +2400 opequus-server OpEquusServer +2401 cvspserver cvspserver +2402 taskmaster2000 TaskMaster2000Server +2403 taskmaster2000 TaskMaster2000Web +2404 iec870-5-104 IEC870-5-104 +2405 trc-netpoll TRCNetpoll +2406 jediserver JediServer +2407 orion Orion +2408 optimanet OptimaNet +2409 sns-protocol SNSProtocol +2410 vrts-registry VRTSRegistry +2411 netwave-ap-mgmt NetwaveAPManagement +2412 cdn CDN +2413 orion-rmi-reg orion-rmi-reg +2414 
interlingua Interlingua +2415 comtest COMTEST +2416 rmtserver RMTServer +2417 composit-server CompositServer +2418 cas cas +2419 attachmate-s2s AttachmateS2S +2420 dslremote-mgmt DSLRemoteManagement +2421 g-talk G-Talk +2422 crmsbits CRMSBITS +2423 rnrp RNRP +2424 kofax-svr KOFAX-SVR +2425 fjitsuappmgr FujitsuAppManager +2426 appliantudp AppliantUDP +2427 stgcp SimpletelephonyGatewayControlProtocol +2428 ott OneWayTripTime +2429 ft-role FT-ROLE +2430 venus venus +2431 venus-se venus-se +2432 codasrv codasrv +2433 codasrv-se codasrv-se +2434 pxc-epmap pxc-epmap +2435 optilogic OptiLogic +2436 topx TOP/X +2437 unicontrol UniControl +2438 msp MSP +2439 sybasedbsynch SybaseDBSynch +2440 spearway SpearwayLockser +2441 pvsw-inet pvsw-inet +2442 netangel Netangel +2500 rtsserv ResourceTrackingsystemserver +2501 rtsclient ResourceTrackingsystemclient +2524 optiwave-lm OptiwaveLicenseManagement +2525 ms-v-worlds MSV-Worlds +2526 ema-sent-lm EMALicenseManager +2527 iqserver IQServer +2528 ncr_ccl NCRCCL +2529 utsftp UTSFTP +2530 vrcommerce VRCommerce +2531 ito-e-gui ITO-EGUI +2532 ovtopmd OVTOPMD +2534 combox-web-acc ComboxWebAccess +2564 hp-3000-telnet HP3000NS/VTblockmodetelnet +2592 netrek netrek +2593 mns-mail MNSMailNoticeService +2628 dict DICT +2629 sitaraserver SitaraServer +2630 sitaramgmt SitaraManagement +2631 sitaradir SitaraDir +2632 irdg-post IRdgPost +2633 interintelli InterIntelli +2634 pk-electronics PKElectronics +2635 backburner BackBurner +2636 solve Solve +2637 imdocsvc ImportDocumentService +2638 sybaseanywhere SybaseAnywhere +2639 aminet AMInet +2640 sai_sentlm SabbaghAssociatesLicenceManager +2641 hdl-srv HDLServer +2642 tragic Tragic +2643 gte-samp GTE-SAMP +2644 travsoft-ipx-t TravsoftIPXTunnel +2645 novell-ipx-cmd NovellIPXCMD +2646 and-lm ANDLicenceManager +2647 syncserver SyncServer +2648 upsnotifyprot Upsnotifyprot +2649 vpsipport VPSIPPORT +2650 eristwoguns eristwoguns +2651 ebinsite EBInSite +2652 interpathpanel InterPathPanel +2653 sonus 
Sonus +2654 corel_vncadmin CorelVNCAdmin +2655 unglue UNIXNtGlue +2656 kana Kana +2657 sns-dispatcher SNSDispatcher +2658 sns-admin SNSAdmin +2659 sns-query SNSQuery +2700 tqdata tqdata +2766 listen +2784 www-dev worldwideweb-development +2785 aic-np aic-np +2786 aic-oncrpc aic-oncrpc-DestinyMCDdatabase +2787 piccolo piccolo-CornerstoneSoftware +2788 fryeserv NetWareLoadableModule-SeagateSoftware +2908 mao mao +2909 funk-dialout FunkDialout +2910 tdaccess TDAccess +2911 blockade Blockade +2912 epicon Epicon +2913 boosterware BoosterWare +2914 gamelobby GameLobby +2915 tksocket TKSocket +2916 elvin_server ElvinServer +2917 elvin_client ElvinClient +2918 kastenchasepad KastenChasePad +2971 netclip NetClip +2972 pmsm-webrctl PMSMWebrctl +2973 svnetworks SVNetworks +2974 signal Signal +2975 fjmpcm FujitsuConfigurationManagementService +2998 realsecure RealSecure +3000 hbci HBCI +3001 redwood-broker RedwoodBroker +3002 exlm-agent EXLMAgent +3003 cgms CGMS +3004 csoftragent CsoftAgent +3005 geniuslm GeniusLicenseManager +3006 ii-admin InstantInternetAdmin +3007 lotusmtap LotusMailTrackingAgentProtocol +3008 midnight-tech MidnightTechnologies +3009 pxc-ntfy PXC-NTFY +3010 gw TelerateWorkstation +3011 trusted-web TrustedWeb +3012 twsdss TrustedWebClient +3013 gilatskysurfer GilatSkySurfer +3014 broker_service BrokerService +3015 nati-dstp NATIDSTP +3016 notify_srvr NotifyServer +3017 event_listener EventListener +3018 srvc_registry ServiceRegistry +3019 resource_mgr ResourceManager +3020 cifs CIFS +3021 agriserver AGRIServer +3047 hlserver FastSecurityHLServer +3048 pctrader SierraNetPCTrader +3049 nsws NSWS +3080 stm_pproc stm_pproc +3105 cardbox Cardbox +3106 cardbox-http CardboxHTTP +3130 icpv2 ICPv2 +3131 netbookmark NetBookMark +3141 vmodem VMODEM +3142 rdc-wh-eos RDCWHEOS +3143 seaview SeaView +3144 tarantella Tarantella +3145 csi-lfap CSI-LFAP +3147 rfio RFIO +3180 mc-brk-srv MillicentBrokerServer +3264 ccmail cc:mail/lotus +3265 altav-tunnel AltavTunnel +3266 
ns-cfg-server NSCFGServer +3267 ibm-dial-out IBMDialOut +3268 msft-gc MicrosoftGlobalCatalog +3269 msft-gc-ssl MicrosoftGlobalCatalogwithLDAP/SSL +3270 verismart Verismart +3271 csoft-prev CSoftPrevPort +3272 user-manager FujitsuUserManager +3273 sxmp SimpleExtensibleMultiplexedProtocol +3274 ordinox-server OrdinoxServer +3275 samd SAMD +3276 maxim-asics MaximASICs +3277 awg-proxy AWGProxy +3278 lkcmserver LKCMServer +3279 admind admind +3280 vs-server VSServer +3281 sysopt SYSOPT +3282 datusorb Datusorb +3283 net-assistant NetAssistant +3284 4talk 4Talk +3285 plato Plato +3286 e-net E-Net +3287 directvdata DIRECTVDATA +3288 cops COPS +3289 enpc ENPC +3290 caps-lm CAPSLOGISTICSTOOLKIT-LM +3291 sah-lm SAHolditch&Associates- +3292 cart-o-rama CartORama +3293 fg-fps fg-fps +3294 fg-gip fg-gip +3295 dyniplookup DynamicIPLookup +3296 rib-slm RibLicenseManager +3297 cytel-lm CytelLicenseManager +3298 transview Transview +3299 pdrncs pdrncs +3300 bmcpatrolagent BMCPatrolAgent +3301 bmcpatrolrnvu BMCPatrolRendezvous +3302 mcs-fastmail MCSFastmail +3303 opsession-clnt OPSessionClient +3304 opsession-srvr OPSessionServer +3305 odette-ftp ODETTE-FTP +3306 mysql MySQL +3307 opsession-prxy OPSessionProxy +3308 tns-server TNSServer +3309 tns-adv TNDADV +3310 dyna-access DynaAccess +3311 mcns-tel-ret MCNSTelRet +3312 appman-server ApplicationManagementServer +3313 uorb UnifyObjectBroker +3314 uohost UnifyObjectHost +3315 cdid CDID +3316 aicc-cmi AICC/CMI +3317 vsaiport VSAIPORT +3318 ssrip SwithtoSwithRoutingInformationProtocol +3319 sdt-lmd SDTLicenseManager +3320 officelink2000 OfficeLink2000 +3321 vnsstr VNSSTR +3322 active-net +3323 active-net +3324 active-net +3325 active-net +3326 sftu SFTU +3327 bbars BBARS +3328 egptlm EaglepointLicenseManager +3329 hp-device-disc HPDeviceDisc +3330 mcs-calypsoicf MCSCalypsoICF +3331 mcs-messaging MCSMessaging +3332 mcs-mailsvr MCSMailServer +3333 dec-notes DECNotes +3334 directv-web DirectTVWebcasting +3335 directv-soft 
DirectTVSoftwareUpdates +3336 directv-tick DirectTVTickers +3337 directv-catlg DirectTVDataCatalog +3338 anet-b OMFdatab +3339 anet-l OMFdatal +3340 anet-m OMFdatam +3341 anet-h OMFdatah +3342 webtie WebTIE +3343 ms-cluster-net MSClusterNet +3344 bnt-manager BNTManager +3345 influence Influence +3346 trnsprntproxy TrnsprntProxy +3347 phoenix-rpc PhoenixRPC +3348 pangolin-laser PangolinLaser +3349 chevinservices ChevinServices +3350 findviatv FINDVIATV +3351 btrieve BTRIEVE +3352 ssql SSQL +3353 fatpipe FATPIPE +3354 suitjd SUITJD +3355 ordinox-dbase OrdinoxDbase +3356 upnotifyps UPNOTIFYPS +3357 adtech-test AdtechTestIP +3358 mpsysrmsvr MpSysRmsvr +3359 wg-netforce WGNetForce +3360 kv-server KVServer +3361 kv-agent KVAgent +3362 dj-ilm DJILM +3363 nati-vi-server NATIViServer +3364 creativeserver CreativeServer +3365 contentserver ContentServer +3366 creativepartnr CreativePartner +3367 satvid-dtalnk +3368 satvid-dtalnk +3369 satvid-dtalnk +3370 satvid-dtalnk +3371 satvid-dtalnk +3372 tip2 TIP2 +3373 lavenir-lm LavenirLicenseManager +3374 cluster-disc ClusterDisc +3375 vsnm-agent VSNMAgent +3376 cdbroker CDBroker +3377 cogsys-lm CogsysNetworkLicenseManager +3378 wsicopy WSICOPY +3379 socorfs SOCORFS +3380 sns-channels SNSChannels +3381 geneous Geneous +3382 fujitsu-neat FujitsuNetworkEnhancedAntitheftfunction +3383 esp-lm EnterpriseSoftwareProductsLicenseManager +3384 hp-clic HardwareManagement +3385 qnxnetman qnxnetman +3386 gprs-sig GPRSSIG +3387 backroomnet BackRoomNet +3388 cbserver CBServer +3389 ms-wbt-server MSWBTServer +3390 dsc DistributedServiceCoordinator +3391 savant SAVANT +3392 efi-lm EFILicenseManagement +3393 d2k-tapestry1 D2KTapestryClienttoServer +3394 d2k-tapestry2 D2KTapestryServertoServer +3395 dyna-lm DynaLicenseManager(Elam) +3396 printer_agent PrinterAgent +3397 cloanto-lm CloantoLicenseManager +3398 mercantile Mercantile +3421 bmap BullAppriseportmapper +3454 mira AppleRemoteAccessProtocol +3455 prsvp RSVPPort +3456 vat VATdefaultdata +3457 
vat-control VATdefaultcontrol +3458 d3winosfi DsWinOSFI +3459 integral Integral +3460 edm-manager EDMManger +3461 edm-stager EDMStager +3462 edm-std-notify EDMSTDNotify +3463 edm-adm-notify EDMADMNotify +3464 edm-mgr-sync EDMMGRSync +3465 edm-mgr-cntrl EDMMGRCntrl +3466 workflow WORKFLOW +3563 watcomdebug WatcomDebug +3900 udt_os UnidataUDTOS +3984 mapper-nodemgr MAPPERnetworknodemanager +3985 mapper-mapethd MAPPERTCP/IPserver +3986 mapper-ws_ethd MAPPERworkstationserver +3987 centerline Centerline +4000 terabase Terabase +4001 newoak NewOak +4008 netcheque NetChequeaccounting +4009 chimera-hwm ChimeraHWM +4010 samsung-unidex SamsungUnidex +4011 altserviceboot AlternateServiceBoot +4012 pda-gate PDAGate +4013 acl-manager ACLManager +4014 taiclock TAICLOCK +4045 lockd +4096 bre BRE(BridgeRelayElement) +4132 nuts_dem NUTSDaemon +4133 nuts_bootp NUTSBootpServer +4134 nifty-hmi NIFTY-ServeHMIprotocol +4141 oirtgsvc WorkflowServer +4142 oidocsvc DocumentServer +4143 oidsr DocumentReplication +4200 VRML +4201 VRML +4202 VRML +4203 VRML +4204 VRML +4205 VRML +4206 VRML +4207 VRML +4208 VRML +4209 VRML +4210 VRML +4211 VRML +4212 VRML +4213 VRML +4214 VRML +4215 VRML +4216 VRML +4217 VRML +4218 VRML +4219 VRML +4220 VRML +4221 VRML +4222 VRML +4223 VRML +4224 VRML +4225 VRML +4226 VRML +4227 VRML +4228 VRML +4229 VRML +4230 VRML +4231 VRML +4232 VRML +4233 VRML +4234 VRML +4235 VRML +4236 VRML +4237 VRML +4238 VRML +4239 VRML +4240 VRML +4241 VRML +4242 VRML +4243 VRML +4244 VRML +4245 VRML +4246 VRML +4247 VRML +4248 VRML +4249 VRML +4250 VRML +4251 VRML +4252 VRML +4253 VRML +4254 VRML +4255 VRML +4256 VRML +4257 VRML +4258 VRML +4259 VRML +4260 VRML +4261 VRML +4262 VRML +4263 VRML +4264 VRML +4265 VRML +4266 VRML +4267 VRML +4268 VRML +4269 VRML +4270 VRML +4271 VRML +4272 VRML +4273 VRML +4274 VRML +4275 VRML +4276 VRML +4277 VRML +4278 VRML +4279 VRML +4280 VRML +4281 VRML +4282 VRML +4283 VRML +4284 VRML +4285 VRML +4286 VRML +4287 VRML +4288 VRML +4289 VRML +4290 
VRML +4291 VRML +4292 VRML +4293 VRML +4294 VRML +4295 VRML +4296 VRML +4297 VRML +4298 VRML +4299 VRML +4300 corelccam CorelCCam +4321 rwhois RemoteWhoIs +4343 unicall UNICALL +4344 vinainstall VinaInstall +4345 m4-network-as Macro4NetworkAS +4346 elanlm ELANLM +4347 lansurveyor LANSurveyor +4348 itose ITOSE +4349 fsportmap FileSystemPortMap +4350 net-device NetDevice +4351 plcy-net-svcs PLCYNetServices +4444 krb524 KRB524 +4445 upnotifyp UPNOTIFYP +4446 n1-fwp N1-FWP +4447 n1-rmgmt N1-RMGMT +4448 asc-slmd ASCLicenceManager +4449 privatewire PrivateWire +4450 camp Camp +4451 ctisystemmsg CTISystemMsg +4452 ctiprogramload CTIProgramLoad +4453 nssalertmgr NSSAlertManager +4454 nssagentmgr NSSAgentManager +4455 prchat-user PRChatUser +4456 prchat-server PRChatServer +4457 prRegister PRRegister +4500 sae-urn sae-urn +4501 urn-x-cdchoice urn-x-cdchoice +4545 highscore Highscore +4546 sf-lm SFLicenseManager(Sentinel) +4547 lanner-lm LannerLicenseManager +4672 rfa remotefileaccessserver +4800 iims IconaInstantMessengingSystem +4801 iwec IconaWebEmbeddedChat +4802 ilss IconaLicenseSystemServer +4827 htcp HTCP +4868 phrelay PhotonRelay +4869 phrelaydbg PhotonRelayDebug +4885 abbs ABBS +5000 commplex-main +5001 commplex-link +5002 rfe radiofreeethernet +5003 fmpro-internal FileMaker,Inc.-Proprietarynamebinding +5004 avt-profile-1 avt-profile-1 +5005 avt-profile-2 avt-profile-2 +5010 telelpathstart TelepathStart +5011 telelpathattack TelepathAttack +5020 zenginkyo-1 zenginkyo-1 +5021 zenginkyo-2 zenginkyo-2 +5050 mmcc multimediaconferencecontroltool +5051 ita-agent ITAAgent +5052 ita-manager ITAManager +5060 sip SIP +5145 rmonitor_secure +5150 atmp AscendTunnelManagementProtocol +5190 aol America-Online +5191 aol-1 AmericaOnline1 +5192 aol-2 AmericaOnline2 +5193 aol-3 AmericaOnline3 +5236 padl2sim +5272 pk PK +5300 hacl-hb #HAclusterheartbeat +5301 hacl-gs #HAclustergeneralservices +5302 hacl-cfg #HAclusterconfiguration +5303 hacl-probe #HAclusterprobing +5304 hacl-local 
#HAClusterCommands +5305 hacl-test #HAClusterTest +5306 sun-mc-grp SunMCGroup +5307 sco-aip SCOAIP +5308 cfengine CFengine +5309 jprinter JPrinter +5310 outlaws Outlaws +5311 tmlogin TMLogin +5400 excerpt ExcerptSearch +5401 excerpts ExcerptSearchSecure +5402 mftp MFTP +5403 hpoms-ci-lstn HPOMS-CI-LSTN +5404 hpoms-dps-lstn HPOMS-DPS-LSTN +5405 netsupport NetSupport +5406 systemics-sox SystemicsSox +5407 foresyte-clear Foresyte-Clear +5408 foresyte-sec Foresyte-Sec +5409 salient-dtasrv SalientDataServer +5410 salient-usrmgr SalientUserManager +5411 actnet ActNet +5412 continuus Continuus +5413 wwiotalk WWIOTALK +5414 statusd StatusD +5415 ns-server NSServer +5416 sns-gateway SNSGateway +5417 sns-agent SNSAgent +5418 mcntp MCNTP +5419 dj-ice DJ-ICE +5420 cylink-c Cylink-C +5500 fcp-addr-srvr1 fcp-addr-srvr1 +5501 fcp-addr-srvr2 fcp-addr-srvr2 +5502 fcp-srvr-inst1 fcp-srvr-inst1 +5503 fcp-srvr-inst2 fcp-srvr-inst2 +5504 fcp-cics-gw1 fcp-cics-gw1 +5555 personal-agent PersonalAgent +5599 esinstall EnterpriseSecurityRemoteInstall +5600 esmmanager EnterpriseSecurityManager +5601 esmagent EnterpriseSecurityAgent +5602 a1-msc A1-MSC +5603 a1-bs A1-BS +5604 a3-sdunode A3-SDUNode +5605 a4-sdunode A4-SDUNode +5631 pcanywheredata pcANYWHEREdata +5632 pcanywherestat pcANYWHEREstat +5678 rrac RemoteReplicationAgentConnection +5679 dccm DirectCableConnectManager +5713 proshareaudio proshareconfaudio +5714 prosharevideo proshareconfvideo +5715 prosharedata proshareconfdata +5716 prosharerequest proshareconfrequest +5717 prosharenotify proshareconfnotify +5729 openmail OpenmailUserAgentLayer +5741 ida-discover1 IDADiscoverPort1 +5742 ida-discover2 IDADiscoverPort2 +5745 fcopy-server fcopy-server +5746 fcopys-server fcopys-server +5755 openmailg OpenMailDeskGatewayserver +5757 x500ms OpenMailX.500DirectoryServer +5766 openmailns OpenMailNewMailServer +5767 s-openmail OpenMailSuerAgentLayer(Secure) +5768 openmailpxy OpenMailCMTSServer +6000 X11 +6001 X11 +6002 X11 +6003 X11 +6004 X11 
+6005 X11 +6006 X11 +6007 X11 +6008 X11 +6009 X11 +6010 X11 +6011 X11 +6012 X11 +6013 X11 +6014 X11 +6015 X11 +6016 X11 +6017 X11 +6018 X11 +6019 X11 +6020 X11 +6021 X11 +6022 X11 +6023 X11 +6024 X11 +6025 X11 +6026 X11 +6027 X11 +6028 X11 +6029 X11 +6030 X11 +6031 X11 +6032 X11 +6033 X11 +6034 X11 +6035 X11 +6036 X11 +6037 X11 +6038 X11 +6039 X11 +6040 X11 +6041 X11 +6042 X11 +6043 X11 +6044 X11 +6045 X11 +6046 X11 +6047 X11 +6048 X11 +6049 X11 +6050 X11 +6051 X11 +6052 X11 +6053 X11 +6054 X11 +6055 X11 +6056 X11 +6057 X11 +6058 X11 +6059 X11 +6060 X11 +6061 X11 +6062 X11 +6063 X11 +6110 softcm HPSoftBenchCM +6111 spc HPSoftBenchSub-ProcessControl +6112 dtspcd dtspcd +6123 backup-express BackupExpress +6141 meta-corp MetaCorporationLicenseManager +6142 aspentec-lm AspenTechnologyLicenseManager +6143 watershed-lm WatershedLicenseManager +6144 statsci1-lm StatSciLicenseManager-1 +6145 statsci2-lm StatSciLicenseManager-2 +6146 lonewolf-lm LoneWolfSystemsLicenseManager +6147 montage-lm MontageLicenseManager +6148 ricardo-lm RicardoNorthAmericaLicenseManager +6149 tal-pod tal-pod +6253 crip CRIP +6389 clariion-evr01 clariion-evr01 +6455 skip-cert-recv SKIPCertificateReceive +6456 skip-cert-send SKIPCertificateSend +6471 lvision-lm LVisionLicenseManager +6500 boks BoKSMaster +6501 boks_servc BoKSServc +6502 boks_servm BoKSServm +6503 boks_clntd BoKSClntd +6505 badm_priv BoKSAdminPrivatePort +6506 badm_pub BoKSAdminPublicPort +6507 bdir_priv BoKSDirServer,PrivatePort +6508 bdir_pub BoKSDirServer,PublicPort +6558 xdsxdm +6665 ircu +6666 ircu +6667 ircu +6668 ircu +6669 ircu IRCU +6670 vocaltec-gold VocaltecGlobalOnlineDirectory +6672 vision_server vision_server +6673 vision_elmd vision_elmd +6701 kti-icad-srvr KTI/ICADNameserver +6790 hnmp HNMP +6831 ambit-lm ambit-lm +6969 acmsoda acmsoda +7000 afs3-fileserver fileserveritself +7001 afs3-callback callbackstocachemanagers +7002 afs3-prserver users&groupsdatabase +7003 afs3-vlserver volumelocationdatabase +7004 
afs3-kaserver AFS/Kerberosauthenticationservice +7005 afs3-volser volumemanagementserver +7006 afs3-errors errorinterpretationservice +7007 afs3-bos basicoverseerprocess +7008 afs3-update server-to-serverupdater +7009 afs3-rmtsys remotecachemanagerservice +7010 ups-onlinet onlinetuninterruptablepowersupplies +7020 dpserve DPServe +7021 dpserveadmin DPServeAdmin +7070 arcp ARCP +7099 lazy-ptop lazy-ptop +7100 font-service XFontService +7121 virprot-lm VirtualPrototypesLicenseManager +7174 clutild Clutild +7200 fodms FODMSFLIP +7201 dlip DLIP +7395 winqedit winqedit +7426 pmdmgr OpenViewDMPostmasterManager +7427 oveadmgr OpenViewDMEventAgentManager +7428 ovladmgr OpenViewDMLogAgentManager +7429 opi-sock OpenViewDMrqtcommunication +7430 xmpv7 OpenViewDMxmpv7apipipe +7431 pmd OpenViewDMovc/xmpv3apipipe +7491 telops-lmd telops-lmd +7511 pafec-lm pafec-lm +7544 nta-ds FlowAnalyzerDisplayServer +7545 nta-us FlowAnalyzerUtilityServer +7570 aries-kfinder AriesKfinder +7588 sun-lm SunLicenseManager +7777 cbt cbt +7781 accu-lmgr accu-lmgr +7932 t2-drm Tier2DataResourceManager +7933 t2-brm Tier2BusinessRulesManager +7980 quest-vista QuestVista +7999 irdmi2 iRDMI2 +8000 irdmi iRDMI +8001 vcom-tunnel VCOMTunnel +8008 http-alt HTTPAlternate +8032 pro-ed ProEd +8033 mindprint MindPrint +8080 http-alt HTTPAlternate(seeport80) +8200 trivnet1 TRIVNET +8201 trivnet2 TRIVNET +8376 cruise-enum CruiseENUM +8377 cruise-swroute CruiseSWROUTE +8378 cruise-config CruiseCONFIG +8379 cruise-diags CruiseDIAGS +8380 cruise-update CruiseUPDATE +8400 cvd cvd +8401 sabarsd sabarsd +8402 abarsd abarsd +8403 admind admind +8450 npmp npmp +8473 vp2p VitualPointtoPoint +8554 rtsp-alt RTSPAlternate(seeport554) +8765 ultraseek-http UltraseekHTTP +8880 cddbp-alt CDDBP +8888 ddi-tcp-1 NewsEDGEserverTCP(TCP1) +8889 ddi-tcp-2 DesktopDataTCP1 +8890 ddi-tcp-3 DesktopDataTCP2 +8891 ddi-tcp-4 DesktopDataTCP3:NESSapplication +8892 ddi-tcp-5 DesktopDataTCP4:FARMproduct +8893 ddi-tcp-6 
DesktopDataTCP5:NewsEDGE/Webapplication +8894 ddi-tcp-7 DesktopDataTCP6:COALapplication +9000 cslistener CSlistener +9006 sctp SCTP +9090 websm WebSM +9535 man +9594 msgsys MessageSystem +9595 pds PingDiscoveryService +9876 sd SessionDirector +9888 cyborg-systems CYBORGSystems +9898 monkeycom MonkeyCom +9992 palace Palace +9993 palace Palace +9994 palace Palace +9995 palace Palace +9996 palace Palace +9997 palace Palace +9998 distinct32 Distinct32 +9999 distinct distinct +10000 ndmp NetworkDataManagementProtocol +10007 mvs-capacity MVSCapacity +11001 metasys Metasys +11367 atm-uhas ATMUHAS +12000 entextxid IBMEnterpriseExtenderSNAXIDExchange +12001 entextnetwk IBMEnterpriseExtenderSNACOSNetwork +12002 entexthigh IBMEnterpriseExtenderSNACOSHigh +12003 entextmed IBMEnterpriseExtenderSNACOSMedium +12004 entextlow IBMEnterpriseExtenderSNACOSLow +12753 tsaf tsafport +13160 i-zipqd I-ZIPQD +13720 bprd BPRDProtocol(VERITASNetBackup) +13721 bpbrm BPBRMProtocol(VERITASNetBackup) +13782 bpcd VERITASNetBackup +13818 dsmcc-config DSMCCConfig +13819 dsmcc-session DSMCCSessionMessages +13820 dsmcc-passthru DSMCCPass-ThruMessages +13821 dsmcc-download DSMCCDownloadProtocol +13822 dsmcc-ccp DSMCCChannelChangeProtocol +14001 itu-sccp-ss7 ITUSCCP(SS7) +17007 isode-dua +17219 chipper Chipper +18000 biimenu BeckmanInstruments,Inc. 
+19541 jcp JCPClient
+21845 webphone webphone
+21846 netspeak-is NetSpeakCorp.DirectoryServices
+21847 netspeak-cs NetSpeakCorp.ConnectionServices
+21848 netspeak-acd NetSpeakCorp.AutomaticCallDistribution
+21849 netspeak-cps NetSpeakCorp.CreditProcessingSystem
+22273 wnn6 wnn6
+22555 vocaltec-wconf VocaltecWebConference
+22800 aws-brf TelerateInformationPlatformLAN
+22951 brf-gw TelerateInformationPlatformWAN
+24000 med-ltp med-ltp
+24001 med-fsp-rx med-fsp-rx
+24002 med-fsp-tx med-fsp-tx
+24003 med-supp med-supp
+24004 med-ovw med-ovw
+24005 med-ci med-ci
+24006 med-net-svc med-net-svc
+25000 icl-twobase1 icl-twobase1
+25001 icl-twobase2 icl-twobase2
+25002 icl-twobase3 icl-twobase3
+25003 icl-twobase4 icl-twobase4
+25004 icl-twobase5 icl-twobase5
+25005 icl-twobase6 icl-twobase6
+25006 icl-twobase7 icl-twobase7
+25007 icl-twobase8 icl-twobase8
+25008 icl-twobase9 icl-twobase9
+25009 icl-twobase10 icl-twobase10
+25793 vocaltec-hos VocaltecAddressServer
+26000 quake quake
+26208 wnn6-ds wnn6-ds
+27000 flex-lm
+27001 flex-lm FLEXLM(1-10)
+27002 flex-lm FLEXLM(1-10)
+27003 flex-lm FLEXLM(1-10)
+27004 flex-lm FLEXLM(1-10)
+27005 flex-lm FLEXLM(1-10)
+27006 flex-lm FLEXLM(1-10)
+27007 flex-lm FLEXLM(1-10)
+27008 flex-lm FLEXLM(1-10)
+27009 flex-lm FLEXLM(1-10)
+27999 tw-auth-key TWAuthentication/KeyDistributionand
+33434 traceroute tracerouteuse
+44818 rockwell-encap RockwellEncapsulation
+45678 eba EBAPRISE
+47557 dbbrowse DatabeamCorporation
+47624 directplaysrvr DirectPlayServer
+47806 ap ALCProtocol
+47808 bacnet BuildingAutomationandControlNetworks
diff --git a/perl/ipf-mrtg.pl b/perl/ipf-mrtg.pl
new file mode 100644
index 0000000..cce30ab
--- /dev/null
+++ b/perl/ipf-mrtg.pl
@@ -0,0 +1,22 @@
+#!/usr/local/bin/perl
+# reads stats and uptime for ip-filter for mrtg
+# ron@rosie.18james.com, 2 Jan 2000
+
+my $firewall = "IP Filter v3.3.3";
+my($in_pkts,$out_pkts) = (0,0);
+
+open(FW, "/sbin/ipfstat -hi|") || die "cannot open ipfstat -hi\n";
+while (<FW>) {
+ $in_pkts += $1 if (/^(\d+)\s+pass\s+in\s+quick.*group\s+1\d0/);
+}
+close(FW);
+open(FW, "/sbin/ipfstat -ho|") || die "cannot open ipfstat -ho\n";
+while (<FW>) {
+ $out_pkts += $1 if (/^(\d+)\s+pass\s+out\s+quick.*group\s+1\d0/);
+}
+print "$in_pkts\n",
+ "$out_pkts\n";
+my $uptime = `/usr/bin/uptime`;
+$uptime =~ /^\s+(\d{1,2}:\d{2}..)\s+up\s+(\d+)\s+(......),/;
+print "$2 $3\n",
+ "$firewall\n";
\ No newline at end of file
diff --git a/perl/ipfmeta.pl b/perl/ipfmeta.pl
new file mode 100644
index 0000000..1a7bb3f
--- /dev/null
+++ b/perl/ipfmeta.pl
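Review bot: The uptime match on the second-to-last line is never checked, so when `/usr/bin/uptime` prints a layout the pattern does not expect (for example `up 3:42,` with no `days` field, or a leading line without the expected whitespace) `$2` and `$3` carry nothing useful and MRTG is fed an empty uptime line instead of an error. Test the match and fall back explicitly; `use strict; use warnings;` would have flagged the unchecked captures. The two pipe opens use the two-argument shell form; the commands are fixed strings here, so there is no injection, but the list form `open(my $fh, '-|', '/sbin/ipfstat', '-hi')` avoids the shell entirely and the second `FW` handle is also never closed.
```perl
my $uptime = `/usr/bin/uptime`;
my ($days, $unit) = ('?', '');
if ($uptime =~ /^\s+(\d{1,2}:\d{2}..)\s+up\s+(\d+)\s+(......),/) {
    ($days, $unit) = ($2, $3);
}
else {
    warn "unrecognised uptime output: $uptime";
}
print "$days $unit\n",
      "$firewall\n";
```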
@@ -0,0 +1,210 @@
+#!/usr/bin/perl -w
+#
+# Written by Camiel Dobbelaar <cd@sentia.nl>, Aug-2000
+# ipfmeta is in the Public Domain.
+#
+
+use strict;
+use Getopt::Std;
+
+## PROCESS COMMANDLINE
+our($opt_v); $opt_v=1;
+getopts('v:') || die "usage: ipfmeta [-v verboselevel] [objfile]\n";
+my $verbose = $opt_v + 0;
+my $objfile = shift || "ipf.objs";
+my $MAXRECURSION = 10;
+
+## READ OBJECTS
+open(FH, "$objfile") || die "cannot open $objfile: $!\n";
+my @tokens;
+while (<FH>) {
+ chomp;
+ s/#.*$//; # remove comments
+ s/^\s+//; # compress whitespace
+ s/\s+$//;
+ next if m/^$/; # skip empty lines
+ push (@tokens, split);
+}
+close(FH) || die "cannot close $objfile: $!\n";
+# link objects with their values
+my $obj="";
+my %objs;
+while (@tokens) {
+ my $token = shift(@tokens);
+ if ($token =~ m/^\[([^]]*)\]$/) {
+ # new object
+ $obj = $1;
+ } else {
+ # new value
+ push(@{$objs{$obj}}, $token) unless ($obj eq "");
+ }
+}
+
+# sort objects: longest first
+my @objs = sort { length($b) <=> length($a) } keys %objs;
+
+## SUBSTITUTE OBJECTS WITH THEIR VALUES FROM STDIN
+foreach (<STDIN>) {
+ foreach (expand($_, 0)) {
+ print;
+ }
+}
+
+## END
+
+sub expand {
+ my $line = shift;
+ my $level = shift;
+ my @retlines = $line;
+ my $obj;
+ my $val;
+
+ # coarse protection
+ if ($level > $MAXRECURSION) {
+ print STDERR "ERR: recursion exceeds $MAXRECURSION levels\n";
+ return;
+ }
+
+ foreach $obj (@objs) {
+ if ($line =~ m/$obj/) {
+ @retlines = "";
+ if ($level < $verbose) {
+ # add metarule as a comment
+ push(@retlines, "# ".$line);
+ }
+ foreach $val (@{$objs{$obj}}) {
+ my $newline = $line;
+ $newline =~ s/$obj/$val/;
+ push(@retlines, expand($newline, $level+1));
+ }
+ last;
+ }
+ }
+
+ return @retlines;
+}
+
+__END__
+
+=head1 NAME
+
+B<ipfmeta> - use objects in IP filter files
+
+=head1 SYNOPSIS
+
+B<ipfmeta> [F<options>] [F<objfile>]
+
+=head1 DESCRIPTION
+
+B<ipfmeta> is used to simplify the maintenance of your IP filter
+ruleset. It does this through the use of 'objects'. A matching
+object gets replaced by its values at runtime. This is similar to
+what a macro processor like m4 does.
+
+B<ipfmeta> is specifically geared towards IP filter. It is line
+oriented, if an object has multiple values, the line with the object
+is duplicated and substituted for each value. It is also recursive,
+an object may have another object as a value.
+
+Rules to be processed are read from stdin, output goes to stdout.
+
+The verbose option allows for the inclusion of the metarules in the
+output as comments.
+
+Definition of the objects and their values is done in a separate
+file, the filename defaults to F<ipf.objs>. An object is delimited
+by square brackets. A value is delimited by whitespace. Comments
+start with '#' and end with a newline. Empty lines and extraneous
+whitespace are allowed. A value belongs to the first object that
+precedes it.
+
+It is recommended that you use all caps or another distinguishing
+feature for object names. You can use B<ipfmeta> for NAT rules also,
+for instance to keep them in sync with filter rules. Combine
+B<ipfmeta> with a Makefile to save typing.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-v> I<verboselevel>
+
+Include metarules in output as comments. Default is 1, the top level
+metarules. Higher levels cause expanded metarules to be included.
+Level 0 does not add comments at all.
+
+=back
+
+=head1 BUGS
+
+A value can not have whitespace in it.
+
+=head1 EXAMPLE
+
+(this does not look good, formatted)
+
+I<ipf.objs>
+
+[PRIVATE] 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+
+[MULTICAST] 224.0.0.0/4
+
+[UNWANTED] PRIVATE MULTICAST
+
+[NOC] xxx.yy.zz.1/32 xxx.yy.zz.2/32
+
+[WEBSERVERS] 192.168.1.1/32 192.168.1.2/32
+
+[MGMT-PORTS] 22 23
+
+I<ipf.metarules>
+
+block in from UNWANTED to any
+
+pass in from NOC to WEBSERVERS port = MGMT-PORTS
+
+pass out all
+
+I<Run>
+
+ipfmeta ipf.objs <ipf.metarules >ipf.rules
+
+I<Output>
+
+# block in from UNWANTED to any
+
+block in from 10.0.0.0/8 to any
+
+block in from 127.0.0.0/8 to any
+
+block in from 172.16.0.0/12 to any
+
+block in from 192.168.0.0/16 to any
+
+block in from 224.0.0.0/4 to any
+
+# pass in from NOC to WEBSERVERS port = MGMT-PORTS
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 22
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 23
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 22
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 23
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 22
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 23
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 22
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 23
+
+pass out all
+
+=head1 AUTHOR
+
+Camiel Dobbelaar <cd@sentia.nl>. B<ipfmeta> is in the Public Domain.
+
+=cut
diff --git a/perl/logfilter.pl b/perl/logfilter.pl
new file mode 100644
index 0000000..6ebe401
--- /dev/null
+++ b/perl/logfilter.pl
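Review bot: In `expand`, object names read from the objfile are interpolated into patterns unescaped (`if ($line =~ m/$obj/)` and `$newline =~ s/$obj/$val/`), so any regex metacharacter in a name — a `.` in `WEB.SERVERS`, a `+`, a parenthesis — changes what the object matches and can silently rewrite a firewall rule into something other than what was written; quote them with `m/\Q$obj\E/` and `s/\Q$obj\E/$val/`. The recursion guard has the same failure mode: it prints to STDERR and returns an empty list, so the affected rule vanishes from the generated ruleset while the exit status stays 0, which a Makefile pipeline like the one shown in the POD will happily install — `die "recursion exceeds $MAXRECURSION levels"` there instead. The objfile is also opened with the two-argument form (`open(FH, "$objfile")`); prefer `open(my $fh, '<', $objfile)` so an argument such as `|cmd` or `>file` is treated as a filename rather than a mode.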
@@ -0,0 +1,181 @@
+#!perl.exe
+
+# Author: Chris Grant
+# Copyright 1999, Codetalker Communications, Inc.
+#
+# This script takes a firewall log and breaks it into several
+# different files. Each file is named based on the service that
+# runs on the port that was recognized in log line. After
+# this script has run, you should end up with several files.
+# Of course you will have the original log file and then files
+# such as web.log, telnet.log, pop3.log, imap.log, backorifice.log,
+# netbus.log, and unknown.log.
+#
+# The number of entries in unknown.log should be minimal. The
+# mappings of the port numbers and file names are stored in the bottom
+# of this file in the data section. Simply look at the ports being hit,
+# find out what these ports do, and add them to the data section.
+#
+# You may be wondering why I haven't simply parsed RFC1700 to come up
+# with a list of port numbers and files. The reason is that I don't
+# believe reading firewall logs should be all that automated. You
+# should be familiar with what probes are hitting your system. By
+# manually adding entries to the data section this ensures that I
+# have at least educated myself about what this protocol is, what
+# the potential exposure is, and why you might be seeing this traffic.
+
+%icmp = ();
+%udp = ();
+%tcp = ();
+%openfiles = ();
+$TIDBITSFILE = "unknown.log";
+
+# Read the ports data from the end of this file and build the three hashes
+while (<DATA>) {
+ chomp; # trim the newline
+ s/#.*//; # no comments
+ s/^\s+//; # no leading white
+ s/\s+$//; # no trailing white
+ next unless length; # anything left?
+ $_ = lc; # switch to lowercase
+ ($proto, $identifier, $filename) = m/(\S+)\s+(\S+)\s+(\S+)/;
+ SWITCH: {
+ if ($proto =~ m/^icmp$/) { $icmp{$identifier} = $filename; last SWITCH; };
+ if ($proto =~ m/^udp$/) { $udp{$identifier} = $filename; last SWITCH; };
+ if ($proto =~ m/^tcp$/) { $tcp{$identifier} = $filename; last SWITCH; };
+ die "An unknown protocol listed in the proto defs\n$_\n";
+ }
+}
+
+$filename = shift;
+unless (defined($filename)) { die "Usage: logfilter.pl <log file>\n"; }
+open(LOGFILE, $filename) || die "Could not open the firewall log file.\n";
+$openfiles{$filename} = "LOGFILE";
+
+$linenum = 0;
+while($line = <LOGFILE>) {
+
+ chomp($line);
+ $linenum++;
+
+ # determine the protocol - send to unknown.log if not found
+ SWITCH: {
+
+ ($line =~ m /\sicmp\s/) && do {
+
+ #
+ # ICMP Protocol
+ #
+ # Extract the icmp packet information specifying the type.
+ #
+ # Note: Must check for ICMP first because this may be an ICMP reply
+ # to a TCP or UDP connection (eg Port Unreachable).
+
+ ($icmptype) = $line =~ m/icmp (\d+)\/\d+/;
+
+ $filename = $TIDBITSFILE;
+ $filename = $icmp{$icmptype} if (defined($icmp{$icmptype}));
+
+ last SWITCH;
+ };
+
+ ($line =~ m /\stcp\s/) && do {
+
+ #
+ # TCP Protocol
+ #
+ # extract the source and destination ports and compare them to
+ # known ports in the tcp hash. For the first match, place this
+ # line in the file specified by the tcp hash. Ignore one of the
+ # port matches if both ports happen to be known services.
+
+ ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
+ #print "$line\n" unless (defined($sport) && defined($dport));
+
+ $filename = $TIDBITSFILE;
+ $filename = $tcp{$sport} if (defined($tcp{$sport}));
+ $filename = $tcp{$dport} if (defined($tcp{$dport}));
+
+ last SWITCH;
+ };
+
+ ($line =~ m /\sudp\s/) && do {
+
+ #
+ # UDP Protocol - same procedure as with TCP, different hash
+ #
+
+ ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
+
+ $filename = $TIDBITSFILE;
+ $filename = $udp{$sport} if (defined($udp{$sport}));
+ $filename = $udp{$dport} if (defined($udp{$dport}));
+
+ last SWITCH;
+ };
+
+ #
+ # The default case is that the protocol was unknown
+ #
+ $filename = $TIDBITSFILE;
+ }
+
+ #
+ # write the line to the appropriate file as determined above
+ #
+ # check for filename in the openfiles hash. if it exists then write
+ # to the given handle. otherwise open a handle to the file and add
+ # it to the hash of open files.
+
+ if (defined($openfiles{$filename})) {
+ $handle = $openfiles{$filename};
+ } else {
+ $handle = "HANDLE" .
keys %openfiles;
+ open ($handle, ">>".$filename) || die "Couldn't open|create the file $filename";
+ $openfiles{$filename} = $handle;
+ }
+ print $handle "#$linenum\t $line\n";
+
+}
+
+# close all open file handles
+
+foreach $key (keys %openfiles) {
+ close($openfiles{$key});
+}
+
+close(LOGFILE);
+
+__DATA__
+icmp 3 destunreach.log
+icmp 8 ping.log
+icmp 9 router.log
+icmp 10 router.log
+icmp 11 ttl.log
+tcp 23 telnet.log
+tcp 25 smtp.log
+udp 25 smtp.log
+udp 53 dns.log
+tcp 80 http.log
+tcp 110 pop3.log
+tcp 111 rpc.log
+udp 111 rpc.log
+tcp 137 netbios.log
+udp 137 netbios.log
+tcp 143 imap.log
+udp 161 snmp.log
+udp 370 backweb.log
+udp 371 backweb.log
+tcp 443 https.log
+udp 443 https.log
+udp 512 syslog.log
+tcp 635 nfs.log # NFS mount services
+udp 635 nfs.log # NFS mount services
+tcp 1080 socks.log
+udp 1080 socks.log
+tcp 6112 games.log # Battle net
+tcp 6667 irc.log
+tcp 7070 realaudio.log
+tcp 8080 http.log
+tcp 12345 netbus.log
+udp 31337 backorifice.log
\ No newline at end of file
diff --git a/perl/plog b/perl/plog
new file mode 100644
index 0000000..208c6ea
--- /dev/null
+++ b/perl/plog
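Review bot: `open(LOGFILE, $filename) || die "Could not open the firewall log file.\n";` is a two-argument open on the command-line argument, so a name that starts with a mode character or ends in `|` is interpreted as a mode or a pipe rather than as a plain filename; use the three-argument form and report `$!`: `open(LOGFILE, '<', $filename) || die "Could not open the firewall log file $filename: $!\n";`, and likewise `open ($handle, '>>', $filename) || die "Couldn't open|create the file $filename: $!";` for the per-service output files. The script also has no `use strict; use warnings;`, and the `"HANDLE" . keys %openfiles` symbolic handle names would not survive adding them; lexical handles (`open(my $fh, '>>', $filename)`, storing `$fh` in `%openfiles`) avoid that. Since `keys %openfiles` is forced into scalar context only by the `.` concatenation, a short comment such as `# scalar(keys) gives a unique handle name per opened file` would make the intent readable.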
@@ -0,0 +1,1061 @@
+#!/usr/bin/perl -wT
+#
+# Author: Jefferson Ogata (JO317) <jogata@pobox.com>
+# Date: 2000/04/22
+# Version: 0.10
+#
+# Please feel free to use or redistribute this program if you find it useful.
+# If you have suggestions, or even better, bits of new code, send them to me
+# and I will add them when I have time. The current version of this script
+# can always be found at the URL:
+#
+# http://www.antibozo.net/ogata/webtools/plog.pl
+# http://pobox.com/~ogata/webtools/plog.txt
+#
+# Parse ipmon output into a coherent form. This program only handles the
+# lines regarding filter actions. It does not parse nat and state lines.
+#
+# Present lines from ipmon to this program on standard input.
+#
+# EXAMPLES
+#
+# plog -AF block,log < /var/log/ipf
+#
+# Generate source and destination reports of all packets logged with
+# block or log actions, and report TCP flags and keep state actions.
+#
+# plog -S -s ./services www.example.com < /var/log/ipf
+#
+# Generate a source report of traffic to or from www.example.com using
+# the additional services defined in ./services.
+#
+# plog -nSA block < /var/log/ipf
+#
+# Generate a source report of all blocked packets with no hostname
+# lookups. This is handy for an initial pass to identify portscans or
+# other aggressive traffic.
+#
+# plog -SFp 192.168.0.0/24 www.example.com/24 < /var/log/ipf
+#
+# Generate a source report of all packets whose source or destination
+# address is either in 192.168.0.0/24 or an address associated with
+# the host www.example.com, report packet flags and perform paranoid
+# hostname lookups. This is a handy usage for examining traffic more
+# closely after identifying a potential attack.
+#
+# TODO
+#
+# - Handle output from ipmon -v.
+# - Handle timestamps from other locales. Anyone with a timestamp problem
+# please email me the format of your timestamps.
+# - It looks as though short TCP or UDP packets will break things, but I
+# haven't seen any yet.
+#
+# CHANGES
+#
+# 2000/04/22 (0.10):
+# - Restructured host name and address caches. Hosts are now cached using
+# packed addresses as keys. Conversion to IPv6 should be simple now.
+# - Added paranoid hostname lookups.
+# - Added netmask qualifications for address arguments.
+# - Tweaked usage info.
+# 2000/04/20:
+# - Added parsing and tracking of TCP and state flags.
+# 2000/04/12 (0.9):
+# - Wasn't handling underscore in hostname,servicename fields; these may be
+# logged using ipmon -n. Observation by <ark@eltex.ru>.
+# - Hadn't properly attributed observation and fix for repetition counter in
+# 0.8 change log. Added John Ladwig to attribution. Thanks, John.
+#
+# 2000/04/10 (0.8):
+# - Service names can also have hyphens, dummy. I wasn't allowing these
+# either. Observation and fix thanks to Taso N. Devetzis
+# <devetzis@snet.net>.
+# - IP Filter now logs a repetition counter. Observation and fixes (changed
+# slightly) from Andy Kreiling <Andy@ntcs-inc.com> and John Ladwig
+# <jladwig@nts.umn.edu>.
+# - Added fix to handle new Solaris log format, e.g.:
+# Nov 30 04:49:37 raoul ipmon[121]: [ID 702911 local0.warning] 04:49:36.420541 hme0 @0:34 b 205.152.16.6,58596 -> 204.60.220.24,113 PR tcp len 20 44
+# Fix thanks to Taso N. Devetzis <devetzis@SNET.Net>.
+# - Added services map option.
+# - Added options for generating only source/destination tables.
+# - Added verbosity option.
+# - Added option for reporting traffic for specific hosts.
+# - Added some more ICMP unreachable codes, and made code and type names
+# match the ones in IP Filter parse.c.
+# - Condensed output format somewhat.
+# - Various minor improvements, perhaps slight speed improvements.
+# - Documented new options in usage() and tried to improve wording.
+#
+# 1999/08/02 (0.7):
+# - Hostnames can have hyphens, dummy. I wasn't allowing them in the syslog
+# line. Fix from Antoine Verheijen <antoine.verheijen@ualberta.ca>.
+#
+# 1999/05/05 (0.6):
+# - IRIX syslog prefixes the hostname with a severity code. Handle it. Fix
+# from John Ladwig <jladwig@nts.umn.edu>.
+#
+# 1999/05/05 (0.5):
+# - Protocols other than TCP, UDP, or ICMP have packet lengths reported in
+# parentheses for some reason. The script now handles this. Thanks to
+# Dispatcher <dispatch@blackhelicopters.org>.
+# - I had mixed up info-request and info-reply ICMP codes, and omitted the
+# traceroute code. Sorted this out. I had also missed code 0 for type 6
+# (alternate address for host). Thanks to John Ladwig <jladwig@nts.umn.edu>.
+#
+# 1999/05/03:
+# - Now accepts hostnames in the source and destination address fields, as
+# well as port names in the port fields. This allows the people who are
+# using ipmon -n to still use plog. Note that if you are logging
+# hostnames, you are vulnerable to forgery of DNS information, modified
+# DNS information, and your log files will be larger also. If you are
+# using this program you can have it look up the names for you (still
+# vulnerable to forgery) and keep your logged addresses all in numeric
+# format, so that packets from the same source will always show the same
+# source address regardless of what's up with DNS. Obviously, I don't
+# favor using ipmon -n. Nevertheless, some people wanted this, so here it
+# is.
+# - Added S and n flags to %acts hash. Thanks to Stephen J. Roznowski
+# <sjr@home.net>.
+# - Stopped reporting host IPs twice when numeric output was requested.
+# Thanks, yet again, to Stephen J. Roznowski <sjr@home.net>.
+# - Number of minor tweaks that might speed it up a bit, and some comments.
+# - Put the script back up on the web site. I had moved the site and
+# forgotten to move the tool.
+#
+# 1999/02/04:
+# - Changed log line parser to accept fully-qualified name in the logging
+# host field. Thanks to Stephen J. Roznowski <sjr@home.net>.
+# +# 1999/01/22: +# - Changed high port strategy to use 65536 for unknown high ports so that +# they are sorted last. +# +# 1999/01/21: +# - Moved icmp parsing to output loop. +# - Added parsing of icmp codes, and more types. +# - Changed packet sort routine to sort by port number rather than service +# name. +# +# 1999/01/20: +# - Fixed problem matching ipmon log lines. Sometimes they have "/ipmon" in +# them, sometimes just "ipmon". +# - Added numeric parse option to turn off hostname lookups. +# - Moved summary to usage() sub. + +use strict; +use Socket; +use IO::File; + +select STDOUT; $| = 1; + +my %hosts; + +my $me = $0; +$me =~ s/^.*\///; + +# Map of log codes for various actions. Not all of these can occur, but +# I've included everything in print_ipflog() from ipmon.c. +my %acts = ( + 'p' => 'pass', + 'P' => 'pass', + 'b' => 'block', + 'B' => 'block', + 'L' => 'log', + 'S' => 'short', + 'n' => 'nomatch', +); + +# Map of ICMP types and their relevant codes. +my %icmpTypeMap = ( + 0 => +{ + name => 'echorep', + codes => +{0 => undef}, + }, + 3 => +{ + name => 'unreach', + codes => +{ + 0 => 'net-unr', + 1 => 'host-unr', + 2 => 'proto-unr', + 3 => 'port-unr', + 4 => 'needfrag', + 5 => 'srcfail', + 6 => 'net-unk', + 7 => 'host-unk', + 8 => 'isolate', + 9 => 'net-prohib', + 10 => 'host-prohib', + 11 => 'net-tos', + 12 => 'host-tos', + 13 => 'filter-prohib', + 14 => 'host-preced', + 15 => 'preced-cutoff', + }, + }, + 4 => +{ + name => 'squench', + codes => +{0 => undef}, + }, + 5 => +{ + name => 'redir', + codes => +{ + 0 => 'net', + 1 => 'host', + 2 => 'tos', + 3 => 'tos-host', + }, + }, + 6 => +{ + name => 'alt-host-addr', + codes => +{ + 0 => 'alt-addr' + }, + }, + 8 => +{ + name => 'echo', + codes => +{0 => undef}, + }, + 9 => +{ + name => 'routerad', + codes => +{0 => undef}, + }, + 10 => +{ + name => 'routersol', + codes => +{0 => undef}, + }, + 11 => +{ + name => 'timex', + codes => +{ + 0 => 'in-transit', + 1 => 'frag-assy', + }, + }, + 12 => +{ + name 
=> 'paramprob', + codes => +{ + 0 => 'ptr-err', + 1 => 'miss-opt', + 2 => 'bad-len', + }, + }, + 13 => +{ + name => 'timest', + codes => +{0 => undef}, + }, + 14 => +{ + name => 'timestrep', + codes => +{0 => undef}, + }, + 15 => +{ + name => 'inforeq', + codes => +{0 => undef}, + }, + 16 => +{ + name => 'inforep', + codes => +{0 => undef}, + }, + 17 => +{ + name => 'maskreq', + codes => +{0 => undef}, + }, + 18 => +{ + name => 'maskrep', + codes => +{0 => undef}, + }, + 30 => +{ + name => 'tracert', + codes => +{ }, + }, + 31 => +{ + name => 'dgram-conv-err', + codes => +{ }, + }, + 32 => +{ + name => 'mbl-host-redir', + codes => +{ }, + }, + 33 => +{ + name => 'ipv6-whereru?', + codes => +{ }, + }, + 34 => +{ + name => 'ipv6-iamhere', + codes => +{ }, + }, + 35 => +{ + name => 'mbl-reg-req', + codes => +{ }, + }, + 36 => +{ + name => 'mbl-reg-rep', + codes => +{ }, + }, +); + +# Arguments we will parse from argument list. +my $numeric = 0; # Don't lookup hostnames. +my $paranoid = 0; # Do paranoid hostname lookups. +my $verbosity = 0; # Bla' bla' bla'. +my $sTable = 0; # Generate source table. +my $dTable = 0; # Generate destination table. +my @services = (); # Preload services tables. +my $showFlags = 0; # Show TCP flag combinations. +my %selectAddrs; # Limit report to these hosts. +my %selectActs; # Limit report to these actions. + +# Parse argument list. 
+while (defined ($_ = shift)) +{ + if (s/^-//) + { + while (s/^([vnpSD\?hsAF])//) + { + my $flag = $1; + if ($flag eq 'v') + { + ++$verbosity; + } + elsif ($flag eq 'n') + { + $numeric = 1; + } + elsif ($flag eq 'p') + { + $paranoid = 1; + } + elsif ($flag eq 'S') + { + $sTable = 1; + } + elsif ($flag eq 'D') + { + $dTable = 1; + } + elsif ($flag eq 'F') + { + $showFlags = 1; + } + elsif (($flag eq '?') || ($flag eq 'h')) + { + &usage (0); + } + else + { + my $arg = shift; + defined ($arg) || &usage (1, qq{-$flag requires an argument}); + if ($flag eq 's') + { + push (@services, $arg); + } + elsif ($flag eq 'A') + { + my @acts = split (/,/, $arg); + my $a; + foreach $a (@acts) + { + my $aa; + my $match = 0; + foreach $aa (keys (%acts)) + { + if ($acts{$aa} eq $a) + { + ++$match; + $selectActs{$aa} = $a; + } + } + $match || &usage (1, qq{unknown action $a}); + } + } + } + } + + &usage (1, qq{unknown option: -$_}) if (length); + + next; + } + + # Add host to hash of hosts we're interested in. + (/^(.+)\/([\d+\.]+)$/) || (/^(.+)$/) || &usage (1, qq{invalid CIDR address $_}); + my ($addr, $mask) = ($1, $2); + my @addr = &hostAddrs ($addr); + (scalar (@addr)) || &usage (1, qq{cannot resolve hostname $_}); + if (!defined ($mask)) + { + $mask = (2 ** 32) - 1; + } + elsif (($mask =~ /^\d+$/) && ($mask <= 32)) + { + $mask = (2 ** 32) - 1 - ((2 ** (32 - $mask)) - 1); + } + elsif (defined ($mask = &isDottedAddr ($mask))) + { + $mask = &integerAddr ($mask); + } + else + { + &usage (1, qq{invalid CIDR address $_}); + } + foreach $addr (@addr) + { + # Save mask unless we already have a less specific one for this address. + my $a = &integerAddr ($addr) & $mask; + $selectAddrs{$a} = $mask unless (exists ($selectAddrs{$a}) && ($selectAddrs{$a} < $mask)); + } +} + +# Which tables will we generate? +$dTable = $sTable = 1 unless ($dTable || $sTable); +my @dirs; +push (@dirs, 'd') if ($dTable); +push (@dirs, 's') if ($sTable); + +# Are we interested in specific hosts? 
+my $selectAddrs = scalar (keys (%selectAddrs)); + +# Are we interested in specific actions? +if (scalar (keys (%selectActs)) == 0) +{ + %selectActs = %acts; +} + +# We use this hash to cache port name -> number and number -> name mappings. +# Isn't it cool that we can use the same hash for both? +my %pn; + +# Preload any services maps. +my $sm; +foreach $sm (@services) +{ + my $sf = new IO::File ($sm, "r"); + defined ($sf) || &quit (1, qq{cannot open services file $sm}); + + while (defined ($_ = $sf->getline ())) + { + my $text = $_; + chomp; + s/#.*$//; + s/\s+$//; + next unless (length); + my ($name, $spec, @aliases) = split (/\s+/); + ($spec =~ /^([\w\-]+)\/([\w\-]+)$/) + || &quit (1, qq{$sm:$.: invalid definition: $text}); + my ($pnum, $proto) = ($1, $2); + + # Enter service definition in pn hash both forwards and backwards. + my $port; + my $pname; + foreach $port ($name, @aliases) + { + $pname = "$pnum/$proto"; + $pn{$pname} = $port; + } + $pname = "$name/$proto"; + $pn{$pname} = $pnum; + } + + $sf->close (); +} + +# Cache for host name -> addr mappings. +my %ipAddr; + +# Cache for host addr -> name mappings. +my %ipName; + +# Hash for protocol number <--> name mappings. +my %pr; + +# Under IPv4 port numbers are unsigned shorts. The value below is higher +# than the maximum value of an unsigned short, and is used in place of +# high port numbers that don't correspond to known services. This makes +# high ports get sorted behind all others. +my $highPort = 0x10000; + +while (<STDIN>) +{ + chomp; + + # For ipmon output that came through syslog, we'll have an asctime + # timestamp, an optional severity code (IRIX), the hostname, + # "ipmon"[process id]: prefixed to the line. For output that was + # written directly to a file by ipmon, we'll have a date prefix as + # dd/mm/yyyy (no y2k problem here!). Both formats then have a packet + # timestamp and the log info. 
+ my ($log); + if (s/^\w+\s+\d+\s+\d+:\d+:\d+\s+(?:\d\w:)?[\w\.\-]+\s+\S*ipmon\[\d+\]:\s+(?:\[ID\s+\d+\s+[\w\.]+\]\s+)?\d+:\d+:\d+\.\d+\s+//) + { + $log = $_; + } + elsif (s/^(?:\d+\/\d+\/\d+)\s+(?:\d+:\d+:\d+\.\d+)\s+//) + { + $log = $_; + } + else + { + # It don't look like no ipmon output to me, baby. + next; + } + next unless (defined ($log)); + + print STDERR "$log\n" if ($verbosity); + + # Parse the log line. We're expecting interface name, rule group and + # number, an action code, a source host name or IP with possible port + # name or number, a destination host name or IP with possible port + # number, "PR", a protocol name or number, "len", a header length, a + # packet length (which will be in parentheses for protocols other than + # TCP, UDP, or ICMP), and maybe some additional info. + my @fields = ($log =~ /^(?:(\d+)x)?\s*(\w+)\s+@(\d+):(\d+)\s+(\w)\s+([\w\-\.,]+)\s+->\s+([\w\-\.,]+)\s+PR\s+(\w+)\s+len\s+(\d+)\s+\(?(\d+)\)?\s*(.*)$/ox); + unless (scalar (@fields)) + { + print STDERR "$me:$.: cannot parse: $_\n"; + next; + } + my ($count, $if, $group, $rule, $act, $src, $dest, $proto, $hlen, $len, $more) = @fields; + + # Skip actions we're not interested in. + next unless (exists ($selectActs{$act})); + + # Packet count defaults to 1. + $count = 1 unless (defined ($count)); + + my ($sport, $dport, @flags); + + if ($proto eq 'icmp') + { + if ($more =~ s/^icmp (\d+)\/(\d+)\s*//) + { + # We save icmp type and code in both sport and dport. This + # allows us to sort icmp packets using the normal port-sorting + # code. 
+ $dport = $sport = "$1.$2"; + } + else + { + $sport = ''; + $dport = ''; + } + } + else + { + if ($showFlags) + { + if (($proto eq 'tcp') && ($more =~ s/^\-([A-Z]+)\s*//)) + { + push (@flags, $1); + } + if ($more =~ s/^K\-S\s*//) + { + push (@flags, 'state'); + } + } + if ($src =~ s/,([\-\w]+)$//) + { + $sport = &portSimplify ($1, $proto); + } + else + { + $sport = ''; + } + if ($dest =~ s/,([\-\w]+)$//) + { + $dport = &portSimplify ($1, $proto); + } + else + { + $dport = ''; + } + } + + # Make sure addresses are numeric at this point. We want to sort by + # IP address later. If the hostname doesn't resolve, punt. If you + # must use ipmon -n, be ready for weirdness. Use only the first + # address returned. + my $x; + $x = (&hostAddrs ($src))[0]; + unless (defined ($x)) + { + print STDERR "$me:$.: cannot resolve hostname $src\n"; + next; + } + $src = $x; + $x = (&hostAddrs ($dest))[0]; + unless (defined ($x)) + { + print STDERR "$me:$.: cannot resolve hostname $dest\n"; + next; + } + $dest = $x; + + # Skip hosts we're not interested in. + if ($selectAddrs) + { + my ($a, $m); + my $s = &integerAddr ($src); + my $d = &integerAddr ($dest); + my $cute = 0; + while (($a, $m) = each (%selectAddrs)) + { + if ((($s & $m) == $a) || (($d & $m) == $a)) + { + $cute = 1; + last; + } + } + next unless ($cute); + } + + # Convert proto to proto number. + $proto = &protoNumber ($proto); + + sub countPacket + { + my ($host, $dir, $peer, $proto, $count, $packet, @flags) = @_; + + # Make sure host is in the hosts hash. + $hosts{$host} = + +{ + 'd' => +{ }, + 's' => +{ }, + } unless (exists ($hosts{$host})); + + # Get the source/destination traffic hash for the host in question. + my $trafficHash = $hosts{$host}->{$dir}; + + # Make sure there's a hash for the peer. + $trafficHash->{$peer} = +{ } unless (exists ($trafficHash->{$peer})); + + # Make sure the peer hash has a hash for the protocol number. 
+ my $peerHash = $trafficHash->{$peer}; + $peerHash->{$proto} = +{ } unless (exists ($peerHash->{$proto})); + + # Make sure there's a counter for this packet type in the proto hash. + my $protoHash = $peerHash->{$proto}; + $protoHash->{$packet} = +{ '' => 0 } unless (exists ($protoHash->{$packet})); + + # Increment the counter and mark flags. + my $packetHash = $protoHash->{$packet}; + $packetHash->{''} += $count; + map { $packetHash->{$_} = undef; } (@flags); + } + + # Count the packet as outgoing traffic from the source address. + &countPacket ($src, 's', $dest, $proto, $count, "$sport:$dport:$if:$act", @flags) if ($sTable); + + # Count the packet as incoming traffic to the destination address. + &countPacket ($dest, 'd', $src, $proto, $count, "$dport:$sport:$if:$act", @flags) if ($dTable); +} + +my $dir; +foreach $dir (@dirs) +{ + my $order = ($dir eq 's' ? 'source' : 'destination'); + my $arrow = ($dir eq 's' ? '->' : '<-'); + + print "###\n"; + print "### Traffic by $order address:\n"; + print "###\n"; + + sub ipSort + { + &integerAddr ($a) <=> &integerAddr ($b); + } + + sub packetSort + { + my ($asport, $adport, $aif, $aact) = split (/:/, $a); + my ($bsport, $bdport, $bif, $bact) = split (/:/, $b); + $bact cmp $aact || $aif cmp $bif || $asport <=> $bsport || $adport <=> $bdport; + } + + my $host; + foreach $host (sort ipSort (keys %hosts)) + { + my $traffic = $hosts{$host}->{$dir}; + + # Skip hosts with no traffic. + next unless (scalar (keys (%{$traffic}))); + + if ($numeric) + { + print &dottedAddr ($host), "\n"; + } + else + { + print &hostName ($host), " \[", &dottedAddr ($host), "\]\n"; + } + + my $peer; + foreach $peer (sort ipSort (keys %{$traffic})) + { + my $peerHash = $traffic->{$peer}; + my $peerName = ($numeric ? 
&dottedAddr ($peer) : &hostName ($peer)); + my $proto; + foreach $proto (sort (keys (%{$peerHash}))) + { + my $protoHash = $peerHash->{$proto}; + my $protoName = &protoName ($proto); + + my $packet; + foreach $packet (sort packetSort (keys %{$protoHash})) + { + my ($sport, $dport, $if, $act) = split (/:/, $packet); + my $packetHash = $protoHash->{$packet}; + my $count = $packetHash->{''}; + $act = '?' unless (defined ($act = $acts{$act})); + if (($protoName eq 'tcp') || ($protoName eq 'udp')) + { + printf (" %-6s %7s %4d %4s %16s %2s %s.%s", $if, $act, $count, $protoName, &portName ($sport, $protoName), $arrow, $peerName, &portName ($dport, $protoName)); + } + elsif ($protoName eq 'icmp') + { + printf (" %-6s %7s %4d %4s %16s %2s %s", $if, $act, $count, $protoName, &icmpType ($sport), $arrow, $peerName); + } + else + { + printf (" %-6s %7s %4d %4s %16s %2s %s", $if, $act, $count, $protoName, '', $arrow, $peerName); + } + if ($showFlags) + { + my @flags = sort (keys (%{$packetHash})); + if (scalar (@flags)) + { + shift (@flags); + print ' (', join (',', @flags), ')' if (scalar (@flags)); + } + } + print "\n"; + } + } + } + } + + print "\n"; +} + +exit (0); + +# Translates a numeric port/named protocol to a port name. Reserved ports +# that do not have an entry in the services database are left numeric. High +# ports that do not have an entry in the services database are mapped +# to '<high>'. +sub portName +{ + my $port = shift; + my $proto = shift; + my $pname = "$port/$proto"; + unless (exists ($pn{$pname})) + { + my $name = getservbyport ($port, $proto); + $pn{$pname} = (defined ($name) ? $name : ($port <= 1023 ? $port : '<high>')); + } + return $pn{$pname}; +} + +# Translates a named port/protocol to a port number. 
+sub portNumber +{ + my $port = shift; + my $proto = shift; + my $pname = "$port/$proto"; + unless (exists ($pn{$pname})) + { + my $number = getservbyname ($port, $proto); + unless (defined ($number)) + { + # I don't think we need to recover from this. How did the port + # name get into the log file if we can't find it? Log file from + # a different machine? Fix /etc/services on this one if that's + # your problem. + die ("Unrecognized port name \"$port\" at $."); + } + $pn{$pname} = $number; + } + return $pn{$pname}; +} + +# Convert all unrecognized high ports to the same value so they are treated +# identically. The protocol should be by name. +sub portSimplify +{ + my $port = shift; + my $proto = shift; + + # Make sure port is numeric. + $port = &portNumber ($port, $proto) + unless ($port =~ /^\d+$/); + + # Look up port name. + my $portName = &portName ($port, $proto); + + # Port is an unknown high port. Return a value that is too high for a + # port number, so that high ports get sorted last. + return $highPort if ($portName eq '<high>'); + + # Return original port number. + return $port; +} + +# Translates a numeric address into a hostname. Pass only packed numeric +# addresses to this routine. +sub hostName +{ + my $ip = shift; + return $ipName{$ip} if (exists ($ipName{$ip})); + + # Do an inverse lookup on the address. + my $name = gethostbyaddr ($ip, AF_INET); + unless (defined ($name)) + { + # Inverse lookup failed, so map the IP address to its dotted + # representation and cache that. + $ipName{$ip} = &dottedAddr ($ip); + return $ipName{$ip}; + } + + # For paranoid hostname lookups. + if ($paranoid) + { + # If this address already matches, we're happy. + unless (exists ($ipName{$ip}) && (lc ($ipName{$ip}) eq lc ($name))) + { + # Do a forward lookup on the resulting name. 
+ my @addr = &hostAddrs ($name); + my $match = 0; + + # Cache the forward lookup results for future inverse lookups, + # but don't stomp on inverses we've already cached, even if they + # are questionable. We want to generate consistent output, and + # the cache is growing incrementally. + foreach (@addr) + { + $ipName{$_} = $name unless (exists ($ipName{$_})); + $match = 1 if ($_ eq $ip); + } + + # Was this one of the addresses? If not, tack on a ?. + $name .= '?' unless ($match); + } + } + else + { + # Just believe it and cache it. + $ipName{$ip} = $name; + } + + return $name; +} + +# Translates a hostname or dotted address into a list of packed numeric +# addresses. +sub hostAddrs +{ + my $name = shift; + my $ip; + + # Check if it's a dotted representation. + return ($ip) if (defined ($ip = &isDottedAddr ($name))); + + # Return result from cache. + $name = lc ($name); + return @{$ipAddr{$name}} if (exists ($ipAddr{$name})); + + # Look up the addresses. + my @addr = gethostbyname ($name); + splice (@addr, 0, 4); + + unless (scalar (@addr)) + { + # Again, I don't think we need to recover from this gracefully. + # If we can't resolve a hostname that ended up in the log file, + # punt. We want to be able to sort hosts by IP address later, + # and letting hostnames through will snarl up that code. Users + # of ipmon -n will have to grin and bear it for now. The + # functions that get undef back should treat it as an error or + # as some default address, e.g. 0 just to make things work. + return (); + } + + $ipAddr{$name} = [ @addr ]; + return @{$ipAddr{$name}}; +} + +# If the argument is a valid dotted address, returns the corresponding +# packed numeric address, otherwise returns undef. 
+sub isDottedAddr +{ + my $addr = shift; + if ($addr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) + { + my @a = (int ($1), int ($2), int ($3), int ($4)); + foreach (@a) + { + return undef if ($_ >= 256); + } + return pack ('C*', @a); + } + return undef; +} + +# Unpacks a packed numeric address and returns an integer representation. +sub integerAddr +{ + my $addr = shift; + return unpack ('N', $addr); + + # The following is for generalized IPv4/IPv6 stuff. For now, it's a + # lot faster to assume IPv4. + my @a = unpack ('C*', $addr); + my $a = 0; + while (scalar (@a)) + { + $a = ($a << 8) | shift (@a); + } + return $a; +} + +# Unpacks a packed numeric address into a dotted representation. +sub dottedAddr +{ + my $addr = shift; + my @a = unpack ('C*', $addr); + return join ('.', @a); +} + +# Translates a protocol number into a protocol name, or a number if no name +# is found in the protocol database. +sub protoName +{ + my $code = shift; + return $code if ($code !~ /^\d+$/); + unless (exists ($pr{$code})) + { + my $name = scalar (getprotobynumber ($code)); + if (defined ($name)) + { + $pr{$code} = $name; + } + else + { + $pr{$code} = $code; + } + } + return $pr{$code}; +} + +# Translates a protocol name or number into a protocol number. +sub protoNumber +{ + my $name = shift; + return $name if ($name =~ /^\d+$/); + unless (exists ($pr{$name})) + { + my $code = scalar (getprotobyname ($name)); + if (defined ($code)) + { + $pr{$name} = $code; + } + else + { + $pr{$name} = $name; + } + } + return $pr{$name}; +} + +sub icmpType +{ + my $typeCode = shift; + my ($type, $code) = split ('\.', $typeCode); + + return "?" unless (defined ($code)); + + my $info = $icmpTypeMap{$type}; + + return "\(type=$type/$code?\)" unless (defined ($info)); + + my $typeName = $info->{name}; + my $codeName; + if (exists ($info->{codes}->{$code})) + { + $codeName = $info->{codes}->{$code}; + $codeName = (defined ($codeName) ? 
"/$codeName" : ''); + } + else + { + $codeName = "/$code"; + } + return "$typeName$codeName"; +} + +sub quit +{ + my $ec = shift; + my $msg = shift; + + print STDERR "$me: $msg\n"; + exit ($ec); +} + +sub usage +{ + my $ec = shift; + my @msg = @_; + + if (scalar (@msg)) + { + print STDERR "$me: ", join ("\n", @msg), "\n\n"; + } + + print <<EOT; +usage: $me [-nSDF] [-s servicemap] [-A act1,...] [address...] + +Parses logging from ipmon and presents it in a comprehensible format. This +program generates two reports: one organized by source address and another +organized by destination address. For the first report, source addresses are +sorted by IP address. For each address, all packets originating at the address +are presented in a tabular form, where all packets with the same source and +destination address and port are counted as a single entry. Any port number +greater than 1023 that does not match an entry in the services table is treated +as a "high" port; all high ports are coalesced into the same entry. The fields +for the source address report are: + iface action packet-count proto src-port dest-host.dest-port \[\(flags\)\] +The fields for the destination address report are: + iface action packet-count proto dest-port src-host.src-port \[\(flags\)\] + +Options are: +-n Disable hostname lookups, and report only IP addresses. +-p Perform paranoid hostname lookups. +-S Generate a source address report. +-D Generate a destination address report. +-F Show all flag combinations associated with packets. +-s map Supply an alternate services map to be preloaded. The map should + be in the same format as /etc/services. Any service name not found + in the map will be looked for in the system services file. +-A act1,... Limit the report to the specified actions. The possible actions + are pass, block, log, short, and nomatch. + +If any addresses are supplied on the command line, the report is limited to +these hosts. 
Addresses may be given as dotted IP addresses or hostnames, and +may be qualified with netmasks in CIDR \(/24\) or dotted \(/255.255.255.0\) format. +If a hostname resolves to multiple addresses, all addresses are used. + +If neither -S nor -D is given, both reports are generated. + +Note: if you are logging traffic with ipmon -n, ipmon will already have looked +up and logged addresses as hostnames where possible. This has an important side +effect: this program will translate the hostnames back into IP addresses which +may not match the original addresses of the logged packets because of numerous +DNS issues. If you care about where packets are really coming from, you simply +cannot rely on ipmon -n. An attacker with control of his reverse DNS can map +the reverse lookup to anything he likes. If you haven't logged the numeric IP +address, there's no way to discover the source of an attack reliably. For this +reason, I strongly recommend that you run ipmon without the -n option, and use +this or a similar script to do reverse lookups during analysis, rather than +during logging. +EOT + + exit ($ec); +} + |
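Review bot: `portNumber` aborts the whole run on an unrecognized service name (`die ("Unrecognized port name \"$port\" at $.")`), so with `ipmon -n` logs a single line naming a service missing from both the `-s` map and the system services file produces no report at all, whereas the hostname-resolution failures a few lines earlier in the main loop only `print STDERR` and `next`. Having `portNumber` return undef, `portSimplify` propagate it, and the main loop warn and skip that line keeps one malformed (or deliberately odd) log entry from denying the analysis of the rest; the rewrite below shows the `$src` branch, and the `$dest` branch needs the same change. Separately, the `usage` synopsis `usage: $me [-nSDF] [-s servicemap] [-A act1,...] [address...]` omits `-p` and `-v` although `-p` is documented in the option list and `-v` is parsed (it increments `$verbosity`, which echoes each parsed log line to stderr); suggest `usage: $me [-nvpSDF] [-s servicemap] [-A act1,...] [address...]` plus an option line `-v  Echo each parsed log line to stderr.`
```perl
# in portNumber, replacing the die:
unless (defined ($number))
{
    # Unknown name: leave it uncached and let the caller skip the line.
    return undef;
}
# … unchanged: cache and return $pn{$pname} …

# in portSimplify:
unless ($port =~ /^\d+$/)
{
    $port = &portNumber ($port, $proto);
    return undef unless (defined ($port));
}
# … unchanged: portName lookup and high-port mapping …

# in the main loop ($dest branch needs the same treatment):
if ($src =~ s/,([\-\w]+)$//)
{
    my $pname = $1;
    $sport = &portSimplify ($pname, $proto);
    unless (defined ($sport))
    {
        print STDERR "$me:$.: unrecognized port name $pname/$proto\n";
        next;
    }
}
```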