Diffstat (limited to 'perl')
-rw-r--r--perl/Ipfanaly.pl639
-rw-r--r--perl/Isbgraph297
-rw-r--r--perl/LICENSE6
-rw-r--r--perl/Services2146
-rw-r--r--perl/ipf-mrtg.pl22
-rw-r--r--perl/ipfmeta.pl210
-rw-r--r--perl/logfilter.pl181
-rw-r--r--perl/plog1061
8 files changed, 4562 insertions, 0 deletions
diff --git a/perl/Ipfanaly.pl b/perl/Ipfanaly.pl
new file mode 100644
index 0000000..0fa7c17
--- /dev/null
+++ b/perl/Ipfanaly.pl
@@ -0,0 +1,639 @@
+#!/usr/local/bin/perl
+# (C) Copyright 1998 Ivan S. Bishop (isb@notoryus.genmagic.com)
+#
+############### START SUBROUTINE DECLARATIONS ###########
+
+
+sub usage {
+ print "\n" x 24;
+ print "USAGE: ipfanalyze.pl -h [-p port# or all] [-g] [-s] [-v] [-o] portnum -t [target ip address] [-f] logfilename\n";
+ print "\n arguments to -p -f -o REQUIRED\n";
+ print "\n -h show this help\n";
+ print "\n -p limit stats/study to this port number.(eg 25 not smtp)\n";
+ print " -g make graphs, one per 4 hour interval called outN.gif 1<=N<=5\n";
+ print " -s make security report only (no graphical or full port info generated) \n";
+ print " -o lowest port number incoming traffic can talk to and be regarded as safe\n";
+ print " -v verbose report with graphs and textual AND SECURITY REPORTS with -o 1024 set\n";
+ print " -t the ip address of the inerface on which you collected data!\n";
+ print " -f name ipfilter log file (compatible with V 3.2.9) [ipfilter.log]\n";
+ print " \nExample: ./ipfanalyze.pl -p all -g -f log1\n";
+ print "Will look at traffic to/from all ports and make graphs from file log1\n";
+ print " \nExample2 ./ipfanalyze.pl -p 25 -g -f log2\n";
+ print "Will look at SMTP traffic and make graphs from file log2\n";
+ print " \nExample3 ./ipfanalyze.pl -p all -g -f log3 -o 1024\n";
+ print "Will look at all traffic,make graphs from file log3 and log security info for anthing talking inwards below port 1024\n";
+ print " \nExample4 ./ipfanalyze.pl -p all -f log3 -v \n";
+ print "Report the works.....when ports below 1024 are contacted highlight (like -s -o 1024)\n";
+}
+
+
+
+
+sub makegifs {
+local ($maxin,$maxout,$lookat,$xmax)=@_;
+$YMAX=$maxin;
+$XMAX=$xmax;
+
+if ($maxout > $maxin)
+ { $YMAX=$maxout;}
+
+($dateis,$junk)=split " " , @recs[0];
+($dayis,$monthis,$yearis)=split "/",$dateis;
+$month=$months{$monthis};
+$dateis="$dayis " . "$month " . "$yearis ";
+# split graphs in to 6 four hour spans for 24 hours
+$numgraphs=int($XMAX/240);
+
+$junk=0;
+$junk=$XMAX - 240*($numgraphs);
+if($junk gt 0 )
+{
+$numgraphs++;
+}
+
+$cnt1=0;
+$end=0;
+$loop=0;
+
+while ($cnt1++ < $numgraphs)
+{
+ $filename1="in$cnt1.dat";
+ $filename2="out$cnt1.dat";
+ $filename3="graph$cnt1.conf";
+ open(OUTDATA,"> $filename2") || die "Couldnt open $filename2 for writing \n";
+ open(INDATA,"> $filename1") || die "Couldnt open $filename1 for writing \n";
+
+ $loop=$end;
+ $end=($end + 240);
+
+# write all files as x time coord from 1 to 240 minutes
+# set hour in graph via conf file
+ $arraycnt=0;
+ while ($loop++ < $end )
+ {
+ $arraycnt++;
+ $val1="";
+ $val2="";
+ $val1=$inwards[$loop] [1];
+ if($val1 eq "")
+ {$val1=0};
+ $val2=$outwards[$loop] [1];
+ if($val2 eq "")
+ {$val2=0};
+ print INDATA "$arraycnt:$val1\n";
+ print OUTDATA "$arraycnt:$val2\n";
+ }
+ close INDATA;
+ close OUTDATA;
+ $gnum=($cnt1 - 1);
+ open(INCONFIG,"> $filename3") || die "Couldnt open ./graph.conf for writing \n";
+ print INCONFIG "NUMBERYCELLGRIDSIZE:5\n";
+ print INCONFIG "MAXYVALUE:$YMAX\n";
+ print INCONFIG "MINYVALUE:0\n";
+ print INCONFIG "XCELLGRIDSIZE:1.3\n";
+ print INCONFIG "XMAX: 240\n";
+ print INCONFIG "Bar:0\n";
+ print INCONFIG "Average:0\n";
+ print INCONFIG "Graphnum:$gnum\n";
+ print INCONFIG "Title: port $lookat packets/minute to/from gatekeep on $dateis \n";
+ print INCONFIG "Transparent:no\n";
+ print INCONFIG "Rbgcolour:0\n";
+ print INCONFIG "Gbgcolour:255\n";
+ print INCONFIG "Bbgcolour:255\n";
+ print INCONFIG "Rfgcolour:0\n";
+ print INCONFIG "Gfgcolour:0\n";
+ print INCONFIG "Bfgcolour:0\n";
+ print INCONFIG "Rcolour:0\n";
+ print INCONFIG "Gcolour:0\n";
+ print INCONFIG "Bcolour:255\n";
+ print INCONFIG "Racolour:255\n";
+ print INCONFIG "Gacolour:255\n";
+ print INCONFIG "Bacolour:0\n";
+ print INCONFIG "Rincolour:100\n";
+ print INCONFIG "Gincolour:100\n";
+ print INCONFIG "Bincolour:60\n";
+ print INCONFIG "Routcolour:60\n";
+ print INCONFIG "Goutcolour:100\n";
+ print INCONFIG "Boutcolour:100\n";
+ close INCONFIG;
+
+}
+
+
+$cnt1=0;
+while ($cnt1++ < $numgraphs)
+{
+ $filename1="in$cnt1.dat";
+ $out="out$cnt1.gif";
+ $filename2="out$cnt1.dat";
+ $filename3="graph$cnt1.conf";
+ system( "cp ./$filename1 ./in.dat;
+ cp ./$filename2 ./out.dat;
+ cp ./$filename3 ./graph.conf");
+ system( "./isbgraph -conf graph.conf;mv graphmaker.gif $out");
+ system(" cp $out /isb/local/etc/httpd/htdocs/.");
+
+}
+
+} # end of subroutine make gifs
+
+
+
+
+sub packbytime {
+local ($xmax)=@_;
+$XMAX=$xmax;
+# pass in the dest port number or get graph for all packets
+# at 1 minute intervals
+# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76
+# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62
+#
+# dont uses hashes to store how many packets per minite as they
+# return random x coordinate order
+@inwards=();
+@outwards=();
+$cnt=-1;
+$value5=0;
+$maxin=0;
+$maxout=0;
+$xpos=0;
+while ($cnt++ <= $#recs )
+ {
+ ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$cnt];
+ $bit=substr(@recs[$cnt],11);
+ ($bit,$junkit)= split " " , $bit ;
+ ($hour,$minute,$sec,$junk) = split ":", $bit;
+#
+# covert the time to decimal minutes and bucket to nearest minute
+#
+ $xpos=($hour * 3600) + ($minute * 60) + ($sec) ;
+# xpos is number of seconds since 00:00:00 on day......
+ $xpos=int($xpos / 60);
+# if we just want to see all packet in/out activity
+ if("$lookat" eq "all")
+ {
+ if("$destip" eq "$gatekeep")
+ {
+# TO GATEKEEP port lookat
+# print "to gatekeep at $xpos\n";
+ $value5=$inwards[$xpos] [1];
+ $value5++ ;
+# $maxin = $value5 if $maxin < $value5 ;
+
+ if($value5 > $maxin)
+ {
+ $maxin=$value5;
+ $timemaxin="$hour:$minute";
+ }
+ $inwards[$xpos][1]=$value5;
+ }
+ else
+ {
+# FROM GATEKEEP to port lookat
+# print "from gatekeep at $xpos\n";
+ $value4=$outwards[$xpos] [1];
+ $value4++ ;
+# $maxout = $value4 if $maxout < $value4 ;
+ if($value4 > $maxout)
+ {
+ $maxout=$value4;
+ $timemaxout="$hour:$minute";
+ }
+
+ $outwards[$xpos][1]=$value4;
+ }
+ }
+
+
+
+
+ if("$destport" eq "$lookat")
+ {
+ if("$destip" eq "$gatekeep")
+ {
+# TO GATEKEEP port lookat
+# print "to gatekeep at $xpos\n";
+ $value5=$inwards[$xpos] [1];
+ $value5++ ;
+ $maxin = $value5 if $maxin < $value5 ;
+ $inwards[$xpos][1]=$value5;
+ }
+ else
+ {
+# FROM GATEKEEP to port lookat
+# print "from gatekeep at $xpos\n";
+ $value4=$outwards[$xpos] [1];
+ $value4++ ;
+ $maxout = $value4 if $maxout < $value4 ;
+ $outwards[$xpos][1]=$value4;
+ }
+ }
+ } # end while
+
+# now call gif making stuff
+if("$opt_g" eq "1")
+{
+ print "Making plots of in files outN.gif\n";;
+ makegifs($maxin,$maxout,$lookat,$#inwards);
+}
+if ("$timemaxin" ne "")
+{print "\nTime of peak packets/minute in was $timemaxin\n";}
+if ("$timemaxout" ne "")
+{print "\nTime of peak packets/minute OUT was $timemaxout\n";}
+
+} # end of subroutine packets by time
+
+
+
+
+
+sub posbadones {
+
+$safenam="";
+@dummy=$saferports;
+foreach $it (split " ",$saferports) {
+if ($it eq "icmp" )
+ {
+ $safenam = $safenam . " icmp";
+ }
+else
+ {
+ $safenam = $safenam . " $services{$it}" ;
+ }
+
+}
+print "\n\n########################################################################\n";
+print "well known ports are 0->1023\n";
+print "Registered ports are 1024->49151\n";
+print "Dynamic/Private ports are 49152->65535\n\n";
+print "Sites that contacted gatekeep on 'less safe' ports (<$ITRUSTABOVE)\n";
+
+print " 'safe' ports are $safenam \n";
+print "\n variables saferports and safehosts hardwire what/who we trust\n";
+print "########################################################################\n";
+
+$loop=-1;
+while ($loop++ <= $#recs )
+ {
+ ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
+ if ("$destip" eq "$gatekeep")
+ {
+ if ($destport < $ITRUSTABOVE )
+ {
+# if index not found (ie < 0) then we have a low port attach to gatekeep
+# that is not to a safer port (see top of this file)
+# ie no ports 25 (smtp), 53 (dns) , 113 (ident), 123 (ntp), icmp
+ $where=index($saferports,$destport);
+ if ($where < 0)
+ {
+ $nameis=$services{$destport};
+ if ("$nameis" eq "" )
+ {
+ $nameis=$destport;
+ }
+ print " Warning: $srcip contacted gatekeep $nameis\n";
+ }
+ }
+ }
+ }
+print "\n\n";
+} # end of subroutine posbadones
+
+
+
+
+sub toobusy_site {
+$percsafe=1;
+print "\n\n########################################################################\n";
+print "# Sites sending > $percsafe % of all packets to gatekeep MAY be attacking/probing\n";
+print "Trusted hosts are $safehosts\n";
+print "\nTOTAL packets were $#recs \n";
+print "########################################################################\n";
+while(($ipadd,$numpacketsent)=each %numpacks)
+{
+$perc=$numpacketsent/$#recs*100;
+if ($perc > $percsafe)
+# dont believe safehosts are attacking!
+ {
+ $where=index($safehosts,$ipadd);
+# if not found (ie < 0 then the source host IP address
+# isn't in the saferhosts list, a list we trust......
+ if ($where < 0 )
+ {
+ printf "$ipadd sent %4.1f (\045) of all packets to gatekeep\n",$perc;
+ }
+ }
+}
+
+print "\n\n";
+} # end of subroutine toobusy_site
+
+
+############### END SUBROUTINE DECLARATIONS ###########
+
+use Getopt::Std;
+
+getopt('pfot');
+
+if("$opt_t" eq "0")
+ {usage;print "\n---->ERROR: You must psecify the IP address of the interface that collected the data!\n";
+exit;
+}
+
+if("$opt_h" eq "1")
+ {usage;exit 0};
+if("$opt_H" eq "1")
+ {usage;exit 0};
+
+if("$opt_v" eq "1")
+{
+$ITRUSTABOVE=1024;
+$opt_s=1;
+$opt_o=$ITRUSTABOVE;
+print "\n" x 5;
+print "NOTE: when the final section of the verbose report is generated\n";
+print " every host IP address that contacted $gatekeep has \n";
+print " a tally of how many times packets from a particular port on that host\n";
+print " reached $gatekeep, and WHICH source port or source portname \n";
+print " these packets originated from.\n";
+print " Many non RFC obeying boxes do not use high ports and respond to requests from\n";
+print " $gatekeep using reserved low ports... hence you'll see things like\n";
+print " #### with 207.50.191.60 as the the source for packets ####\n";
+print " 1 connections from topx to gatekeep\n\n\n\n";
+
+}
+
+if("$opt_o" eq "")
+ {usage;print "\n---->ERROR: Must specify lowest safe port name for incoming trafic\n";exit 0}
+else
+{
+$ITRUSTABOVE=$opt_o;$opt_s=1;}
+
+if("$opt_f" eq "")
+ {usage;print "\n---->ERROR: Must specify filename with -f \n";exit 0};
+$FILENAME=$opt_f;
+
+if("$opt_p" eq "")
+ {usage;print "\n---->ERROR: Must specify port number or 'all' with -p \n";exit 0};
+
+# -p arg must be all or AN INTEGER in range 1<=N<=64K
+if ("$opt_p" ne "all")
+ {
+ $_=$opt_p;
+ unless (/^[+-]?\d+$/)
+ {
+ usage;
+ print "\n---->ERROR: Must specify port number (1-64K) or 'all' with -p \n";
+ exit 0;
+ }
+ }
+
+
+# if we get here then the port option is either 'all' or an integer...
+# good enough.....
+$lookat=$opt_p;
+
+# -o arg must be all or AN INTEGER in range 1<=N<=64K
+ $_=$opt_o;
+ unless (/^[+-]?\d+$/)
+ {
+ usage;
+ print "\n---->ERROR: Must specify port number (1-64K) with -o \n";
+ exit 0;
+ }
+
+
+#---------------------------------------------------------------------
+
+
+%danger=();
+%numpacks=();
+
+$saferports="25 53 113 123 icmp";
+$gatekeep="192.216.16.2";
+#genmagic is 192.216.25.254
+$safehosts="$gatekeep 192.216.25.254";
+
+
+
+# load hash with service numbers versus names
+
+# hash called $services
+print "Creating hash of service names / numbers \n";
+$SERV="./services";
+open (INFILE, $SERV) || die "Cant open $SERV: $!n";
+while(<INFILE>)
+{
+ ($servnum,$servname,$junk)=split(/ /,$_);
+# chop off null trailing.....
+ $servname =~ s/\n$//;
+ $services{$servnum}=$servname;
+}
+print "Create hash of month numbers as month names\n";
+%months=("01","January","02","February","03","March","04","April","05","May","06","June","07","July","08","August","09","September","10","October","11","November","12","December");
+
+print "Reading log file into an array\n";
+#$FILENAME="./ipfilter.log";
+open (REC, $FILENAME) || die "Cant open $FILENAME: \n";
+($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,$junk)=stat REC;
+print "Log file $FILENAME is $size bytes in size\n";
+#each record is an element of array rec[] now
+while(<REC>)
+ {
+ @recs[$numrec++]=$_;
+ }
+
+
+# get list of UNIQUE source IP addresses now, records look like
+# 192.216.25.254,62910 -> 192.216.16.2,113 PR tcp len 20 40 -R
+# this is slow on big log files, about 1minute for every 2.5M log file
+print "Making list of unique source IP addresses (1minute for every 2M log parsed)\n";
+$loop=-1;
+$where=-1;
+while ($loop++ < $#recs )
+ {
+# get the LHS = source IP address, need fiddle as icmp rcords are logged oddly
+ $bit=substr(@recs[$loop],39);
+ $bit =~ s/,/ /g;
+ ($sourceip,$junkit)= split " " , $bit ;
+
+# NOTE the . is the string concat command NOT + .......!!!!
+
+ $sourceip =~ split " ", $sourceip;
+ $where=index($allips,$sourceip);
+# if not found (ie < 0, add it)
+ if ($where < 0 )
+ {
+ $allips = $allips . "$sourceip " ;
+ }
+ }
+
+print "Put all unique ip addresses into a 1D array\n";
+@allips=split " ", $allips;
+
+#set loop back to -1 as first array element in recs is element 0 NOT 1 !!
+print "Making compact array of logged entries\n";
+$loop=-1;
+$icmp=" icmp ";
+$ptr=" -> ";
+$lenst=" len ";
+$numpackets=0;
+
+while ($loop++ < $#recs )
+ {
+# this prints from 39 char to EOR
+ $a=substr(@recs[$loop],39);
+ ($srcip,$dummy,$destip,$dummy2,$dummy3,$dummy4,$lenicmp)= split " " , $a ;
+# need to rewrite icmp ping records.... they dont have service numbers
+ $whereicmp=index($a,"PR icmp");
+ if($whereicmp > 0 )
+ {
+ $a = $srcip . $icmp . $ptr . $destip . $icmp . $icmp . $lenst . $lenicmp ;
+ }
+
+# dump the "->" and commas from logging
+ $a =~ s/->//g;
+ $a =~ s/PR//g;
+ $a =~ s/,/ /g;
+# shortrec has records that look like
+# 209.24.1.217 123 192.216.16.2 123 udp len 20 76
+ @shortrecs[$loop]= "$a";
+
+# count number packets from each IP address into hash
+ ($srcip,$junk) = split " ","$a";
+ $numpackets=$numpacks{"$srcip"};
+ $numpackets++ ;
+ $numpacks{"$srcip"}=$numpackets;
+
+}
+
+
+
+# call sub to analyse packets by time
+# @shortrecs has form 209.24.1.217 123 192.216.16.2 123 udp len 20 76
+# @recs has form 27/07/1998 00:01:05.216596 le0 @0:2 L 192.216.21.16,2733 -> 192.216.16.2,53 PR udp len 20 62
+packbytime($XMAX);
+
+if("$opt_s" eq "1")
+{
+# call subroutine to scan for connections to ports on gatekeep
+# other than those listed in saferports, connections to high
+# ports are assumed OK.....
+posbadones;
+
+# call subroutine to print out which sites had sent more than
+# a defined % of packets to gatekeep
+toobusy_site;
+}
+
+
+# verbose reporting?
+if ("$opt_v" eq "1")
+{
+$cnt=-1;
+# loop over ALL unique IP source destinations
+while ($cnt++ < $#allips)
+{
+ %tally=();
+ %unknownsrcports=();
+ $uniqip=@allips[$cnt];
+ $loop=-1;
+ $value=0;
+ $value1=0;
+ $value2=0;
+ $value3=0;
+ $set="N";
+
+ while ($loop++ < $#recs )
+ {
+# get src IP num, src port number,
+# destination IP num, destnation port number,protocol
+ ($srcip,$srcport,$destip,$destport,$pro)= split " " , @shortrecs[$loop];
+# loop over all records for the machine $uniqip
+# NOTE THE STRINGS ARE COMPARED WITH eq NOT cmp and NOT = !!!!
+ if( "$uniqip" eq "$srcip")
+ {
+# look up hash of service names to get key... IF ITS NOT THERE THEN WHAT???
+# its more than likely a request coming back in on a high port
+# ....So...
+# find out the destination port from the unknown (high) src port
+# and tally these as they may be a port attack
+ if ("$srcport" eq "icmp")
+ { $srcportnam="icmp";}
+ else
+ {
+ $srcportnam=$services{$srcport};
+ }
+# try and get dest portname, if not there, leave it as the
+# dest portnumber
+ if ("$destport" eq "icmp")
+ { $destportnam="icmp";}
+ else
+ {
+ $destportnam=$services{$destport};
+ }
+
+ if ($destportnam eq "")
+ {
+ $destportnam=$destport;
+ }
+
+ if ($srcportnam eq "")
+ {
+# increment number of times a (high)/unknown port has gone to destport
+ $value1=$unknownsrcports{$destportnam};
+ $value1++ ;
+ $unknownsrcports{$destportnam}=$value1;
+ }
+ else
+ {
+# want tally(srcport) counter to be increased by 1
+ $value3=$tally{$srcportnam};
+ $value3++ ;
+ $tally{$srcportnam}=$value3;
+ }
+ }
+
+
+ }
+# end of loop over ALL IP's
+
+if ($set eq "N")
+{
+$set="Y";
+
+print "\n#### with $uniqip as the the source for packets ####\n";
+while(($key,$value)=each %tally)
+ {
+ if (not "$uniqip" eq "$gatekeep")
+ {
+ print "$value connections from $key to gatekeep\n";
+ }
+ else
+ {
+ print "$value connections from gatekeep to $key\n";
+ }
+ }
+
+
+
+while(($key2,$value2)=each %unknownsrcports)
+ {
+ if (not "$uniqip" eq "$gatekeep")
+ {
+ print "$value2 high port connections to $key2 on gatekeep\n";
+ }
+ else
+ {
+ print "$value2 high port connections to $key2 from gatekeep\n";
+ }
+ }
+
+}
+# print if rests for UNIQIP IF flag is set to N then toggle flag
+
+} # end of all IPs loop
+} # end of if verbose option set block
+
+
+
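Review bot: In `posbadones`, `index($saferports,$destport)` is a substring test against `"25 53 113 123 icmp"`, so a contact on port 23 is found inside `123` (ports 1, 2, 3, 5, 11, 12 and 13 match the same way) and the warning is never printed for it. `toobusy_site` has the same problem with `index($safehosts,$ipadd)`, where an address such as `192.216.25.25` is found inside `192.216.25.254` and is treated as trusted. An exact lookup avoids both: build `%safer = map { $_ => 1 } split " ", $saferports;` once and test `unless ($safer{$destport})`, and do the same for the safe-host list. The unique-source loop's `index($allips,$sourceip)` can drop addresses from the verbose report for the same reason.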
diff --git a/perl/Isbgraph b/perl/Isbgraph
new file mode 100644
index 0000000..c68b672
--- /dev/null
+++ b/perl/Isbgraph
@@ -0,0 +1,297 @@
+#!/usr/local/bin/perl
+
+# isbgraph
+# an example in not so hot perl programming....
+# based around GraphMaker from Fabrizio Pivari
+# A graph maker perl script
+
+use GD;
+use Getopt::Long;
+$hr=0;
+
+sub main{
+
+$opt_conf="./graphmaker.cnf";
+
+@elem=("NUMBERYCELLGRIDSIZE","MAXYVALUE","MINYVALUE","XCELLGRIDSIZE","XMAX",
+ "Data","Graph","Bar","Average","Graphnum","Title","Transparent","Rbgcolour",
+ "Gbgcolour","Bbgcolour","Rfgcolour","Gfgcolour","Bfgcolour","Rcolour",
+ "Gcolour","Bcolour","Racolour","Gacolour","Bacolour");
+
+%option=(
+ NUMBERYCELLGRIDSIZE => '8',
+ MAXYVALUE => '7748',
+ MINYVALUE => '6500',
+ XCELLGRIDSIZE => '18',
+ XMAX => '1000',
+ Data => './graphmaker.dat',
+ Graph => './graphmaker.gif',
+ Bar => '1',
+ Average => '1',
+ Graphnum => '1',
+ Title => 'GraphMaker 2.1',
+ Transparent => 'yes',
+ Rbgcolour => '255',
+ Gbgcolour => '255',
+ Bbgcolour => '255',
+ Rfgcolour => '0',
+ Gfgcolour => '0',
+ Bfgcolour => '0',
+ Rcolour => '0',
+ Gcolour => '0',
+ Bcolour => '255',
+ Racolour => '255',
+ Gacolour => '255',
+ Bacolour => '0');
+
+&GetOptions("conf=s","help") || &printusage ;
+
+
+if ($opt_help) {&printusage};
+
+open (CNF, $opt_conf) || die;
+while (<CNF>) {
+s/\t/ /g; #replace tabs by space
+next if /^\s*\#/; #ignore comment lines
+next if /^\s*$/; #ignore empty lines
+foreach $elem (@elem)
+ {
+ if (/\s*$elem\s*:\s*(.*)/) { $option{$elem}=$1; }
+ }
+}
+close(CNF);
+#########################################
+#
+#
+#
+# number datapoints/24 hours is 1440 (minutes)
+#
+# Split into N graphs where each graph has max of 240 datapoints (4 hours)
+#
+
+$barset=0;
+$m=0;
+$YGRIDSIZE = 400;
+$YCELLGRIDSIZE = $YGRIDSIZE/$option{'NUMBERYCELLGRIDSIZE'};
+$XINIT = 30;
+$XEND = 8;
+$YINIT =20;
+$YEND = 20;
+#$XGRIDSIZE = ($option{'XMAX'}*$option{'XCELLGRIDSIZE'});
+#$XGRIDSIZE = (240*$option{'XCELLGRIDSIZE'});
+$XGRIDSIZE = 620;
+$XGIF = $XGRIDSIZE + $XINIT + $XEND;
+$XGRAPH = $XGRIDSIZE + $XINIT;
+$YGIF = $YGRIDSIZE + $YEND + $YINIT;
+$YGRAPH = $YGRIDSIZE + $YINIT;
+$RANGE=$option{'MAXYVALUE'}-$option{'MINYVALUE'};
+$SCALE=$YGRIDSIZE/$RANGE;
+
+# NEW IMAGE
+ $im=new GD::Image($XGIF,$YGIF);
+
+$white=$im->colorAllocate(255,255,255);
+$black=$im->colorAllocate(0,0,0);
+$pink=$im->colorAllocate(255,153,153);
+$red=$im->colorAllocate(255,0,0);
+$blue=$im->colorAllocate(0,0,255);
+$green=$im->colorAllocate(0,192,51);
+$orange=$im->colorAllocate(255,102,0);
+$pink=$im->colorAllocate(255,153,153);
+$teal=$im->colorAllocate(51,153,153);
+# gif background is $bg
+ $bg=$white;
+ $fg=$blue;
+# LINE COLOUR HELP BY VAR $colour
+ $colour=$red;
+ $acolour=$yellow;
+ # GRID
+ if ($option{'Transparent'} eq "yes") {$im->transparent($bg)};
+ $im->filledRectangle(0,0,$XGIF,$YGIF,$bg);
+
+# Dot style
+# vertical markers on Y axis grid
+ $im->setStyle($fg,$bg,$bg,$bg);
+ for $i (0..$option{'XMAX'})
+ {
+ $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*$i +$i;
+ # $im->line($xspace,$YINIT,$xspace,$YGRAPH,gdStyled);
+ $num = $i+1;
+
+ use integer;
+ {
+ $posis=$num - ($num/60)*60;
+ }
+ if ($posis eq 0)
+ {
+ $outhr=0;
+ $hr=($hr + 1) ;
+ $outhr=$hr+$option{'Graphnum'}*4;
+# shift minutes coords to correct stat hour!
+ $im->string(gdMediumBoldFont,$xspace-3,$YGRAPH,"$outhr",$fg);
+ }
+
+ } # end of scan over X values (minutes)
+
+ $YCELLVALUE=($option{'MAXYVALUE'}-$option{'MINYVALUE'})/$option{'NUMBERYCELLGRIDSIZE'};
+ for $i (0..$option{'NUMBERYCELLGRIDSIZE'})
+ {
+ $num=$option{'MINYVALUE'}+$YCELLVALUE*($option{'NUMBERYCELLGRIDSIZE'}-$i);
+ $im->string(gdMediumBoldFont,0,$YINIT+$YCELLGRIDSIZE*$i -6,"$num",$fg);
+ }
+ $im->string(gdSmallFont,$XGRIDSIZE/2-80,0,$option{'Title'},$fg);
+
+ $odd_even = $option{'XCELLGRIDSIZE'}%2;
+ #odd
+ if ($odd_even eq 1) {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;}
+ else {$middle = $option{'XCELLGRIDSIZE'}/2 +0.5;}
+
+# start reading data
+# open (DATA,$option{'Data'}) || die "cant open $option{'Data'}";
+# nextdata becomes Y on reading of second data set....
+$nextdata="N";
+@datafiles=("./in.dat" , "./out.dat" );
+ foreach ( @datafiles )
+{
+ $m=0;
+ $count=0;
+ $i=0;
+ $fname=$_;
+
+ print "fname $fname\n";
+# change entry for red in colour table to green for packets LEAVING target host
+
+ open (DATA,$_) || die "cant open $_";
+ print "$nextdata nextdata\n";
+ while (<DATA>)
+ {
+ /(.*):(.*)/;
+ if ($option{'Average'} eq 1) {$m+=$2;$i++;}
+ if ($count eq 0){$XOLD=$1;$YOLD=$2;$count=1;next}
+ $X=$1; $Y=$2;
+# +($X-1) are the pixel of the line
+ $xspace= $XINIT+$option{'XCELLGRIDSIZE'}*($X-1) +($X-1);
+ $xspaceold= $XINIT+$option{'XCELLGRIDSIZE'}*($XOLD-1) +($XOLD-1);
+ $yspace= $YGRAPH-($Y-$option{'MINYVALUE'})*$SCALE;
+ $yspaceold= $YGRAPH-($YOLD-$option{'MINYVALUE'})*$SCALE;
+ $barset=$option{'Bar'};
+ if ($barset eq 0)
+ {
+
+ if($nextdata eq "Y")
+ {
+
+ #$im->line($XINIT,$YGRAPH,$X,$Y,$orange);
+ $im->line($xspaceold,$yspaceold,$xspace,$yspace,$green);
+ }
+ else
+ {
+ $im->line($xspaceold,$yspaceold,$xspace,$yspace,$red);
+ }
+ }
+ else
+ {
+ if ($1 eq 2)
+ {
+ $im->filledRectangle($xspaceold,$yspaceold,
+ $xspaceold+$middle,$YGRAPH,$colour);
+ $im->rectangle($xspaceold,$yspaceold,
+ $xspaceold+$middle,$YGRAPH,$fg);
+ }
+ else
+ {
+ $im->filledRectangle($xspaceold-$middle,$yspaceold,
+ $xspaceold+$middle,$YGRAPH,$colour);
+ $im->rectangle($xspaceold-$middle,$yspaceold,
+ $xspaceold+$middle,$YGRAPH,$fg);
+ }
+ }
+ $XOLD=$X; $YOLD=$Y;
+
+ } # end of while DATA loop
+
+ $im->line(500,40,530,40,$red);
+ $im->line(500,60,530,60,$green);
+ $im->string(gdSmallFont,535,35,"Packets IN",$fg);
+ $im->string(gdSmallFont,535,55,"Packets OUT",$fg);
+
+ if ($option{'Bar'} ne 0)
+ {
+ if ($X eq $option{'XMAX'})
+ {
+ $im->filledRectangle($xspace-$middle,$yspace,
+ $xspace,$YGRAPH,$colour);
+ $im->rectangle($xspace-$middle,$yspace,
+ $xspace,$YGRAPH,$fg);
+ }
+ else
+ {
+ $im->filledRectangle($xspace-$middle,$yspace,
+ $xspace+$middle,$YGRAPH,$colour);
+ $im->rectangle($xspace-$middle,$yspace,
+ $xspace+$middle,$YGRAPH,$fg);
+ }
+ }
+ close (DATA);
+
+
+ $nextdata="Y";
+# TOP LEFT is 0,0 on GIF (image)
+# origin of plot is xinit,yinit
+ # print "little line\n";
+ $im->line($xspace,$yspace,$xspace,$YGRAPH,$blue);
+ $im->line($xspace,$YGRAPH,$XINIT,$YGRAPH,$blue);
+# (0,0) in cartesian space time=0 minutes, rate 0 packets/s
+ $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$blue);
+ $im->line($XINIT,$YGRAPH,$XINIT,$YGRAPH,$green);
+
+} # close foreach loop on data file names
+
+
+
+
+ if ($option{'Average'} eq 1)
+ {
+ # Line style
+ $im->setStyle($acolour,$acolour,$acolour,$acolour,$bg,$bg,$bg,$bg);
+ $m=$m/$i;
+ $ym=$YGRAPH-($m-$option{'MINYVALUE'})*$SCALE;
+ $im->line($XINIT,$ym,$XGRAPH,$ym,gdStyled)
+ }
+ $im->line($XINIT,$YINIT,$XINIT,$YGRAPH,$fg);
+ $im->line($XINIT,$YINIT,$XGRAPH,$YINIT,$fg);
+ $im->line($XGRAPH,$YINIT,$XGRAPH,$YGRAPH,$fg);
+ $im->line($XINIT,$YGRAPH,$XGRAPH,$YGRAPH,$fg);
+
+ $im->string(gdSmallFont,$XGIF-335,$YGIF - 12,"Time of Day (hours)",$fg);
+ open (GRAPH,">$option{'Graph'}") || die "Error: Grafico.gif - $!\n";
+ print GRAPH $im -> gif;
+ close (GRAPH);
+
+
+
+
+} # end of subroutine main
+
+main;
+exit(0);
+
+sub printusage {
+ print <<USAGEDESC;
+
+usage:
+ graphmaker [-options ...]
+
+where options include:
+ -help print out this message
+ -conf file the configuration file (default graphmaker.cnf)
+
+If you want to know more about this tool, you might want
+to read the docs. They came together with graphmaker!
+
+Home: http://www.geocities.com/CapeCanaveral/Lab/3469/graphmaker.html
+
+USAGEDESC
+ exit(1);
+}
+
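Review bot: `open (CNF, $opt_conf)` and `open (GRAPH,">$option{'Graph'}")` in `main` use the two-argument form with values taken from `-conf` and from the config file's `Graph:` line, so mode and pipe characters in those strings are interpreted by `open` instead of being treated as part of a file name. The three-argument form keeps the name literal: `open(CNF, '<', $opt_conf) || die "cannot open $opt_conf: $!\n";` and `open(GRAPH, '>', $option{'Graph'}) || die "cannot write $option{'Graph'}: $!\n";`. `open (REC, $FILENAME)` in perl/Ipfanaly.pl takes the `-f` argument the same way. The bare `|| die` on the config open also reports neither the file name nor `$!`, which makes a wrong `-conf` path hard to diagnose.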
diff --git a/perl/LICENSE b/perl/LICENSE
new file mode 100644
index 0000000..4ae42df
--- /dev/null
+++ b/perl/LICENSE
@@ -0,0 +1,6 @@
+These shell scripts are provided "as is" by Ivan S. Bishop and any
+express or implied warranties, including, but not limited to, the
+implied warranties of merchantability and fitness for a particular
+purpose are disclaimed.
+
+Permission has been granted for their redistribution within this package.
diff --git a/perl/Services b/perl/Services
new file mode 100644
index 0000000..401fff0
--- /dev/null
+++ b/perl/Services
@@ -0,0 +1,2146 @@
+1 tcpmux TCPPortServiceMultiplexer
+3 compressnet CompressionProcess
+5 rje RemoteJobEntry
+7 echo
+9 discard
+11 systat
+13 daytime
+15 netstat
+17 qotd QuoteoftheDay
+18 msp MessageSendProtocol
+19 chargen
+20 ftp-data
+21 ftp
+22 ssh SSHRemoteLoginProtocol
+23 telnet
+25 smtp
+27 nsw-fe NSWUserSystemFE
+29 msg-icp MSGICP
+31 msg-auth MSGAuthentication
+33 dsp DisplaySupportProtocol
+37 time Time
+38 rap RouteAccessProtocol
+39 rlp ResourceLocationProtocol
+41 graphics Graphics
+42 nameserver HostNameServer
+43 whois
+44 mpm-flags MPMFLAGSProtocol
+45 mpm MessageProcessingModule[recv]
+46 mpm-snd MPM[defaultsend]
+47 ni-ftp NIFTP
+48 auditd DigitalAuditDaemon
+49 tacacs LoginHostProtocol(TACACS)
+50 re-mail-ck RemoteMailCheckingProtocol
+51 la-maint IMPLogicalAddressMaintenance
+52 xns-time XNSTimeProtocol
+53 domain DomainNameServer
+54 xns-ch XNSClearinghouse
+55 isi-gl ISIGraphicsLanguage
+56 xns-auth XNSAuthentication
+58 xns-mail XNSMail
+61 ni-mail NIMAIL
+62 acas ACAServices
+63 whois++ whois++
+64 covia CommunicationsIntegrator(CI)
+65 tacacs-ds TACACS-DatabaseService
+66 sqlnet OracleSQL*NET
+67 bootps BootstrapProtocolServer
+68 bootpc BootstrapProtocolClient
+69 tftp TrivialFileTransfer
+70 gopher Gopher
+71 netrjs-1 RemoteJobService
+72 netrjs-2 RemoteJobService
+73 netrjs-3 RemoteJobService
+74 netrjs-4 RemoteJobService
+76 deos DistributedExternalObjectStore
+77 rje
+78 vettcp vettcp
+79 finger Finger
+80 www-http WorldWideWebHTTP
+81 hosts2-ns HOSTS2NameServer
+82 xfer XFERUtility
+83 mit-ml-dev MITMLDevice
+84 ctf CommonTraceFacility
+85 mit-ml-dev MITMLDevice
+86 mfcobol MicroFocusCobol
+87 link
+88 kerberos Kerberos
+89 su-mit-tg SU/MITTelnetGateway
+90 dnsix DNSIXSecuritAttributeTokenMap
+91 mit-dov MITDoverSpooler
+92 npp NetworkPrintingProtocol
+93 dcp DeviceControlProtocol
+94 objcall TivoliObjectDispatcher
+95 supdup SUPDUP
+96 dixie DIXIEProtocolSpecification
+97 swift-rvf SwiftRemoteVirturalFileProtocol
+98 tacnews TACNews
+99 metagram MetagramRelay
+100 newacct [unauthorizeduse]
+101 hostname NICHostNameServer
+102 iso-tsap ISO-TSAPClass0
+103 x400
+104 x400-snd
+105 cso CCSOnameserverprotocol
+106 3com-tsmux 3COM-TSMUX
+107 rtelnet RemoteTelnetService
+108 snagas SNAGatewayAccessServer
+109 pop2 PostOfficeProtocol-Version2
+110 pop3 PostOfficeProtocol-Version3
+111 sunrpc SUNRemoteProcedureCall
+112 mcidas McIDASDataTransmissionProtocol
+113 ident
+114 audionews AudioNewsMulticast
+115 sftp SimpleFileTransferProtocol
+116 ansanotify ANSAREXNotify
+117 uucp-path UUCPPathService
+118 sqlserv SQLServices
+119 nntp NetworkNewsTransferProtocol
+120 cfdptkt CFDPTKT
+121 erpc EncoreExpeditedRemotePro.Call
+122 smakynet SMAKYNET
+123 ntp NetworkTimeProtocol
+124 ansatrader ANSAREXTrader
+125 locus-map LocusPC-InterfaceNetMapSer
+126 unitary UnisysUnitaryLogin
+127 locus-con LocusPC-InterfaceConnServer
+128 gss-xlicen GSSXLicenseVerification
+129 pwdgen PasswordGeneratorProtocol
+130 cisco-fna ciscoFNATIVE
+131 cisco-tna ciscoTNATIVE
+132 cisco-sys ciscoSYSMAINT
+133 statsrv StatisticsService
+134 ingres-net INGRES-NETService
+135 epmap DCEendpointresolution
+136 profile PROFILENamingSystem
+137 netbios-ns NETBIOSNameService
+138 netbios-dgm NETBIOSDatagramService
+139 netbios-ssn NETBIOSSessionService
+140 emfis-data EMFISDataService
+141 emfis-cntl EMFISControlService
+142 bl-idm Britton-LeeIDM
+143 imap InternetMessageAccessProtocol
+144 NeWS
+145 uaac UAACProtocol
+146 iso-tp0 ISO-IP0
+147 iso-ip ISO-IP
+148 jargon Jargon
+149 aed-512 AED512EmulationService
+150 sql-net SQL-NET
+151 hems HEMS
+152 bftp BackgroundFileTransferProgram
+153 sgmp SGMP
+154 netsc-prod NETSC
+155 netsc-dev NETSC
+156 sqlsrv SQLService
+157 knet-cmp KNET/VMCommand/MessageProtocol
+158 pcmail-srv PCMailServer
+159 nss-routing NSS-Routing
+160 sgmp-traps SGMP-TRAPS
+161 snmp SNMP
+162 snmptrap SNMPTRAP
+163 cmip-man CMIP/TCPManager
+164 cmip-agent CMIP/TCPAgent
+165 xns-courier Xerox
+166 s-net SiriusSystems
+167 namp NAMP
+168 rsvd RSVD
+169 send SEND
+170 print-srv NetworkPostScript
+171 multiplex NetworkInnovationsMultiplex
+172 cl/1 NetworkInnovationsCL/1
+173 xyplex-mux Xyplex
+174 mailq MAILQ
+175 vmnet VMNET
+176 genrad-mux GENRAD-MUX
+177 xdmcp XDisplayManagerControlProtocol
+178 nextstep NextStepWindowServer
+179 bgp BorderGatewayProtocol
+180 ris Intergraph
+181 unify Unify
+182 audit UnisysAuditSITP
+183 ocbinder OCBinder
+184 ocserver OCServer
+185 remote-kis Remote-KIS
+186 kis KISProtocol
+187 aci ApplicationCommunicationInterface
+188 mumps PlusFive'sMUMPS
+189 qft QueuedFileTransport
+190 gacp GatewayAccessControlProtocol
+191 prospero ProsperoDirectoryService
+192 osu-nms OSUNetworkMonitoringSystem
+193 srmp SpiderRemoteMonitoringProtocol
+194 irc InternetRelayChatProtocol
+195 dn6-nlm-aud DNSIXNetworkLevelModuleAudit
+196 dn6-smm-red DNSIXSessionMgtModuleAuditRedir
+197 dls DirectoryLocationService
+198 dls-mon DirectoryLocationServiceMonitor
+199 smux SMUX
+200 src IBMSystemResourceController
+201 at-rtmp AppleTalkRoutingMaintenance
+202 at-nbp AppleTalkNameBinding
+203 at-3 AppleTalkUnused
+204 at-echo AppleTalkEcho
+205 at-5 AppleTalkUnused
+206 at-zis AppleTalkZoneInformation
+207 at-7 AppleTalkUnused
+208 at-8 AppleTalkUnused
+209 qmtp TheQuickMailTransferProtocol
+210 z39.50 ANSIZ39.50
+211 914c/g TexasInstruments914C/GTerminal
+212 anet ATEXSSTR
+213 ipx IPX
+214 vmpwscs VMPWSCS
+215 softpc InsigniaSolutions
+216 CAIlic ComputerAssociatesInt'lLicenseServer
+217 dbase dBASEUnix
+218 mpp NetixMessagePostingProtocol
+219 uarps UnisysARPs
+220 imap3 InteractiveMailAccessProtocolv3
+221 fln-spx BerkeleyrlogindwithSPXauth
+222 rsh-spx BerkeleyrshdwithSPXauth
+223 cdc CertificateDistributionCenter
+224 Reserved
+225 Reserved
+226 Reserved
+227 Reserved
+228 Reserved
+229 Reserved
+230 Reserved
+231 Reserved
+232 Reserved
+233 Reserved
+234 Reserved
+235 Reserved
+236 Reserved
+237 Reserved
+238 Reserved
+239 Reserved
+240 Reserved
+241 Reserved
+242 direct Direct
+243 sur-meas SurveyMeasurement
+244 dayna Dayna
+245 link LINK
+246 dsp3270 DisplaySystemsProtocol
+247 subntbcst_tftp SUBNTBCST_TFTP
+248 bhfhs bhfhs
+249
+250 Reserved
+251 Reserved
+252 Reserved
+253 Reserved
+254 Reserved
+255 Reserved
+256 rap RAP
+257 set SecureElectronicTransaction
+258 yak-chat YakWinsockPersonalChat
+259 esro-gen EfficientShortRemoteOperations
+260 openport Openport
+261 nsiiops IIOPNameServiceoverTLS/SSL
+262 arcisdms Arcisdms
+263 hdap HDAP
+280 http-mgmt http-mgmt
+281 personal-link PersonalLink
+282 cableport-ax CablePortA/X
+309 entrusttime EntrustTime
+310 bhmds bhmds
+311 asip-webadmin AppleShareIPWebAdmin
+312 vslmp VSLMP
+313 magenta-logic MagentaLogic
+314 opalis-robot OpalisRobot
+315 dpsi DPSI
+316 decauth decAuth
+317 zannet Zannet
+344 pdap ProsperoDataAccessProtocol
+345 pawserv PerfAnalysisWorkbench
+346 zserv Zebraserver
+347 fatserv FatmenServer
+348 csi-sgwp CabletronManagementProtocol
+349 mftp mftp
+350 matip-type-a MATIPTypeA
+351 bhoetty bhoetty(added5/21/97)
+352 dtag-ste-sb DTAG
+353 ndsauth NDSAUTH
+354 bh611 bh611
+355 datex-asn DATEX-ASN
+356 cloanto-net-1 CloantoNet1
+357 bhevent bhevent
+358 shrinkwrap Shrinkwrap
+359 tenebris_nts TenebrisNetworkTraceService
+360 scoi2odialog scoi2odialog
+361 semantix Semantix
+362 srssend SRSSend
+363 rsvp_tunnel RSVPTunnel
+364 aurora-cmgr AuroraCMGR
+365 dtk DTK
+366 odmr ODMR
+367 mortgageware MortgageWare
+368 qbikgdp QbikGDP
+369 rpc2portmap rpc2portmap
+370 codaauth2 codaauth2
+371 clearcase Clearcase
+372 ulistproc ListProcessor
+373 legent-1 LegentCorporation
+374 legent-2 LegentCorporation
+375 hassle Hassle
+376 nip AmigaEnvoyNetworkInquiryProto
+377 tnETOS NECCorporation
+378 dsETOS NECCorporation
+379 is99c TIA/EIA/IS-99modemclient
+380 is99s TIA/EIA/IS-99modemserver
+381 hp-collector hpperformancedatacollector
+382 hp-managed-node hpperformancedatamanagednode
+383 hp-alarm-mgr hpperformancedataalarmmanager
+384 arns ARemoteNetworkServerSystem
+385 ibm-app IBMApplication
+386 asa ASAMessageRouterObjectDef.
+387 aurp AppletalkUpdate-BasedRoutingPro.
+388 unidata-ldm UnidataLDMVersion4
+389 ldap LightweightDirectoryAccessProtocol
+390 uis UIS
+391 synotics-relay SynOpticsSNMPRelayPort
+392 synotics-broker SynOpticsPortBrokerPort
+393 dis DataInterpretationSystem
+394 embl-ndt EMBLNucleicDataTransfer
+395 netcp NETscoutControlProtocol
+396 netware-ip NovellNetwareoverIP
+397 mptn MultiProtocolTrans.Net.
+398 kryptolan Kryptolan
+399 iso-tsap-c2 ISOTransportClass2Non-Controlover
+400 work-sol WorkstationSolutions
+401 ups UninterruptiblePowerSupply
+402 genie GenieProtocol
+403 decap decap
+404 nced nced
+405 ncld ncld
+406 imsp InteractiveMailSupportProtocol
+407 timbuktu Timbuktu
+408 prm-sm ProsperoResourceManagerSys.Man.
+409 prm-nm ProsperoResourceManagerNodeMan.
+410 decladebug DECLadebugRemoteDebugProtocol
+411 rmt RemoteMTProtocol
+412 synoptics-trap TrapConventionPort
+413 smsp SMSP
+414 infoseek InfoSeek
+415 bnet BNet
+416 silverplatter Silverplatter
+417 onmux Onmux
+418 hyper-g Hyper-G
+419 ariel1 Ariel
+420 smpte SMPTE
+421 ariel2 Ariel
+422 ariel3 Ariel
+423 opc-job-start IBMOperationsPlanningandControlStart
+424 opc-job-track IBMOperationsPlanningandControlTrack
+425 icad-el ICAD
+426 smartsdp smartsdp
+427 svrloc ServerLocation
+428 ocs_cmu OCS_CMU
+429 ocs_amu OCS_AMU
+430 utmpsd UTMPSD
+431 utmpcd UTMPCD
+432 iasd IASD
+433 nnsp NNSP
+434 mobileip-agent MobileIP-Agent
+435 mobilip-mn MobilIP-MN
+436 dna-cml DNA-CML
+437 comscm comscm
+438 dsfgw dsfgw
+439 dasp daspThomasObermair
+440 sgcp sgcp
+441 decvms-sysmgt decvms-sysmgt
+442 cvc_hostd cvc_hostd
+443 https httpprotocoloverTLS/SSL
+444 snpp SimpleNetworkPagingProtocol
+445 microsoft-ds Microsoft-DS
+446 ddm-rdb DDM-RDB
+447 ddm-dfm DDM-RFM
+448 ddm-ssl DDM-SSL
+449 as-servermap ASServerMapper
+450 tserver TServer
+451 sfs-smp-net CrayNetworkSemaphoreserver
+452 sfs-config CraySFSconfigserver
+453 creativeserver CreativeServer
+454 contentserver ContentServer
+455 creativepartnr CreativePartnr
+456 macon-udp macon-udp
+457 scohelp scohelp
+458 appleqtc applequicktime
+459 ampr-rcmd ampr-rcmd
+460 skronk skronk
+461 datasurfsrv DataRampSrv
+462 datasurfsrvsec DataRampSrvSec
+463 alpes alpes
+464 kpasswd kpasswd
+465 smtps smtpprotocoloverTLS/SSL(wasssmtp)
+466 digital-vrc digital-vrc
+467 mylex-mapd mylex-mapd
+468 photuris proturis
+469 rcp RadioControlProtocol
+470 scx-proxy scx-proxy
+471 mondex Mondex
+472 ljk-login ljk-login
+473 hybrid-pop hybrid-pop
+474 tn-tl-w1 tn-tl-w1
+475 tcpnethaspsrv tcpnethaspsrv
+476 tn-tl-fd1 tn-tl-fd1
+477 ss7ns ss7ns
+478 spsc spsc
+479 iafserver iafserver
+480 iafdbase iafdbase
+481 ph Phservice
+482 bgs-nsi bgs-nsi
+483 ulpnet ulpnet
+484 integra-sme IntegraSoftwareManagementEnvironment
+485 powerburst AirSoftPowerBurst
+486 avian avian
+487 saft saftSimpleAsynchronousFileTransfer
+488 gss-http gss-http
+489 nest-protocol nest-protocol
+490 micom-pfs micom-pfs
+491 go-login go-login
+492 ticf-1 TransportIndependentConvergenceforFNA
+493 ticf-2 TransportIndependentConvergenceforFNA
+494 pov-ray POV-Ray
+495 intecourier intecourier
+496 pim-rp-disc PIM-RP-DISC
+497 dantz dantz
+498 siam siam
+499 iso-ill ISOILLProtocol
+500 isakmp isakmp
+501 stmf STMF
+502 asa-appl-proto asa-appl-proto
+503 intrinsa Intrinsa
+504 citadel citadel
+505 mailbox-lm mailbox-lm
+506 ohimsrv ohimsrv
+507 crs crs
+508 xvttp xvttp
+509 snare snare
+510 fcp FirstClassProtocol
+511 mynet mynet-as
+512 exec-or-biff
+513 login-or-who
+514 shell-or-syslog
+515 printer spooler
+516 videotex videotex
+517 talk liketenexlink,butacross
+518 ntalk
+519 utime unixtime
+520 route
+521 ripng ripng
+522 ulp ULP
+523 ibm-db2 IBM-DB2
+524 ncp NCP
+525 timed timeserver
+526 tempo newdate
+527 stx StockIXChange
+528 custix CustomerIXChange
+529 irc-serv IRC-SERV
+530 courier rpc
+531 conference chat
+532 netnews readnews
+533 netwall foremergencybroadcasts
+534 mm-admin MegaMediaAdmin
+535 iiop iiop
+536 opalis-rdv opalis-rdv
+537 nmsp NetworkedMediaStreamingProtocol
+538 gdomap gdomap
+539 apertus-ldp ApertusTechnologiesLoadDetermination
+540 uucp uucpd
+541 uucp-rlogin uucp-rlogin
+542 commerce commerce
+543 klogin
+544 kshell krcmd
+545 appleqtcsrvr appleqtcsrvr
+546 dhcpv6-client DHCPv6Client
+547 dhcpv6-server DHCPv6Server
+548 afpovertcp AFPoverTCP
+549 idfp IDFP
+550 new-rwho new-who
+551 cybercash cybercash
+552 deviceshare deviceshare
+553 pirp pirp
+554 rtsp RealTimeStreamControlProtocol
+555 dsf
+556 remotefs rfsserver
+557 openvms-sysipc openvms-sysipc
+558 sdnskmp SDNSKMP
+559 teedtap TEEDTAP
+560 rmonitor rmonitord
+561 monitor
+562 chshell chcmd
+563 nntps nntpprotocoloverTLS/SSL(wassnntp)
+564 9pfs plan9fileservice
+565 whoami whoami
+566 streettalk streettalk
+567 banyan-rpc banyan-rpc
+568 ms-shuttle microsoftshuttle
+569 ms-rome microsoftrome
+570 meter demon
+571 meter udemon
+573 banyan-vip banyan-vip
+574 ftp-agent FTPSoftwareAgentSystem
+575 vemmi VEMMI
+576 ipcd ipcd
+577 vnas vnas
+578 ipdd ipdd
+579 decbsrv decbsrv
+580 sntp-heartbeat SNTPHEARTBEAT
+581 bdp BundleDiscoveryProtocol
+582 scc-security SCCSecurity
+583 philips-vc PhilipsVideo-Conferencing
+584 keyserver KeyServer
+585 imap4-ssl IMAP4+SSL(use993instead)
+586 password-chg PasswordChange
+587 submission Submission
+588 cal CAL
+589 eyelink EyeLink
+590 tns-cml TNSCML
+591 http-alt FileMaker,Inc.-HTTPAlternate(see
+592 eudora-set EudoraSet
+593 http-rpc-epmap HTTPRPCEpMap
+594 tpip TPIP
+595 cab-protocol CABProtocol
+596 smsd SMSD
+597 ptcnameservice PTCNameService
+598 sco-websrvrmg3 SCOWebServerManager3
+599 acp AeolonCoreProtocol
+600 ipcserver SunIPCserver
+606 urm CrayUnifiedResourceManager
+607 nqs nqs
+608 sift-uft Sender-Initiated/UnsolicitedFileTransfer
+609 npmp-trap npmp-trap
+610 npmp-local npmp-local
+611 npmp-gui npmp-gui
+612 hmmp-ind HMMPIndication
+613 hmmp-op HMMPOperation
+614 sshell SSLshell
+615 sco-inetmgr InternetConfigurationManager
+616 sco-sysmgr SCOSystemAdministrationServer
+617 sco-dtmgr SCODesktopAdministrationServer
+618 dei-icda DEI-ICDA
+619 digital-evm DigitalEVM
+620 sco-websrvrmgr SCOWebServerManager
+621 escp-ip ESCP
+622 collaborator Collaborator
+623 aux_bus_shunt AuxBusShunt
+624 cryptoadmin CryptoAdmin
+625 dec_dlm DECDLM
+626 asia ASIA
+627 cks-tivioli CKS&TIVIOLI
+628 qmqp QMQP
+629 3com-amp3 3ComAMP3
+630 rda RDA
+631 ipp IPP(InternetPrintingProtocol)
+632 bmpp bmpp
+633 servstat ServiceStatusupdate(SterlingSoftware)
+634 ginad ginad
+635 rlzdbase RLZDBase
+636 ldaps ldapprotocoloverTLS/SSL(wassldap)
+637 lanserver lanserver
+638 mcns-sec mcns-sec
+639 msdp MSDP
+666 mdqs
+667 disclose campaigncontributiondisclosures-SDRTechnologies
+668 mecomm MeComm
+669 meregister MeRegister
+670 vacdsm-sws VACDSM-SWS
+671 vacdsm-app VACDSM-APP
+672 vpps-qua VPPS-QUA
+673 cimplex CIMPLEX
+674 acap ACAP
+675 dctp DCTP
+676 vpps-via VPPSVia
+704 elcsd errlogcopy/serverdaemon
+705 agentx AgentX
+707 borland-dsj BorlandDSJ
+709 entrust-kmsh EntrustKeyManagementServiceHandler
+710 entrust-ash EntrustAdministrationServiceHandler
+711 cisco-tdp CiscoTDP
+729 netviewdm1 IBMNetViewDM/6000Server/Client
+730 netviewdm2 IBMNetViewDM/6000send
+731 netviewdm3 IBMNetViewDM/6000receive
+741 netgw netGW
+742 netrcs NetworkbasedRev.Cont.Sys.
+744 flexlm FlexibleLicenseManager
+747 fujitsu-dev FujitsuDeviceControl
+748 ris-cm RussellInfoSciCalendarManager
+749 kerberos-adm kerberosadministration
+750 kerberos-iv kerberosversioniv
+751 pump
+752 qrh
+753 rrh
+754 tell send
+758 nlogin
+759 con
+760 ns
+761 rxe
+762 quotad
+763 cycleserv
+764 omserv
+765 webster
+767 phonebook phone
+769 vid
+770 cadlock
+771 rtip
+772 cycleserv2
+773 notify
+774 rpasswd
+775 acmaint_transd
+776 wpages
+780 wpgs
+786 concert Concert
+787 qsc QSC
+800 mdbs_daemon
+801 device
+829 pkix-3-ca-ra PKIX-3CA/RA
+873 rsync rsync
+886 iclcnet-locate ICLcoNETionlocateserver
+887 iclcnet_svinfo ICLcoNETionserverinfo
+888 accessbuilder AccessBuilder
+900 omginitialrefs OMGInitialRefs
+911 xact-backup xact-backup
+989 ftps-data ftpprotocol,data,overTLS/SSL
+990 ftps ftpprotocol,control,overTLS/SSL
+991 nas NetnewsAdministrationSystem
+992 telnets telnetprotocoloverTLS/SSL
+993 imaps imap4protocoloverTLS/SSL
+994 ircs ircprotocoloverTLS/SSL
+995 pop3s pop3protocoloverTLS/SSL(wasspop3)
+996 vsinet vsinet
+997 maitrd
+998 busboy
+999 garcon
+1000 cadlock
+1008 ufsd
+1010 surf surf
+1011 Reserved
+1012 Reserved
+1013 Reserved
+1014 Reserved
+1015 Reserved
+1016 Reserved
+1017 Reserved
+1018 Reserved
+1019 Reserved
+1020 Reserved
+1021 Reserved
+1022 Reserved
+1025 blackjack networkblackjack
+1030 iad1 BBNIAD
+1031 iad2 BBNIAD
+1032 iad3 BBNIAD
+1047 neod1 Sun'sNEOObjectRequestBroker
+1048 neod2 Sun'sNEOObjectRequestBroker
+1058 nim nim
+1059 nimreg nimreg
+1067 instl_boots InstallationBootstrapProto.Serv.
+1068 instl_bootc InstallationBootstrapProto.Cli.
+1080 socks Socks
+1083 ansoft-lm-1 AnasoftLicenseManager
+1084 ansoft-lm-2 AnasoftLicenseManager
+1099 rmiSun
+1103 xaudio
+1110 nfsd-status Clusterstatusinfo
+1111 lmsocialserver LMSocialServer
+1123 murray Murray
+1155 nfa NetworkFileAccess
+1161 health-polling HealthPolling
+1162 health-trap HealthTrap
+1180 mc-client MillicentClientProxy
+1212 lupa lupa
+1222 nerv SNIR&Dnetwork
+1234 search-agent InfoseekSearchAgent
+1239 nmsd NMSD
+1248 hermes
+1300 h323hostcallsc H323HostCallSecure
+1313 bmc_patroldb BMC_PATROLDB
+1314 pdps PhotoscriptDistributedPrintingSystem
+1345 vpjp VPJP
+1346 alta-ana-lm AltaAnalyticsLicenseManager
+1347 bbn-mmc multimediaconferencing
+1348 bbn-mmx multimediaconferencing
+1349 sbook RegistrationNetworkProtocol
+1350 editbench RegistrationNetworkProtocol
+1351 equationbuilder DigitalToolWorks(MIT)
+1352 lotusnote LotusNote
+1353 relief ReliefConsulting
+1354 rightbrain RightBrainSoftware
+1355 intuitive-edge IntuitiveEdge
+1356 cuillamartin CuillaMartinCompany
+1357 pegboard ElectronicPegBoard
+1358 connlcli CONNLCLI
+1359 ftsrv FTSRV
+1360 mimer MIMER
+1361 linx LinX
+1362 timeflies TimeFlies
+1363 ndm-requester NetworkDataMoverRequester
+1364 ndm-server NetworkDataMoverServer
+1365 adapt-sna NetworkSoftwareAssociates
+1366 netware-csp NovellNetWareCommServicePlatform
+1367 dcs DCS
+1368 screencast ScreenCast
+1369 gv-us GlobalViewtoUnixShell
+1370 us-gv UnixShelltoGlobalView
+1371 fc-cli FujitsuConfigProtocol
+1372 fc-ser FujitsuConfigProtocol
+1373 chromagrafx Chromagrafx
+1374 molly EPISoftwareSystems
+1375 bytex Bytex
+1376 ibm-pps IBMPersontoPersonSoftware
+1377 cichlid CichlidLicenseManager
+1378 elan ElanLicenseManager
+1379 dbreporter IntegritySolutions
+1380 telesis-licman TelesisNetworkLicenseManager
+1381 apple-licman AppleNetworkLicenseManager
+1382 udt_os
+1383 gwha GWHannawayNetworkLicenseManager
+1384 os-licman ObjectiveSolutionsLicenseManager
+1385 atex_elmd AtexPublishingLicenseManager
+1386 checksum CheckSumLicenseManager
+1387 cadsi-lm ComputerAidedDesignSoftwareIncLM
+1388 objective-dbc ObjectiveSolutionsDataBaseCache
+1389 iclpv-dm DocumentManager
+1390 iclpv-sc StorageController
+1391 iclpv-sas StorageAccessServer
+1392 iclpv-pm PrintManager
+1393 iclpv-nls NetworkLogServer
+1394 iclpv-nlc NetworkLogClient
+1395 iclpv-wsm PCWorkstationManagersoftware
+1396 dvl-activemail DVLActiveMail
+1397 audio-activmail AudioActiveMail
+1398 video-activmail VideoActiveMail
+1399 cadkey-licman CadkeyLicenseManager
+1400 cadkey-tablet CadkeyTabletDaemon
+1401 goldleaf-licman GoldleafLicenseManager
+1402 prm-sm-np ProsperoResourceManager
+1403 prm-nm-np ProsperoResourceManager
+1404 igi-lm InfiniteGraphicsLicenseManager
+1405 ibm-res IBMRemoteExecutionStarter
+1406 netlabs-lm NetLabsLicenseManager
+1407 dbsa-lm DBSALicenseManager
+1408 sophia-lm SophiaLicenseManager
+1409 here-lm HereLicenseManager
+1410 hiq HiQLicenseManager
+1411 af AudioFile
+1412 innosys InnoSys
+1413 innosys-acl Innosys-ACL
+1414 ibm-mqseries IBMMQSeries
+1415 dbstar DBStar
+1416 novell-lu6.2 NovellLU6.2
+1417 timbuktu-srv1 TimbuktuService1Port
+1418 timbuktu-srv2 TimbuktuService2Port
+1419 timbuktu-srv3 TimbuktuService3Port
+1420 timbuktu-srv4 TimbuktuService4Port
+1421 gandalf-lm GandalfLicenseManager
+1422 autodesk-lm AutodeskLicenseManager
+1423 essbase EssbaseArborSoftware
+1424 hybrid HybridEncryptionProtocol
+1425 zion-lm ZionSoftwareLicenseManager
+1426 sais Satellite-dataAcquisitionSystem1
+1427 mloadd mloaddmonitoringtool
+1428 informatik-lm InformatikLicenseManager
+1429 nms HypercomNMS
+1430 tpdu HypercomTPDU
+1431 rgtp ReverseGossipTransport
+1432 blueberry-lm BlueberrySoftwareLicenseManager
+1433 ms-sql-s Microsoft-SQL-Server
+1434 ms-sql-m Microsoft-SQL-Monitor
+1435 ibm-cics IBMCICS
+1436 saism Satellite-dataAcquisitionSystem2
+1437 tabula Tabula
+1438 eicon-server EiconSecurityAgent/Server
+1439 eicon-x25 EiconX25/SNAGateway
+1440 eicon-slp EiconServiceLocationProtocol
+1441 cadis-1 CadisLicenseManagement
+1442 cadis-2 CadisLicenseManagement
+1443 ies-lm IntegratedEngineeringSoftware
+1444 marcam-lm MarcamLicenseManagement
+1445 proxima-lm ProximaLicenseManager
+1446 ora-lm OpticalResearchAssociatesLicenseManager
+1447 apri-lm AppliedParallelResearchLM
+1448 oc-lm OpenConnectLicenseManager
+1449 peport PEport
+1450 dwf TandemDistributedWorkbenchFacility
+1451 infoman IBMInformationManagement
+1452 gtegsc-lm GTEGovernmentSystemsLicenseMan
+1453 genie-lm GenieLicenseManager
+1454 interhdl_elmd interHDLLicenseManager
+1455 esl-lm ESLLicenseManager
+1456 dca DCA
+1457 valisys-lm ValisysLicenseManager
+1458 nrcabq-lm NicholsResearchCorp.
+1459 proshare1 ProshareNotebookApplication
+1460 proshare2 ProshareNotebookApplication
+1461 ibm_wrless_lan IBMWirelessLAN
+1462 world-lm WorldLicenseManager
+1463 nucleus Nucleus
+1464 msl_lmd MSLLicenseManager
+1465 pipes PipesPlatformmfarlin@peerlogic.com
+1466 oceansoft-lm OceanSoftwareLicenseManager
+1467 csdmbase CSDMBASE
+1468 csdm CSDM
+1469 aal-lm ActiveAnalysisLimitedLicenseManager
+1470 uaiact UniversalAnalytics
+1471 csdmbase csdmbase
+1472 csdm csdm
+1473 openmath OpenMath
+1474 telefinder Telefinder
+1475 taligent-lm TaligentLicenseManager
+1476 clvm-cfg clvm-cfg
+1477 ms-sna-server ms-sna-server
+1478 ms-sna-base ms-sna-base
+1479 dberegister dberegister
+1480 pacerforum PacerForum
+1481 airs AIRS
+1482 miteksys-lm MiteksysLicenseManager
+1483 afs AFSLicenseManager
+1484 confluent ConfluentLicenseManager
+1485 lansource LANSource
+1486 nms_topo_serv nms_topo_serv
+1487 localinfosrvr LocalInfoSrvr
+1488 docstor DocStor
+1489 dmdocbroker dmdocbroker
+1490 insitu-conf insitu-conf
+1491 anynetgateway anynetgateway
+1492 stone-design-1 stone-design-1
+1493 netmap_lm netmap_lm
+1494 ica ica
+1495 cvc cvc
+1496 liberty-lm liberty-lm
+1497 rfx-lm rfx-lm
+1498 sybase-sqlany SybaseSQLAny
+1499 fhc FedericoHeinzConsultora
+1500 vlsi-lm VLSILicenseManager
+1501 saiscm Satellite-dataAcquisitionSystem3
+1502 shivadiscovery Shiva
+1503 imtc-mcs Databeam
+1504 evb-elm EVBSoftwareEngineeringLicenseManager
+1505 funkproxy FunkSoftware,Inc.
+1506 utcd UniversalTimedaemon(utcd)
+1507 symplex symplex
+1508 diagmond diagmond
+1509 robcad-lm Robcad,Ltd.LicenseManager
+1510 mvx-lm MidlandValleyExplorationLtd.Lic.Man.
+1511 3l-l1 3l-l1
+1512 wins Microsoft'sWindowsInternetNameService
+1513 fujitsu-dtc FujitsuSystemsBusinessofAmerica,Inc
+1514 fujitsu-dtcns FujitsuSystemsBusinessofAmerica,Inc
+1515 ifor-protocol ifor-protocol
+1516 vpad VirtualPlacesAudiodata
+1517 vpac VirtualPlacesAudiocontrol
+1518 vpvd VirtualPlacesVideodata
+1519 vpvc VirtualPlacesVideocontrol
+1520 atm-zip-office atmzipoffice
+1521 ncube-lm nCubeLicenseManager
+1522 ricardo-lm RicardoNorthAmericaLicenseManager
+1523 cichild-lm cichild
+1524 ingreslock ingres
+1525 orasrv oracle
+1526 pdap-np ProsperoDataAccessProtnon-priv
+1527 tlisrv oracle
+1528 mciautoreg micautoreg
+1529 coauthor oracle
+1530 rap-service rap-service
+1531 rap-listen rap-listen
+1532 miroconnect miroconnect
+1533 virtual-places VirtualPlacesSoftware
+1534 micromuse-lm micromuse-lm
+1535 ampr-info ampr-info
+1536 ampr-inter ampr-inter
+1537 sdsc-lm isi-lm
+1538 3ds-lm 3ds-lm
+1539 intellistor-lm IntellistorLicenseManager
+1540 rds rds
+1541 rds2 rds2
+1542 gridgen-elmd gridgen-elmd
+1543 simba-cs simba-cs
+1544 aspeclmd aspeclmd
+1545 vistium-share vistium-share
+1546 abbaccuray abbaccuray
+1547 laplink laplink
+1548 axon-lm AxonLicenseManager
+1549 shivahose ShivaHose
+1550 3m-image-lm ImageStoragelicensemanager3MCompany
+1551 hecmtl-db HECMTL-DB
+1552 pciarray pciarray
+1553 sna-cs sna-cs
+1554 caci-lm CACIProductsCompanyLicenseManager
+1555 livelan livelan
+1556 ashwin AshWinCITecnologies
+1557 arbortext-lm ArborTextLicenseManager
+1558 xingmpeg xingmpeg
+1559 web2host web2host
+1560 asci-val asci-val
+1561 facilityview facilityview
+1562 pconnectmgr pconnectmgr
+1563 cadabra-lm CadabraLicenseManager
+1564 pay-per-view Pay-Per-View
+1565 winddlb WinDD
+1566 corelvideo CORELVIDEO
+1567 jlicelmd jlicelmd
+1568 tsspmap tsspmap
+1569 ets ets
+1570 orbixd orbixd
+1571 rdb-dbs-disp OracleRemoteDataBase
+1572 chip-lm ChipcomLicenseManager
+1573 itscomm-ns itscomm-ns
+1574 mvel-lm mvel-lm
+1575 oraclenames oraclenames
+1576 moldflow-lm moldflow-lm
+1577 hypercube-lm hypercube-lm
+1578 jacobus-lm JacobusLicenseManager
+1579 ioc-sea-lm ioc-sea-lm
+1580 tn-tl-r2 tn-tl-r2
+1581 mil-2045-47001 MIL-2045-47001
+1582 msims MSIMS
+1583 simbaexpress simbaexpress
+1584 tn-tl-fd2 tn-tl-fd2
+1585 intv intv
+1586 ibm-abtact ibm-abtact
+1587 pra_elmd pra_elmd
+1588 triquest-lm triquest-lm
+1589 vqp VQP
+1590 gemini-lm gemini-lm
+1591 ncpm-pm ncpm-pm
+1592 commonspace commonspace
+1593 mainsoft-lm mainsoft-lm
+1594 sixtrak sixtrak
+1595 radio radio
+1596 radio-bc radio-bc
+1597 orbplus-iiop orbplus-iiop
+1598 picknfs picknfs
+1599 simbaservices simbaservices
+1600 issd
+1601 aas aas
+1602 inspect inspect
+1603 picodbc pickodbc
+1604 icabrowser icabrowser
+1605 slp SalutationManager(SalutationProtocol)
+1606 slm-api SalutationManager(SLM-API)
+1607 stt stt
+1608 smart-lm SmartCorp.LicenseManager
+1609 isysg-lm isysg-lm
+1610 taurus-wh taurus-wh
+1611 ill InterLibraryLoan
+1612 netbill-trans NetBillTransactionServer
+1613 netbill-keyrep NetBillKeyRepository
+1614 netbill-cred NetBillCredentialServer
+1615 netbill-auth NetBillAuthorizationServer
+1616 netbill-prod NetBillProductServer
+1617 nimrod-agent NimrodInter-AgentCommunication
+1618 skytelnet skytelnet
+1619 xs-openstorage xs-openstorage
+1620 faxportwinport faxportwinport
+1621 softdataphone softdataphone
+1622 ontime ontime
+1623 jaleosnd jaleosnd
+1624 udp-sr-port udp-sr-port
+1625 svs-omagent svs-omagent
+1630 oraclenet8cman OracleNet8Cman
+1636 cncp CableNetControlProtocol
+1637 cnap CableNetAdminProtocol
+1638 cnip CableNetInfoProtocol
+1639 cert-initiator cert-initiator
+1640 cert-responder cert-responder
+1641 invision InVision
+1642 isis-am isis-am
+1643 isis-ambc isis-ambc
+1644 saiseh Satellite-dataAcquisitionSystem4
+1645 datametrics datametrics
+1646 sa-msg-port sa-msg-port
+1647 rsap rsap
+1648 concurrent-lm concurrent-lm
+1649 inspect inspect
+1650 nkd nkd
+1651 shiva_confsrvr shiva_confsrvr
+1652 xnmp xnmp
+1653 alphatech-lm alphatech-lm
+1654 stargatealerts stargatealerts
+1655 dec-mbadmin dec-mbadmin
+1656 dec-mbadmin-h dec-mbadmin-h
+1657 fujitsu-mmpdc fujitsu-mmpdc
+1658 sixnetudr sixnetudr
+1659 sg-lm SiliconGrailLicenseManager
+1660 skip-mc-gikreq skip-mc-gikreq
+1661 netview-aix-1 netview-aix-1
+1662 netview-aix-2 netview-aix-2
+1663 netview-aix-3 netview-aix-3
+1664 netview-aix-4 netview-aix-4
+1665 netview-aix-5 netview-aix-5
+1666 netview-aix-6 netview-aix-6
+1667 netview-aix-7 netview-aix-7
+1668 netview-aix-8 netview-aix-8
+1669 netview-aix-9 netview-aix-9
+1670 netview-aix-10 netview-aix-10
+1671 netview-aix-11 netview-aix-11
+1672 netview-aix-12 netview-aix-12
+1673 proshare-mc-1 IntelProshareMulticast
+1674 proshare-mc-2 IntelProshareMulticast
+1675 pdp PacificDataProducts
+1676 netcomm1 netcomm1
+1677 groupwise groupwise
+1678 prolink prolink
+1679 darcorp-lm darcorp-lm
+1680 microcom-sbp microcom-sbp
+1681 sd-elmd sd-elmd
+1682 lanyon-lantern lanyon-lantern
+1683 ncpm-hip ncpm-hip
+1684 snaresecure SnareSecure
+1685 n2nremote n2nremote
+1686 cvmon cvmon
+1687 nsjtp-ctrl nsjtp-ctrl
+1688 nsjtp-data nsjtp-data
+1689 firefox firefox
+1690 ng-umds ng-umds
+1691 empire-empuma empire-empuma
+1692 sstsys-lm sstsys-lm
+1693 rrirtr rrirtr
+1694 rrimwm rrimwm
+1695 rrilwm rrilwm
+1696 rrifmm rrifmm
+1697 rrisat rrisat
+1698 rsvp-encap-1 RSVP-ENCAPSULATION-1
+1699 rsvp-encap-2 RSVP-ENCAPSULATION-2
+1700 mps-raft mps-raft
+1701 l2f l2f
+1702 deskshare deskshare
+1703 hb-engine hb-engine
+1704 bcs-broker bcs-broker
+1705 slingshot slingshot
+1706 jetform jetform
+1707 vdmplay vdmplay
+1708 gat-lmd gat-lmd
+1709 centra centra
+1710 impera impera
+1711 pptconference pptconference
+1712 registrar resourcemonitoringservice
+1713 conferencetalk ConferenceTalk
+1714 sesi-lm sesi-lm
+1715 houdini-lm houdini-lm
+1716 xmsg xmsg
+1717 fj-hdnet fj-hdnet
+1718 h323gatedisc h323gatedisc
+1719 h323gatestat h323gatestat
+1720 h323hostcall h323hostcall
+1721 caicci caicci
+1722 hks-lm HKSLicenseManager
+1723 pptp pptp
+1724 csbphonemaster csbphonemaster
+1725 iden-ralp iden-ralp
+1726 iberiagames IBERIAGAMES
+1727 winddx winddx
+1728 telindus TELINDUS
+1729 citynl CityNLLicenseManagement
+1730 roketz roketz
+1731 msiccp MSICCP
+1732 proxim proxim
+1733 siipat SIMS-SIIPATProtocolforAlarm
+1734 cambertx-lm CamberCorporationLicenseManagement
+1735 privatechat PrivateChat
+1736 street-stream street-stream
+1737 ultimad ultimad
+1738 gamegen1 GameGen1
+1739 webaccess webaccess
+1740 encore encore
+1741 cisco-net-mgmt cisco-net-mgmt
+1742 3Com-nsd 3Com-nsd
+1743 cinegrfx-lm CinemaGraphicsLicenseManager
+1744 ncpm-ft ncpm-ft
+1745 remote-winsock remote-winsock
+1746 ftrapid-1 ftrapid-1
+1747 ftrapid-2 ftrapid-2
+1748 oracle-em1 oracle-em1
+1749 aspen-services aspen-services
+1750 sslp SimpleSocketLibrary'sPortMaster
+1751 swiftnet SwiftNet
+1752 lofr-lm LeapofFaithResearchLicenseManager
+1753 translogic-lm TranslogicLicenseManager
+1754 oracle-em2 oracle-em2
+1755 ms-streaming ms-streaming
+1756 capfast-lmd capfast-lmd
+1757 cnhrp cnhrp
+1758 tftp-mcast tftp-mcast
+1759 spss-lm SPSSLicenseManager
+1760 www-ldap-gw www-ldap-gw
+1761 cft-0 cft-0
+1762 cft-1 cft-1
+1763 cft-2 cft-2
+1764 cft-3 cft-3
+1765 cft-4 cft-4
+1766 cft-5 cft-5
+1767 cft-6 cft-6
+1768 cft-7 cft-7
+1769 bmc-net-adm bmc-net-adm
+1770 bmc-net-svc bmc-net-svc
+1771 vaultbase vaultbase
+1772 essweb-gw EssWebGateway
+1773 kmscontrol KMSControl
+1774 global-dtserv global-dtserv
+1775 Unknown
+1776 femis FederalEmergencyManagementInformationSystem
+1777 powerguardian powerguardian
+1778 prodigy-intrnet prodigy-internet
+1779 pharmasoft pharmasoft
+1780 dpkeyserv dpkeyserv
+1781 answersoft-lm answersoft-lm
+1782 hp-hcip hp-hcip
+1783 fjris FujitsuRemoteInstallService
+1784 finle-lm FinleLicenseManager
+1785 windlm WindRiverSystemsLicenseManager
+1786 funk-logger funk-logger
+1787 funk-license funk-license
+1788 psmond psmond
+1789 hello hello
+1790 nmsp NarrativeMediaStreamingProtocol
+1791 ea1 EA1
+1792 ibm-dt-2 ibm-dt-2
+1793 rsc-robot rsc-robot
+1794 cera-bcm cera-bcm
+1795 dpi-proxy dpi-proxy
+1796 vocaltec-admin VocaltecServerAdministration
+1797 uma UMA
+1798 etp EventTransferProtocol
+1799 netrisk NETRISK
+1800 ansys-lm ANSYS-Licensemanager
+1801 msmq MicrosoftMessageQue
+1802 concomp1 ConComp1
+1803 hp-hcip-gwy HP-HCIP-GWY
+1804 enl ENL
+1805 enl-name ENL-Name
+1806 musiconline Musiconline
+1807 fhsp FujitsuHotStandbyProtocol
+1808 oracle-vp2 Oracle-VP2
+1809 oracle-vp1 Oracle-VP1
+1810 jerand-lm JerandLicenseManager
+1811 scientia-sdb Scientia-SDB
+1812 radius RADIUS
+1813 radius-acct RADIUSAccounting
+1814 tdp-suite TDPSuite
+1815 mmpft MMPFT
+1816 harp HARP
+1818 etftp EnhancedTrivialFileTransferProtocol
+1819 plato-lm PlatoLicenseManager
+1820 mcagent mcagent
+1821 donnyworld donnyworld
+1822 es-elmd es-elmd
+1823 unisys-lm UnisysNaturalLanguageLicenseManager
+1824 metrics-pas metrics-pas
+1850 gsi GSI
+1860 sunscalar-svc SunSCALARServices
+1861 lecroy-vicp LeCroyVICP
+1862 techra-server techra-server
+1863 msnp MSNP
+1864 paradym-31port Paradym31Port
+1865 entp ENTP
+1870 sunscalar-dns SunSCALARDNSService
+1881 ibm-mqseries2 IBMMQSeries
+1901 fjicl-tep-a FujitsuICLTerminalEmulatorProgramA
+1902 fjicl-tep-b FujitsuICLTerminalEmulatorProgramB
+1903 linkname LocalLinkNameResolution
+1904 fjicl-tep-c FujitsuICLTerminalEmulatorProgramC
+1905 sugp SecureUP.LinkGatewayProtocol
+1906 tpmd TPortMapperReq
+1907 intrastar IntraSTAR
+1908 dawn Dawn
+1909 global-wlink GlobalWorldLink
+1911 mtp StarlightNetworksMultimediaTransportProtocol
+1913 armadp armadp
+1914 elm-momentum Elm-Momentum
+1915 facelink FACELINK
+1916 persona PersoftPersona
+1917 noagent nOAgent
+1918 can-nds CandleDirectoryService-NDS
+1919 can-dch CandleDirectoryService-DCH
+1920 can-ferret CandleDirectoryService-FERRET
+1921 noadmin NoAdmin
+1944 close-combat close-combat
+1945 dialogic-elmd dialogic-elmd
+1946 tekpls tekpls
+1947 hlserver hlserver
+1948 eye2eye eye2eye
+1949 ismaeasdaqlive ISMAEasdaqLive
+1950 ismaeasdaqtest ISMAEasdaqTest
+1951 bcs-lmserver bcs-lmserver
+1973 dlsrap DataLinkSwitchingRemoteAccessProtocol
+1985 hsrp HotStandbyRouterProtocol
+1986 licensedaemon ciscolicensemanagement
+1987 tr-rsrb-p1 ciscoRSRBPriority1port
+1988 tr-rsrb-p2 ciscoRSRBPriority2port
+1989 tr-rsrb-p3 ciscoRSRBPriority3port
+1990 stun-p1 ciscoSTUNPriority1port
+1991 stun-p2 ciscoSTUNPriority2port
+1992 stun-p3 ciscoSTUNPriority3port
+1993 snmp-tcp-port ciscoSNMPTCPport
+1994 stun-port ciscoserialtunnelport
+1995 perf-port ciscoperfport
+1996 tr-rsrb-port ciscoRemoteSRBport
+1997 gdp-port ciscoGatewayDiscoveryProtocol
+1998 x25-svc-port ciscoX.25service(XOT)
+1999 tcp-id-port ciscoidentificationport
+2000 callbook
+2001 dc
+2002 globe
+2004 mailbox
+2005 berknet
+2006 invokator
+2007 dectalk
+2008 conf
+2009 news
+2010 search
+2011 raid-cc raid
+2012 ttyinfo
+2013 raid-am
+2014 troff
+2015 cypress
+2016 bootserver
+2017 cypress-stat
+2018 terminaldb
+2019 whosockami
+2020 xinupageserver
+2021 servexec
+2022 down
+2023 xinuexpansion3
+2024 xinuexpansion4
+2025 ellpack
+2026 scrabble
+2027 shadowserver
+2028 submitserver
+2030 device2
+2032 blackboard
+2033 glogger
+2034 scoremgr
+2035 imsldoc
+2038 objectmanager
+2040 lam
+2041 interbase
+2042 isis isis
+2043 isis-bcast isis-bcast
+2044 rimsl
+2045 cdfunc
+2046 sdfunc
+2047 dls
+2048 dls-monitor
+2049 nfsd-or-shilp
+2065 dlsrpn DataLinkSwitchReadPortNumber
+2067 dlswpn DataLinkSwitchWritePortNumber
+2090 lrp LoadReportProtocol
+2091 prp PRP
+2102 zephyr-srv Zephyrserver
+2103 zephyr-clt Zephyrserv-hmconnection
+2104 zephyr-hm Zephyrhostmanager
+2105 minipay MiniPay
+2180 mc-gt-srv MillicentVendorGatewayServer
+2200 ici ICI
+2201 ats AdvancedTrainingSystemProgram
+2202 imtc-map Int.MultimediaTeleconferencingCosortium
+2213 kali Kali
+2220 ganymede Ganymede
+2221 unreg-ab1 Allen-Bradleyunregisteredport
+2222 unreg-ab2 Allen-Bradleyunregisteredport
+2223 inreg-ab3 Allen-Bradleyunregisteredport
+2232 ivs-video IVSVideodefault
+2233 infocrypt INFOCRYPT
+2234 directplay DirectPlay
+2235 sercomm-wlink Sercomm-WLink
+2236 nani Nani
+2237 optech-port1-lm OptechPort1LicenseManager
+2238 aviva-sna AVIVASNASERVER
+2239 imagequery ImageQuery
+2240 recipe RECIPe
+2241 ivsd IVSDaemon
+2242 foliocorp FolioRemoteServer
+2279 xmquery xmquery
+2280 lnvpoller LNVPOLLER
+2281 lnvconsole LNVCONSOLE
+2282 lnvalarm LNVALARM
+2283 lnvstatus LNVSTATUS
+2284 lnvmaps LNVMAPS
+2285 lnvmailmon LNVMAILMON
+2286 nas-metering NAS-Metering
+2287 dna DNA
+2288 netml NETML
+2295 advant-lm AdvantLicenseManager
+2296 theta-lm ThetaLicenseManager(Rainbow)
+2297 d2k-datamover1 D2KDataMover1
+2298 d2k-datamover2 D2KDataMover2
+2299 pc-telecommute PCTelecommute
+2300 cvmmon CVMMON
+2301 cpq-wbem CompaqHTTP
+2302 binderysupport BinderySupport
+2303 proxy-gateway ProxyGateway
+2304 attachmate-uts AttachmateUTS
+2305 mt-scaleserver MTScaleServer
+2306 tappi-boxnet TAPPIBoxNet
+2307 pehelp pehelp
+2308 sdhelp sdhelp
+2309 sdserver SDServer
+2310 sdclient SDClient
+2311 messageservice MessageService
+2313 iapp IAPP(InterAccessPointProtocol)
+2314 cr-websystems CRWebSystems
+2315 precise-sft PreciseSft.
+2316 sent-lm SENTLicenseManager
+2317 attachmate-g32 AttachmateG32
+2318 cadencecontrol CadenceControl
+2319 infolibria InfoLibria
+2320 siebel-ns SiebelNS
+2321 rdlap RDLAPoverUDP
+2322 ofsd ofsd
+2323 3d-nfsd 3d-nfsd
+2324 cosmocall Cosmocall
+2325 designspace-lm DesignSpaceLicenseManagement
+2326 idcp IDCP
+2327 xingcsm xingcsm
+2328 netrix-sftm NetrixSFTM
+2329 nvd NVD
+2330 tscchat TSCCHAT
+2331 agentview AGENTVIEW
+2332 rcc-host RCCHost
+2333 snapp SNAPP
+2334 ace-client ACEClientAuth
+2335 ace-proxy ACEProxy
+2336 appleugcontrol AppleUGControl
+2337 ideesrv ideesrv
+2338 norton-lambert NortonLambert
+2339 3com-webview 3ComWebView
+2340 wrs_registry WRSRegistry
+2341 xiostatus XIOStatus
+2342 manage-exec SeagateManageExec
+2343 nati-logos natilogos
+2344 fcmsys fcmsys
+2345 dbm dbm
+2346 redstorm_join GameConnectionPort
+2347 redstorm_find GameAnnouncementandLocation
+2348 redstorm_info Informationtoqueryforgamestatus
+2349 redstorm_diag DisgnosticsPort
+2350 psbserver psbserver
+2351 psrserver psrserver
+2352 pslserver pslserver
+2353 pspserver pspserver
+2354 psprserver psprserver
+2355 psdbserver psdbserver
+2356 gxtelmd GXTLicenseManagemant
+2357 unihub-server UniHubServer
+2358 futrix Futrix
+2359 flukeserver FlukeServer
+2389 ovsessionmgr OpenViewSessionMgr
+2390 rsmtp RSMTP
+2391 3com-net-mgmt 3COMNetManagement
+2392 tacticalauth TacticalAuth
+2393 ms-olap1 MSOLAP1
+2394 ms-olap2 MSOLAP2
+2395 lan900_remote LAN900Remote
+2396 wusage Wusage
+2397 ncl NCL
+2398 orbiter Orbiter
+2399 fmpro-fdal FileMaker,Inc.-DataAccessLayer
+2400 opequus-server OpEquusServer
+2401 cvspserver cvspserver
+2402 taskmaster2000 TaskMaster2000Server
+2403 taskmaster2000 TaskMaster2000Web
+2404 iec870-5-104 IEC870-5-104
+2405 trc-netpoll TRCNetpoll
+2406 jediserver JediServer
+2407 orion Orion
+2408 optimanet OptimaNet
+2409 sns-protocol SNSProtocol
+2410 vrts-registry VRTSRegistry
+2411 netwave-ap-mgmt NetwaveAPManagement
+2412 cdn CDN
+2413 orion-rmi-reg orion-rmi-reg
+2414 interlingua Interlingua
+2415 comtest COMTEST
+2416 rmtserver RMTServer
+2417 composit-server CompositServer
+2418 cas cas
+2419 attachmate-s2s AttachmateS2S
+2420 dslremote-mgmt DSLRemoteManagement
+2421 g-talk G-Talk
+2422 crmsbits CRMSBITS
+2423 rnrp RNRP
+2424 kofax-svr KOFAX-SVR
+2425 fjitsuappmgr FujitsuAppManager
+2426 appliantudp AppliantUDP
+2427 stgcp SimpletelephonyGatewayControlProtocol
+2428 ott OneWayTripTime
+2429 ft-role FT-ROLE
+2430 venus venus
+2431 venus-se venus-se
+2432 codasrv codasrv
+2433 codasrv-se codasrv-se
+2434 pxc-epmap pxc-epmap
+2435 optilogic OptiLogic
+2436 topx TOP/X
+2437 unicontrol UniControl
+2438 msp MSP
+2439 sybasedbsynch SybaseDBSynch
+2440 spearway SpearwayLockser
+2441 pvsw-inet pvsw-inet
+2442 netangel Netangel
+2500 rtsserv ResourceTrackingsystemserver
+2501 rtsclient ResourceTrackingsystemclient
+2524 optiwave-lm OptiwaveLicenseManagement
+2525 ms-v-worlds MSV-Worlds
+2526 ema-sent-lm EMALicenseManager
+2527 iqserver IQServer
+2528 ncr_ccl NCRCCL
+2529 utsftp UTSFTP
+2530 vrcommerce VRCommerce
+2531 ito-e-gui ITO-EGUI
+2532 ovtopmd OVTOPMD
+2534 combox-web-acc ComboxWebAccess
+2564 hp-3000-telnet HP3000NS/VTblockmodetelnet
+2592 netrek netrek
+2593 mns-mail MNSMailNoticeService
+2628 dict DICT
+2629 sitaraserver SitaraServer
+2630 sitaramgmt SitaraManagement
+2631 sitaradir SitaraDir
+2632 irdg-post IRdgPost
+2633 interintelli InterIntelli
+2634 pk-electronics PKElectronics
+2635 backburner BackBurner
+2636 solve Solve
+2637 imdocsvc ImportDocumentService
+2638 sybaseanywhere SybaseAnywhere
+2639 aminet AMInet
+2640 sai_sentlm SabbaghAssociatesLicenceManager
+2641 hdl-srv HDLServer
+2642 tragic Tragic
+2643 gte-samp GTE-SAMP
+2644 travsoft-ipx-t TravsoftIPXTunnel
+2645 novell-ipx-cmd NovellIPXCMD
+2646 and-lm ANDLicenceManager
+2647 syncserver SyncServer
+2648 upsnotifyprot Upsnotifyprot
+2649 vpsipport VPSIPPORT
+2650 eristwoguns eristwoguns
+2651 ebinsite EBInSite
+2652 interpathpanel InterPathPanel
+2653 sonus Sonus
+2654 corel_vncadmin CorelVNCAdmin
+2655 unglue UNIXNtGlue
+2656 kana Kana
+2657 sns-dispatcher SNSDispatcher
+2658 sns-admin SNSAdmin
+2659 sns-query SNSQuery
+2700 tqdata tqdata
+2766 listen
+2784 www-dev worldwideweb-development
+2785 aic-np aic-np
+2786 aic-oncrpc aic-oncrpc-DestinyMCDdatabase
+2787 piccolo piccolo-CornerstoneSoftware
+2788 fryeserv NetWareLoadableModule-SeagateSoftware
+2908 mao mao
+2909 funk-dialout FunkDialout
+2910 tdaccess TDAccess
+2911 blockade Blockade
+2912 epicon Epicon
+2913 boosterware BoosterWare
+2914 gamelobby GameLobby
+2915 tksocket TKSocket
+2916 elvin_server ElvinServer
+2917 elvin_client ElvinClient
+2918 kastenchasepad KastenChasePad
+2971 netclip NetClip
+2972 pmsm-webrctl PMSMWebrctl
+2973 svnetworks SVNetworks
+2974 signal Signal
+2975 fjmpcm FujitsuConfigurationManagementService
+2998 realsecure RealSecure
+3000 hbci HBCI
+3001 redwood-broker RedwoodBroker
+3002 exlm-agent EXLMAgent
+3003 cgms CGMS
+3004 csoftragent CsoftAgent
+3005 geniuslm GeniusLicenseManager
+3006 ii-admin InstantInternetAdmin
+3007 lotusmtap LotusMailTrackingAgentProtocol
+3008 midnight-tech MidnightTechnologies
+3009 pxc-ntfy PXC-NTFY
+3010 gw TelerateWorkstation
+3011 trusted-web TrustedWeb
+3012 twsdss TrustedWebClient
+3013 gilatskysurfer GilatSkySurfer
+3014 broker_service BrokerService
+3015 nati-dstp NATIDSTP
+3016 notify_srvr NotifyServer
+3017 event_listener EventListener
+3018 srvc_registry ServiceRegistry
+3019 resource_mgr ResourceManager
+3020 cifs CIFS
+3021 agriserver AGRIServer
+3047 hlserver FastSecurityHLServer
+3048 pctrader SierraNetPCTrader
+3049 nsws NSWS
+3080 stm_pproc stm_pproc
+3105 cardbox Cardbox
+3106 cardbox-http CardboxHTTP
+3130 icpv2 ICPv2
+3131 netbookmark NetBookMark
+3141 vmodem VMODEM
+3142 rdc-wh-eos RDCWHEOS
+3143 seaview SeaView
+3144 tarantella Tarantella
+3145 csi-lfap CSI-LFAP
+3147 rfio RFIO
+3180 mc-brk-srv MillicentBrokerServer
+3264 ccmail cc:mail/lotus
+3265 altav-tunnel AltavTunnel
+3266 ns-cfg-server NSCFGServer
+3267 ibm-dial-out IBMDialOut
+3268 msft-gc MicrosoftGlobalCatalog
+3269 msft-gc-ssl MicrosoftGlobalCatalogwithLDAP/SSL
+3270 verismart Verismart
+3271 csoft-prev CSoftPrevPort
+3272 user-manager FujitsuUserManager
+3273 sxmp SimpleExtensibleMultiplexedProtocol
+3274 ordinox-server OrdinoxServer
+3275 samd SAMD
+3276 maxim-asics MaximASICs
+3277 awg-proxy AWGProxy
+3278 lkcmserver LKCMServer
+3279 admind admind
+3280 vs-server VSServer
+3281 sysopt SYSOPT
+3282 datusorb Datusorb
+3283 net-assistant NetAssistant
+3284 4talk 4Talk
+3285 plato Plato
+3286 e-net E-Net
+3287 directvdata DIRECTVDATA
+3288 cops COPS
+3289 enpc ENPC
+3290 caps-lm CAPSLOGISTICSTOOLKIT-LM
+3291 sah-lm SAHolditch&Associates-
+3292 cart-o-rama CartORama
+3293 fg-fps fg-fps
+3294 fg-gip fg-gip
+3295 dyniplookup DynamicIPLookup
+3296 rib-slm RibLicenseManager
+3297 cytel-lm CytelLicenseManager
+3298 transview Transview
+3299 pdrncs pdrncs
+3300 bmcpatrolagent BMCPatrolAgent
+3301 bmcpatrolrnvu BMCPatrolRendezvous
+3302 mcs-fastmail MCSFastmail
+3303 opsession-clnt OPSessionClient
+3304 opsession-srvr OPSessionServer
+3305 odette-ftp ODETTE-FTP
+3306 mysql MySQL
+3307 opsession-prxy OPSessionProxy
+3308 tns-server TNSServer
+3309 tns-adv TNDADV
+3310 dyna-access DynaAccess
+3311 mcns-tel-ret MCNSTelRet
+3312 appman-server ApplicationManagementServer
+3313 uorb UnifyObjectBroker
+3314 uohost UnifyObjectHost
+3315 cdid CDID
+3316 aicc-cmi AICC/CMI
+3317 vsaiport VSAIPORT
+3318 ssrip SwithtoSwithRoutingInformationProtocol
+3319 sdt-lmd SDTLicenseManager
+3320 officelink2000 OfficeLink2000
+3321 vnsstr VNSSTR
+3322 active-net
+3323 active-net
+3324 active-net
+3325 active-net
+3326 sftu SFTU
+3327 bbars BBARS
+3328 egptlm EaglepointLicenseManager
+3329 hp-device-disc HPDeviceDisc
+3330 mcs-calypsoicf MCSCalypsoICF
+3331 mcs-messaging MCSMessaging
+3332 mcs-mailsvr MCSMailServer
+3333 dec-notes DECNotes
+3334 directv-web DirectTVWebcasting
+3335 directv-soft DirectTVSoftwareUpdates
+3336 directv-tick DirectTVTickers
+3337 directv-catlg DirectTVDataCatalog
+3338 anet-b OMFdatab
+3339 anet-l OMFdatal
+3340 anet-m OMFdatam
+3341 anet-h OMFdatah
+3342 webtie WebTIE
+3343 ms-cluster-net MSClusterNet
+3344 bnt-manager BNTManager
+3345 influence Influence
+3346 trnsprntproxy TrnsprntProxy
+3347 phoenix-rpc PhoenixRPC
+3348 pangolin-laser PangolinLaser
+3349 chevinservices ChevinServices
+3350 findviatv FINDVIATV
+3351 btrieve BTRIEVE
+3352 ssql SSQL
+3353 fatpipe FATPIPE
+3354 suitjd SUITJD
+3355 ordinox-dbase OrdinoxDbase
+3356 upnotifyps UPNOTIFYPS
+3357 adtech-test AdtechTestIP
+3358 mpsysrmsvr MpSysRmsvr
+3359 wg-netforce WGNetForce
+3360 kv-server KVServer
+3361 kv-agent KVAgent
+3362 dj-ilm DJILM
+3363 nati-vi-server NATIViServer
+3364 creativeserver CreativeServer
+3365 contentserver ContentServer
+3366 creativepartnr CreativePartner
+3367 satvid-dtalnk
+3368 satvid-dtalnk
+3369 satvid-dtalnk
+3370 satvid-dtalnk
+3371 satvid-dtalnk
+3372 tip2 TIP2
+3373 lavenir-lm LavenirLicenseManager
+3374 cluster-disc ClusterDisc
+3375 vsnm-agent VSNMAgent
+3376 cdbroker CDBroker
+3377 cogsys-lm CogsysNetworkLicenseManager
+3378 wsicopy WSICOPY
+3379 socorfs SOCORFS
+3380 sns-channels SNSChannels
+3381 geneous Geneous
+3382 fujitsu-neat FujitsuNetworkEnhancedAntitheftfunction
+3383 esp-lm EnterpriseSoftwareProductsLicenseManager
+3384 hp-clic HardwareManagement
+3385 qnxnetman qnxnetman
+3386 gprs-sig GPRSSIG
+3387 backroomnet BackRoomNet
+3388 cbserver CBServer
+3389 ms-wbt-server MSWBTServer
+3390 dsc DistributedServiceCoordinator
+3391 savant SAVANT
+3392 efi-lm EFILicenseManagement
+3393 d2k-tapestry1 D2KTapestryClienttoServer
+3394 d2k-tapestry2 D2KTapestryServertoServer
+3395 dyna-lm DynaLicenseManager(Elam)
+3396 printer_agent PrinterAgent
+3397 cloanto-lm CloantoLicenseManager
+3398 mercantile Mercantile
+3421 bmap BullAppriseportmapper
+3454 mira AppleRemoteAccessProtocol
+3455 prsvp RSVPPort
+3456 vat VATdefaultdata
+3457 vat-control VATdefaultcontrol
+3458 d3winosfi DsWinOSFI
+3459 integral Integral
+3460 edm-manager EDMManger
+3461 edm-stager EDMStager
+3462 edm-std-notify EDMSTDNotify
+3463 edm-adm-notify EDMADMNotify
+3464 edm-mgr-sync EDMMGRSync
+3465 edm-mgr-cntrl EDMMGRCntrl
+3466 workflow WORKFLOW
+3563 watcomdebug WatcomDebug
+3900 udt_os UnidataUDTOS
+3984 mapper-nodemgr MAPPERnetworknodemanager
+3985 mapper-mapethd MAPPERTCP/IPserver
+3986 mapper-ws_ethd MAPPERworkstationserver
+3987 centerline Centerline
+4000 terabase Terabase
+4001 newoak NewOak
+4008 netcheque NetChequeaccounting
+4009 chimera-hwm ChimeraHWM
+4010 samsung-unidex SamsungUnidex
+4011 altserviceboot AlternateServiceBoot
+4012 pda-gate PDAGate
+4013 acl-manager ACLManager
+4014 taiclock TAICLOCK
+4045 lockd
+4096 bre BRE(BridgeRelayElement)
+4132 nuts_dem NUTSDaemon
+4133 nuts_bootp NUTSBootpServer
+4134 nifty-hmi NIFTY-ServeHMIprotocol
+4141 oirtgsvc WorkflowServer
+4142 oidocsvc DocumentServer
+4143 oidsr DocumentReplication
+4200 VRML
+4201 VRML
+4202 VRML
+4203 VRML
+4204 VRML
+4205 VRML
+4206 VRML
+4207 VRML
+4208 VRML
+4209 VRML
+4210 VRML
+4211 VRML
+4212 VRML
+4213 VRML
+4214 VRML
+4215 VRML
+4216 VRML
+4217 VRML
+4218 VRML
+4219 VRML
+4220 VRML
+4221 VRML
+4222 VRML
+4223 VRML
+4224 VRML
+4225 VRML
+4226 VRML
+4227 VRML
+4228 VRML
+4229 VRML
+4230 VRML
+4231 VRML
+4232 VRML
+4233 VRML
+4234 VRML
+4235 VRML
+4236 VRML
+4237 VRML
+4238 VRML
+4239 VRML
+4240 VRML
+4241 VRML
+4242 VRML
+4243 VRML
+4244 VRML
+4245 VRML
+4246 VRML
+4247 VRML
+4248 VRML
+4249 VRML
+4250 VRML
+4251 VRML
+4252 VRML
+4253 VRML
+4254 VRML
+4255 VRML
+4256 VRML
+4257 VRML
+4258 VRML
+4259 VRML
+4260 VRML
+4261 VRML
+4262 VRML
+4263 VRML
+4264 VRML
+4265 VRML
+4266 VRML
+4267 VRML
+4268 VRML
+4269 VRML
+4270 VRML
+4271 VRML
+4272 VRML
+4273 VRML
+4274 VRML
+4275 VRML
+4276 VRML
+4277 VRML
+4278 VRML
+4279 VRML
+4280 VRML
+4281 VRML
+4282 VRML
+4283 VRML
+4284 VRML
+4285 VRML
+4286 VRML
+4287 VRML
+4288 VRML
+4289 VRML
+4290 VRML
+4291 VRML
+4292 VRML
+4293 VRML
+4294 VRML
+4295 VRML
+4296 VRML
+4297 VRML
+4298 VRML
+4299 VRML
+4300 corelccam CorelCCam
+4321 rwhois RemoteWhoIs
+4343 unicall UNICALL
+4344 vinainstall VinaInstall
+4345 m4-network-as Macro4NetworkAS
+4346 elanlm ELANLM
+4347 lansurveyor LANSurveyor
+4348 itose ITOSE
+4349 fsportmap FileSystemPortMap
+4350 net-device NetDevice
+4351 plcy-net-svcs PLCYNetServices
+4444 krb524 KRB524
+4445 upnotifyp UPNOTIFYP
+4446 n1-fwp N1-FWP
+4447 n1-rmgmt N1-RMGMT
+4448 asc-slmd ASCLicenceManager
+4449 privatewire PrivateWire
+4450 camp Camp
+4451 ctisystemmsg CTISystemMsg
+4452 ctiprogramload CTIProgramLoad
+4453 nssalertmgr NSSAlertManager
+4454 nssagentmgr NSSAgentManager
+4455 prchat-user PRChatUser
+4456 prchat-server PRChatServer
+4457 prRegister PRRegister
+4500 sae-urn sae-urn
+4501 urn-x-cdchoice urn-x-cdchoice
+4545 highscore Highscore
+4546 sf-lm SFLicenseManager(Sentinel)
+4547 lanner-lm LannerLicenseManager
+4672 rfa remotefileaccessserver
+4800 iims IconaInstantMessengingSystem
+4801 iwec IconaWebEmbeddedChat
+4802 ilss IconaLicenseSystemServer
+4827 htcp HTCP
+4868 phrelay PhotonRelay
+4869 phrelaydbg PhotonRelayDebug
+4885 abbs ABBS
+5000 commplex-main
+5001 commplex-link
+5002 rfe radiofreeethernet
+5003 fmpro-internal FileMaker,Inc.-Proprietarynamebinding
+5004 avt-profile-1 avt-profile-1
+5005 avt-profile-2 avt-profile-2
+5010 telelpathstart TelepathStart
+5011 telelpathattack TelepathAttack
+5020 zenginkyo-1 zenginkyo-1
+5021 zenginkyo-2 zenginkyo-2
+5050 mmcc multimediaconferencecontroltool
+5051 ita-agent ITAAgent
+5052 ita-manager ITAManager
+5060 sip SIP
+5145 rmonitor_secure
+5150 atmp AscendTunnelManagementProtocol
+5190 aol America-Online
+5191 aol-1 AmericaOnline1
+5192 aol-2 AmericaOnline2
+5193 aol-3 AmericaOnline3
+5236 padl2sim
+5272 pk PK
+5300 hacl-hb #HAclusterheartbeat
+5301 hacl-gs #HAclustergeneralservices
+5302 hacl-cfg #HAclusterconfiguration
+5303 hacl-probe #HAclusterprobing
+5304 hacl-local #HAClusterCommands
+5305 hacl-test #HAClusterTest
+5306 sun-mc-grp SunMCGroup
+5307 sco-aip SCOAIP
+5308 cfengine CFengine
+5309 jprinter JPrinter
+5310 outlaws Outlaws
+5311 tmlogin TMLogin
+5400 excerpt ExcerptSearch
+5401 excerpts ExcerptSearchSecure
+5402 mftp MFTP
+5403 hpoms-ci-lstn HPOMS-CI-LSTN
+5404 hpoms-dps-lstn HPOMS-DPS-LSTN
+5405 netsupport NetSupport
+5406 systemics-sox SystemicsSox
+5407 foresyte-clear Foresyte-Clear
+5408 foresyte-sec Foresyte-Sec
+5409 salient-dtasrv SalientDataServer
+5410 salient-usrmgr SalientUserManager
+5411 actnet ActNet
+5412 continuus Continuus
+5413 wwiotalk WWIOTALK
+5414 statusd StatusD
+5415 ns-server NSServer
+5416 sns-gateway SNSGateway
+5417 sns-agent SNSAgent
+5418 mcntp MCNTP
+5419 dj-ice DJ-ICE
+5420 cylink-c Cylink-C
+5500 fcp-addr-srvr1 fcp-addr-srvr1
+5501 fcp-addr-srvr2 fcp-addr-srvr2
+5502 fcp-srvr-inst1 fcp-srvr-inst1
+5503 fcp-srvr-inst2 fcp-srvr-inst2
+5504 fcp-cics-gw1 fcp-cics-gw1
+5555 personal-agent PersonalAgent
+5599 esinstall EnterpriseSecurityRemoteInstall
+5600 esmmanager EnterpriseSecurityManager
+5601 esmagent EnterpriseSecurityAgent
+5602 a1-msc A1-MSC
+5603 a1-bs A1-BS
+5604 a3-sdunode A3-SDUNode
+5605 a4-sdunode A4-SDUNode
+5631 pcanywheredata pcANYWHEREdata
+5632 pcanywherestat pcANYWHEREstat
+5678 rrac RemoteReplicationAgentConnection
+5679 dccm DirectCableConnectManager
+5713 proshareaudio proshareconfaudio
+5714 prosharevideo proshareconfvideo
+5715 prosharedata proshareconfdata
+5716 prosharerequest proshareconfrequest
+5717 prosharenotify proshareconfnotify
+5729 openmail OpenmailUserAgentLayer
+5741 ida-discover1 IDADiscoverPort1
+5742 ida-discover2 IDADiscoverPort2
+5745 fcopy-server fcopy-server
+5746 fcopys-server fcopys-server
+5755 openmailg OpenMailDeskGatewayserver
+5757 x500ms OpenMailX.500DirectoryServer
+5766 openmailns OpenMailNewMailServer
+5767 s-openmail OpenMailSuerAgentLayer(Secure)
+5768 openmailpxy OpenMailCMTSServer
+6000 X11
+6001 X11
+6002 X11
+6003 X11
+6004 X11
+6005 X11
+6006 X11
+6007 X11
+6008 X11
+6009 X11
+6010 X11
+6011 X11
+6012 X11
+6013 X11
+6014 X11
+6015 X11
+6016 X11
+6017 X11
+6018 X11
+6019 X11
+6020 X11
+6021 X11
+6022 X11
+6023 X11
+6024 X11
+6025 X11
+6026 X11
+6027 X11
+6028 X11
+6029 X11
+6030 X11
+6031 X11
+6032 X11
+6033 X11
+6034 X11
+6035 X11
+6036 X11
+6037 X11
+6038 X11
+6039 X11
+6040 X11
+6041 X11
+6042 X11
+6043 X11
+6044 X11
+6045 X11
+6046 X11
+6047 X11
+6048 X11
+6049 X11
+6050 X11
+6051 X11
+6052 X11
+6053 X11
+6054 X11
+6055 X11
+6056 X11
+6057 X11
+6058 X11
+6059 X11
+6060 X11
+6061 X11
+6062 X11
+6063 X11
+6110 softcm HPSoftBenchCM
+6111 spc HPSoftBenchSub-ProcessControl
+6112 dtspcd dtspcd
+6123 backup-express BackupExpress
+6141 meta-corp MetaCorporationLicenseManager
+6142 aspentec-lm AspenTechnologyLicenseManager
+6143 watershed-lm WatershedLicenseManager
+6144 statsci1-lm StatSciLicenseManager-1
+6145 statsci2-lm StatSciLicenseManager-2
+6146 lonewolf-lm LoneWolfSystemsLicenseManager
+6147 montage-lm MontageLicenseManager
+6148 ricardo-lm RicardoNorthAmericaLicenseManager
+6149 tal-pod tal-pod
+6253 crip CRIP
+6389 clariion-evr01 clariion-evr01
+6455 skip-cert-recv SKIPCertificateReceive
+6456 skip-cert-send SKIPCertificateSend
+6471 lvision-lm LVisionLicenseManager
+6500 boks BoKSMaster
+6501 boks_servc BoKSServc
+6502 boks_servm BoKSServm
+6503 boks_clntd BoKSClntd
+6505 badm_priv BoKSAdminPrivatePort
+6506 badm_pub BoKSAdminPublicPort
+6507 bdir_priv BoKSDirServer,PrivatePort
+6508 bdir_pub BoKSDirServer,PublicPort
+6558 xdsxdm
+6665 ircu
+6666 ircu
+6667 ircu
+6668 ircu
+6669 ircu IRCU
+6670 vocaltec-gold VocaltecGlobalOnlineDirectory
+6672 vision_server vision_server
+6673 vision_elmd vision_elmd
+6701 kti-icad-srvr KTI/ICADNameserver
+6790 hnmp HNMP
+6831 ambit-lm ambit-lm
+6969 acmsoda acmsoda
+7000 afs3-fileserver fileserveritself
+7001 afs3-callback callbackstocachemanagers
+7002 afs3-prserver users&groupsdatabase
+7003 afs3-vlserver volumelocationdatabase
+7004 afs3-kaserver AFS/Kerberosauthenticationservice
+7005 afs3-volser volumemanagementserver
+7006 afs3-errors errorinterpretationservice
+7007 afs3-bos basicoverseerprocess
+7008 afs3-update server-to-serverupdater
+7009 afs3-rmtsys remotecachemanagerservice
+7010 ups-onlinet onlinetuninterruptablepowersupplies
+7020 dpserve DPServe
+7021 dpserveadmin DPServeAdmin
+7070 arcp ARCP
+7099 lazy-ptop lazy-ptop
+7100 font-service XFontService
+7121 virprot-lm VirtualPrototypesLicenseManager
+7174 clutild Clutild
+7200 fodms FODMSFLIP
+7201 dlip DLIP
+7395 winqedit winqedit
+7426 pmdmgr OpenViewDMPostmasterManager
+7427 oveadmgr OpenViewDMEventAgentManager
+7428 ovladmgr OpenViewDMLogAgentManager
+7429 opi-sock OpenViewDMrqtcommunication
+7430 xmpv7 OpenViewDMxmpv7apipipe
+7431 pmd OpenViewDMovc/xmpv3apipipe
+7491 telops-lmd telops-lmd
+7511 pafec-lm pafec-lm
+7544 nta-ds FlowAnalyzerDisplayServer
+7545 nta-us FlowAnalyzerUtilityServer
+7570 aries-kfinder AriesKfinder
+7588 sun-lm SunLicenseManager
+7777 cbt cbt
+7781 accu-lmgr accu-lmgr
+7932 t2-drm Tier2DataResourceManager
+7933 t2-brm Tier2BusinessRulesManager
+7980 quest-vista QuestVista
+7999 irdmi2 iRDMI2
+8000 irdmi iRDMI
+8001 vcom-tunnel VCOMTunnel
+8008 http-alt HTTPAlternate
+8032 pro-ed ProEd
+8033 mindprint MindPrint
+8080 http-alt HTTPAlternate(seeport80)
+8200 trivnet1 TRIVNET
+8201 trivnet2 TRIVNET
+8376 cruise-enum CruiseENUM
+8377 cruise-swroute CruiseSWROUTE
+8378 cruise-config CruiseCONFIG
+8379 cruise-diags CruiseDIAGS
+8380 cruise-update CruiseUPDATE
+8400 cvd cvd
+8401 sabarsd sabarsd
+8402 abarsd abarsd
+8403 admind admind
+8450 npmp npmp
+8473 vp2p VitualPointtoPoint
+8554 rtsp-alt RTSPAlternate(seeport554)
+8765 ultraseek-http UltraseekHTTP
+8880 cddbp-alt CDDBP
+8888 ddi-tcp-1 NewsEDGEserverTCP(TCP1)
+8889 ddi-tcp-2 DesktopDataTCP1
+8890 ddi-tcp-3 DesktopDataTCP2
+8891 ddi-tcp-4 DesktopDataTCP3:NESSapplication
+8892 ddi-tcp-5 DesktopDataTCP4:FARMproduct
+8893 ddi-tcp-6 DesktopDataTCP5:NewsEDGE/Webapplication
+8894 ddi-tcp-7 DesktopDataTCP6:COALapplication
+9000 cslistener CSlistener
+9006 sctp SCTP
+9090 websm WebSM
+9535 man
+9594 msgsys MessageSystem
+9595 pds PingDiscoveryService
+9876 sd SessionDirector
+9888 cyborg-systems CYBORGSystems
+9898 monkeycom MonkeyCom
+9992 palace Palace
+9993 palace Palace
+9994 palace Palace
+9995 palace Palace
+9996 palace Palace
+9997 palace Palace
+9998 distinct32 Distinct32
+9999 distinct distinct
+10000 ndmp NetworkDataManagementProtocol
+10007 mvs-capacity MVSCapacity
+11001 metasys Metasys
+11367 atm-uhas ATMUHAS
+12000 entextxid IBMEnterpriseExtenderSNAXIDExchange
+12001 entextnetwk IBMEnterpriseExtenderSNACOSNetwork
+12002 entexthigh IBMEnterpriseExtenderSNACOSHigh
+12003 entextmed IBMEnterpriseExtenderSNACOSMedium
+12004 entextlow IBMEnterpriseExtenderSNACOSLow
+12753 tsaf tsafport
+13160 i-zipqd I-ZIPQD
+13720 bprd BPRDProtocol(VERITASNetBackup)
+13721 bpbrm BPBRMProtocol(VERITASNetBackup)
+13782 bpcd VERITASNetBackup
+13818 dsmcc-config DSMCCConfig
+13819 dsmcc-session DSMCCSessionMessages
+13820 dsmcc-passthru DSMCCPass-ThruMessages
+13821 dsmcc-download DSMCCDownloadProtocol
+13822 dsmcc-ccp DSMCCChannelChangeProtocol
+14001 itu-sccp-ss7 ITUSCCP(SS7)
+17007 isode-dua
+17219 chipper Chipper
+18000 biimenu BeckmanInstruments,Inc.
+19541 jcp JCPClient
+21845 webphone webphone
+21846 netspeak-is NetSpeakCorp.DirectoryServices
+21847 netspeak-cs NetSpeakCorp.ConnectionServices
+21848 netspeak-acd NetSpeakCorp.AutomaticCallDistribution
+21849 netspeak-cps NetSpeakCorp.CreditProcessingSystem
+22273 wnn6 wnn6
+22555 vocaltec-wconf VocaltecWebConference
+22800 aws-brf TelerateInformationPlatformLAN
+22951 brf-gw TelerateInformationPlatformWAN
+24000 med-ltp med-ltp
+24001 med-fsp-rx med-fsp-rx
+24002 med-fsp-tx med-fsp-tx
+24003 med-supp med-supp
+24004 med-ovw med-ovw
+24005 med-ci med-ci
+24006 med-net-svc med-net-svc
+25000 icl-twobase1 icl-twobase1
+25001 icl-twobase2 icl-twobase2
+25002 icl-twobase3 icl-twobase3
+25003 icl-twobase4 icl-twobase4
+25004 icl-twobase5 icl-twobase5
+25005 icl-twobase6 icl-twobase6
+25006 icl-twobase7 icl-twobase7
+25007 icl-twobase8 icl-twobase8
+25008 icl-twobase9 icl-twobase9
+25009 icl-twobase10 icl-twobase10
+25793 vocaltec-hos VocaltecAddressServer
+26000 quake quake
+26208 wnn6-ds wnn6-ds
+27000 flex-lm
+27001 flex-lm FLEXLM(1-10)
+27002 flex-lm FLEXLM(1-10)
+27003 flex-lm FLEXLM(1-10)
+27004 flex-lm FLEXLM(1-10)
+27005 flex-lm FLEXLM(1-10)
+27006 flex-lm FLEXLM(1-10)
+27007 flex-lm FLEXLM(1-10)
+27008 flex-lm FLEXLM(1-10)
+27009 flex-lm FLEXLM(1-10)
+27999 tw-auth-key TWAuthentication/KeyDistributionand
+33434 traceroute tracerouteuse
+44818 rockwell-encap RockwellEncapsulation
+45678 eba EBAPRISE
+47557 dbbrowse DatabeamCorporation
+47624 directplaysrvr DirectPlayServer
+47806 ap ALCProtocol
+47808 bacnet BuildingAutomationandControlNetworks
diff --git a/perl/ipf-mrtg.pl b/perl/ipf-mrtg.pl
new file mode 100644
index 0000000..cce30ab
--- /dev/null
+++ b/perl/ipf-mrtg.pl
@@ -0,0 +1,22 @@
+#!/usr/local/bin/perl
+# reads stats and uptime for ip-filter for mrtg
+# ron@rosie.18james.com, 2 Jan 2000
+
+my $firewall = "IP Filter v3.3.3";
+my($in_pkts,$out_pkts) = (0,0);
+
+open(FW, "/sbin/ipfstat -hi|") || die "cannot open ipfstat -hi\n";
+while (<FW>) {
+ $in_pkts += $1 if (/^(\d+)\s+pass\s+in\s+quick.*group\s+1\d0/);
+}
+close(FW);
+open(FW, "/sbin/ipfstat -ho|") || die "cannot open ipfstat -ho\n";
+while (<FW>) {
+ $out_pkts += $1 if (/^(\d+)\s+pass\s+out\s+quick.*group\s+1\d0/);
+}
+print "$in_pkts\n",
+ "$out_pkts\n";
+my $uptime = `/usr/bin/uptime`;
+$uptime =~ /^\s+(\d{1,2}:\d{2}..)\s+up\s+(\d+)\s+(......),/;
+print "$2 $3\n",
+ "$firewall\n";
\ No newline at end of file
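Review bot: An `ipfstat` run that exits with an error is never noticed, because the first `close(FW)` is unchecked and the second handle is never closed. With a piped `open` the command's exit status is only reported by `close`, so a run that produces no output (for example for lack of privilege) reports `0` and `0` to MRTG as if no packets had passed. I would close both handles and check the result, e.g. `close(FW) || die "ipfstat -hi failed: status $?\n";` after each loop. The uptime match is also unchecked, so when the line lacks the `up N days,` form the script still prints whatever `$2` and `$3` hold; `... or die "unexpected uptime output\n";` on the match would catch that. Adding `use strict; use warnings;` at the top would fit the `my` declarations already used.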
diff --git a/perl/ipfmeta.pl b/perl/ipfmeta.pl
new file mode 100644
index 0000000..1a7bb3f
--- /dev/null
+++ b/perl/ipfmeta.pl
@@ -0,0 +1,210 @@
+#!/usr/bin/perl -w
+#
+# Written by Camiel Dobbelaar <cd@sentia.nl>, Aug-2000
+# ipfmeta is in the Public Domain.
+#
+
+use strict;
+use Getopt::Std;
+
+## PROCESS COMMANDLINE
+our($opt_v); $opt_v=1;
+getopts('v:') || die "usage: ipfmeta [-v verboselevel] [objfile]\n";
+my $verbose = $opt_v + 0;
+my $objfile = shift || "ipf.objs";
+my $MAXRECURSION = 10;
+
+## READ OBJECTS
+open(FH, "$objfile") || die "cannot open $objfile: $!\n";
+my @tokens;
+while (<FH>) {
+ chomp;
+ s/#.*$//; # remove comments
+ s/^\s+//; # compress whitespace
+ s/\s+$//;
+ next if m/^$/; # skip empty lines
+ push (@tokens, split);
+}
+close(FH) || die "cannot close $objfile: $!\n";
+# link objects with their values
+my $obj="";
+my %objs;
+while (@tokens) {
+ my $token = shift(@tokens);
+ if ($token =~ m/^\[([^]]*)\]$/) {
+ # new object
+ $obj = $1;
+ } else {
+ # new value
+ push(@{$objs{$obj}}, $token) unless ($obj eq "");
+ }
+}
+
+# sort objects: longest first
+my @objs = sort { length($b) <=> length($a) } keys %objs;
+
+## SUBSTITUTE OBJECTS WITH THEIR VALUES FROM STDIN
+foreach (<STDIN>) {
+ foreach (expand($_, 0)) {
+ print;
+ }
+}
+
+## END
+
+sub expand {
+ my $line = shift;
+ my $level = shift;
+ my @retlines = $line;
+ my $obj;
+ my $val;
+
+ # coarse protection
+ if ($level > $MAXRECURSION) {
+ print STDERR "ERR: recursion exceeds $MAXRECURSION levels\n";
+ return;
+ }
+
+ foreach $obj (@objs) {
+ if ($line =~ m/$obj/) {
+ @retlines = "";
+ if ($level < $verbose) {
+ # add metarule as a comment
+ push(@retlines, "# ".$line);
+ }
+ foreach $val (@{$objs{$obj}}) {
+ my $newline = $line;
+ $newline =~ s/$obj/$val/;
+ push(@retlines, expand($newline, $level+1));
+ }
+ last;
+ }
+ }
+
+ return @retlines;
+}
+
+__END__
+
+=head1 NAME
+
+B<ipfmeta> - use objects in IP filter files
+
+=head1 SYNOPSIS
+
+B<ipfmeta> [F<options>] [F<objfile>]
+
+=head1 DESCRIPTION
+
+B<ipfmeta> is used to simplify the maintenance of your IP filter
+ruleset. It does this through the use of 'objects'. A matching
+object gets replaced by its values at runtime. This is similar to
+what a macro processor like m4 does.
+
+B<ipfmeta> is specifically geared towards IP filter. It is line
+oriented, if an object has multiple values, the line with the object
+is duplicated and substituted for each value. It is also recursive,
+an object may have another object as a value.
+
+Rules to be processed are read from stdin, output goes to stdout.
+
+The verbose option allows for the inclusion of the metarules in the
+output as comments.
+
+Definition of the objects and their values is done in a separate
+file, the filename defaults to F<ipf.objs>. An object is delimited
+by square brackets. A value is delimited by whitespace. Comments
+start with '#' and end with a newline. Empty lines and extraneous
+whitespace are allowed. A value belongs to the first object that
+precedes it.
+
+It is recommended that you use all caps or another distinguishing
+feature for object names. You can use B<ipfmeta> for NAT rules also,
+for instance to keep them in sync with filter rules. Combine
+B<ipfmeta> with a Makefile to save typing.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-v> I<verboselevel>
+
+Include metarules in output as comments. Default is 1, the top level
+metarules. Higher levels cause expanded metarules to be included.
+Level 0 does not add comments at all.
+
+=back
+
+=head1 BUGS
+
+A value can not have whitespace in it.
+
+=head1 EXAMPLE
+
+(this does not look good, formatted)
+
+I<ipf.objs>
+
+[PRIVATE] 10.0.0.0/8 127.0.0.0/8 172.16.0.0/12 192.168.0.0/16
+
+[MULTICAST] 224.0.0.0/4
+
+[UNWANTED] PRIVATE MULTICAST
+
+[NOC] xxx.yy.zz.1/32 xxx.yy.zz.2/32
+
+[WEBSERVERS] 192.168.1.1/32 192.168.1.2/32
+
+[MGMT-PORTS] 22 23
+
+I<ipf.metarules>
+
+block in from UNWANTED to any
+
+pass in from NOC to WEBSERVERS port = MGMT-PORTS
+
+pass out all
+
+I<Run>
+
+ipfmeta ipf.objs <ipf.metarules >ipf.rules
+
+I<Output>
+
+# block in from UNWANTED to any
+
+block in from 10.0.0.0/8 to any
+
+block in from 127.0.0.0/8 to any
+
+block in from 172.16.0.0/12 to any
+
+block in from 192.168.0.0/16 to any
+
+block in from 224.0.0.0/4 to any
+
+# pass in from NOC to WEBSERVERS port = MGMT-PORTS
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 22
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.1/32 port = 23
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 22
+
+pass in from xxx.yy.zz.1/32 to 192.168.1.2/32 port = 23
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 22
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.1/32 port = 23
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 22
+
+pass in from xxx.yy.zz.2/32 to 192.168.1.2/32 port = 23
+
+pass out all
+
+=head1 AUTHOR
+
+Camiel Dobbelaar <cd@sentia.nl>. B<ipfmeta> is in the Public Domain.
+
+=cut
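Review bot: `open(FH, "$objfile")` is a two-argument open on a name taken from the command line, so mode characters at the start or end of that argument (`>`, `|`) are interpreted by Perl rather than treated as part of the file name. The three-argument form avoids this: `open(FH, '<', $objfile) || die "cannot open $objfile: $!\n";`. In `expand`, object names read from the objects file are interpolated as patterns in `m/$obj/` and `s/$obj/$val/`. A name containing regex metacharacters, or one that also occurs inside a longer word, can therefore rewrite the wrong part of a rule and yield a ruleset that differs from what the metarule says. Quoting the name with `\Q$obj\E` in both places would make the match literal.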
diff --git a/perl/logfilter.pl b/perl/logfilter.pl
new file mode 100644
index 0000000..6ebe401
--- /dev/null
+++ b/perl/logfilter.pl
@@ -0,0 +1,181 @@
+#!perl.exe
+
+# Author: Chris Grant
+# Copyright 1999, Codetalker Communications, Inc.
+#
+# This script takes a firewall log and breaks it into several
+# different files. Each file is named based on the service that
+# runs on the port that was recognized in log line. After
+# this script has run, you should end up with several files.
+# Of course you will have the original log file and then files
+# such as web.log, telnet.log, pop3.log, imap.log, backorifice.log,
+# netbus.log, and unknown.log.
+#
+# The number of entries in unknown.log should be minimal. The
+# mappings of the port numbers and file names are stored in the bottom
+# of this file in the data section. Simply look at the ports being hit,
+# find out what these ports do, and add them to the data section.
+#
+# You may be wondering why I haven't simply parsed RFC1700 to come up
+# with a list of port numbers and files. The reason is that I don't
+# believe reading firewall logs should be all that automated. You
+# should be familiar with what probes are hitting your system. By
+# manually adding entries to the data section this ensures that I
+# have at least educated myself about what this protocol is, what
+# the potential exposure is, and why you might be seeing this traffic.
+
+%icmp = ();
+%udp = ();
+%tcp = ();
+%openfiles = ();
+$TIDBITSFILE = "unknown.log";
+
+# Read the ports data from the end of this file and build the three hashes
+while (<DATA>) {
+ chomp; # trim the newline
+ s/#.*//; # no comments
+ s/^\s+//; # no leading white
+ s/\s+$//; # no trailing white
+ next unless length; # anything left?
+ $_ = lc; # switch to lowercase
+ ($proto, $identifier, $filename) = m/(\S+)\s+(\S+)\s+(\S+)/;
+ SWITCH: {
+ if ($proto =~ m/^icmp$/) { $icmp{$identifier} = $filename; last SWITCH; };
+ if ($proto =~ m/^udp$/) { $udp{$identifier} = $filename; last SWITCH; };
+ if ($proto =~ m/^tcp$/) { $tcp{$identifier} = $filename; last SWITCH; };
+ die "An unknown protocol listed in the proto defs\n$_\n";
+ }
+}
+
+$filename = shift;
+unless (defined($filename)) { die "Usage: logfilter.pl <log file>\n"; }
+open(LOGFILE, $filename) || die "Could not open the firewall log file.\n";
+$openfiles{$filename} = "LOGFILE";
+
+$linenum = 0;
+while($line = <LOGFILE>) {
+
+ chomp($line);
+ $linenum++;
+
+ # determine the protocol - send to unknown.log if not found
+ SWITCH: {
+
+ ($line =~ m /\sicmp\s/) && do {
+
+ #
+ # ICMP Protocol
+ #
+ # Extract the icmp packet information specifying the type.
+ #
+ # Note: Must check for ICMP first because this may be an ICMP reply
+ # to a TCP or UDP connection (eg Port Unreachable).
+
+ ($icmptype) = $line =~ m/icmp (\d+)\/\d+/;
+
+ $filename = $TIDBITSFILE;
+ $filename = $icmp{$icmptype} if (defined($icmp{$icmptype}));
+
+ last SWITCH;
+ };
+
+ ($line =~ m /\stcp\s/) && do {
+
+ #
+ # TCP Protocol
+ #
+ # extract the source and destination ports and compare them to
+ # known ports in the tcp hash. For the first match, place this
+ # line in the file specified by the tcp hash. Ignore one of the
+ # port matches if both ports happen to be known services.
+
+ ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
+ #print "$line\n" unless (defined($sport) && defined($dport));
+
+ $filename = $TIDBITSFILE;
+ $filename = $tcp{$sport} if (defined($tcp{$sport}));
+ $filename = $tcp{$dport} if (defined($tcp{$dport}));
+
+ last SWITCH;
+ };
+
+ ($line =~ m /\sudp\s/) && do {
+
+ #
+ # UDP Protocol - same procedure as with TCP, different hash
+ #
+
+ ($sport, $dport) = $line =~ m/\d+\.\d+\.\d+\.\d+,(\d+) -> \d+\.\d+\.\d+\.\d+,(\d+)/;
+
+ $filename = $TIDBITSFILE;
+ $filename = $udp{$sport} if (defined($udp{$sport}));
+ $filename = $udp{$dport} if (defined($udp{$dport}));
+
+ last SWITCH;
+ };
+
+ #
+ # The default case is that the protocol was unknown
+ #
+ $filename = $TIDBITSFILE;
+ }
+
+ #
+ # write the line to the appropriate file as determined above
+ #
+ # check for filename in the openfiles hash. if it exists then write
+ # to the given handle. otherwise open a handle to the file and add
+ # it to the hash of open files.
+
+ if (defined($openfiles{$filename})) {
+ $handle = $openfiles{$filename};
+ } else {
+ $handle = "HANDLE" . keys %openfiles;
+ open ($handle, ">>".$filename) || die "Couldn't open|create the file $filename";
+ $openfiles{$filename} = $handle;
+ }
+ print $handle "#$linenum\t $line\n";
+
+}
+
+# close all open file handles
+
+foreach $key (keys %openfiles) {
+ close($openfiles{$key});
+}
+
+close(LOGFILE);
+
+__DATA__
+icmp 3 destunreach.log
+icmp 8 ping.log
+icmp 9 router.log
+icmp 10 router.log
+icmp 11 ttl.log
+tcp 23 telnet.log
+tcp 25 smtp.log
+udp 25 smtp.log
+udp 53 dns.log
+tcp 80 http.log
+tcp 110 pop3.log
+tcp 111 rpc.log
+udp 111 rpc.log
+tcp 137 netbios.log
+udp 137 netbios.log
+tcp 143 imap.log
+udp 161 snmp.log
+udp 370 backweb.log
+udp 371 backweb.log
+tcp 443 https.log
+udp 443 https.log
+udp 512 syslog.log
+tcp 635 nfs.log # NFS mount services
+udp 635 nfs.log # NFS mount services
+tcp 1080 socks.log
+udp 1080 socks.log
+tcp 6112 games.log # Battle net
+tcp 6667 irc.log
+tcp 7070 realaudio.log
+tcp 8080 http.log
+tcp 12345 netbus.log
+udp 31337 backorifice.log
\ No newline at end of file
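Review bot: The input log is opened with two-argument `open(LOGFILE, $filename)` on a name taken straight from the command line, so leading or trailing mode characters in that name are interpreted by Perl rather than treated as part of a path. Use the three-argument form and report the OS error: `open(LOGFILE, '<', $filename) || die "Could not open the firewall log file $filename: $!\n";`. The per-service open further down, `open ($handle, ">>".$filename)`, should become `open($handle, '>>', $filename)` for the same reason, even though those names currently come only from the `__DATA__` table. The script also has no `use strict; use warnings;`, and strict refs would reject the string-named `"HANDLE" . keys %openfiles` filehandles, so lexical handles stored in `%openfiles` would be the cleaner replacement.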
diff --git a/perl/plog b/perl/plog
new file mode 100644
index 0000000..208c6ea
--- /dev/null
+++ b/perl/plog
@@ -0,0 +1,1061 @@
+#!/usr/bin/perl -wT
+#
+# Author: Jefferson Ogata (JO317) <jogata@pobox.com>
+# Date: 2000/04/22
+# Version: 0.10
+#
+# Please feel free to use or redistribute this program if you find it useful.
+# If you have suggestions, or even better, bits of new code, send them to me
+# and I will add them when I have time. The current version of this script
+# can always be found at the URL:
+#
+# http://www.antibozo.net/ogata/webtools/plog.pl
+# http://pobox.com/~ogata/webtools/plog.txt
+#
+# Parse ipmon output into a coherent form. This program only handles the
+# lines regarding filter actions. It does not parse nat and state lines.
+#
+# Present lines from ipmon to this program on standard input.
+#
+# EXAMPLES
+#
+# plog -AF block,log < /var/log/ipf
+#
+# Generate source and destination reports of all packets logged with
+# block or log actions, and report TCP flags and keep state actions.
+#
+# plog -S -s ./services www.example.com < /var/log/ipf
+#
+# Generate a source report of traffic to or from www.example.com using
+# the additional services defined in ./services.
+#
+# plog -nSA block < /var/log/ipf
+#
+# Generate a source report of all blocked packets with no hostname
+# lookups. This is handy for an initial pass to identify portscans or
+# other aggressive traffic.
+#
+# plog -SFp 192.168.0.0/24 www.example.com/24 < /var/log/ipf
+#
+# Generate a source report of all packets whose source or destination
+# address is either in 192.168.0.0/24 or an address associated with
+# the host www.example.com, report packet flags and perform paranoid
+# hostname lookups. This is a handy usage for examining traffic more
+# closely after identifying a potential attack.
+#
+# TODO
+#
+# - Handle output from ipmon -v.
+# - Handle timestamps from other locales. Anyone with a timestamp problem
+# please email me the format of your timestamps.
+# - It looks as though short TCP or UDP packets will break things, but I
+# haven't seen any yet.
+#
+# CHANGES
+#
+# 2000/04/22 (0.10):
+# - Restructured host name and address caches. Hosts are now cached using
+# packed addresses as keys. Conversion to IPv6 should be simple now.
+# - Added paranoid hostname lookups.
+# - Added netmask qualifications for address arguments.
+# - Tweaked usage info.
+# 2000/04/20:
+# - Added parsing and tracking of TCP and state flags.
+# 2000/04/12 (0.9):
+# - Wasn't handling underscore in hostname,servicename fields; these may be
+# logged using ipmon -n. Observation by <ark@eltex.ru>.
+# - Hadn't properly attributed observation and fix for repetition counter in
+# 0.8 change log. Added John Ladwig to attribution. Thanks, John.
+#
+# 2000/04/10 (0.8):
+# - Service names can also have hyphens, dummy. I wasn't allowing these
+# either. Observation and fix thanks to Taso N. Devetzis
+# <devetzis@snet.net>.
+# - IP Filter now logs a repetition counter. Observation and fixes (changed
+# slightly) from Andy Kreiling <Andy@ntcs-inc.com> and John Ladwig
+# <jladwig@nts.umn.edu>.
+# - Added fix to handle new Solaris log format, e.g.:
+# Nov 30 04:49:37 raoul ipmon[121]: [ID 702911 local0.warning] 04:49:36.420541 hme0 @0:34 b 205.152.16.6,58596 -> 204.60.220.24,113 PR tcp len 20 44
+# Fix thanks to Taso N. Devetzis <devetzis@SNET.Net>.
+# - Added services map option.
+# - Added options for generating only source/destination tables.
+# - Added verbosity option.
+# - Added option for reporting traffic for specific hosts.
+# - Added some more ICMP unreachable codes, and made code and type names
+# match the ones in IP Filter parse.c.
+# - Condensed output format somewhat.
+# - Various minor improvements, perhaps slight speed improvements.
+# - Documented new options in usage() and tried to improve wording.
+#
+# 1999/08/02 (0.7):
+# - Hostnames can have hyphens, dummy. I wasn't allowing them in the syslog
+# line. Fix from Antoine Verheijen <antoine.verheijen@ualberta.ca>.
+#
+# 1999/05/05 (0.6):
+# - IRIX syslog prefixes the hostname with a severity code. Handle it. Fix
+# from John Ladwig <jladwig@nts.umn.edu>.
+#
+# 1999/05/05 (0.5):
+# - Protocols other than TCP, UDP, or ICMP have packet lengths reported in
+# parentheses for some reason. The script now handles this. Thanks to
+# Dispatcher <dispatch@blackhelicopters.org>.
+# - I had mixed up info-request and info-reply ICMP codes, and omitted the
+# traceroute code. Sorted this out. I had also missed code 0 for type 6
+# (alternate address for host). Thanks to John Ladwig <jladwig@nts.umn.edu>.
+#
+# 1999/05/03:
+# - Now accepts hostnames in the source and destination address fields, as
+# well as port names in the port fields. This allows the people who are
+# using ipmon -n to still use plog. Note that if you are logging
+# hostnames, you are vulnerable to forgery of DNS information, modified
+# DNS information, and your log files will be larger also. If you are
+# using this program you can have it look up the names for you (still
+# vulnerable to forgery) and keep your logged addresses all in numeric
+# format, so that packets from the same source will always show the same
+# source address regardless of what's up with DNS. Obviously, I don't
+# favor using ipmon -n. Nevertheless, some people wanted this, so here it
+# is.
+# - Added S and n flags to %acts hash. Thanks to Stephen J. Roznowski
+# <sjr@home.net>.
+# - Stopped reporting host IPs twice when numeric output was requested.
+# Thanks, yet again, to Stephen J. Roznowski <sjr@home.net>.
+# - Number of minor tweaks that might speed it up a bit, and some comments.
+# - Put the script back up on the web site. I had moved the site and
+# forgotten to move the tool.
+#
+# 1999/02/04:
+# - Changed log line parser to accept fully-qualified name in the logging
+# host field. Thanks to Stephen J. Roznowski <sjr@home.net>.
+#
+# 1999/01/22:
+# - Changed high port strategy to use 65536 for unknown high ports so that
+# they are sorted last.
+#
+# 1999/01/21:
+# - Moved icmp parsing to output loop.
+# - Added parsing of icmp codes, and more types.
+# - Changed packet sort routine to sort by port number rather than service
+# name.
+#
+# 1999/01/20:
+# - Fixed problem matching ipmon log lines. Sometimes they have "/ipmon" in
+# them, sometimes just "ipmon".
+# - Added numeric parse option to turn off hostname lookups.
+# - Moved summary to usage() sub.
+
+use strict;
+use Socket;
+use IO::File;
+
+select STDOUT; $| = 1;
+
+my %hosts;
+
+my $me = $0;
+$me =~ s/^.*\///;
+
+# Map of log codes for various actions. Not all of these can occur, but
+# I've included everything in print_ipflog() from ipmon.c.
+my %acts = (
+ 'p' => 'pass',
+ 'P' => 'pass',
+ 'b' => 'block',
+ 'B' => 'block',
+ 'L' => 'log',
+ 'S' => 'short',
+ 'n' => 'nomatch',
+);
+
+# Map of ICMP types and their relevant codes.
+my %icmpTypeMap = (
+ 0 => +{
+ name => 'echorep',
+ codes => +{0 => undef},
+ },
+ 3 => +{
+ name => 'unreach',
+ codes => +{
+ 0 => 'net-unr',
+ 1 => 'host-unr',
+ 2 => 'proto-unr',
+ 3 => 'port-unr',
+ 4 => 'needfrag',
+ 5 => 'srcfail',
+ 6 => 'net-unk',
+ 7 => 'host-unk',
+ 8 => 'isolate',
+ 9 => 'net-prohib',
+ 10 => 'host-prohib',
+ 11 => 'net-tos',
+ 12 => 'host-tos',
+ 13 => 'filter-prohib',
+ 14 => 'host-preced',
+ 15 => 'preced-cutoff',
+ },
+ },
+ 4 => +{
+ name => 'squench',
+ codes => +{0 => undef},
+ },
+ 5 => +{
+ name => 'redir',
+ codes => +{
+ 0 => 'net',
+ 1 => 'host',
+ 2 => 'tos',
+ 3 => 'tos-host',
+ },
+ },
+ 6 => +{
+ name => 'alt-host-addr',
+ codes => +{
+ 0 => 'alt-addr'
+ },
+ },
+ 8 => +{
+ name => 'echo',
+ codes => +{0 => undef},
+ },
+ 9 => +{
+ name => 'routerad',
+ codes => +{0 => undef},
+ },
+ 10 => +{
+ name => 'routersol',
+ codes => +{0 => undef},
+ },
+ 11 => +{
+ name => 'timex',
+ codes => +{
+ 0 => 'in-transit',
+ 1 => 'frag-assy',
+ },
+ },
+ 12 => +{
+ name => 'paramprob',
+ codes => +{
+ 0 => 'ptr-err',
+ 1 => 'miss-opt',
+ 2 => 'bad-len',
+ },
+ },
+ 13 => +{
+ name => 'timest',
+ codes => +{0 => undef},
+ },
+ 14 => +{
+ name => 'timestrep',
+ codes => +{0 => undef},
+ },
+ 15 => +{
+ name => 'inforeq',
+ codes => +{0 => undef},
+ },
+ 16 => +{
+ name => 'inforep',
+ codes => +{0 => undef},
+ },
+ 17 => +{
+ name => 'maskreq',
+ codes => +{0 => undef},
+ },
+ 18 => +{
+ name => 'maskrep',
+ codes => +{0 => undef},
+ },
+ 30 => +{
+ name => 'tracert',
+ codes => +{ },
+ },
+ 31 => +{
+ name => 'dgram-conv-err',
+ codes => +{ },
+ },
+ 32 => +{
+ name => 'mbl-host-redir',
+ codes => +{ },
+ },
+ 33 => +{
+ name => 'ipv6-whereru?',
+ codes => +{ },
+ },
+ 34 => +{
+ name => 'ipv6-iamhere',
+ codes => +{ },
+ },
+ 35 => +{
+ name => 'mbl-reg-req',
+ codes => +{ },
+ },
+ 36 => +{
+ name => 'mbl-reg-rep',
+ codes => +{ },
+ },
+);
+
+# Arguments we will parse from argument list.
+my $numeric = 0; # Don't lookup hostnames.
+my $paranoid = 0; # Do paranoid hostname lookups.
+my $verbosity = 0; # Bla' bla' bla'.
+my $sTable = 0; # Generate source table.
+my $dTable = 0; # Generate destination table.
+my @services = (); # Preload services tables.
+my $showFlags = 0; # Show TCP flag combinations.
+my %selectAddrs; # Limit report to these hosts.
+my %selectActs; # Limit report to these actions.
+
+# Parse argument list.
+while (defined ($_ = shift))
+{
+ if (s/^-//)
+ {
+ while (s/^([vnpSD\?hsAF])//)
+ {
+ my $flag = $1;
+ if ($flag eq 'v')
+ {
+ ++$verbosity;
+ }
+ elsif ($flag eq 'n')
+ {
+ $numeric = 1;
+ }
+ elsif ($flag eq 'p')
+ {
+ $paranoid = 1;
+ }
+ elsif ($flag eq 'S')
+ {
+ $sTable = 1;
+ }
+ elsif ($flag eq 'D')
+ {
+ $dTable = 1;
+ }
+ elsif ($flag eq 'F')
+ {
+ $showFlags = 1;
+ }
+ elsif (($flag eq '?') || ($flag eq 'h'))
+ {
+ &usage (0);
+ }
+ else
+ {
+ my $arg = shift;
+ defined ($arg) || &usage (1, qq{-$flag requires an argument});
+ if ($flag eq 's')
+ {
+ push (@services, $arg);
+ }
+ elsif ($flag eq 'A')
+ {
+ my @acts = split (/,/, $arg);
+ my $a;
+ foreach $a (@acts)
+ {
+ my $aa;
+ my $match = 0;
+ foreach $aa (keys (%acts))
+ {
+ if ($acts{$aa} eq $a)
+ {
+ ++$match;
+ $selectActs{$aa} = $a;
+ }
+ }
+ $match || &usage (1, qq{unknown action $a});
+ }
+ }
+ }
+ }
+
+ &usage (1, qq{unknown option: -$_}) if (length);
+
+ next;
+ }
+
+ # Add host to hash of hosts we're interested in.
+ (/^(.+)\/([\d+\.]+)$/) || (/^(.+)$/) || &usage (1, qq{invalid CIDR address $_});
+ my ($addr, $mask) = ($1, $2);
+ my @addr = &hostAddrs ($addr);
+ (scalar (@addr)) || &usage (1, qq{cannot resolve hostname $_});
+ if (!defined ($mask))
+ {
+ $mask = (2 ** 32) - 1;
+ }
+ elsif (($mask =~ /^\d+$/) && ($mask <= 32))
+ {
+ $mask = (2 ** 32) - 1 - ((2 ** (32 - $mask)) - 1);
+ }
+ elsif (defined ($mask = &isDottedAddr ($mask)))
+ {
+ $mask = &integerAddr ($mask);
+ }
+ else
+ {
+ &usage (1, qq{invalid CIDR address $_});
+ }
+ foreach $addr (@addr)
+ {
+ # Save mask unless we already have a less specific one for this address.
+ my $a = &integerAddr ($addr) & $mask;
+ $selectAddrs{$a} = $mask unless (exists ($selectAddrs{$a}) && ($selectAddrs{$a} < $mask));
+ }
+}
+
+# Which tables will we generate?
+$dTable = $sTable = 1 unless ($dTable || $sTable);
+my @dirs;
+push (@dirs, 'd') if ($dTable);
+push (@dirs, 's') if ($sTable);
+
+# Are we interested in specific hosts?
+my $selectAddrs = scalar (keys (%selectAddrs));
+
+# Are we interested in specific actions?
+if (scalar (keys (%selectActs)) == 0)
+{
+ %selectActs = %acts;
+}
+
+# We use this hash to cache port name -> number and number -> name mappings.
+# Isn't it cool that we can use the same hash for both?
+my %pn;
+
+# Preload any services maps.
+my $sm;
+foreach $sm (@services)
+{
+ my $sf = new IO::File ($sm, "r");
+ defined ($sf) || &quit (1, qq{cannot open services file $sm});
+
+ while (defined ($_ = $sf->getline ()))
+ {
+ my $text = $_;
+ chomp;
+ s/#.*$//;
+ s/\s+$//;
+ next unless (length);
+ my ($name, $spec, @aliases) = split (/\s+/);
+ ($spec =~ /^([\w\-]+)\/([\w\-]+)$/)
+ || &quit (1, qq{$sm:$.: invalid definition: $text});
+ my ($pnum, $proto) = ($1, $2);
+
+ # Enter service definition in pn hash both forwards and backwards.
+ my $port;
+ my $pname;
+ foreach $port ($name, @aliases)
+ {
+ $pname = "$pnum/$proto";
+ $pn{$pname} = $port;
+ }
+ $pname = "$name/$proto";
+ $pn{$pname} = $pnum;
+ }
+
+ $sf->close ();
+}
+
+# Cache for host name -> addr mappings.
+my %ipAddr;
+
+# Cache for host addr -> name mappings.
+my %ipName;
+
+# Hash for protocol number <--> name mappings.
+my %pr;
+
+# Under IPv4 port numbers are unsigned shorts. The value below is higher
+# than the maximum value of an unsigned short, and is used in place of
+# high port numbers that don't correspond to known services. This makes
+# high ports get sorted behind all others.
+my $highPort = 0x10000;
+
+while (<STDIN>)
+{
+ chomp;
+
+ # For ipmon output that came through syslog, we'll have an asctime
+ # timestamp, an optional severity code (IRIX), the hostname,
+ # "ipmon"[process id]: prefixed to the line. For output that was
+ # written directly to a file by ipmon, we'll have a date prefix as
+ # dd/mm/yyyy (no y2k problem here!). Both formats then have a packet
+ # timestamp and the log info.
+ my ($log);
+ if (s/^\w+\s+\d+\s+\d+:\d+:\d+\s+(?:\d\w:)?[\w\.\-]+\s+\S*ipmon\[\d+\]:\s+(?:\[ID\s+\d+\s+[\w\.]+\]\s+)?\d+:\d+:\d+\.\d+\s+//)
+ {
+ $log = $_;
+ }
+ elsif (s/^(?:\d+\/\d+\/\d+)\s+(?:\d+:\d+:\d+\.\d+)\s+//)
+ {
+ $log = $_;
+ }
+ else
+ {
+ # It don't look like no ipmon output to me, baby.
+ next;
+ }
+ next unless (defined ($log));
+
+ print STDERR "$log\n" if ($verbosity);
+
+ # Parse the log line. We're expecting interface name, rule group and
+ # number, an action code, a source host name or IP with possible port
+ # name or number, a destination host name or IP with possible port
+ # number, "PR", a protocol name or number, "len", a header length, a
+ # packet length (which will be in parentheses for protocols other than
+ # TCP, UDP, or ICMP), and maybe some additional info.
+ my @fields = ($log =~ /^(?:(\d+)x)?\s*(\w+)\s+@(\d+):(\d+)\s+(\w)\s+([\w\-\.,]+)\s+->\s+([\w\-\.,]+)\s+PR\s+(\w+)\s+len\s+(\d+)\s+\(?(\d+)\)?\s*(.*)$/ox);
+ unless (scalar (@fields))
+ {
+ print STDERR "$me:$.: cannot parse: $_\n";
+ next;
+ }
+ my ($count, $if, $group, $rule, $act, $src, $dest, $proto, $hlen, $len, $more) = @fields;
+
+ # Skip actions we're not interested in.
+ next unless (exists ($selectActs{$act}));
+
+ # Packet count defaults to 1.
+ $count = 1 unless (defined ($count));
+
+ my ($sport, $dport, @flags);
+
+ if ($proto eq 'icmp')
+ {
+ if ($more =~ s/^icmp (\d+)\/(\d+)\s*//)
+ {
+ # We save icmp type and code in both sport and dport. This
+ # allows us to sort icmp packets using the normal port-sorting
+ # code.
+ $dport = $sport = "$1.$2";
+ }
+ else
+ {
+ $sport = '';
+ $dport = '';
+ }
+ }
+ else
+ {
+ if ($showFlags)
+ {
+ if (($proto eq 'tcp') && ($more =~ s/^\-([A-Z]+)\s*//))
+ {
+ push (@flags, $1);
+ }
+ if ($more =~ s/^K\-S\s*//)
+ {
+ push (@flags, 'state');
+ }
+ }
+ if ($src =~ s/,([\-\w]+)$//)
+ {
+ $sport = &portSimplify ($1, $proto);
+ }
+ else
+ {
+ $sport = '';
+ }
+ if ($dest =~ s/,([\-\w]+)$//)
+ {
+ $dport = &portSimplify ($1, $proto);
+ }
+ else
+ {
+ $dport = '';
+ }
+ }
+
+ # Make sure addresses are numeric at this point. We want to sort by
+ # IP address later. If the hostname doesn't resolve, punt. If you
+ # must use ipmon -n, be ready for weirdness. Use only the first
+ # address returned.
+ my $x;
+ $x = (&hostAddrs ($src))[0];
+ unless (defined ($x))
+ {
+ print STDERR "$me:$.: cannot resolve hostname $src\n";
+ next;
+ }
+ $src = $x;
+ $x = (&hostAddrs ($dest))[0];
+ unless (defined ($x))
+ {
+ print STDERR "$me:$.: cannot resolve hostname $dest\n";
+ next;
+ }
+ $dest = $x;
+
+ # Skip hosts we're not interested in.
+ if ($selectAddrs)
+ {
+ my ($a, $m);
+ my $s = &integerAddr ($src);
+ my $d = &integerAddr ($dest);
+ my $cute = 0;
+ while (($a, $m) = each (%selectAddrs))
+ {
+ if ((($s & $m) == $a) || (($d & $m) == $a))
+ {
+ $cute = 1;
+ last;
+ }
+ }
+ next unless ($cute);
+ }
+
+ # Convert proto to proto number.
+ $proto = &protoNumber ($proto);
+
+ sub countPacket
+ {
+ my ($host, $dir, $peer, $proto, $count, $packet, @flags) = @_;
+
+ # Make sure host is in the hosts hash.
+ $hosts{$host} =
+ +{
+ 'd' => +{ },
+ 's' => +{ },
+ } unless (exists ($hosts{$host}));
+
+ # Get the source/destination traffic hash for the host in question.
+ my $trafficHash = $hosts{$host}->{$dir};
+
+ # Make sure there's a hash for the peer.
+ $trafficHash->{$peer} = +{ } unless (exists ($trafficHash->{$peer}));
+
+ # Make sure the peer hash has a hash for the protocol number.
+ my $peerHash = $trafficHash->{$peer};
+ $peerHash->{$proto} = +{ } unless (exists ($peerHash->{$proto}));
+
+ # Make sure there's a counter for this packet type in the proto hash.
+ my $protoHash = $peerHash->{$proto};
+ $protoHash->{$packet} = +{ '' => 0 } unless (exists ($protoHash->{$packet}));
+
+ # Increment the counter and mark flags.
+ my $packetHash = $protoHash->{$packet};
+ $packetHash->{''} += $count;
+ map { $packetHash->{$_} = undef; } (@flags);
+ }
+
+ # Count the packet as outgoing traffic from the source address.
+ &countPacket ($src, 's', $dest, $proto, $count, "$sport:$dport:$if:$act", @flags) if ($sTable);
+
+ # Count the packet as incoming traffic to the destination address.
+ &countPacket ($dest, 'd', $src, $proto, $count, "$dport:$sport:$if:$act", @flags) if ($dTable);
+}
+
+my $dir;
+foreach $dir (@dirs)
+{
+ my $order = ($dir eq 's' ? 'source' : 'destination');
+ my $arrow = ($dir eq 's' ? '->' : '<-');
+
+ print "###\n";
+ print "### Traffic by $order address:\n";
+ print "###\n";
+
+ sub ipSort
+ {
+ &integerAddr ($a) <=> &integerAddr ($b);
+ }
+
+ sub packetSort
+ {
+ my ($asport, $adport, $aif, $aact) = split (/:/, $a);
+ my ($bsport, $bdport, $bif, $bact) = split (/:/, $b);
+ $bact cmp $aact || $aif cmp $bif || $asport <=> $bsport || $adport <=> $bdport;
+ }
+
+ my $host;
+ foreach $host (sort ipSort (keys %hosts))
+ {
+ my $traffic = $hosts{$host}->{$dir};
+
+ # Skip hosts with no traffic.
+ next unless (scalar (keys (%{$traffic})));
+
+ if ($numeric)
+ {
+ print &dottedAddr ($host), "\n";
+ }
+ else
+ {
+ print &hostName ($host), " \[", &dottedAddr ($host), "\]\n";
+ }
+
+ my $peer;
+ foreach $peer (sort ipSort (keys %{$traffic}))
+ {
+ my $peerHash = $traffic->{$peer};
+ my $peerName = ($numeric ? &dottedAddr ($peer) : &hostName ($peer));
+ my $proto;
+ foreach $proto (sort (keys (%{$peerHash})))
+ {
+ my $protoHash = $peerHash->{$proto};
+ my $protoName = &protoName ($proto);
+
+ my $packet;
+ foreach $packet (sort packetSort (keys %{$protoHash}))
+ {
+ my ($sport, $dport, $if, $act) = split (/:/, $packet);
+ my $packetHash = $protoHash->{$packet};
+ my $count = $packetHash->{''};
+ $act = '?' unless (defined ($act = $acts{$act}));
+ if (($protoName eq 'tcp') || ($protoName eq 'udp'))
+ {
+ printf (" %-6s %7s %4d %4s %16s %2s %s.%s", $if, $act, $count, $protoName, &portName ($sport, $protoName), $arrow, $peerName, &portName ($dport, $protoName));
+ }
+ elsif ($protoName eq 'icmp')
+ {
+ printf (" %-6s %7s %4d %4s %16s %2s %s", $if, $act, $count, $protoName, &icmpType ($sport), $arrow, $peerName);
+ }
+ else
+ {
+ printf (" %-6s %7s %4d %4s %16s %2s %s", $if, $act, $count, $protoName, '', $arrow, $peerName);
+ }
+ if ($showFlags)
+ {
+ my @flags = sort (keys (%{$packetHash}));
+ if (scalar (@flags))
+ {
+ shift (@flags);
+ print ' (', join (',', @flags), ')' if (scalar (@flags));
+ }
+ }
+ print "\n";
+ }
+ }
+ }
+ }
+
+ print "\n";
+}
+
+exit (0);
+
+# Translates a numeric port/named protocol to a port name. Reserved ports
+# that do not have an entry in the services database are left numeric. High
+# ports that do not have an entry in the services database are mapped
+# to '<high>'.
+sub portName
+{
+ my $port = shift;
+ my $proto = shift;
+ my $pname = "$port/$proto";
+ unless (exists ($pn{$pname}))
+ {
+ my $name = getservbyport ($port, $proto);
+ $pn{$pname} = (defined ($name) ? $name : ($port <= 1023 ? $port : '<high>'));
+ }
+ return $pn{$pname};
+}
+
+# Translates a named port/protocol to a port number.
+sub portNumber
+{
+ my $port = shift;
+ my $proto = shift;
+ my $pname = "$port/$proto";
+ unless (exists ($pn{$pname}))
+ {
+ my $number = getservbyname ($port, $proto);
+ unless (defined ($number))
+ {
+ # I don't think we need to recover from this. How did the port
+ # name get into the log file if we can't find it? Log file from
+ # a different machine? Fix /etc/services on this one if that's
+ # your problem.
+ die ("Unrecognized port name \"$port\" at $.");
+ }
+ $pn{$pname} = $number;
+ }
+ return $pn{$pname};
+}
+
+# Convert all unrecognized high ports to the same value so they are treated
+# identically. The protocol should be by name.
+sub portSimplify
+{
+ my $port = shift;
+ my $proto = shift;
+
+ # Make sure port is numeric.
+ $port = &portNumber ($port, $proto)
+ unless ($port =~ /^\d+$/);
+
+ # Look up port name.
+ my $portName = &portName ($port, $proto);
+
+ # Port is an unknown high port. Return a value that is too high for a
+ # port number, so that high ports get sorted last.
+ return $highPort if ($portName eq '<high>');
+
+ # Return original port number.
+ return $port;
+}
+
+# Translates a numeric address into a hostname. Pass only packed numeric
+# addresses to this routine.
+sub hostName
+{
+ my $ip = shift;
+ return $ipName{$ip} if (exists ($ipName{$ip}));
+
+ # Do an inverse lookup on the address.
+ my $name = gethostbyaddr ($ip, AF_INET);
+ unless (defined ($name))
+ {
+ # Inverse lookup failed, so map the IP address to its dotted
+ # representation and cache that.
+ $ipName{$ip} = &dottedAddr ($ip);
+ return $ipName{$ip};
+ }
+
+ # For paranoid hostname lookups.
+ if ($paranoid)
+ {
+ # If this address already matches, we're happy.
+ unless (exists ($ipName{$ip}) && (lc ($ipName{$ip}) eq lc ($name)))
+ {
+ # Do a forward lookup on the resulting name.
+ my @addr = &hostAddrs ($name);
+ my $match = 0;
+
+ # Cache the forward lookup results for future inverse lookups,
+ # but don't stomp on inverses we've already cached, even if they
+ # are questionable. We want to generate consistent output, and
+ # the cache is growing incrementally.
+ foreach (@addr)
+ {
+ $ipName{$_} = $name unless (exists ($ipName{$_}));
+ $match = 1 if ($_ eq $ip);
+ }
+
+ # Was this one of the addresses? If not, tack on a ?.
+ $name .= '?' unless ($match);
+ }
+ }
+ else
+ {
+ # Just believe it and cache it.
+ $ipName{$ip} = $name;
+ }
+
+ return $name;
+}
+
+# Translates a hostname or dotted address into a list of packed numeric
+# addresses.
+sub hostAddrs
+{
+ my $name = shift;
+ my $ip;
+
+ # Check if it's a dotted representation.
+ return ($ip) if (defined ($ip = &isDottedAddr ($name)));
+
+ # Return result from cache.
+ $name = lc ($name);
+ return @{$ipAddr{$name}} if (exists ($ipAddr{$name}));
+
+ # Look up the addresses.
+ my @addr = gethostbyname ($name);
+ splice (@addr, 0, 4);
+
+ unless (scalar (@addr))
+ {
+ # Again, I don't think we need to recover from this gracefully.
+ # If we can't resolve a hostname that ended up in the log file,
+ # punt. We want to be able to sort hosts by IP address later,
+ # and letting hostnames through will snarl up that code. Users
+ # of ipmon -n will have to grin and bear it for now. The
+ # functions that get undef back should treat it as an error or
+ # as some default address, e.g. 0 just to make things work.
+ return ();
+ }
+
+ $ipAddr{$name} = [ @addr ];
+ return @{$ipAddr{$name}};
+}
+
+# If the argument is a valid dotted address, returns the corresponding
+# packed numeric address, otherwise returns undef.
+sub isDottedAddr
+{
+ my $addr = shift;
+ if ($addr =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/)
+ {
+ my @a = (int ($1), int ($2), int ($3), int ($4));
+ foreach (@a)
+ {
+ return undef if ($_ >= 256);
+ }
+ return pack ('C*', @a);
+ }
+ return undef;
+}
+
+# Unpacks a packed numeric address and returns an integer representation.
+sub integerAddr
+{
+ my $addr = shift;
+ return unpack ('N', $addr);
+
+ # The following is for generalized IPv4/IPv6 stuff. For now, it's a
+ # lot faster to assume IPv4.
+ my @a = unpack ('C*', $addr);
+ my $a = 0;
+ while (scalar (@a))
+ {
+ $a = ($a << 8) | shift (@a);
+ }
+ return $a;
+}
+
+# Unpacks a packed numeric address into a dotted representation.
+sub dottedAddr
+{
+ my $addr = shift;
+ my @a = unpack ('C*', $addr);
+ return join ('.', @a);
+}
+
+# Translates a protocol number into a protocol name, or a number if no name
+# is found in the protocol database.
+sub protoName
+{
+ my $code = shift;
+ return $code if ($code !~ /^\d+$/);
+ unless (exists ($pr{$code}))
+ {
+ my $name = scalar (getprotobynumber ($code));
+ if (defined ($name))
+ {
+ $pr{$code} = $name;
+ }
+ else
+ {
+ $pr{$code} = $code;
+ }
+ }
+ return $pr{$code};
+}
+
+# Translates a protocol name or number into a protocol number.
+sub protoNumber
+{
+ my $name = shift;
+ return $name if ($name =~ /^\d+$/);
+ unless (exists ($pr{$name}))
+ {
+ my $code = scalar (getprotobyname ($name));
+ if (defined ($code))
+ {
+ $pr{$name} = $code;
+ }
+ else
+ {
+ $pr{$name} = $name;
+ }
+ }
+ return $pr{$name};
+}
+
+sub icmpType
+{
+ my $typeCode = shift;
+ my ($type, $code) = split ('\.', $typeCode);
+
+ return "?" unless (defined ($code));
+
+ my $info = $icmpTypeMap{$type};
+
+ return "\(type=$type/$code?\)" unless (defined ($info));
+
+ my $typeName = $info->{name};
+ my $codeName;
+ if (exists ($info->{codes}->{$code}))
+ {
+ $codeName = $info->{codes}->{$code};
+ $codeName = (defined ($codeName) ? "/$codeName" : '');
+ }
+ else
+ {
+ $codeName = "/$code";
+ }
+ return "$typeName$codeName";
+}
+
+sub quit
+{
+ my $ec = shift;
+ my $msg = shift;
+
+ print STDERR "$me: $msg\n";
+ exit ($ec);
+}
+
+sub usage
+{
+ my $ec = shift;
+ my @msg = @_;
+
+ if (scalar (@msg))
+ {
+ print STDERR "$me: ", join ("\n", @msg), "\n\n";
+ }
+
+ print <<EOT;
+usage: $me [-nSDF] [-s servicemap] [-A act1,...] [address...]
+
+Parses logging from ipmon and presents it in a comprehensible format. This
+program generates two reports: one organized by source address and another
+organized by destination address. For the first report, source addresses are
+sorted by IP address. For each address, all packets originating at the address
+are presented in a tabular form, where all packets with the same source and
+destination address and port are counted as a single entry. Any port number
+greater than 1023 that does not match an entry in the services table is treated
+as a "high" port; all high ports are coalesced into the same entry. The fields
+for the source address report are:
+ iface action packet-count proto src-port dest-host.dest-port \[\(flags\)\]
+The fields for the destination address report are:
+ iface action packet-count proto dest-port src-host.src-port \[\(flags\)\]
+
+Options are:
+-n Disable hostname lookups, and report only IP addresses.
+-p Perform paranoid hostname lookups.
+-S Generate a source address report.
+-D Generate a destination address report.
+-F Show all flag combinations associated with packets.
+-s map Supply an alternate services map to be preloaded. The map should
+ be in the same format as /etc/services. Any service name not found
+ in the map will be looked for in the system services file.
+-A act1,... Limit the report to the specified actions. The possible actions
+ are pass, block, log, short, and nomatch.
+
+If any addresses are supplied on the command line, the report is limited to
+these hosts. Addresses may be given as dotted IP addresses or hostnames, and
+may be qualified with netmasks in CIDR \(/24\) or dotted \(/255.255.255.0\) format.
+If a hostname resolves to multiple addresses, all addresses are used.
+
+If neither -S nor -D is given, both reports are generated.
+
+Note: if you are logging traffic with ipmon -n, ipmon will already have looked
+up and logged addresses as hostnames where possible. This has an important side
+effect: this program will translate the hostnames back into IP addresses which
+may not match the original addresses of the logged packets because of numerous
+DNS issues. If you care about where packets are really coming from, you simply
+cannot rely on ipmon -n. An attacker with control of his reverse DNS can map
+the reverse lookup to anything he likes. If you haven't logged the numeric IP
+address, there's no way to discover the source of an attack reliably. For this
+reason, I strongly recommend that you run ipmon without the -n option, and use
+this or a similar script to do reverse lookups during analysis, rather than
+during logging.
+EOT
+
+ exit ($ec);
+}
+
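Review bot: The address filter inside the main `while (<STDIN>)` loop leaves the `each (%selectAddrs)` iterator part-way through the hash when it hits `last`, so the next log line resumes after the entry that matched instead of starting over. With a single selected address the following line sees an exhausted iterator, `$cute` stays 0, and a matching packet is silently dropped from the report. Reset the iterator before the loop with `keys (%selectAddrs);`, or iterate with `foreach my $k (keys (%selectAddrs))` and read the mask as `$selectAddrs{$k}`. Separately, the character class in `/^(.+)\/([\d+\.]+)$/` admits a literal `+`; `[\d\.]+` is presumably what was meant.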