								Sept, 1992

This is IPMON Version 1.1.  It lets you monitor IP traffic on an
entire local network.

THE IPMON PROGRAM MUST EITHER BE SUID TO ROOT OR BE RUN AS ROOT,
SINCE IT MUST OPEN THE ETHERNET DEVICE (NIT)! Once the device is open
it sets its uid back to the id of the user who invoked it, so the rest
of the program does not run as root....
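The open-as-root-then-drop sequence described above is the one place where
a suid sniffer has to get things right, so here is an added example of it in
C.  This is not IPMON's own source (which is not included in this README);
/dev/nit is an assumed device path, and drop_privileges() and
open_device_then_drop() are names chosen for the example.  The point worth
copying is that it clears the supplementary group list, changes gid before
uid, and then checks that every id really changed and that root cannot be
regained, rather than trusting the return value of setuid() alone.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Permanently give up root and become uid/gid.  Returns 0 on success,
 * -1 with errno set on failure.  The order is deliberate: the
 * supplementary group list and the gid can only be changed while we are
 * still root, so they go first and the uid goes last. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Only root may set the supplementary group list; keep just gid. */
        if (setgroups(1, &gid) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Do not trust the calls alone: confirm every id actually changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* Having left root, we must not be able to get it back. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Open the capture device while still privileged, then drop to the real
 * (invoking) user before anything else runs.  Returns the open fd or -1. */
int open_device_then_drop(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (drop_privileges(getuid(), getgid()) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* /dev/nit is an assumed path for the SunOS NIT device; pass any other
     * readable file as argv[1] to try the sequence on another system. */
    const char *dev = argc > 1 ? argv[1] : "/dev/nit";
    int fd = open_device_then_drop(dev);
    if (fd < 0) {
        fprintf(stderr, "%s: %s\n", dev, strerror(errno));
        return 1;
    }
    printf("opened %s; now running as uid %ld euid %ld\n",
           dev, (long)getuid(), (long)geteuid());
    close(fd);
    return 0;
}
```

Run it as root (or suid root) against the device and it reports the unprivileged
uid it ended up with; run it as an ordinary user against /dev/null and the drop
is a no-op that still passes every check.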

The following command line switches are available

-c # change the cycle time (the screen update interval) in seconds; the
   default is 10.

-s # change the scan rate, in cycles; the default is 6 cycles (see the
   scan command below).

-b Show bandwidth usage of your ethernet. Note: the extra work can cause
   packets to be lost if you are also monitoring a tcp/udp port.

-m mum mode: stops all screen updates so that all cpu cycles can be
   devoted to getting every packet recorded to the log file.  Useful if
   you can't stand to lose data.

-l logfile  - start with the named log file open.

-q - start with quiet mode enabled (the monitor displays only to/from
   addresses).

-d device - use device instead of the default device (le0).

-S file -  log bandwidth data to an auxiliary logging file.

The following commands are supported:

d t all	-> This will delete all port totals being displayed for tcp.

d u all	-> This will delete all port totals being displayed for udp.

d t port# -> This will delete the specified tcp port totals from being displayed.

d u port# -> This will delete the specified udp port totals from being displayed.

d i msg# -> This will delete the specified icmp msg totals from being displayed.

a t port# -> This will add the specified tcp port to having its totals displayed.

a u port# -> This will add the specified udp port to having its totals displayed.

a i msg# -> This will add the specified icmp message number to having its totals displayed.

m t port# -> Monitor data on the tcp port number specified. This will
display address information of every packet going by. It will also
record the data and address information to the log file if one is open.

m u port# -> Monitor data on the udp port number specified. This will
display address information of every packet going by. It will also
record the data and address information to the log file if one is open.

Please note only one port may be monitored at a time. Also if you have a
very busy port you can lose data and not see all that is going by.

m off -> This turns the monitor feature off.

show totals -> This will toggle the Broadcast, NetDisk, ARP, reverse ARP
(R-ARP), Unknown, Unknown IP (IP?) and ICMP counters to display the
sum-totals so far.

show int -> This will toggle the Broadcast, NetDisk, ARP, reverse ARP
(R-ARP), Unknown, Unknown IP (IP?) and ICMP counters to display the
interval totals for this update.

log open <filename> -> Begin recording logging data to the file name
specified. Only monitored information goes to the log (m t/u Port#).

log off -> close off the log file.

log what -> displays the current log file name, or None if the log is closed.

flush -> does an fflush() on the log file, so buffered log data reaches disk.

Note opening a second log file automatically closes the first file.

scan port# - port#  -> This will cause the TCP and UDP port totals
being displayed to scan forward 10 ports at a time through the given
range and then wrap back to the beginning port number. The display
advances once every -s cycles, where a cycle is the -c update interval;
the defaults are 6 cycles and 10 seconds.  This means by default every
60 seconds the next 10 ports will be displayed. Both values may be
altered by command line options to ipmon, -s scancycles -c cycletime.
-c is given in seconds and -s in cycles, so ./ipmon -s10 -c20 would
start ipmon so that the totals are updated every 20 seconds and the
scan advances to the next 10 ports every 200 seconds.
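As an added example (not IPMON's own source, which this README does not
include), here is a parser for the command set described above, written in
C, that turns one typed line into a structured command and rejects the forms
the text does not allow: "all" only with "d t" / "d u", no "m i" (only one
tcp or udp port can be monitored), ports limited to 0-65535 and icmp message
numbers to 0-255, and scan ranges written either as "scan 1 - 100" or
"scan 1-100".  The names parse_cmd, cmd and the CMD_* constants are chosen
for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kinds of interactive commands IPMON understands. */
typedef enum { CMD_BAD, CMD_DEL, CMD_ADD, CMD_MON, CMD_MON_OFF,
               CMD_SHOW_TOTALS, CMD_SHOW_INT, CMD_LOG_OPEN, CMD_LOG_OFF,
               CMD_LOG_WHAT, CMD_FLUSH, CMD_SCAN } cmd_kind;

typedef struct {
    cmd_kind kind;
    char proto;      /* 't', 'u' or 'i' for CMD_DEL / CMD_ADD / CMD_MON */
    int all;         /* 1 for "d t all" / "d u all" */
    int num;         /* tcp/udp port or icmp message number */
    int lo, hi;      /* port range for CMD_SCAN */
    char file[256];  /* file name for CMD_LOG_OPEN */
} cmd;

static int fail(cmd *c) { c->kind = CMD_BAD; return 0; }

/* Parse a decimal number in [0, max]; rejects "80x", "-1", "" and overflow. */
static int parse_num(const char *s, int max, int *out)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0') return 0;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 0 || v > max) return 0;
    *out = (int)v;
    return 1;
}

/* Parse one command line into *c.  Returns 1 if valid, otherwise 0 with
 * c->kind == CMD_BAD. */
int parse_cmd(const char *line, cmd *c)
{
    char buf[512], *tok[3], *p;
    int n = 0;

    memset(c, 0, sizeof *c);
    c->kind = CMD_BAD;
    while (*line == ' ' || *line == '\t') line++;
    if (strlen(line) >= sizeof buf) return 0;
    strcpy(buf, line);

    /* scan takes a range; the spaces around the dash are optional */
    if (strncmp(buf, "scan", 4) == 0 && (buf[4] == ' ' || buf[4] == '\t')) {
        if (sscanf(buf + 4, " %d - %d", &c->lo, &c->hi) != 2) return 0;
        if (c->lo < 0 || c->hi > 65535 || c->lo > c->hi) return 0;
        c->kind = CMD_SCAN;
        return 1;
    }
    /* every other command is at most three words */
    for (p = strtok(buf, " \t\r\n"); p != NULL && n < 3; p = strtok(NULL, " \t\r\n"))
        tok[n++] = p;
    if (n == 0 || p != NULL) return 0;

    if (n == 3 && tok[0][1] == '\0' && (tok[0][0] == 'd' || tok[0][0] == 'a')) {
        c->kind = tok[0][0] == 'd' ? CMD_DEL : CMD_ADD;
        c->proto = tok[1][0];
        if (tok[1][1] != '\0' || strchr("tui", c->proto) == NULL) return fail(c);
        if (strcmp(tok[2], "all") == 0) {
            /* "all" is only defined for deleting tcp or udp totals */
            if (c->kind != CMD_DEL || c->proto == 'i') return fail(c);
            c->all = 1;
            return 1;
        }
        /* tcp/udp ports are 16-bit, icmp message numbers are 8-bit */
        if (!parse_num(tok[2], c->proto == 'i' ? 255 : 65535, &c->num)) return fail(c);
        return 1;
    }
    if (strcmp(tok[0], "m") == 0) {
        if (n == 2 && strcmp(tok[1], "off") == 0) { c->kind = CMD_MON_OFF; return 1; }
        /* only a tcp or udp port can be monitored; there is no "m i" */
        if (n != 3 || tok[1][1] != '\0' || strchr("tu", tok[1][0]) == NULL) return 0;
        if (!parse_num(tok[2], 65535, &c->num)) return 0;
        c->proto = tok[1][0];
        c->kind = CMD_MON;
        return 1;
    }
    if (n == 2 && strcmp(tok[0], "show") == 0) {
        if (strcmp(tok[1], "totals") == 0) { c->kind = CMD_SHOW_TOTALS; return 1; }
        if (strcmp(tok[1], "int") == 0)    { c->kind = CMD_SHOW_INT;    return 1; }
        return 0;
    }
    if (strcmp(tok[0], "log") == 0) {
        if (n == 2 && strcmp(tok[1], "off") == 0)  { c->kind = CMD_LOG_OFF;  return 1; }
        if (n == 2 && strcmp(tok[1], "what") == 0) { c->kind = CMD_LOG_WHAT; return 1; }
        if (n == 3 && strcmp(tok[1], "open") == 0 && strlen(tok[2]) < sizeof c->file) {
            strcpy(c->file, tok[2]);
            c->kind = CMD_LOG_OPEN;
            return 1;
        }
        return 0;
    }
    if (n == 1 && strcmp(tok[0], "flush") == 0) { c->kind = CMD_FLUSH; return 1; }
    return 0;
}

int main(void)
{
    char line[512];
    cmd c;
    /* read commands from stdin and report whether each one parsed */
    while (fgets(line, sizeof line, stdin) != NULL) {
        line[strcspn(line, "\n")] = '\0';
        printf("%-24s -> %s\n", line, parse_cmd(line, &c) ? "ok" : "bad");
    }
    return 0;
}
```

Feeding it the commands from this README on stdin prints "ok" for each; a
line such as "a t 70000" or "m i 3" prints "bad".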

The remaining command line options, -l logfile and -q, pre-open a log
file for you or set quiet mode, where the monitor displays only to/from
addresses.

The program currently monitors all IP addresses, but I have noted one
problem that I am not sure about.  The machine on which the ipmon
program is running cannot see any packets that it sends out. I am not
sure if this is my problem or just the way the NIT device works.  Any
suggestions or changes will be gladly accepted; please, no flames over
coding style or other such things. I have turned this out very quickly
to help me with some testing I will be doing in Japan, and I did not
spend a lot of time on it.  I hope it helps you...


IPMON has been tested on Sun-4 SunOS 4.1.

You can redistribute this program as much as you want.  All I ask is
that you give credit where credit is due.  If you make modifications or
bug fixes, please send them to us so they can be incorporated into the
next release.

IPMON takes its basic packet processing shell from NFSWATCH.  Much thanks
to the creators of NFSWATCH:

Dave Curry					Jeff Mogul
SRI International				Digital Equipment Corp.
333 Ravenswood Avenue				Western Research Laboratory
Menlo Park, CA 94025				100 Hamilton Avenue
davy@erg.sri.com				Palo Alto, CA 94301
						mogul@decwrl.dec.com

For a good set of base code for me to hack and build on.

Randall Stewart
rrs@nynexst.com
 
