netlog 1.2  -- January 5, 1994

These directories contain a TCP and UDP traffic logging system.  These
programs are a part of the network security system used by Texas A&M
University.  It can be used for locating suspicious network traffic.
The following programs are included:

tcplogger -  Log all TCP connections on a subnet
udplogger -  Log all UDP sessions on a subnet
extract   -  Process log files created by tcplogger or udplogger
netwatch  -  Realtime network monitor

All three programs require an ANSI C compiler.  Tcplogger and
udplogger use the SunOS 4.x Network Interface Tap (nit) or
SunOS 5.x Data Link Provider Interface (DLPI).

To build the programs:

1) Edit the Makefile to select for SunOS 4.x or SunOS 5.x (Solaris)

2) just enter 'make'

You will end up with binaries in the 'bin' directory.

If you are using 'gcc', do not turn on optimization for tcplogger
or udplogger.  Also, if 'fix-includes' was not run, then you must
use the '-traditional' flag.  To be safe, use it anyway.

The latest versions of these programs (sans netwatch) are available
from:

net.tamu.edu:/pub/security/TAMU

net.tamu.edu == 128.194.177.1

* * * * * *

01/05/1994 Changes

Included stripped 'netwatch'.  The 'telnet' and 'ftp' modules
are removed to prevent the use of 'netwatch' as a password
grabber.

Bug fixes to improve reliability.

Added '-p' switch to all network monitoring tools, which causes them
to run in non-promiscuous mode, for use when monitoring a single
host.  This reduces load on the monitoring machine.

------------------------------------------------------------------------

10/31/1993 Changes

Support for SunOS 5.x DLPI.

Date/time handling in 'extract' corrected to properly handle daylight
saving time and other little nits.

Date/time output routines redone for performance.

Couple of minor bug fixes.

Hacked support for processing an ICMP log into extract.

Preliminary version of ICMP logger.  Eats tons of disk space though.

------------------------------------------------------------------------

08/23/1993 Changes

Date handling in extract improved with regard to time zones.  Also
removed references to timelocal() and used ANSI mktime() (it isn't
documented in SunOS 4, but it is there).  'extract' will now work
on SunOS 5 (and probably other UN*X's).

'extract' now handles hostnames that resolve to multiple IP addresses.

'extract' now treats an unresolvable hostname as a nonfatal condition.
It handles the failure in a semi-intelligent fashion based on the
context of the failure.

Added unbuffering flag (-U) to extract.  This causes it to not
buffer input, allowing:

tcplogger -b | extract -U

to be useful.

'udplogger' has a new option '-t' which specifies a timeout in
seconds.  This indicates how long to "remember" sessions before
assuming they have completed.  The default is 300 seconds.

------------------------------------------------------------------------

06/18/1993 Changes

Fixed bugs in extract dealing with dates (you couldn't specify the
last day of the month).

Added -n support to tcplogger and udplogger.  In tcplogger, udplogger
and extract, -n now disables port number name resolution as well.

tcplogger and udplogger now use the first ethernet interface on the
machine, instead of defaulting to "le0".  Thanks to Dave Hess for
sample code.

Fixed bug in extract that prevented using both "print" and "next"
on the same clause.  It was only executing the first one... (bug,
this was no bug... this was just silly... I only had it doing one
command).
