Otterhole :: pfrtg
(20050813 Slightly updated version of pfrtg, with support for ipf files tested on FreeBSD 4.8, other types of firewall logs including CSV from a commercial firewall, and the ability to report on a whole month and not just a day.)
(20050622 Slightly updated version of this file, with grammar fixed up a bit and better explanations. Still, this note could be better!)
(20050719 Added some notes about tcpdump/pcap, and information about where this has been referenced.)
Introduction

I wrote a utility for ipfilter, and changed it to support some graphical-like output (textgraph, I like to call it). I then changed it for pf, and then for the pf supported in OpenBSD 3.6 (or higher?). Some might like 'real' graphics, but this works for me. PF . Report . with TextGraph = pfrtg

I must note that while this utility was designed to summarize my pf logs, those logs are held in a slightly modified pcap format, and since this script merely uses the tcpdump utility to extract the data from the log files, pfrtg can be used for summarizing any old tcpdump/pcap file.

Example

Date: 1115956848 - 1115999243
Date: 2005/05/13 04:00:48 S - 2005/05/13 15:47:23 S GMT
Date: 2005/05/13 00:00:48 D - 2005/05/13 11:47:23 D Eastern
Source and Port Plus (1180680 bytes 8716 packets)
count: source          45678901n12345678901M123G  bytes dstn some ports
-----: ------          012345678901n12345678901E ------ ---- -----
 1500: 0.0.0.0         C...C...C................  72000  252 N 1: 139
  314: 204.60.78.55    ...C.....................  14482  206 N 1: 135
  265: 218.66.104.133  .......C.................  93810  174 N 2: 1026 1027
  264: 222.77.185.228  .....C................... 115896  179 N 2: 1026 1027
  253: 82.161.114.92   ..........C..............  12144  253 N 1: 135
  253: 221.137.120.22  ....C....................  12144  253 N 1: 135
  251: 204.11.152.101  ...C.....................  13052  251 N 1: 135
  248: 84.177.228.28   .........C...............  11904  248 N 1: 135
  247: 12.214.47.89    ..C......................  11856  247 N 1: 135
  213: 218.94.1.226    .......C.................   8520  213 N 1: 1433
  199: 24.201.75.195   ...........C.............   9552   40 N 2: 12345 27374
  125: 222.34.5.45     4XXXXXXXXXX9.............  50500  125 N 1: 1434
  118: 218.56.135.186  ..C......................   4720  118 N 1: 1433
  115: 213.60.4.121    64XXX88XX7X1.............   5520   56 N 1: 135
  104: 208.34.232.79   7674X998XXX..............   4992   52 N 1: 135
   76: 62.206.238.146  X624686866X4.............   3648   36 N 1: 135
   75: 61.129.34.19    667676757675.............  30300   75 N 1: 1434
   72: 211.98.104.7    656576676765.............  29088   70 N 1: 1434
   71: 61.159.15.2     765766765664.............  28684   71 N 1: 1434
   70: 210.74.232.40   664666576765.............  28280   70 N 1: 1434
   69: 61.0.108.132    ........L................   5382   69 N 1: 137
   69: 202.109.140.213 666665666664.............  27876   69 N 1: 1434
   62: 217.166.233.52  .9785X6X5................   2976   47 N 1: 135
   58: 221.210.203.126 .45656565664.............  23432   58 N 1: 1434
   52: 82.52.35.111    ..XXX21.472..............   2496   28 N 1: 135
   49: 61.129.32.96    454554254362.............  19796   49 N 1: 1434
   45: 221.6.238.186   .265XX4..................   2160   24 N 1: 135
   38: 61.152.95.73    234444532223.............  15352   38 N 1: 1434
   38: 219.147.62.71   424333324343.............  15352   38 N 1: 1434
   37: 208.34.232.127  .26X2...293..............   1776   18 N 1: 135
overflow

Explanation

One is supposed to observe, in this case, that the report was run at 2005/05/13 15:47:23 S GMT, or 2005/05/13 11:47:23 D Eastern. Usually all 24 of the hour columns are filled, as I run it after midnight on yesterday's logs. The first line of interest in the report shows that during the day someone, likely with a Microsoft Windows box, sent me 1500 packets from a source address of 0.0.0.0. The packets came in three blocks (the three 'C' marks in the hour columns) of over 100 packets each, but no more than 1000. The blocks occurred between 12:00-1:00, 4:00-5:00, and 8:00-9:00 AM Eastern Daylight Time. The packets were sent to 252 addresses in my class C, and all of them went to port 139 (probably TCP). The last line is the word 'overflow', which appears because the script was run to show only the top 30 entries by packet count; that limit is set by an argument.

Monthly example reports to my DarkNet (HoneyPot?)
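As an added example (this is not pfrtg.pl, and the page's own legend is not reproduced here), the following Python builds the shape of the report above from tcpdump -tt -n style lines: per-source packet and byte counts, the set of destinations and ports, the hour-bucket textgraph starting at the report's first hour, and the top-N cut that ends in 'overflow'. The glyph scale, the exact line layout and the sample records are assumptions; the scale is read off the explanation above ('C' for more than 100 and at most 1000 per hour), the rest is a guess.

```python
import re

# Hypothetical tcpdump -tt -n line shape: "<epoch>[.usec] [IP] <src>.<sport> > <dst>.<dport>: ... length <n>"
LINE_RE = re.compile(r"^(\d+)(?:\.\d+)?\s+(?:IP\s+)?(\d+(?:\.\d+){3})\.(\d+)\s+>\s+"
                     r"(\d+(?:\.\d+){3})\.(\d+):(?:.*\blength (\d+))?")

# Constructed sample input (documentation addresses), not the page's own data.
SAMPLE = """\
1115956810.000000 IP 198.51.100.9.1029 > 192.0.2.7.139: S 0:0(0) win 64240 length 48
1115956811.000000 IP 198.51.100.9.1030 > 192.0.2.8.139: S 0:0(0) win 64240 length 48
1115971205.000000 IP 198.51.100.9.1031 > 192.0.2.9.139: S 0:0(0) win 64240 length 48
1115960400.000000 IP 203.0.113.4.4321 > 192.0.2.7.1434: UDP, length 376
1115960401.000000 IP 203.0.113.4.4321 > 192.0.2.7.1433: S 0:0(0) win 16384 length 40
this line is not a tcpdump record and is skipped
"""

def symbol(n):
    """Glyph per hour bucket; scale assumed from the explanation above:
    '.' none, digit exact, 'X' 10..99, 'C' 100..999, '+' (our placeholder) 1000 and up."""
    if n < 10:
        return "." if n == 0 else str(n)
    return "X" if n < 100 else "C" if n < 1000 else "+"

def summarise(lines, start_hour, top=30):
    """Return (rows, overflow). rows: (packets, src, graph, bytes, ndst, ports) by packet
    count; overflow is True when more than `top` sources were seen (the report's last line)."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # noise and tcpdump continuation lines are ignored
        ts, src, _sport, dst, dport, length = m.groups()
        s = stats.setdefault(src, {"pkts": 0, "bytes": 0, "hours": [0] * 24,
                                   "dsts": set(), "ports": set()})
        s["pkts"] += 1
        s["bytes"] += int(length or 0)  # older tcpdump prints no length; counts 0
        s["hours"][(int(ts) // 3600 - start_hour) % 24] += 1  # column 0 = start hour GMT
        s["dsts"].add(dst)
        s["ports"].add(int(dport))
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1]["pkts"], kv[0]))
    rows = [(s["pkts"], src, "".join(map(symbol, s["hours"])), s["bytes"],
             len(s["dsts"]), sorted(s["ports"])) for src, s in ranked[:top]]
    return rows, len(ranked) > top

def render(rows, overflow):
    out = ["count: source          hour graph (col 0 = start hour)  bytes dstn ports"]
    for pkts, src, graph, nbytes, ndst, ports in rows:
        out.append(f"{pkts:5d}: {src:15s} {graph} {nbytes:6d} {ndst:4d} "
                   f"{len(ports)}: {' '.join(map(str, ports))}")
    return "\n".join(out + (["overflow"] if overflow else []))
```

Feed it `tcpdump -tt -n -r <logfile>` output with the start hour of the capture (4 for the report above) and a top count; `render(*summarise(SAMPLE.splitlines(), 4))` prints the two sample sources.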
Legend
Source
The source is ugly. But here it is if anyone has a desire to make it clean:
pfrtg.pl
There are a few arguments, and different outputs are possible. Another output is more verbose: pfrtgv.txt

If anyone likes this, improves it, wants an updated version with my improvements, or has questions, please send a note to openbsd . at . otterhole.ca

20050622 added a copyright statement to the script, in case anyone wanted to make it useful.

References

Places where PFRTG has been referenced:
Copyright Otterhole 2008. Last updated: 2008/08/29 23:14