nstreams(1)		  Users Manuals		      nstreams(1)


NAME
       nstreams - network streams, a tcpdump output analyzer

SYNOPSIS
       nstreams [ -v ] [ -c nstreams-services ] [ -n nstreams-networks_file ]
		[ -N [ -i ] [ -I ]] [ -r ] [ -O output [ -D iface ] [ -Y ]]
		[ -u ] [ -U ] [ -B ] [ -f tcpdump_file ] [ -l <iface> ]
		[ tcpdump output ]


DESCRIPTION
       nstreams is a utility designed to identify the IP streams
       that are occurring on a network from a non-user-friendly
       tcpdump output of several megabytes.

       This is especially useful when you plan to install a
       firewall but do not know which streams the network users
       are generating (http, real audio, and more...).  nstreams
       can read the tcpdump output directly from stdin, or from a
       file. It can even generate the configuration file of your
       firewall, using the -O option.



OPTIONS
       -c <nstreams-services-file>
	      The  path	 to  an	 alternate nstreams service file.
	      This file is used to identify  each  protocol.  See
	      the  services  file  section  later  in this manual
	      page.


       -n <nstreams-networks-file>
	      The path to an  alternate	 nstreams  network  file.
	      This file is used to identify which hosts belong to
	      which network. See the networks file section  later
	      in this manual page.


       -f <tcpdump output file>
	      The  path	 to the file to read data from. This file
	      must have been generated using  'tcpdump	-w  file-
	      name'.


       -l <iface>
	      Listen  directly	on interface <iface>. This avoids
	      the use of tcpdump.



       -N     print the network names instead of the hosts' IP
	      addresses. Intra-network traffic will not be shown.
	      Use this option twice to show the networks' IP
	      addresses instead of their names.



nstreams		    July 1999				1


       -i     Also  show  the intra-network traffic (must be used
	      with -N)


       -I     Only show the intra-network traffic (must	 be  used
	      with -N)


       -r     be  redundant.  That  is,	 the same streams will be
	      printed each time they appear in the dump.


       -v     print version number and exit.


       -O <type>
	      output type. You can use this  option  to	 generate
	      your  firewall  startup  script.	Do nstreams -h to
	      see the supported output types.


       -D <iface>
	      interface the generated output applies to. Must be
	      used with -O.


       -Y     The generated firewall rules will deny all packets
	      coming from the outside that try to establish
	      connections to the inside. If your system is not
	      serving anything, it is safe to turn this option on.


       -u     Do not print the unknown streams


       -U     Only print the unknown streams


       -B     Show broadcasts and networks



USAGE
       Let  tcpdump(1)	run  some  time on your network (like one
       week), and save its output in a file, by doing :
       tcpdump -l -n > output
       or
       tcpdump -w filename

       Then, feed nstreams with this output file, and it will
       turn it into an easily-readable file which will help you to
       write efficient firewall filters.  You may also do :
       tcpdump -l -n | nstreams
       or
       nstreams -f filename (if you used tcpdump -w)


THE SERVICES FILE
       The service file contains the description of each protocol,
       as well as its name. Its syntax is :
       protocol_name:server_port(s)/{udp,tcp}:client_port(s)
       or :
       protocol_name:type(s)/icmp:code(s)

       Where :

       protocol_name
	      is  the  name  of the protocol described. This name
	      may contain any character, including space,  except
	      ':'.


       server_port(s)
	      is  the range of ports used by the server. Usually,
	      you will want to define one server port  only,  but
	      you may enter any range you want.


       ip_protocol
	      is the IP protocol that this protocol runs on top
	      of. Acceptable values are tcp and udp; in the second
	      form it is icmp, with the ICMP type(s) in place of
	      the server port(s) and the code(s) in place of the
	      client port(s).


       client_port(s)
	      is the range of ports that the client may use.  You
	      can set this to any or, for more accurate results,
	      to port ranges, like '1-1024,2048-4096'.
	      The rule is : 'first match, first taken'.


SERVICE FILE EXAMPLE
       Using this syntax, you would declare the ssh protocol by :
       ssh-unix:22/tcp:1000-1023
       because the Unix version of the ssh client uses a
       privileged port to connect to the ssh server, which
       listens on port 22.
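
       The following Python example is added to this page and is
       not part of nstreams. It reads a services file in the
       syntax above and applies the 'first match, first taken'
       rule to a stream given as (IP protocol, server port,
       client port). The file contents are constructed for the
       example. Blank lines and lines starting with '#' are
       skipped, which is an assumption of the example, not
       something this manual page states. For icmp entries the
       type(s) are taken from the server field and the code(s)
       from the client field, as in the second syntax form.

```python
from typing import List, Optional, Tuple

# Constructed nstreams-services content in the man page's syntax
# (example data, not the file shipped with nstreams).
SERVICES_TEXT = """\
# protocol_name:server_port(s)/{udp,tcp}:client_port(s)
ssh-unix:22/tcp:1000-1023
ssh:22/tcp:any
http:80/tcp:1024-65535
dns:53/udp:any
# protocol_name:type(s)/icmp:code(s)
echo-request:8/icmp:0
"""

PortRanges = Optional[List[Tuple[int, int]]]   # None means 'any'


def parse_ports(spec: str) -> PortRanges:
    """'any' -> None; '22' -> [(22, 22)]; '1-1024,2048-4096' -> two (lo, hi) pairs."""
    spec = spec.strip()
    if spec == "any":
        return None
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def in_ranges(port: int, ranges: PortRanges) -> bool:
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def parse_services(text: str):
    """Return (name, ip_proto, server_ports, client_ports) tuples in file order.

    File order is kept on purpose: nstreams matches 'first match, first taken',
    so the order of the entries decides which name a stream gets.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        # The name may contain anything except ':', so split from the right:
        # name : server_port(s)/proto : client_port(s)
        try:
            name, server_spec, client_spec = line.rsplit(":", 2)
        except ValueError:
            raise ValueError(f"line {lineno}: expected name:ports/proto:ports") from None
        server_ports, _, proto = server_spec.partition("/")
        proto = proto.strip().lower()
        if proto not in ("tcp", "udp", "icmp"):
            raise ValueError(f"line {lineno}: unknown IP protocol {proto!r}")
        # For icmp the 'server' field holds the type(s) and the 'client' field the code(s).
        entries.append((name, proto, parse_ports(server_ports), parse_ports(client_spec)))
    return entries


def classify(entries, proto: str, server_port: int, client_port: int) -> str:
    """Name of the first matching entry; 'unknown' is this example's label for no match."""
    for name, p, server_ports, client_ports in entries:
        if p == proto and in_ranges(server_port, server_ports) and in_ranges(client_port, client_ports):
            return name
    return "unknown"


if __name__ == "__main__":
    entries = parse_services(SERVICES_TEXT)
    for stream in (("tcp", 22, 1022), ("tcp", 22, 40000), ("tcp", 80, 1023), ("icmp", 8, 0)):
        print(stream, "->", classify(entries, *stream))
```

       The order of the entries decides what you see: with
       ssh-unix listed before ssh, a client connecting from port
       1022 is reported as ssh-unix, while listing ssh:22/tcp:any
       first would match every connection to port 22 and
       ssh-unix would never be reported. Likewise a client port
       outside the declared range (here, port 80 reached from
       client port 1023) is not matched at all, which is the
       price of the more accurate port ranges the manual page
       recommends.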


THE NETWORKS FILE
       The networks file is used to define sets and subsets of
       hosts (also known as networks). This avoids redundancy in
       the output file. The syntax format for this file is :
       network name:ip/mask
       where the network name is whatever you want, the IP is
       the address of the network, and the mask is the CIDR
       prefix length of the network.  The rule is 'first match,
       first taken'.

NETWORKS FILE EXAMPLE
       admin:192.168.19.0/29
       whole_subnet:192.168.0.0/16
       internet:0.0.0.0/0
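
       The following Python example is added to this page and is
       not part of nstreams. It reads the networks file above
       (the example contents are constructed), maps a host to the
       first matching network as -N does, tells whether a stream
       is intra-network (the traffic -N hides and -i / -I select),
       and reports entries that can never match because an
       earlier, broader entry shadows them. Skipping blank lines
       and '#' comments is an assumption of the example, not
       something the manual page states.

```python
import ipaddress
from typing import Any, List, Optional, Tuple

# Constructed networks file in the man page's syntax (example data,
# not the file shipped with nstreams).
NETWORKS_TEXT = """\
admin:192.168.19.0/29
whole_subnet:192.168.0.0/16
internet:0.0.0.0/0
"""

Network = Tuple[str, Any]   # (name, ipaddress.IPv4Network or IPv6Network)


def parse_networks(text: str) -> List[Network]:
    """Return (name, network) pairs in file order; order matters (first match wins)."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # assumption: '#' starts a comment
            continue
        name, sep, cidr = line.rpartition(":")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'network name:ip/mask'")
        # strict=False tolerates host bits set in the address, e.g. 192.168.19.3/29
        nets.append((name.strip(), ipaddress.ip_network(cidr.strip(), strict=False)))
    return nets


def network_of(nets: List[Network], host: str) -> Optional[str]:
    """Name of the first network containing host, as -N prints it, or None."""
    addr = ipaddress.ip_address(host)
    for name, net in nets:
        if addr in net:
            return name
    return None


def is_intra(nets: List[Network], src: str, dst: str) -> bool:
    """True when both ends map to the same network (hidden by -N, shown with -i / -I)."""
    s, d = network_of(nets, src), network_of(nets, dst)
    return s is not None and s == d


def shadowed_entries(nets: List[Network]) -> List[Tuple[str, str]]:
    """(entry, shadowing_entry) pairs: an entry placed after a broader network never matches."""
    found = []
    for i, (name, net) in enumerate(nets):
        for prev_name, prev in nets[:i]:
            if net.version == prev.version and net.subnet_of(prev):
                found.append((name, prev_name))
                break
    return found


if __name__ == "__main__":
    nets = parse_networks(NETWORKS_TEXT)
    for host in ("192.168.19.3", "192.168.19.9", "8.8.8.8"):
        print(host, "->", network_of(nets, host))
    reversed_file = "internet:0.0.0.0/0\nadmin:192.168.19.0/29\n"
    print("shadowed:", shadowed_entries(parse_networks(reversed_file)))
```

       With the file in the order shown, 192.168.19.3 is reported
       as admin and 192.168.19.9 (outside the /29) as
       whole_subnet. Put internet:0.0.0.0/0 first and every host
       becomes internet, which is why the more specific networks
       must come before the broader ones.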



LIMITS
       o nstreams can only parse the output of 'tcpdump -n'

       o Even though the output of nstreams is easier to read
       than that of tcpdump, it is still not easily readable.
       Use sort(1) on the nstreams output to get a more readable
       file.

       o This program could have been written in perl


FILES
       /etc/nstreams-services
       /etc/nstreams-networks



SEE ALSO
       tcpdump(1)


AUTHORS
       Concept : Herve Schauer Consultants - http://www.hsc.fr
       Coding : Renaud Deraison <deraison@cvs.nessus.org>


BUG REPORTS
       Please send all your bug reports with the details of your
       configuration to Renaud Deraison <deraison@cvs.nessus.org>
