Monitor network activity on a network by host, protocol and port.

Please see new ipaudit page at         ipaudit.sourceforge.net


IPAUDIT listens to a network device in promiscuous mode, and records of every 'connection', each conversation between two ip addresses. A unique connection is determined by the ip addresses of the two machines, the protocol used between them and the port numbers (if they are communicating via udp or tcp).

It uses a hash table to keep track of the number of bytes and packets in both directions. When IPAUDIT receives a signal SIGTERM (kill) or SIGINT (kill -2, usually the same as a Control-C), it stops collecting data and write the tabulated results.

IPAUDIT is built using the pcap packet capture library to read the network port from LBNL Network Research Group.

Two utilities are included with ipaudit.
  ipstrings reads strings from pcap dump files (similar to Unix utility strings).
  total calculates totals and subtotal from columnar text files (like ipaudit output files). Its like a mini database query program for flat text files.

Suggested Usage

IPAUDIT can be used to monitor network activity for a variety of purposes. It has proved useful for monitoring intrusion detection, bandwidth consumption and denial of service attacks.

We run it in shifts. Every 30 minutes launch an new instance of IPAUDIT in the background and kill the previous instance. Before the previous instance dies it writes a file describing the network activity for the past 30 minutes. Perl scripts then parse this file and make a Web viewable report. This is the script that runs from cron every 30 minutes. It currently monitors a 45MB link averaging at about 1/3 capacity on a Pentium II/333 running Linux 2.2.13. Average CPU usage is at about 10%, and peaks at around %20 on the half hour.



ipaudit-0.92.tgz         ( older versions:     ipaudit-0.91.1.tgz ipaudit-0.91.tgz, ipaudit-0.90.tgz )

Beta Version

New beta version includes full complement of perl scripts that use ipaudit program to produce web accessible reports of network activity (screenshot).



To compile IPAUDIT you first need the pcap packet library installed, available from the LBNL Network Research Group at ftp://ftp.ee.lbl.gov/libpcap.tar.Z.
Once pcap packet library is installed, untar the IPAUDIT archive and type make. That should do it.

Last updated June 20, 2000.
Maintained by jon.rifkin@uconn.edu.