
BPFT v2.00  -- 96/12/04
-----------------------
Changes:

Many bugs fixed.
Improved timeout handling in domain-name resolution.
Works properly with slip and ppp interfaces.
Added cisco_hdlc serial line encapsulation.
Ported to the new-style bpf pseudo-header.
New trafshow improvements; see trafshow/README.

BPFT v1.31  -- 93/01/14
-----------------------
Changes:

Small modifications for FreeBSD; trafd's files may now have an extension of your
own choosing (thanks to vv@sonet.kemerovo.su).
Traffic of fragmented datagrams is now really logged; it appears as a tcp or udp
entry with no port. Useful for locating inefficient network traffic.

BPFT v1.30  -- 93/01/06
-----------------------
Changes:

A new output format is present; more interesting information can be collected!
In particular, the following were added:
- logging of all IP traffic, including ICMP, IGMP, EGP, OSPF and unknown protocols;
- full IP packet size included;
- information about which side is the server for TCP and UDP;
- any service port is correctly detected;
- new keywords for the user-defined output format.
All traffic restrictions were removed.
ATTENTION: this version has a new traffic database format; a converter is enclosed.

BPFT v1.20  -- 93/12/05
-----------------------
Changes:

traflog now understands user-defined descriptions of the various output formats;
see the file traflog/traflog.format for details.
The maximum tcp or udp data length per packet was raised to the loopback MTU; this
value allows any fragmented datagram to be accepted correctly.
ICMP messages also pop up when trafshow displays traffic. :)

BPFT v1.10  -- 93/11/20
-----------------------
Changes:

Corrected a small problem in the bpft library.
lib/addrtoname.c: added the necessary alarm() and decreased the gethostbyname()
wait time. lib/etherproto.h: made eproto_db[] static.
Removed the -g debugging flag and added -O for optimized compiler output.
At present the library should compile and work safely without any problems.
Fixed a bug with the fseek length in traflog.
A new full-screen application has emerged: trafshow.

BPFT v1.02  -- 93/11/06
-----------------------
Changes:

Added forks for interprocess communication and improved the signal handlers.
Modified the access method to the daemon; trafstat no longer waits for interface
activity before obtaining the traffic statistics.
Fixed a small bug in the trafstat log file format; information about the remote
program is now logged.
Changed the traflog default output to the last log file traffic record instead of
all records, and added the '-a' flag to output all records. Added the '-r' flag.

BPFT v1.00  -- 93/10/20
-----------------------
Initial revision.


The BPF Traffic collector
=========================

These directories contain a TCP and UDP traffic logging system.
It can be used for locating suspicious network data traffic.
The following programs are included:

trafd      - tcp/udp data traffic collector daemon
trafstart  - simple example to start trafd
trafstop   - backup memory traffic table to tmp file and shutdown daemon
trafdump   - backup memory traffic table to tmp file without shutdown
trafsave   - append memory traffic table to log file and restart collect
traflog    - manage daemon log files
trafstat   - grab current traffic statistics from daemon
trafstatd  - allow remote request of the current traffic statistics
trafshow   - full screen visualization of the network data traffic

The first and last programs (trafd and trafshow) use the Berkeley Packet Filter
mechanism and may be used with 4.3BSD, BSDI, Ultrix and some other BSD-like Unix
systems. The current version of the BPF traffic programs has been tested and
works safely only under BSDI BSD/386 v1.0; a router with the following hardware
configuration was used:
- 486DLC-40, delay multiplier 305;
- two Ethernet NE2000 cards;
- five serial ports at 57600 and two at 9600 on a DigiBoard PC-8e card.

Before compiling, edit the main Makefile as needed; you may also find some
useful definitions in include/traffic.h.

To build the programs, enter 'make' from the bpft root directory.
To install them, type 'make install'; to clean up, 'make clean'.

If you want to allow remote users to request traffic statistics from your
daemon, add a line to your /etc/inetd.conf, for example:

trafstat stream tcp nowait root /usr/local/bin/trafstatd trafstatd

and a line to your /etc/services, for example:

trafstat	150/tcp		trafstat	# network traffic statistic

The trafstat service uses TCP port 150 by default, but you may override it on
the command line when running the trafstat program.
Note that nothing in this inetd entry restricts which hosts may connect, and
trafstatd runs as root, so limit reachability of port 150 at the host or the
router to the machines that actually need the statistics.

My recommendation is to invoke trafdump frequently via cron, to avoid losing
data in a system crash, and trafsave once per day, so that log files are
aligned by day. The log file is a small binary file; the average size per day
is in the range 3-5 KB.

Sorry, but the current version doesn't contain man pages or any other
documentation; maybe later...

Quick reference:
----------------

Usage:	trafd [-dOpr] [-c count] [-i iface] [-F file | expr]
Where:
	-c count	count number of packets and exit
	-d		print compiled packet-matching code and exit
	-F file		use file as input for the filter expression
	-i interface	current support: ethernet, slip, ppp, loopback
	-O		don't run the packet-matching code optimizer
	-p		don't put the interface into promiscuous mode
	-r		attempt to resume data from the dumped file if it exists
	expr		filter expression, as in tcpdump

Usage:	trafshow [-dfnNOpr] [-c count] [-i iface] [-F file | expr]
Where:
	-c count	count number of packets and exit
	-d		print compiled packet-matching code and exit
	-f		convert addresses to name only for local hosts
	-F file		use file as input for the filter expression
	-i interface	current support: ethernet, slip, ppp, loopback
	-n		don't convert addresses to host names
	-N		output only host names without domain
	-O		don't run the packet-matching code optimizer
	-p		don't put the interface into promiscuous mode
	-r		attempt to resume data from the dumped file if it exists
	expr		filter expression, as in tcpdump

Usage:	trafstat [-i iface] [-b | -fnN] [host] [port]
Where:
	-b		binary output; redirect it to a file
	-f		convert addresses to name only for local hosts
	-i interface	current support: ethernet, slip, ppp, loopback
	-n		don't convert addresses to host names
	-N		output only host names without domain
	host		obtain traffic statistics from 'host' via network
	port		port number, default 150

Usage:	traflog -l [-i iface] [-b #] [-e #] [-r]
	traflog -d [-fnN] [-F file | pattern]
	traflog [-i iface] [-b #] [-e #] [-afnNrs] [-o format] [-w file] [-F file | pattern]
Where:
	-a		output all log file records, default only last
	-b number	begin offset or begin time
	-d		print the pattern table; use it to test a pattern
	-e number	end offset or end time
	-f		convert addresses to name only for local hosts
	-F file		use file as input for the pattern expression
	-i name		interface name or file name
	-l		print records list of the log file
	-n		don't convert addresses to host names
	-N		output only host names without domain
	-o format	output by format described in traflog.format
	-r		print only the number of records or the number of KB
	-s		output summary traffic
	-w file		binary output to file
	pattern		pattern expression

Note:
-----

If 'number' > 999, it is interpreted as a time in 'date' format.
If 'name' is not an existing interface, it is interpreted as a file name.
A pattern may contain the following keywords: from, to, mask, port, proto.
For example:

from turbo.nsk.su 	to ns.nsk.su 	port domain
			to all 		port ftp port ftp-data
from TURBONET		to all
from 192.188.187.127 mask 255.255.255.224 port all
from all to 144.206.0.0 proto tcp
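The pattern language above is small enough to implement directly, which makes its semantics concrete. The following is an added example, not code from BPFT: a parser and matcher for traflog-style patterns run over a few constructed traffic records. The keyword semantics are an assumed reading of the README's examples (each keyword takes one value, 'mask' narrows the most recent from/to address, repeated 'port' keywords are OR-ed together, 'all' or an absent keyword is a wildcard, and a dotted quad with trailing zero octets such as 144.206.0.0 is taken as a network, as in tcpdump's 'net'). Host, network, service and protocol names are resolved through constructed tables rather than the resolver, /etc/networks and /etc/services, so the example runs offline; the TURBONET entry is hypothetical.

```python
"""Parser and matcher for traflog-style patterns (from, to, mask, port, proto).

Added example, not BPFT code. Keyword semantics are an assumed reading of the
README's examples; names come from the constructed tables below.
"""
import ipaddress

# Constructed lookup tables (assumption: the real tool uses the system databases).
SERVICES = {"domain": 53, "ftp": 21, "ftp-data": 20, "smtp": 25}
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}
NETWORKS = {"TURBONET": "192.188.187.0/24"}      # hypothetical /etc/networks entry
KEYWORDS = ("from", "to", "mask", "port", "proto")


def _addr(tok):
    """Return (network, mask) as ints, or None for the wildcard 'all'.

    A named network comes from NETWORKS. A dotted quad with trailing zero
    octets is treated as a network covering its non-zero octets (assumption,
    mirroring tcpdump's 'net 144.206'); any other address is a single host.
    """
    if tok == "all":
        return None
    if tok in NETWORKS:
        net = ipaddress.IPv4Network(NETWORKS[tok])
        return int(net.network_address), int(net.netmask)
    octets = [int(o) for o in tok.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address {tok!r}")
    significant = 4
    while significant > 1 and octets[significant - 1] == 0:
        significant -= 1
    mask = (0xFFFFFFFF << (8 * (4 - significant))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(tok)) & mask, mask


def parse_pattern(text):
    """Parse one pattern line into {'from', 'to', 'port', 'proto'}."""
    pat = {"from": None, "to": None, "port": set(), "proto": None}
    toks = text.split()
    last_addr = None                     # keyword the next 'mask' applies to
    i = 0
    while i < len(toks):
        kw = toks[i]
        if kw not in KEYWORDS or i + 1 >= len(toks):
            raise ValueError(f"bad pattern near {kw!r}")
        val = toks[i + 1]
        i += 2
        if kw in ("from", "to"):
            pat[kw] = _addr(val)
            last_addr = kw
        elif kw == "mask":
            if last_addr is None or pat[last_addr] is None:
                raise ValueError("mask without a preceding address")
            mask = int(ipaddress.IPv4Address(val))
            pat[last_addr] = (pat[last_addr][0] & mask, mask)
        elif kw == "port":
            if val != "all":
                pat["port"].add(SERVICES[val] if val in SERVICES else int(val))
        else:                            # proto
            if val != "all":
                pat["proto"] = PROTOCOLS[val] if val in PROTOCOLS else int(val)
    return pat


def _in_net(addr, net):
    if net is None:
        return True
    base, mask = net
    return (int(ipaddress.IPv4Address(addr)) & mask) == base


def matches(pat, rec):
    """rec: dict with proto, src, sport, dst, dport (ports None for non-TCP/UDP)."""
    if pat["proto"] is not None and rec["proto"] != pat["proto"]:
        return False
    if not _in_net(rec["src"], pat["from"]) or not _in_net(rec["dst"], pat["to"]):
        return False
    if pat["port"] and rec["sport"] not in pat["port"] and rec["dport"] not in pat["port"]:
        return False
    return True


# Constructed traffic records standing in for entries of a trafd log file.
RECORDS = [
    {"proto": 17, "src": "192.188.187.100", "sport": 1025, "dst": "192.188.187.1", "dport": 53},
    {"proto": 6, "src": "192.188.187.130", "sport": 1026, "dst": "144.206.130.10", "dport": 21},
    {"proto": 1, "src": "10.0.0.5", "sport": None, "dst": "144.206.1.1", "dport": None},
]


def select(text, records=RECORDS):
    """Indices of the records matched by the pattern line 'text'."""
    pat = parse_pattern(text)
    return [i for i, r in enumerate(records) if matches(pat, r)]


if __name__ == "__main__":
    for line in ("from 192.188.187.127 mask 255.255.255.224 port all",
                 "from all to 144.206.0.0 proto tcp",
                 "to all port ftp port ftp-data"):
        print(f"{line:55} -> {select(line)}")
```

Two points worth noticing: a 'mask' is applied to the address already parsed, so 192.188.187.127 mask 255.255.255.224 becomes the network 192.188.187.96/27, and a record without ports (the ICMP one) never matches a pattern that names a port, which is why 'port all' is the way to accept it.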


Environment variables:
----------------------

IFF_LISTEN		sets the name of the network interface;
			the same as '-i interface', and -i overrides it.
			supported by trafd, trafstat, traflog, trafshow.

PATTERNPATH		sets the default directory in which pattern files
			are looked for.
			supported only by traflog.

FORMATPATH		sets the full path of the file with the user-defined
			description of the traffic output format.
			supported only by traflog.


Syslog facility:
----------------

trafd uses the system logger daemon (syslogd) to log various information.
It opens the log with the options LOG_PID (log the process id) and LOG_CONS
(if the message cannot be passed to syslogd, attempt to write it to the
console), uses facility 'daemon', and uses the levels 'info', 'notice',
'warning' and 'error'.
If you want additional information about the state of your daemon, i.e. what
it is doing and how, set the syslog message level for facility 'daemon' in
your syslog.conf to 'info'.


The latest versions of these programs are available from
ftp://ftp.turbo.nsk.su/pub/unix/bpft-X.Y.tgz


Vladimir Vorobyev <bob@turbo.nsk.su>
CAD lab., Siberian State Academy of Telecommunication
Novosibirsk, Russia.
