1
.\" This file is part of tcpspy, a TCP/IP connection monitor.
3
.\" Copyright (c) 2000, 2001 Tim J. Robbins.
4
.\" All rights reserved.
6
.\" Redistribution and use in source and binary forms, with or without
7
.\" modification, are permitted provided that the following conditions
9
.\" 1. Redistributions of source code must retain the above copyright
10
.\" notice, this list of conditions and the following disclaimer.
11
.\" 2. Redistributions in binary form must reproduce the above copyright
12
.\" notice, this list of conditions and the following disclaimer in the
13
.\" documentation and/or other materials provided with the distribution.
14
.\" 3. The name of the author may not be used to endorse or promote products
15
.\" derived from this software without specific prior written permission.
17
.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
18
.\" INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
19
.\" AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
20
.\" THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
21
.\" EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
22
.\" PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
23
.\" OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
24
.\" WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25
.\" OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
26
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
.\" $Id: tcpspy.8,v 1.39 2001/05/20 11:52:12 tim Stab $
29
.TH TCPSPY 8 "May 2001" TJR "tcpspy 1.7"
31
tcpspy \- TCP/IP Connection Monitor
49
logs information about selected incoming and outgoing TCP/IP connections to
50
syslog. The following information is logged: username, local address and port,
51
remote address, port, and optionally the filename of the executable. At
52
present, only the IPv4 protocol is supported.
57
Log only connections matching the specified rule. Rule syntax is outlined
58
below. If this option is specified more than once, connections matching any
59
of the specified rules are logged. You should quote the rule, as shown above.
64
Each rule is on a new line. The `#' character may be used to add comments;
65
everything from this character to the end of the line is ignored.
71
options may be used together.
74
Log to syslog facility
76
instead of the compile-time default setting. See the
78
manual page for a list of facilities.
81
Update the internal state every
83
milliseconds, instead of the default of 1000 ms. Connections that last less
86
milliseconds may be missed, so you should experiment to find a value small
87
enough that it catches most connections, but not so small that it causes
88
tcpspy to use too much CPU time.
91
Switch to the specified user after startup.
93
may be a numeric user id or a user name from the system password file.
96
Switch to the specified group after startup.
98
may be a numeric group id or a group name from the system group file.
99
If a username to switch to with the
101
option is specified but
103
is omitted, tcpspy will switch to that specified user's primary group.
106
Debugging mode; if this option is specified, tcpspy will not detach from the
107
console after initialisation, and will log connections to standard output
111
Log the filename of the executable that created/accepted the connection.
112
You may require superuser privileges to obtain this information for processes
113
you do not own (this is a kernel limitation).
115
This option can greatly increase the amount of CPU time required to
116
process each connection/disconnection.
120
A rule may be specified with the
122
option to log information about connections matching this rule, overriding
123
the default of logging all connections.
125
The following comparison operations are defined:
128
True if the local user initiating or accepting the connection has the
133
.BI user " \N'34'username\N'34'"
134
Same as above, but using a username instead of a user id.
137
True if the local end of the connection has port number
140
.BI lport " [low] - [high]"
141
True if the local end of the connection has a port number
142
greater than or equal to
144
and less than or equal to
148
is used, high is assumed to be 65535.
151
is used, low is assumed to be 0. It is an error to omit both
152
.IR low " and " high .
154
.BI lport " \N'34'service\N'34'"
155
Same as above, but using a service name from
157
instead of a port number.
162
but compares the port number of the remote end of the connection.
164
.BI laddr " n.n.n.n[/m.m.m.m]"
165
Interpreted as a "net/mask" expression; true if "net" is equal to the bitwise
166
AND of the local address of the connection and "mask". If no mask is specified,
167
a default mask with all bits set (255.255.255.255) is used.
172
but compares the remote address.
174
.BI exe " \N'34'pattern\N'34'"
175
True if the full filename (including directory) of the executable that
176
created/accepted the connection matches
182
The pattern "" (an empty string) matches connections created/accepted by
183
processes whose executable filename is unknown.
187
option is not specified, a warning message will be printed, and the result of
188
this comparison will always be true.
190
Expressions (including the comparisons listed above) may be joined together
191
with the following logical operations:
193
.IB expr1 " or " expr2
198
are true (logical OR).
200
.IB expr1 " and " expr2
205
are true (logical AND).
210
is false (logical NOT).
212
Rules are evaluated from left to right. Whitespace (space, tab and newline)
213
characters are ignored between "words". Rules consisting of only whitespace
214
match no connections, but do not cause an error.
215
Parentheses, '(' and ')' may be placed around expressions to affect the order
218
The Examples section contains some sample rules which further demonstrate how
219
they are constructed.
224
The daemon was successfully started
234
milliseconds from now.
237
(Debugging mode only) Handled identically to
240
All other signals retain their default behaviour, which is documented in
245
tcpspy -e 'user "joe" and rport "ssh"'
246
Log connections made by user "joe" for the service "ssh".
248
tcpspy -e 'not raddr 10.0.0.0/255.0.0.0 and rport 25 and (user "bob" or user "joe")'
249
Log connections made by users "bob" and "joe" to remote port 25 on machines
250
not on a fictional "intranet".
252
tcpspy -e 'exe "/usr/bin/irc"'
253
Log connections made by /usr/bin/irc (probably ircII).
256
Tim J. Robbins <tim@robbins.dropbear.id.au>