sensor - the shoki packet sensor
sensor [-c max_count] [-C conf_file] [-d] [-D chrdir] [-F filterfile] [-h] [-i device] [-P pidfile] [-s snaplen] [-U luser] [-w outdump]
sensor is a simple, fairly compact IDS sensor. It listens on a specified network interface, and writes packets to a file. And very, very little else.
-c max_count
    Exit after reading max_count packets.
-C conf_file
    Read an alternate config file. By default, /usr/local/shoki/etc/sensor.conf will be used.
-d
    Debug mode. The sensor will run in the foreground and will not fork.
-D chrdir
    If specified, the sensor will chroot(2) to chrdir.
-F filterfile
    Read the default filter from filterfile. The file should contain a standard libpcap-style filter expression. In general, this should be a fairly minimal filter, although you might want to write it so that it ignores log-collection traffic between the sensor and the central data store.
-h
    Display a usage message and exit.
-i device
    Tells the sensor to listen for traffic on network interface device.
-P pidfile
    Writes the PID of the sensor process to pidfile, which cannot be an existing file.
-s snaplen
    Tells the sensor to capture only the first snaplen bytes of each packet. By default, the sensor will grab the first 65535 bytes of any packet.
-U luser
    If specified, setuid/setgid to the specified luser.
-w outdump
    Packets are written by the sensor to a libpcap-style dumpfile. The name of a currently open dumpfile will be of the form outdump.0123456789; the name of a closed dumpfile will be of the form outdump.0123456789-9876543210, where outdump is specified by the -w flag or taken from the config file, and 0123456789 and 9876543210 are, respectively, the timestamps (in seconds since the start of the epoch) of the first and last packets included in the dumpfile.
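The dumpfile naming scheme above is what a collector on the central data store has to parse to decide which files the sensor has finished writing. The following is an added example, not part of shoki itself: it classifies a constructed directory listing into open and closed dumpfiles and assumes the -w base name is "outdump".

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches both forms from the man page:
#   outdump.0123456789            (open: first-packet timestamp only)
#   outdump.0123456789-9876543210 (closed: first and last packet timestamps)
# The base name is greedy so a base containing dots still parses.
_DUMP_RE = re.compile(r"^(?P<base>.+)\.(?P<first>\d+)(?:-(?P<last>\d+))?$")


@dataclass(frozen=True)
class DumpFile:
    name: str
    base: str
    first: int            # epoch seconds of the first packet
    last: Optional[int]   # epoch seconds of the last packet; None while still open

    @property
    def closed(self) -> bool:
        return self.last is not None


def parse_dumpfile_name(name: str, base: str) -> Optional[DumpFile]:
    """Return a DumpFile if name follows the sensor's scheme for base, else None."""
    m = _DUMP_RE.match(name)
    if not m or m.group("base") != base:
        return None
    first = int(m.group("first"))
    last = int(m.group("last")) if m.group("last") else None
    if last is not None and last < first:
        return None  # last packet cannot precede the first; not a sensor dumpfile
    return DumpFile(name, base, first, last)


def closed_dumps(names: Iterable[str], base: str) -> List[DumpFile]:
    """Closed dumpfiles only, ordered by first-packet time: the ones safe to collect."""
    parsed = (parse_dumpfile_name(n, base) for n in names)
    return sorted((d for d in parsed if d and d.closed), key=lambda d: d.first)


# Constructed listing of a sensor's output directory (not real data).
SAMPLE_LISTING = [
    "outdump.1070003600-1070007199",
    "outdump.1070000000-1070003599",
    "outdump.1070007200",        # still being written by the sensor
    "outdump.1070007200.tmp",    # unrelated file, must be ignored
    "sensor.conf",
]

if __name__ == "__main__":
    for d in closed_dumps(SAMPLE_LISTING, "outdump"):
        print(f"{d.name}: {d.first}..{d.last}")
```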
/usr/local/shoki/etc/sensor.conf
    The sensor config file.
Stephen P. Berry <firstname.lastname@example.org>
More information can be found at the shoki homepage:
Check the README at the top of the source tree.
December 2, 2003    SENSOR (8)    shoki