Manual Reference Pages - SENSOR (8)

NAME

sensor - the shoki packet sensor

Synopsis
Description
Options
Files
Authors
Bugs

SYNOPSIS

sensor [-c max_count] [-C conf_file] [-d] [-D chrdir] [-F filterfile] [-h] [-i device] [-P pidfile] [-s snaplen] [-U luser] [-w outdump]

DESCRIPTION

sensor is a simple, fairly compact IDS sensor. It listens on a specified network interface, and writes packets to a file. And very, very little else.

OPTIONS

-c max_count
Exit after reading max_count packets.

-C conf_file
Read an alternate config file. By default, /usr/local/shoki/etc/sensor.conf will be used.

-d Debug mode. The sensor will run in the foreground and will not fork.

-D chrdir If specified, will do a chroot(2) to chrdir

-F filterfile
Read the default filter from filterfile. The file should contain a standard libpcap-style filter expression. In general, this should be a fairly minimal filter, although you might want to write it such that it will ignore log-collection traffic between the sensor and the central data store.

-h Display a usage message and exit.

-i device Tells the sensor to listen for traffic on network interface device.

-P pidfile
Writes PID of sensor process to pidfile, which cannot be an existing file.

-s snaplen
Tells the sensor to only capture the first snaplen bytes of each packet. By default, the sensor will grab the first 65535 bytes of any packet.

-U luser If specified, setuid/setgid to specified luser.

-w outdump
Packets are written by sensor to a libpcap-stype dumpfile. The name of a currently open dumpfile will be of the form outdump.0123456789; the name of a closed dumpfile will be of the form outdump.0123456789-9876543210, where outdump is specified by the -w flag or taken from the config file, and 0123456789 and 9876543210 are, respectively, the timestamps (in seconds after the start of the epoch) of the first and last packets included in the dumpfile.

FILES

/usr/local/shoki/etc/sensor.conf
sensor config file.

AUTHORS

.An Stephen P. Berry <spb@meshuggeneh.net>
More information can be found at the shoki homepage:

BUGS

Check the README at the top of the source tree.

December 2, 2003

SENSOR (8)

shoki

Generated by manServer 1.07 from sensor.8 using doc macros.

-c max_count
	Exit after reading max_count packets.
-C conf_file
	Read an alternate config file. By default, `/usr/local/shoki/etc/sensor.conf` will be used.
-d	Debug mode. The sensor will run in the foreground and will not fork.
-D chrdir	If specified, will do a chroot(2) to chrdir
-F filterfile
	Read the default filter from filterfile. The file should contain a standard libpcap-style filter expression. In general, this should be a fairly minimal filter, although you might want to write it such that it will ignore log-collection traffic between the sensor and the central data store.
-h	Display a usage message and exit.
-i device	Tells the sensor to listen for traffic on network interface device.
-P pidfile
	Writes PID of sensor process to pidfile, which cannot be an existing file.
-s snaplen
	Tells the sensor to only capture the first snaplen bytes of each packet. By default, the sensor will grab the first 65535 bytes of any packet.
-U luser	If specified, setuid/setgid to specified luser.
-w outdump
	Packets are written by sensor to a libpcap-stype dumpfile. The name of a currently open dumpfile will be of the form outdump.0123456789; the name of a closed dumpfile will be of the form outdump.0123456789-9876543210, where outdump is specified by the -w flag or taken from the config file, and 0123456789 and 9876543210 are, respectively, the timestamps (in seconds after the start of the epoch) of the first and last packets included in the dumpfile.

Manual Reference Pages - SENSOR (8)

NAME

CONTENTS

SYNOPSIS

DESCRIPTION

OPTIONS

FILES

AUTHORS

BUGS