PADS(8) System Manager's Manual PADS(8)
NAME
pads - Passive Asset Detection System
SYNOPSIS
pads <DhUvV> <-c file > <-d file > <-g group > <-i interface > <-n network(s) > <-p file > <-r file > <-u file > <-w file > <expression>
DESCRIPTION
PADS is a libpcap based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing
context to IDS alerts.
Goals:
- Passive: Records and identifies traffic seen on a network without
actively "scanning" a system. There will never be a packet sent from
the pads application.
- Portable: Has the ability to be placed easily on a remote system.
Does not require additional external libraries other than those
associated with libpcap.
- Lightweight: Logging is sent to a simple CSV file. There is no need
for a database or other data repository installed on the local
machine. All correlation is done outside of the pads program.
OPTIONS
-h Display help / usage information.
-D Run PADS in the background (daemon mode).
-d file
Dump banner data into a libpcap formatted file. This feature will dump the matched packet or the first 4 packets of an unmatched
connection into a specified file. This can be used to further identify a service and also aid with signature development.
Please keep in mind that this feature must be compiled into the application in order to use it. This can be done by adding
'--enable-banner-grab' to the 'configure' step.
-g group
This switch allows you to specify a group that PADS will drop to after the libpcap interface has been initialized.
-h Display help
-i interface
Specify an interface to be used.
-n network list
Specify a set of networks to be monitored. Only assets that exist within these networks will be recorded. The networks should be
specified in the following format: 10.10.10.0/24,192.168.0.0/16 .
-p pid file
This switch allows you to specify a PID file to be used in conjunction with daemon (-D) mode.
-r file
Read packets from a libpcap formatted file.
-u user
This switch allows you to specify a user that PADS will drop to after the libpcap interface has been initialized.
-w file
Dump data into a file other than assets.csv.
expression
selects which packets will be processed. Please see tcpdump(1) for details on the libpcap primitives.
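As an added example (not code from the pads distribution), the following Python parses the -n network list in the format documented above, then applies that scope to asset records the way the DESCRIPTION says correlation is done: outside pads, over its CSV output. The assets.csv column layout used for the constructed sample rows is an assumption, not taken from this man page.

```python
import csv
import io
import ipaddress


def parse_network_list(arg):
    """Parse a pads -n argument such as '10.10.10.0/24,192.168.0.0/16'.

    Returns a list of ip_network objects and raises ValueError on a malformed
    entry, so a bad monitoring scope is caught before anything is recorded.
    """
    networks = []
    for item in arg.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in network list: %r" % arg)
        # strict=False normalises '10.10.10.1/24' to 10.10.10.0/24 instead of
        # rejecting it; a host bit set in the argument is a common typo.
        networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def in_scope(ip, networks):
    """True if ip falls inside any monitored network (pads records only these)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Constructed sample rows. The column order
# (asset,port,proto,service,application,discovered) is an assumption for
# this example; check the header line of your own assets.csv.
SAMPLE_ASSETS = """\
asset,port,proto,service,application,discovered
10.10.10.5,22,6,ssh,OpenSSH 3.9p1,1118976000
192.168.4.20,80,6,www,Apache 2.0.54,1118976120
172.16.0.9,25,6,smtp,Sendmail 8.13,1118976300
"""


def filter_assets(csv_text, network_arg):
    """Keep only the asset rows that fall inside the -n scope."""
    networks = parse_network_list(network_arg)
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if in_scope(row["asset"], networks)]


if __name__ == "__main__":
    for row in filter_assets(SAMPLE_ASSETS, "10.10.10.0/24,192.168.0.0/16"):
        print(row["asset"], row["port"], row["service"], row["application"])
```

Running it prints only the 10.10.10.5 and 192.168.4.20 rows; the 172.16.0.9 host is outside the two monitored networks and is dropped.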
SEE ALSO
pads.conf(8), pads-report(8), pads-archiver(8), tcpdump(8), pcre(3)
COPYRIGHT
Copyright (C) 2004 Matt Shelton <matt@mattshelton.com>
BUGS
Please send bug reports to the author.
AUTHORS
Matt Shelton <matt@mattshelton.com>
2005/06/17 PADS(8)
IPGRAB(8) System Manager's Manual IPGRAB(8)
NAME
ipgrab - A Verbose Packet Sniffer
SYNOPSIS
ipgrab [ -ablmnPprTtwx ] [ -c cnt ] [ -i if ] [ expr ]
DESCRIPTION
ipgrab reads and parses packets from the link layer through the application layer, dumping explicit header information along the way. It
is a lot like tcpdump except that it prints almost every header field.
Options
-a Do not display application layer data.
-b Buffer standard output. Useful when you're redirecting output to a file.
-c cnt, --count cnt
Terminate after receiving cnt packets.
-C proto, --CCP proto
Assume a particular CCP protocol, such as MPPC. MPPC is the only one supported as yet.
-d Dump extra padding in packets. For example, according to an IP header, the packet ends at a certain point, but the link layer may
have padded it beyond that. This option displays the padding. Not valid in minimal mode.
-h, --help
Display usage screen with a brief description of the command line options.
-i if, --interface if
Makes ipgrab listen to packets on interface if, e.g., eth0. If this option is not used, the default interface will be assumed.
-l Don't display link-layer headers. The following protocols are considered to be link layer: ARP, CHAP, Ethernet, IPCP, LCP, LLC,
Loopback, PPP, PPPoE, Raw, Slip.
-m Minimal mode output. When operating in this mode, ipgrab displays only brief header information.
-n Don't display network-layer headers. The following protocols are considered to be network layer: AH, ESP, GRE, ICMP, ICMPv6, IGMP,
IP, IPv6, IPX, IPXRIP.
-P string
Initiate a dynamic port mapping. This option must be followed by a string of the form `<protocol>=<port>', such as `http=8080'.
-p Dump packet payloads beyond what IPgrab parses. In other words, if IPgrab does not parse a particular application, this option will
dump application data in hex and text format.
-r FILE
Read packets from a file, rather than an interface. The file should be created in "raw" format, such as with the '-w' option.
-T Do not display timestamps in minimal mode.
-t Don't display transport layer headers. The following protocols are considered to be transport layer: SPX, TCP, UDP.
-v, --version
Display version number and then quit.
-w FILE
Write the raw packets to a file, rather than the screen. The packets will not be parsed. The file can be read with the '-r' option.
-x Hex dump mode. After processing each layer, dump out the contents of that layer in hex and text. Only valid in main mode.
expr Berkeley packet filter expression. See tcpdump(8) man page for details and examples.
SEE ALSO
tcpdump(8)
NOTES
Requires libpcap version 0.3 or greater to be installed.
AUTHOR
Michael S. Borella
http://www.borella.net/mike/
mike@borella.net
07 March 2007 IPGRAB(8)