DERRICK(1)                        User Manual                       DERRICK(1)

NAME

       derrick -- a simple network stream recorder

SYNOPSIS

       derrick [-mvVh] [-i interface] [-r file] [-f expression] [-l file] [-b
       bytes] [-t lines]

DESCRIPTION

       derrick is a simple tool for recording data streams of TCP and UDP
       traffic.  It shares similarities with other network recorders, such as
       tcpflow and wireshark, where it is more advanced than the first and
       clearly inferior to the latter.

       derrick has been specifically designed to monitor application-layer
       communication.  In contrast to other tools, the application data is
       logged in a line-based text format.  Common UNIX tools, such as grep,
       sed and awk, can be applied directly.  Even replay of recorded
       communication is straightforward using netcat.

       derrick supports on-the-fly compression and rotation of log files.
       Payloads of TCP sessions are re-assembled using libnids and can be
       merged or truncated.  UDP payloads are logged as-is.  Details of lower
       network layers are omitted.

OUTPUT FORMAT

       derrick outputs the monitored network traffic in a line-based text
       format, where each line corresponds to one recorded TCP or UDP payload.
       Note that TCP payloads are re-assembled and thus do not necessarily
       match the corresponding TCP datagrams.

       Each line of the output has the following format:

          <TIME> <FLAG> <SRC> <DST> <PAYLOAD>

       The different fields of the output are defined as follows:

       <TIME>    This field specifies the time at which the payload has been
                 monitored. The time is given as standard UNIX time and
                 encoded as a floating-point number of seconds.

       <FLAG>    This field indicates the type of payload that has been
                 recorded. U refers to a UDP payload and T refers to a TCP
                 payload. Additionally, the beginning and end of TCP streams
                 are marked by T+ and T-, respectively.

       <SRC>     This field specifies the source of the payload. It is a tuple
                 of an IP address and a port number in the form IP:PORT.

       <DST>     This field specifies the destination of the payload. It is a
                 tuple of an IP address and a port number in the form IP:PORT.

       <PAYLOAD> The last field is the monitored payload. Non-printable
                 characters are escaped using standard URI encoding. Each
                 non-printable character is replaced by %XX, where XX is the
                 character's hexadecimal ASCII number.

       An example output of derrick looks as follows:

         05.80 T 10.100.163.103:58445 91.198.174.233:80 GET /index.html ...

       The line shows a TCP payload recorded at time 05.80, that is, 5.8
       seconds after new year's eve of 1970 ;). The payload is directed to
       port 80 (HTTP) and shows the beginning of a typical HTTP GET request.
       Note that whitespace is not escaped in the payload and thus each line
       may seemingly have more than 5 fields. However, starting from the 5th
       field, all following whitespace is part of the payload.

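       The output format described above, as an added example that is not
       part of derrick or of its manual: a Python parser that splits a line
       into its five fields (splitting at most four times so that whitespace
       in the payload survives), decodes the %XX escapes of the payload back
       to raw bytes, and picks out TCP payloads that open with an HTTP
       request line.  The sample lines are constructed for the example, not
       captured traffic; treating a line with nothing after <DST> as an empty
       payload and splitting the endpoint on its last colon are assumptions,
       not behaviour documented on this page.

```python
"""Parser for derrick's line-based output format.

Example code added to this manual page; it is not part of derrick.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample output in the documented format
# <TIME> <FLAG> <SRC> <DST> <PAYLOAD>.  These lines are made up for the
# example and are not captured traffic.
SAMPLE_LOG = (
    "05.80 T+ 10.100.163.103:58445 91.198.174.233:80 "
    "GET /index.html HTTP/1.1%0D%0AHost: example.org%0D%0A%0D%0A\n"
    "05.81 T 91.198.174.233:80 10.100.163.103:58445 "
    "HTTP/1.1 200 OK%0D%0AContent-Length: 2%0D%0A%0D%0AOK\n"
    "05.82 T- 91.198.174.233:80 10.100.163.103:58445 %00%01%02\n"
    "05.90 U 10.100.163.103:41234 192.0.2.53:53 "
    "%12%34%01%00%00%01%00%00%00%00%00%00\n"
)

FLAGS = {"U", "T", "T+", "T-"}


@dataclass
class Record:
    time: float
    flag: str
    src: Tuple[str, int]
    dst: Tuple[str, int]
    payload: bytes


def parse_endpoint(field: str) -> Tuple[str, int]:
    """Split IP:PORT on the last colon (assumption: this also keeps an
    address that itself contains colons intact)."""
    host, sep, port = field.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed endpoint: {field!r}")
    return host, int(port)


def parse_line(line: str) -> Record:
    """Parse one derrick output line.

    Only the first four fields are space-delimited; everything after the
    fourth separator is payload, so the line is split at most four times
    and whitespace inside the payload survives.  The %XX escapes are
    decoded to raw bytes; unquote_to_bytes leaves a '%' that is not
    followed by two hex digits untouched.
    """
    parts = line.rstrip("\r\n").split(" ", 4)
    if len(parts) < 4:
        raise ValueError(f"too few fields: {line!r}")
    time_s, flag, src, dst = parts[:4]
    if flag not in FLAGS:
        raise ValueError(f"unknown flag {flag!r} in {line!r}")
    # Assumption: a line with nothing after <DST> carries an empty payload.
    payload = parts[4] if len(parts) == 5 else ""
    return Record(float(time_s), flag, parse_endpoint(src),
                  parse_endpoint(dst), unquote_to_bytes(payload))


def parse_log(text: str) -> List[Record]:
    """Parse a whole derrick log, skipping blank lines."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def http_requests(records: List[Record]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, request line) for TCP payloads that open with an
    HTTP request line, the kind of filter one would otherwise do with grep
    on the %0D%0A-escaped text."""
    found = []
    for r in records:
        if not r.flag.startswith("T"):
            continue
        m = HTTP_REQUEST_LINE.match(r.payload)
        if m:
            found.append(("%s:%d" % r.src, "%s:%d" % r.dst,
                          m.group(0).rstrip(b"\r\n").decode("ascii")))
    return found


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for rec in records:
        print(f"{rec.time:.2f} {rec.flag:2} {rec.src[0]}:{rec.src[1]} -> "
              f"{rec.dst[0]}:{rec.dst[1]} {len(rec.payload)} bytes")
    for src, dst, req in http_requests(records):
        print(f"HTTP request {src} -> {dst}: {req}")
```

       Decoding to bytes rather than str matters for replay and for binary
       protocols such as the DNS sample: the escaped %00 bytes are not valid
       text, and a str-based decoder would silently alter them.
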

OPTIONS

       derrick supports the following command-line options, which can be used
       to control the recording of network traffic.

       -i interface  Record network traffic from this interface. On Linux
                     systems with 2.2 or later kernels, an interface argument
                     of "any" can be used to capture packets from all
                     interfaces.

       -r file       Read network traffic from a dump file in pcap format.
                     Dump files can be created using tcpdump.

       -f expression Filter network traffic using a filter expression. Only
                     packets that match the expression will be recorded.
                     Consult the man page of tcpdump for a description of
                     filter expressions.

       -l file       Write output to a compressed log file instead of stdout.
                     This option can be used when derrick runs in the
                     background. The log file will be rotated if a certain
                     number of lines have been logged, see -t.

       -b bytes      Record only the first bytes of each TCP stream. The
                     number of bytes is computed from incoming and outgoing
                     TCP payloads.

       -m            Merge consecutive TCP payloads in the same direction.
                     This option comes in handy if protocol messages are split
                     over multiple TCP payloads.

       -t lines      Rotate the log file after the given number of lines.

       -v            Increase the verbosity of derrick during recording.

       -h            Print a brief help screen.

       -V            Print a version and copyright string.

       Copyright (c) 2011-2012 Konrad Rieck (konrad@mlsec.org)

       Derrick is licensed under the new BSD License. See the file COPYING in
       the source distribution for more information.

derrick 0.3                       2013-01-21                        DERRICK(1)