NF2CSV(1)                   General Commands Manual                  NF2CSV(1)

NAME

       nf2csv - iptables to CSV data

SYNOPSIS

       nf2csv [options]

DESCRIPTION

       nf2csv parses iptables log messages and generates comma-separated value
       (CSV) formatted data.  This is useful to provide input to the AfterGlow
       project (see http://afterglow.sourceforge.net) so iptables logs can be
       visualized graphically.  An interesting application of nf2csv and
       AfterGlow is to parse and visualize the iptables logfiles made available
       by the Honeynet project in their Scan of the Month challenges.  The
       Scan30 and Scan34 challenges (see http://www.honeynet.org/scans/scan30/
       and http://www.honeynet.org/scans/scan34/) contain extensive iptables
       logfiles, and some graphical representations of these can be viewed
       here: http://www.cipherdyne.org/psad/honeynet/.  The psad program also
       has the ability to generate CSV data from iptables logs with its --CSV
       mode.

OPTIONS

       -f, --fields <tokens>
              Specify the set of fields that should be printed from iptables
              log messages.  The most common usage of this argument is SRC DST
              DPT to print the source and destination IP addresses, followed
              by the destination port number.  Available fields to print
              include: SRC, SPT, DST, DPT, PROTO, LEN, IN, TOS, TTL, SEQ, ID,
              TYPE, CODE (and these can also be referred to as src, dst, sp,
              dp, proto, ip_len, intf, tos, and ttl).  There are several
              additional fields that are not given specific tags within
              iptables log messages, and these can be included by specifying
              one of the following: flags, tcp_opts, ip_opts, chain,
              log_prefix, frag_bit, src_mac, dst_mac, and udp_len.  Each of
              these fields accepts a search criterion in the form of a numeric
              comparison, string match, or IP match (written as field:criterion,
              e.g. src:11.11.11.0/24 or ttl:<10).  See the EXAMPLES section
              below for more information.

       -u, --unique-lines
              Only print unique output lines.  This can drastically reduce the
              output of nf2csv depending on the characteristics of the
              iptables logfile that is being parsed.

       -m, --max-lines <num>
              Specify the maximum number of output lines nf2csv will generate.
              This is useful for providing a limited set of data to AfterGlow
              in order to make visualizations more clear and less cluttered.

       -r, --regex <regex>
              Specify a regular expression that must match against the entire
              iptables log message in order for it to be included within the
              CSV output.  This allows log messages to be included in the
              output with all of the flexibility of regular expressions.  See
              the EXAMPLES section below for more information.

       -n, --neg-regex <regex>
              Specify a regular expression that must not match against the
              iptables log message in order for it to be included within the
              CSV output.  This allows log messages to be excluded from the
              output with all of the flexibility of regular expressions.  See
              the EXAMPLES section below for more information.

       -s, --start-line <line>
              Specify the starting line where nf2csv begins to process
              iptables log data.  If you are processing a huge file with
              thousands of iptables log messages this option can be useful to
              parse a specific chunk of this data.  Also see the --end-line
              option below.

       -e, --end-line <line>
              Specify the last line of iptables log data that nf2csv will
              parse.

EXAMPLES

       The following examples illustrate the command line arguments that could
       be supplied to nf2csv in a few situations:

       Print source and destination IP addresses and the destination port
       number:

       $ nf2csv -f src dst dp

       Same as above, but now require that the source IP come from the
       11.11.11.0/24 subnet:

       $ nf2csv -f src:11.11.11.0/24 dst dp

       Display instances of the MyDoom worm (backdoor port 3127):

       $ nf2csv -f src dst dp:3127

       Display packets that have low TTL values (the criterion is quoted so
       that the shell does not treat "<" as a redirection):

       $ nf2csv -f src dst 'ttl:<10'

       Display all traffic to or from the host 11.11.11.67 (this sets up an OR
       condition between the src and dst fields, because the regular
       expression is matched against the whole log message):

       $ nf2csv -f src dst dp -r 11.11.11.67

       Display likely instances of Windows Messenger popup spam attempts (note
       the use of the --regex argument to require minimal lengths on the UDP
       length field and source port, while the output contains the destination
       port of 1026):

       $ nf2csv -f src dst dp -r 'SPT=[0-9]{4}.*LEN=[4-9]{2}'
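       As an added illustration that is not part of psad or of this man page,
       the following Python reimplements the -f field and criterion matching
       (numeric, CIDR and string) together with the -r, -n and -u filters, so
       the examples above can be tried offline on constructed log lines; the
       LOG_LINES sample, the ALIASES table and the function names are
       assumptions of this example, not nf2csv's own code.

```python
import ipaddress
import re

# Constructed sample iptables log messages (not from the page); the last repeats the first.
LOG_LINES = [
    "Jun  1 10:00:01 fw kernel: DROP IN=eth0 OUT= SRC=11.11.11.67 DST=10.0.0.5 LEN=48 TOS=0x00 TTL=114 ID=1 DF PROTO=TCP SPT=3456 DPT=3127 WINDOW=16384 SYN URGP=0",
    "Jun  1 10:00:02 fw kernel: DROP IN=eth0 OUT= SRC=11.11.11.20 DST=10.0.0.5 LEN=88 TOS=0x00 TTL=5 ID=2 PROTO=UDP SPT=1234 DPT=1026 LEN=68",
    "Jun  1 10:00:03 fw kernel: DROP IN=eth1 OUT= SRC=192.168.1.9 DST=11.11.11.67 LEN=52 TOS=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 SYN URGP=0",
    "Jun  1 10:00:04 fw kernel: DROP IN=eth0 OUT= SRC=11.11.11.67 DST=10.0.0.5 LEN=48 TOS=0x00 TTL=114 ID=4 DF PROTO=TCP SPT=3456 DPT=3127 WINDOW=16384 SYN URGP=0",
]
# Lower-case aliases accepted by -f, mapped to the tags iptables writes in the message.
ALIASES = {"src": "SRC", "dst": "DST", "sp": "SPT", "dp": "DPT", "proto": "PROTO",
           "ip_len": "LEN", "intf": "IN", "tos": "TOS", "ttl": "TTL", "udp_len": "UDP_LEN"}
TOKEN_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Split one message into its KEY=VALUE tokens; a repeated key (the trailing
    LEN= that UDP lines carry, i.e. udp_len) is stored under a UDP_ prefix."""
    rec = {}
    for key, val in TOKEN_RE.findall(line):
        rec["UDP_" + key if key in rec else key] = val
    return rec

def matches(value, crit):
    """One field criterion: numeric comparison (<N or >N), CIDR match, or exact string."""
    if crit[0] in "<>" and value.isdigit() and crit[1:].isdigit():
        return int(value) < int(crit[1:]) if crit[0] == "<" else int(value) > int(crit[1:])
    if "/" in crit:
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(crit, strict=False)
        except ValueError:  # field missing from the message or not an address
            return False
    return value == crit

def nf2csv(lines, fields, regex=None, neg_regex=None, unique=False):
    """Mimic -f/-r/-n/-u: return CSV rows for the messages that pass every filter."""
    specs = [(ALIASES.get(n, n.upper()), c) for n, _, c in (f.partition(":") for f in fields)]
    rows, seen = [], set()
    for line in lines:
        if (regex and not re.search(regex, line)) or (neg_regex and re.search(neg_regex, line)):
            continue
        rec = parse_line(line)
        if any(c and not matches(rec.get(k, ""), c) for k, c in specs):
            continue
        row = ",".join(rec.get(k, "") for k, _ in specs)
        if not (unique and row in seen):
            seen.add(row)
            rows.append(row)
    return rows
```

       Calling nf2csv(LOG_LINES, ["src", "dst", "ttl:<10"]) returns only the
       TTL=5 message, and the Messenger-spam regex from the last example
       selects only the UDP line whose trailing LEN= is two digits in 4-9.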

SEE ALSO

       psad(8)

AUTHOR

       Michael Rash <mbr@cipherdyne.org>

BUGS

       Send bug reports to mbr@cipherdyne.org.  Suggestions and/or comments
       are always welcome as well.

DISTRIBUTION

       nf2csv is distributed with the psad project (http://www.cipherdyne.org/psad/)
       under the GNU General Public License (GPL), and the latest version may
       be downloaded from http://www.cipherdyne.org/



Linux                              Jun, 2006                         NF2CSV(1)