
Listing 3 autosniff.conf

# Autosniff configuration file
#
# This file is sourced by the shell, not parsed: every line in it is
# executed, so all shell syntax rules apply -- and anyone who can write to
# this file can run arbitrary commands as whatever user sources it
# (presumably including the daemon, whose settings live below).  Keep it
# owned by root and neither group- nor world-writable.
# NOTE: user-configurable items are at the top, marked with ###CUSTOMIZE###

# Settings for the client (autosniff)

# Full path of the daemon the client starts.  On Solaris the platform
# block further down prefixes this with "ksh " (see there for why).
AUTOSNIFFD="/usr/local/sbin/autosniffd"  ###CUSTOMIZE###

# Default mail recipient: the invoking user, taken from LOGNAME in the
# environment, or root when LOGNAME is unset or empty.  Uncomment and edit
# the example to send to a fixed address instead.
# DEFAULTMAIL=support-staff@your.company.example.com
DEFAULTMAIL="${LOGNAME:-root}" ###CUSTOMIZE###

# Settings for the daemon (autosniffd)

###CUSTOMIZE###
# For tcpdump users, you may need to compensate for variations in tcpdump
# output by saying which whitespace-separated field of the one-line
# summary holds the source IP (see the sample traces further down):
# IPARG=2  # NetBSD
# IPARG=4  # Linux  # the default
#
# If you are on Solaris but would rather use tcpdump than snoop:
# TCPDUMP_OVERRIDE="/usr/local/sbin/tcpdump"
#
# NOTE: both settings are applied with ${VAR:-default} below, so a value
# already present in the environment of whatever sources this file is
# honoured too, not only a value set here.  Set them in this file, and do
# not let an untrusted caller supply the daemon's environment:
# TCPDUMP_OVERRIDE names the program that gets executed, and IPARG is used
# as a field number.

#############################################################

# Platform selection.  The kernel name is read once and reused by both
# decisions below.  Backticks rather than $(...) are kept on purpose: this
# file may be sourced by the old Solaris Bourne shell.
os_name=`uname -s`

# Mailer, and on Solaris the interpreter for the daemon: Solaris /bin/sh is
# not sufficient to run autosniffd, so it is invoked through ksh there.
case "$os_name" in
SunOS)
    MAILER=mailx
    AUTOSNIFFD="ksh $AUTOSNIFFD"
    ;;
*)
    MAILER=Mail
    ;;
esac

# Sniffer selection.  Solaris uses snoop unless TCPDUMP_OVERRIDE names a
# tcpdump binary; every other platform is assumed to have tcpdump.
#
# The variables set here are consumed by the daemon (not visible in this
# file); by their names and values:
#   SNIFF       base sniffer command line
#   SNIFFCOUNT  option that stops after one packet
#   SNIFFWRITE  SNIFF plus the option that writes a capture to a file
#   SUFFIX      extension for capture files
#   SNIFFTEST   option that compiles/lists a filter without capturing,
#               presumably used to validate a filter expression first
#   IPARG       field number of the source address in the sniffer's
#               one-line output
#
# NOTE(security): ${TCPDUMP_OVERRIDE:-...} and ${IPARG:-...} honour values
# already in the environment as well as values set in this file.  If the
# daemon runs with privilege (it must, to sniff) and can inherit an
# untrusted caller's environment, TCPDUMP_OVERRIDE becomes a choice of
# program to run as that privilege, and a non-numeric IPARG may be spliced
# into whatever field-selection command the daemon builds -- TODO confirm
# how the daemon uses IPARG and pin both values explicitly if needed.
if [ "$os_name" = "SunOS" ] && [ -z "${TCPDUMP_OVERRIDE:-}" ]
then
    # Solaris snoop: -q quiet, -r no name resolution, -o write capture.
    SNIFF="/usr/sbin/snoop -q -r"
    SNIFFCOUNT="-c 1"
    SNIFFWRITE="$SNIFF -o"
    SUFFIX=sn
    SNIFFTEST="-C"
    IPARG=1  # source address is field 1 of snoop's summary line, e.g.:
    # solaris-box# snoop -q -r -c 1 host news and port 9999
    # 192.168.1.90 -> 192.168.1.40 TCP D=9999 S=55080 Syn Seq=3119926197
    # Len=0 Win=16384 Options=<mss 1460>
else
    # tcpdump: -n no name resolution, -s 1500 snaplen, -w write capture,
    # -d dump the compiled filter instead of capturing.
    SNIFF="${TCPDUMP_OVERRIDE:-/usr/sbin/tcpdump} -n"
    SNIFFCOUNT="-c 1"
    SNIFFWRITE="$SNIFF -s 1500 -w"
    SUFFIX=pcap
    SNIFFTEST="-d"
    # The source address may be field 2 or 4 depending on the tcpdump
    # build; see the traces below and the ###CUSTOMIZE### section above.
    IPARG=${IPARG:-4}
fi
unset os_name

# NetBSD 1.5.2 (source IP is field 2):
# 19:28:37.085709 192.168.1.90.55093 > 192.168.1.43.9999:
# S 3043053983:3043053983(0) win 16384 <mss 1460> [tos 0x10]
#
# Linux (RedHat 6.2) (source IP is field 4):
# 00:41:52.069498   eth0 > 192.168.1.2.2600 > 192.168.3.10.12345:
# S 1735149309:1735149309(0) win 31072 <mss 3884,sackOK,timestamp 610503
# 0,nop,wscale 0> (DF)


# Directory for capture files and other autosniff output.
# NOTE(security): /var/tmp is world-writable (sticky bit only), so any
# local user can pre-create "autosniff" there as a directory or symlink
# they control before the (presumably privileged) daemon first writes to
# it.  Prefer a root-owned, mode-0700 directory outside /tmp and /var/tmp,
# and make sure whatever creates this directory refuses a pre-existing
# symlink.  Capture files hold other people's traffic; they should not be
# group- or world-readable either.
ARCHIVE="/var/tmp/autosniff"

# Pattern for a temporary filename.  The PID keeps concurrent runs apart
# but is guessable, so this is only safe inside a directory that nobody
# else can write to (see the note on ARCHIVE).
TMPFILE="$ARCHIVE/autosniff.$$"

# Seconds to wait, once the sniffer has started, before giving up.
TIMEOUT=300

# Name of this host as reported by hostname(1).  Backticks are kept on
# purpose: this file may be sourced by a Bourne shell without $(...).
HOSTNAME=`hostname`