TCPWrappers is a fine, fine program, and is suited for many purposes. However, it only sees what inetd chooses to pass its way, which can be a problem in some cases: you want to know when you are being poked. TAMU produced, some time ago, a package of network loggers. The problem is that they only work on Sun workstations, using the NIT or DLPI interfaces (SunOS and Solaris 2 respectively), which limits their use. I decided to write a program that performs a similar task, but using the excellent libpcap packet capture library that TCPDUMP uses. You have in your possession the result.

I made the output format both easy to read and easy to process, so it can be used very easily by scripts. There are 5 fields, each separated by the '|' character:

  1. the date the connection arrived;
  2. the source IP address or the hostname that originated the connection (depending on whether you used the -r argument or not);
  3. the source port;
  4. the destination IP address or the destination hostname (again, depending on -r);
  5. the destination port number.

You can easily specify alternate filters, so this program could be used to detect any sort of connection from 'unusual' hostnames. The filter syntax is exactly the same as that of the tcpdump package - if you know how to write filters for tcpdump, you know how to write filters for clog!

Another possible use is detecting the so-called "stealth scanners". A stealth scanner sends a SYN packet (which is what clog logs). If something is listening on that port, the server replies with a SYN/ACK packet; if nothing is listening, the server replies with a RST/ACK packet. In the normal course of opening a connection, after you get the SYN/ACK you would return an ACK, completing the 3-way handshake. Stealth scanners don't do this; they only perform 2 of the 3 steps, since once they get a SYN/ACK or a RST/ACK they already know whether something is listening on the port. Because the handshake never completes, the connection is never handed to inetd (and so never reaches TCPWrappers), which is why a packet-level logger like clog is needed to see it.

Finally, there is the 'FTP Bounce' attack described by hobbit@avian.org in his whitepaper on the subject. I have included his whitepaper as ftp-bounce.txt in this distribution; I suggest you read it - it is most interesting, and raises some interesting points.

Installing clog on most platforms is pretty simple, assuming you have the libpcap library installed. The simple makefile should handle most cases effortlessly. If you are installing on a Solaris box, use 'make solaris'. If you are installing on a Linux system, use 'make linux'. Anywhere else, 'make' by itself should work (using the generic rule). Whatever platform you use, you *NEED* an ANSI C compiler; this will not compile under K&R-style compilers. I suggest the GNU CC compiler, since it is readily available and really works nicely (well, I use Linux - not like I have much of a choice in the matter :-) ).

If you do not have libpcap yet, get it. The general release can be found at ftp://ee.lbl.gov/libpcap.tar.Z. If you have Linux, however, the general release will not compile. For Linux, there are patched libpcaps in some of the TCPDUMP source distributions (tcpdump 3.0 and above); just retrieve one of those. I have not found a 1.3.* patched version of libpcap though; 1.3.x seems to break the patched libpcap I do have, so if you run a development kernel, you are out of luck for the time being.

Brian Mitchell
http://www.saturn.net/~brian
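Since the output format is meant to be consumed by scripts, here is an added example (it is not part of clog or of this distribution) of what such a script could look like. It parses the five '|'-separated fields described above, flags a source that sends SYNs to many distinct ports on one host (the stealth-scanner signature: every clog line is one SYN, whether or not the handshake ever completed), lists sources outside a hypothetical trusted domain or network (the 'unusual hostnames' use), and flags connections arriving from port 20 at a privileged port as FTP-bounce candidates. The sample log lines, the date text, the trusted suffix and network, and the bounce heuristic are all constructed assumptions of the example, not behaviour of clog itself.

```python
"""Post-process clog output: detect SYN scans, unusual sources and
FTP-bounce-shaped connections from the 5-field '|'-separated log."""
import ipaddress
from collections import defaultdict

# Constructed sample input in clog's five-field format:
#   date | source | source port | destination | destination port
# The date text is an assumption (clog's exact date format is not specified
# here); it is carried through unparsed. A log written with -r carries
# addresses instead of names in fields 2 and 4, so both forms appear below
# to show that each is handled.
SAMPLE_LOG = """\
Mon Mar  3 10:01:02 1997|ws1.example.edu|1034|mail.example.edu|25
Mon Mar  3 10:01:05 1997|ws1.example.edu|1035|mail.example.edu|110
Mon Mar  3 10:02:11 1997|bad.attacker.net|2001|mail.example.edu|21
Mon Mar  3 10:02:11 1997|bad.attacker.net|2002|mail.example.edu|22
Mon Mar  3 10:02:12 1997|bad.attacker.net|2003|mail.example.edu|23
Mon Mar  3 10:02:12 1997|bad.attacker.net|2004|mail.example.edu|25
Mon Mar  3 10:02:13 1997|bad.attacker.net|2005|mail.example.edu|79
Mon Mar  3 10:02:13 1997|bad.attacker.net|2006|mail.example.edu|110
Mon Mar  3 10:03:44 1997|ftp.far.example.org|20|mail.example.edu|25
Mon Mar  3 10:04:00 1997|192.0.2.9|4000|mail.example.edu|25
Mon Mar  3 10:04:30 1997|10.1.2.3|4100|mail.example.edu|25
this line is not in clog format and is skipped
"""

# Hypothetical site policy: names under these suffixes and addresses in these
# networks are "ours"; anything else is an unusual source worth a closer look.
TRUSTED_SUFFIXES = (".example.edu",)
TRUSTED_NETS = (ipaddress.ip_network("10.0.0.0/8"),)


def parse_line(line):
    """Split one clog line into a dict, or return None if it is not a 5-field record."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != 5:
        return None
    date, src, sport, dst, dport = parts
    try:
        return {"date": date, "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport)}
    except ValueError:          # non-numeric port field: not a clog record
        return None


def parse_log(text):
    """Parse every well-formed line of a clog log, silently skipping the rest."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r is not None]


def find_scanners(records, min_ports=5):
    """Return {(src, dst): sorted dest ports} for each source that sent SYNs to
    at least min_ports distinct ports on one host. Each clog line is one SYN, so
    a half-open (SYN-only) scan shows up here even though inetd never saw it."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"])].add(r["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def is_trusted(name, suffixes=TRUSTED_SUFFIXES, nets=TRUSTED_NETS):
    """True if name is a hostname under a trusted suffix or an address in a trusted net."""
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:                          # not an address: treat as a hostname
        return name.endswith(suffixes)
    return any(addr in net for net in nets)


def find_unusual_sources(records, suffixes=TRUSTED_SUFFIXES, nets=TRUSTED_NETS):
    """Sorted list of distinct sources that fail the trust check."""
    return sorted({r["src"] for r in records if not is_trusted(r["src"], suffixes, nets)})


def find_ftp_bounce_candidates(records):
    """Heuristic (an assumption of this example, not something clog implements):
    a bounced connection arrives from the FTP server's data port 20 aimed at a
    privileged service port on the victim, whereas a normal active-mode data
    connection from port 20 goes to the client's unprivileged port."""
    return [r for r in records if r["sport"] == 20 and r["dport"] < 1024]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, dst), plist in find_scanners(recs).items():
        print(f"possible scan: {src} -> {dst} ports {plist}")
    for src in find_unusual_sources(recs):
        print(f"unusual source: {src}")
    for r in find_ftp_bounce_candidates(recs):
        print(f"ftp bounce?: {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} at {r['date']}")
```

Feed it a real clog log by replacing SAMPLE_LOG with the file contents; the port threshold in find_scanners and the trusted suffixes/networks are the knobs a site would tune. The date field is kept as an opaque string on purpose, so the script does not depend on whatever date format your build of clog writes.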