DOKK / manpages / debian 12 / nstreams / nstreams.1.en
nstreams(1) Users Manuals nstreams(1)

nstreams - a tcpdump output analyzer

nstreams [ -v ] [ -c nstreams-services ] [ -n nstreams-networks_file ] [ -N [ -i ] [ -I ]] [ -r ] [ -O output [ -D iface ] [ -Y ]] [ -u ] [ -U ] [ -B ] [ -f tcpdump_file ] [ -l <iface> ] [ tcpdump output ]

nstreams is a utility designed to identify the IP streams that are occuring on a network from a non-user friendly tcpdump output of several megabytes.

This is especially useful when you plan to install a firewall but if you do not know the nstreams that the network users are generating (http, real audio, and more...). nstreams can read the tcpdump output directly from stdin, or from a file. It can even generate the configuration file of your firewall, using the -O option.

The path to an alternate nstreams service file. This file is used to identify each protocol. See the services file section later in this manual page.

The path to an alternate nstreams network file. This file is used to identify which hosts belong to which network. See the networks file section later in this manual page.

The path to the file to read data from. This file must have been generated using 'tcpdump -w filename'.

Listen directly on interface <iface>. This avoids the use of tcpdump.

print the networks names instead of the hosts IP addresses. The intra-network traffic will not be shown. Use this option twice to show the networks IP address instead of their names.

Also show the intra-network traffic (must be used with -N)

Only show the intra-network traffic (must be used with -N)

be redundant. That is, the same streams will be printed each time they appear in the dump.

print version number and exit.

output type. You can use this option to generate your firewall startup script. Do nstreams -h to see the supported output types.

interface to apply to output onto. Must be used with -O.

The firewall rules that will be generated will deny all packets coming from the outside trying to establish connections to the inside. If you system is not serving anything, then it's safe to turn on this option.

Do not print the unknown streams

Only print the unknown streams

Show broadcasts and networks

Let tcpdump(1) run some time on your network (like one week), and save its output in a file, by doing :
tcpdump -l -n > output
or
tcpdump -w filename

Then, feed nstreams with this output file, and it will turn it into a easily-readable file which will help you to write efficient firewall filters. You may also do :
tcpdump -l -n | nstreams
or
nstreams -f filename (if you used tcpdump -w)

The service file contains the description of each protocol, as well as their name. Its syntax is :
protocol_name:server_port(s)/{udp,tcp}:client_ports(s)
or :
protocol_name:type(s)/icmp:code(s)

Whereas :

is the name of the protocol described. This name may contain any character, including space, except ':'.

is the range of ports used by the server. Usually, you will want to define one server port only, but you may enter any range you want.

is the IP protocol that this protocol is lying onto. Acceptable values are tcp and udp

is the range of ports that the client may use. You can set this to any or, for more accurate results, to ports ranges, like '1-1024,2048-4096'.
The rules are : 'first match, first taken'.

Using this syntax, you would declare the ssh protocol by :
ssh-unix:22/tcp:1000-1023
Because the Unix version of the ssh client uses a privileged port to connect onto the ssh server which listens on port 22.

The networks file is used to define sets and subsets of hosts (also known as networks). This avoids redundancy in the output file. The syntax format for this file is :
network name:ip/mask
Whereas the network name is whatever you want, the IP is the ip of the network, and the mask is the CIDR netmask of the network. The rule is 'first match, first taken'.

admin:192.168.19.0/29
whole_subnet:192.168.0.0/16
internet:0.0.0.0/0

• nstreams can only parse the output of 'tcpdump -n'

• Even though the output of nstreams is easier to read than the one of tcpdump, it is still not easily readable. Use sort(1) on the nstream output to get a more readable file.

• This program could have been written in perl

/etc/nstreams-services
/etc/nstreams-networks

tcpdump(1)

Concept : Herve Schauer Consultants - http://www.hsc.fr
Coding : Renaud Deraison <deraison@cvs.nessus.org>

Please send all your bug reports with the detail of your configuration to Renaud Deraison <deraison@cvs.nessus.org>

July 1999 nstreams