Opensourceinfo

darkstat is an ntop-workalike network statistics gatherer. It runs as a background process on a cable or DSL router, uses libpcap to capture network traffic, and has a Web interface that serves up reports of statistics such as data transferred by host, port, and protocol. It also has a neat bandwidth usage graph.

EtherApe is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.

fwlogwatch is a packet filter and firewall log analyzer with support for Linux ipchains, Linux netfilter/iptables, Solaris/BSD/HP-UX/IRIX ipfilter, Cisco IOS, Cisco PIX, Netscreen, Windows XP firewall, Elsa Lancom router, and Snort IDS log files. It can output its summaries in text and HTML, and it has a lot of options. fwlogwatch also features an interactive incident report generator and realtime anomaly response capability with a Web interface and internationalization.

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. Instead of simulating a service, it is also possible to proxy it to another machine.

httping is a "ping"-like tool for HTTP requests. Give it a URL and it will show how long it takes to connect, send a request, and retrieve the reply (only the headers). It can be used for monitoring or statistical purposes (measuring latency).

With LinkChecker, you can check HTML documents for broken links. It features recursion, robots.txt exclusion protocol support, HTTP proxy support, i18n support, multithreading, regular expression filtering rules for links, and user/password checking for authorized pages. Output can be colored or normal text, HTML, SQL, CSV, or a sitemap graph in DOT, GML, or XML format. Supported link types are HTTP/1.1 and 1.0, HTTPS, FTP, mailto:, news:, nntp:, Gopher, Telnet, and local files.

The Multi Router Traffic Grapher (MRTG) is a tool to monitor the traffic load on network-links. MRTG generates HTML pages containing graphical images which provide a LIVE visual representation of this traffic. MRTG is based on Perl and C and works under UNIX and Windows NT. MRTG is being successfully used on many sites around the net.

Nagios is a host and service monitor designed to inform you of network problems before your clients, end-users or managers do. It has been designed to run under the Linux operating system, but works fine under most *NIX variants as well. The monitoring daemon runs intermittent checks on hosts and services you specify using external "plugins" which return status information to Nagios. When problems are encountered, the daemon can send notifications out to administrative contacts in a variety of different ways (email, instant message, SMS, etc.). Current status information, historical logs, and reports can all be accessed via a web browser.

Nessus is a remote security scanner for Linux, Solaris, FreeBSD, and Mac OS X. It is plugin-based and performs over 10,000 remote security checks. It allows for reports to be generated in HTML, and suggests a solution for each finding.

Netcat6 is a total rewrite of netcat, with several advantages: It fully supports IPv6. It is far more efficient, utilizing flexible buffering and minimal (or no) data copying or analysis. The source is well structured, documented and very easy to follow. One of the main objectives of netcat6 is to produce an excellent example of AF independant networking and efficient data transfer. The code has minimal dependancy on the address family or protocol type and can be trivially extended to talk many layer 3 protocols. Greatly improved configuration and platform indipendence. Can support servers or clients that use TCP half-close.

Netdude (the NETwork DUmp data Displayer and Editor) is a framework for inspection and manipulation of tcpdump tracefiles. It is separated into a GUI-based frontend and a backend library that performs the actual packet manipulation. Both the front- and backend can be extended using plugins, in order to add support for new protocols and to provide modular code to other developers.

netwox is a toolbox that helps to find and solve network problems : sniff, spoof, clients, servers, DNS, FTP, HTTP, IRC, NNTP, SMTP, SNMP, SYSLOG, TELNET, TFTP, scan, ping, traceroute, etc. Netwox contains 221 tools using network library netwib. Some tools are only a simplified implementation, while others are very sophisticated.

Nmap ("Network Mapper") is a utility for network exploration, administration, and security auditing. It uses IP packets in novel ways to determine which hosts are available online (host discovery), which TCP/UDP ports are open (port scanning), and what applications and services are listening on each port (version detection). It can also identify remote host OS and device types via TCP/IP fingerprinting. Nmap offers flexible target and port specifications, decoy/stealth scanning for firewall and IDS evasion, and highly optimized timing algorithms for fast scanning.

Oinkmaster is a script that will help you update and manage your Snort rules. It is released under the BSD license and will work on most platforms that can run Perl scripts, e.g. Linux, *BSD, Windows, Mac OS X, Solaris, etc. Oinkmaster can be used to update and manage the VRT licensed rules, the community rules, the bleeding-snort rules and other third party rules, including your own local rules.

Displays a real-time list of active connections seen on a network interface, and how much bandwidth is being used by what. Partially decodes HTTP and FTP protocols to show what filename is being transferred. X11 application names are also shown. Entries hang around on the screen for a few seconds so you can see what just happened. Also accepts filter expressions á la tcpdump.

If you know MRTG, you can think of RRDtool as a reimplementation of MRTGs graphing and logging features. Magnitudes faster and more flexible than you ever thought possible. RRD is the Acronym for Round Robin Database. RRD is a system to store and display time-series data (i.e. network bandwidth, machine-room temperature, server load average). It stores the data in a very compact way that will not expand over time, and it presents useful graphs by processing the data to enforce a certain data density. It can be used either via simple wrapper scripts (from shell or Perl) or via frontends that poll network devices and put a friendly user interface on it.

The Security Auditor's Research Assistant (SARA) is a third-generation security analysis tool that is based on the SATAN model. It is fostering a collaborative environment and is updated periodically to address latest threats.

Sarg - Squid Analysis Report Generator is a tool that allow you to view "where" your users are going to on the Internet. Sarg provides many informations about Squid users activities: times, bytes, sites, etc... Sarg generates detailed reports in html.

scanlogd is a TCP port scan detection tool, originally designed to illustrate various attacks an IDS developer has to deal with, for a Phrack Magazine article (see below). Thus, unlike some of the other port scan detection tools out there, scanlogd is designed to be totally safe to use.

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.