README.en

INSTRUCTIONS FOR USE OF "PKDUMP"
Port scanning detector.

- Ver. 3.3

 
The program detects any TCP or UDP port scan or open-connection attempt
from a foreign host over the Internet, using IP protocol version 4 or
IP protocol version 6.

The program detects:
TCP connect, TCP SYN, TCP FIN, TCP Xmas, TCP ACK, TCP null (no flags),
UDP port (connect) and UDP null (0-byte UDP packet length),
whether the IP packet is fragmented or not.
(Please consult "Nmap": man nmap.)

The program creates a directory named "Pkdump-[date][time]" and in this
directory creates a file "PKDATA" that contains all IP packets sent and
received during the capture; during a scanning attack it creates files
that contain the data of the attack. The data of the port scan is
displayed on the screen with a short beep.

The data of a probable scan contains:

> Protocol used (TCP, UDP)
> Interface name
> Date and time
> Type of scan
> Source port
> Destination port
> Number of IP fragments
> Flags status (TCP scan only)
> Packet direction (ingoing or outgoing)
> Source IP address
> Destination IP address


The program uses packet sockets (AF_PACKET), so packet socket support
must be compiled into the kernel or loaded as a module (af_packet.o).

Invoking the program without any option prints a short help text.

PKDUMP V. 3.3 :
Usage :pkdump interface [-di] IP-version [options] flags.


[interface] (obligatory)

-You can specify any interface that carries IP datagrams: ppp0, eth0, etc.


[-di] = [don't ignore my packets (outgoing packets)] (optional)
-If you specify the flag "-di", any packet coming from your computer is
treated like an ingoing packet. So if it contains a SYN flag the
program will tell you that there is a SYN port scan from the
local host.
To suppress this false alarm you can specify -oT 80,25,103,143,443... etc.
(80=http, 25=smtp, 103=pop3, 143=imap, 443=https) and -oU 53... etc.
(53=domain).

If the "-di" flag isn't specified, all local packets are still written
to the file PKDATA.
See the Linux file /etc/services for port numbers.


[options] (optional)

In addition you can ignore those packets (TCP or UDP) whose destination
is a port or range of ports and which come from a specified source
address or addresses.

There are six flags: three for TCP port scans, "-iT", "-oT", "-aT",
and three for UDP port scans, "-iU", "-oU", "-aU";

i = ingoing;
o = outgoing;
a = all = ingoing and outgoing;

-iT = ignore "ingoing" TCP packets;
-oT = ignore "outgoing" TCP packets, if you have also specified the
          "-di" flag;
-aT = ignore "ingoing and outgoing" TCP packets, if you have also
          specified the "-di" flag.

The same thing can be done with UDP packets ("-iU", "-oU", "-aU").


-For IP protocol version 4:

If you want to ignore UDP port scans to port 137 from the whole
address space, you can give the following command:

- pkdump ppp0 IPV4 -iU 137-255.255.255.255/32 udpport udpnull etc. etc.

If you want to ignore TCP port scans to port 21 with source address
192.45.0.0/16 (CIDR notation), you can give the following command:

- pkdump ppp0 IPV4 -iT 21-192.34.0.0/16 syn xmas etc. etc.

If you want to ignore TCP port scans to the port range 21-27, the command
is:

- pkdump ppp0 IPV4 -iT 21:27-192.34.0.0/16 syn xmas etc. etc.

If you want to ignore TCP port scans to ports 1,200,234,3000, the command
is:

- pkdump ppp0 IPV4 -iT 1,200,234,3000-192.34.0.0/16 syn xmas etc. etc.


If you want to ignore TCP port scans to the port range 21-32, and you have
specified the "-di" flag so you don't want false alarms on the TCP
ports 80,25,103, the command is:

- pkdump ppp0 -di IPV4 -iT 21:32-255.255.255.255/32
-oT 80,25,103-255.255.255.255/32 syn xmas etc etc.

If you want to ignore TCP port scans to the port range 21-32, and you have
specified the "-di" flag so you don't want false alarms on the same range
of ports, the command is:

- pkdump ppp0 -di IPV4 -aT 21:32-255.255.255.255/32 syn fin etc...

The flags can be repeated:

- pkdump ppp0 -di IPV4 -iT 1,21,35-255.255.255.0/24
-iT 36-198.25.0.0/16
-iU 137-255.255.255.255/32
-iT 400:402-0.0.0.0/2
-oT 80,25,103-255.255.255.255/32 syn xmas udpport udpnull
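As an added example (not pkdump's own code), the following C parses one IPv4 ignore rule written in the syntax of the commands above (port list or port range, a '-', then a source network in CIDR notation) and decides whether a given packet is covered by it; as in the README, 255.255.255.255/32 is taken to mean any source address, and the 16-entry port limit is an assumption of this example.

```c
/* Added example, not pkdump's own code: parse one IPv4 ignore rule in the
 * syntax used above ("21:27-192.34.0.0/16", "1,200,234-10.0.0.0/8"). */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct ignore_rule {
    int lo[16], hi[16], nports; /* port entries as inclusive ranges */
    uint32_t net, mask;         /* source network, host byte order */
};
/* Returns 0 on success, -1 on a malformed rule. */
int parse_ignore_rule(const char *spec, struct ignore_rule *r)
{
    char buf[128], *dash, *slash, *tok;
    struct in_addr a; int prefix;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    dash = strrchr(buf, '-');            /* last '-' splits ports / address */
    if (!dash || !(slash = strchr(dash + 1, '/'))) return -1;
    *dash = *slash = '\0';
    prefix = atoi(slash + 1);
    if (prefix < 0 || prefix > 32 || inet_pton(AF_INET, dash + 1, &a) != 1)
        return -1;
    r->mask = prefix ? 0xffffffffu << (32 - prefix) : 0;
    /* README convention: 255.255.255.255/32 means "any source address" */
    if (a.s_addr == 0xffffffffu && prefix == 32) r->mask = 0;
    r->net = ntohl(a.s_addr) & r->mask;
    r->nports = 0;
    for (tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        char *colon = strchr(tok, ':'); int n = r->nports; /* "lo:hi" range */
        if (n == 16) return -1;
        r->lo[n] = atoi(tok);
        r->hi[n] = colon ? atoi(colon + 1) : r->lo[n];
        if (r->lo[n] < 0 || r->hi[n] > 65535 || r->lo[n] > r->hi[n]) return -1;
        r->nports = n + 1;
    }
    return r->nports ? 0 : -1;
}
/* 1 if a packet to dst_port from src (dotted quad) is covered by the rule. */
int rule_ignores(const struct ignore_rule *r, int dst_port, const char *src)
{
    struct in_addr a;
    if (inet_pton(AF_INET, src, &a) != 1 || (ntohl(a.s_addr) & r->mask) != r->net)
        return 0;
    for (int i = 0; i < r->nports; i++)
        if (dst_port >= r->lo[i] && dst_port <= r->hi[i]) return 1;
    return 0;
}
```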



-The same thing can be done with IP protocol version 6:

Example:

- pkdump ppp0 IPV6 -iT 1,21,37-f301:0:1:0:0:0:0:f3/24
-iT 100:105-c031:0:0:0:0:0:0:1/128
-iU 137-0:0:0:0:0:ffff:ffff:ffff/63 udpport syn xmas etc.


[flags] (obligatory)

-The flags are those of a port scanning attack:
(TCP) null (no flags), syn, fin, xmas, ack, rst, urg, mymo?
(UDP) udpport, udpnull;
You can specify all flags or only some of them, and you can specify a
set of flags, for example: rst:ack    syn  fin  xmas  psh:urg:rst  etc. etc.
Please read the manual of the nmap program to learn about port scanning
attacks and these flags.
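As an added example (not pkdump's own code), this C turns flag specifications written as above ("syn", "xmas", "psh:urg:rst") into TCP flag bitmasks and matches a captured packet's flag byte against them exactly, so that "syn" fires on a bare SYN probe but not on the SYN/ACK of a normal connection; the bit values are the standard TCP header flags, and "mymo" is left out because the README does not define it.

```c
/* Added example, not pkdump's own code: turn pkdump-style flag
 * specifications ("syn", "xmas", "psh:urg:rst") into TCP flag bitmasks
 * and match a captured packet's flag byte against them exactly. */
#include <stdint.h>
#include <string.h>

#define TH_FIN 0x01   /* standard TCP header flag bits */
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_MASK 0x3f

/* Convert one spec word to a bitmask: names may be joined by ':',
 * "xmas" is fin+psh+urg and "null" means no flags. Returns -1 on an
 * unknown name. */
int flagspec_to_mask(const char *spec)
{
    static const struct { const char *name; uint8_t bits; } tbl[] = {
        {"fin", TH_FIN}, {"syn", TH_SYN}, {"rst", TH_RST}, {"psh", TH_PSH},
        {"ack", TH_ACK}, {"urg", TH_URG}, {"xmas", TH_FIN | TH_PSH | TH_URG},
        {"null", 0}
    };
    const size_t n = sizeof tbl / sizeof tbl[0];
    char buf[64];
    int mask = 0;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (char *tok = strtok(buf, ":"); tok; tok = strtok(NULL, ":")) {
        size_t i;
        for (i = 0; i < n && strcmp(tok, tbl[i].name) != 0; i++) ;
        if (i == n) return -1;
        mask |= tbl[i].bits;
    }
    return mask;
}

/* A packet matches a spec only when its six flag bits equal the spec's
 * mask, so "syn" fires on a bare SYN but not on syn:ack. Returns the index
 * of the first matching spec, or -1 when none matches. */
int match_scan_flags(uint8_t tcp_flags, const char *const *specs, int nspecs)
{
    for (int i = 0; i < nspecs; i++) {
        int m = flagspec_to_mask(specs[i]);
        if (m >= 0 && (tcp_flags & TH_MASK) == (uint8_t)m) return i;
    }
    return -1;
}
```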

To exit the program press CTRL-C.

It's preferable to run the following commands:

"chown root pkdump"
"chmod 4555 pkdump"

To compile the program run the following command:
gcc -o pkdump pkdump.c -lpthread


I hope I've included everything you need to make the program useful.

Any suggestion will be appreciated.