.TH ECHOLOT 1 "December 29th, 2002" .SH NAME echolot \- network station monitor .SH SYNOPSIS .B echolot [\-a][\-c][\-D][\-f] [\-i interface] [\-d database] [\-I idendity][-s ./script.pl] [\-h|\-v] .SH DESCRIPTION Here in detail. Before any IP connection is established, the computers will exchange their MAC addresses by the Address Resolution Protocoll (ARP). These ARP packets contain the MAC address of the sender, its IP address and some more information. They are broadcasted to any computer on the lan, even thru switches (but not thru gateways). echolot sniffers these packets on a given interface and tries to resolve a domain name (netbios, dns etc., see Scripting section below). This information is stored in a database which is compatible with "iptraf". Now you can detect already known hosts, like popular ftps on lan parties, you can detect foreign hosts on your network, possible intruders to your companies lan and you can prevent IP and MAC spoofing - or kick someones ass therefor. echolot announces, if faked ARP packets are sent and it announces if the IP address of a client changes. This gives you the capability to say host abc had IP xyz at some date. You can exactly see who used an IP at some time. .SH OPTIONS .TP .B "-a, --add" add new hosts to database .TP .B "-c, --continuously" announce continuously, only useful if you have nothing else to do;) .TP .B "-D, --daemonize" start as a daemon and write to the syslog .TP .B "-f, --force" force startup if pid file already exists .TP .B -i, --interface use given interface, default is "any" .TP .B -d, --database use given database, default is "/var/db/echolot.mac" .TP .B -I, --idendity set default description for new hosts .TP .B -s, --script use external resolver script, i.e. "echolot -s ./date.pl" .TP .B -h, --help print this short help .TP .B -v, --version print release and copyright information .SH EXAMPLES * Detecting Intruders You will have to generate a database, including all of your trusted computers. Run therefor echolot echolot -a -i eth0 -I "my-computers" -d "~/trusted.mac" echolot will watch on interface eth0 for all activities and will use "my-computers" as base-name. All data is stored to "~/trusted.mac". After some minutes, most of your computers should be in the database, now you can run echolot echolot -i eth0 -I "my-computers" -d "~/trusted.mac" and all new hosts will be reported, but not stored. You will see, if there is activity from any new hosts on your network. It is also a good idea to run echolot as a daemon, see this below. * Finding Servers Again Just run echolot in collection mode (-a/--add) echolot -a -i eth0 -D "my-computers" -d "~/trusted.mac" (fixme) It will report any computers on your lan and add new ones to your database. If a hosts looks fine, you just have to remember its name or modify the correspondending entry in the database. .SH SEE ALSO tcpdump(1), libpcap(3), echolot howto and website http://echolot.sf.net/ .SH COPYRIGHT echolot may be used under the terms of the BSD License. See the LICENSE file in the source directory therefor. .SH AUTHORS echolot was written in 2002 by Benjamin Schweizer http://www.redsheep.de/ a lot of help with the BSD port was given by Andreas Turtschan the code uses the libpcap, which is (c) by the tcpdump group. http://www.tcpdump.org/