NANY 2011 Entry Information
|Application Name||Crush Sniffer|
|Short Description||Sniff Programs, Users, Server availability and Connections in (Unix/Linux) Network Environments|
|Supported OSes||Sniffer: Unix/Linux / Analyzer: Windows|
|Download Link||Crush Sniffer.zip (20.08 KB - downloaded 305 times.)|
The Crush Sniffer creates different continous logs of several system events in Linux/Unix.
Because IĀ“ve no deeper experience in Unix-Coding I decided to create a small but handy analyzer that can filter the most important events from these logs and to search at a click the right positions of all logs at the same (or similar) time stamp.
The tool has been created to detect illegal activities or sabotage on special systems - and it worked fine.
This program can be used to sniff the behaviour of other users on your or other computers and check out who have done what and when.
Because of this, the usage is only allowed to system owners or administrators who have the legal rights to control the sniffed systems.
I recommend only experienced users who know how to read system-logs to use this tool!
- sniffer works as a normal task from the shell
- the results can be easy viewed with the analyzer
There are two scripts: One for Unix systems (and Cygwin I think) and another one for Linux. Copy the suiting one to the system you like. Open a shell window and start it.
Copy the "Crush Sniffer.exe" to a windows system or a wine directory in Linux and run it there.
Using the Application
After logging (can be stopped with ctrl-c) you have to copy the logs (all starting with RR...) to a windows computer or perhaps a Linux computer with wine and run the "Crush Sniffer.exe" - otherwise a mapped drive with network access should also work.
The program is in german - but itĀ“s so easy to use I donĀ“t see any reason to translate it.
"Nachrichtenfilter aktivieren" is automatically enabled and filters unnecessary lines from the results where nothing important happened.
The button "Dateien einlesen" Reads the files. You can select one of the RR... files. ItĀ“s not important which one.
Reading and filtering can take some time - so please be patient.
At the end you can see the 4 different logs. On clicking in a window all other logs will be corrected to the nearest time stamps to see what happend at this time with the other logs.
All settings are in the logger.sh file hard-coded. You have to change them by hand if necessary.
You can set the names of 3 different hosts. It should be easy to add more if you like.
Maximalcountage sets the days of logging. Older logs will be automatically deleted.
The _init-variables set the timeslice being used to update the different logs.
In the greps you can change the "*" parameter to a special to be controlled user if you like.
Only delete the files and folder
The load-process takes a lot of time sometimes - depending on the size of your logs.
Please donĀ“t ask for further support or development, because I decided to stop the development at this state.