PRADS - Passive Real-time Asset Detection System

prads [options]
prads -i eth1 -v
PRADS is a Passive Real-time Asset Detection System.

PRADS employs digital fingerprints to recognize services on the wire, and can be used to map your network and monitor it for changes in real time.

Because PRADS gleans useful information from every packet it sees, real-time passive traffic analysis also lets you detect assets that are only connected to the network for a short period of time.

PRADS aims to be the one-stop shop for passive asset detection. It currently does MAC lookups, TCP and UDP OS fingerprinting, client and service application matching, and keeps a connection state table. Output plugins include a logfile and a FIFO, which make PRADS a useful replacement for p0f, pads and sancp.

PRADS was built from the ground up for a small footprint and for modern networks with IPv6 and gigabits of throughput.
-i <iface>
    Network device <iface> (default: eth0).

-r <file>
    Read pcap <file>.

-c <file>
    Read config from <file>.

-b <filter>
    Apply Berkeley packet filter <filter>.

-u <user>
    Run as user <user> (default: uid 1).

-g <group>
    Run as group <group> (default: gid 1).

-d
    Do not drop privileges.

-a <nets>
    Specify home nets (e.g. '192.168.0.0/25,10.0.0.0/255.0.0.0'); entries may be given either as a CIDR prefix length or as a dotted netmask.

-D
    Daemonize.

-p <pidfile>
    Name of pidfile; the path is interpreted inside the chroot.

-l <file>
    Log assets to <file> (default: the asset log path from the config file, config.assetlog).

-f <FIFO>
    Log assets to <FIFO>.

-B
    Log connections to ringbuffer.

-C <dir>
    Chroot into <dir> before dropping privileges.

-XFRMSAK
    Flag picker (combine the letters you want): X clears all flags; F: FIN, R: RST, M: MAC, S: SYN, A: ACK, K: SYN/ACK.

-UTtI
    Service checks (combine the letters you want): U: UDP, T: TCP server, t: TCP client, I: ICMP. Note that T and t are distinct.

-P
    DHCP fingerprinting.

-s <snaplen>
    Dump <snaplen> bytes of each payload.

-v
    Verbose output; repeat for more verbosity.

-q
    Quiet; try harder not to produce output.

-L <dir>
    Log cxtracker-style output to <dir> (the directory will be owned by the uid given with -u).

-O
    Connection tracking [O]utput, emitted per packet.

-x
    Conne[x]ion tracking output: new, expired and ended connections.

-Z
    Passive DNS (experimental).

-H
    DHCP fingerprinting (experimental).

-h
    This help message.
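The -a option takes a comma-separated list in which each entry is either a CIDR prefix (192.168.0.0/25) or an address with a dotted netmask (10.0.0.0/255.0.0.0). The following is an added example, not code from PRADS, showing how such a string is parsed, validated and used to decide whether an observed address falls inside the home nets. It assumes (the man page does not say so explicitly) that PRADS uses the home nets to decide which hosts count as local assets, and it accepts IPv6 prefixes on the strength of the IPv6 support mentioned in the description; the sample asset records are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Added example: parse and apply a PRADS-style '-a <nets>' home-nets string.

Illustration code, not part of PRADS. It models the syntax the man page shows
('192.168.0.0/25,10.0.0.0/255.0.0.0'): comma-separated entries, each either
address/prefixlen (CIDR) or address/dotted-netmask. IPv6 CIDR entries are
accepted too; whether PRADS itself takes them via -a is an assumption based
only on the page stating that PRADS supports IPv6.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Asset = Tuple[str, str]  # (ip, service) observation


def parse_home_nets(spec: str) -> List[Network]:
    """Turn '192.168.0.0/25,10.0.0.0/255.0.0.0' into network objects.

    ipaddress.ip_network() understands both a prefix length and (for IPv4) a
    dotted netmask, so both notations from the man page map to the same type.
    strict=True rejects entries with host bits set (e.g. 192.168.1.5/24): in a
    home-nets list that is almost always a typo, and a filter that silently
    widens or narrows the range is worse than an error at startup.
    """
    nets: List[Network] = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing or doubled comma
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad home net entry {entry!r}: {exc}") from None
    return nets


def home_nets_error(spec: str) -> str:
    """Return '' if spec parses cleanly, otherwise the error message.

    Useful for checking a config value before launching prads.
    """
    try:
        parse_home_nets(spec)
    except ValueError as exc:
        return str(exc)
    return ""


def home_nets_arg(nets: Iterable[Network]) -> str:
    """Render networks back into a canonical -a argument (CIDR notation)."""
    return ",".join(str(net) for net in nets)


def is_home(addr: str, nets: Iterable[Network]) -> bool:
    """True if addr (IPv4 or IPv6 text) lies inside any of the home nets."""
    ip = ipaddress.ip_address(addr)
    # Membership is only meaningful within the same address family.
    return any(ip.version == net.version and ip in net for net in nets)


def split_assets(records: Iterable[Asset],
                 nets: Iterable[Network]) -> Tuple[List[Asset], List[Asset]]:
    """Partition (ip, service) observations into home and foreign lists.

    Mirrors the assumed role of -a: only hosts inside the home nets are
    treated as assets of the monitored network.
    """
    nets = list(nets)
    home: List[Asset] = []
    foreign: List[Asset] = []
    for ip, service in records:
        (home if is_home(ip, nets) else foreign).append((ip, service))
    return home, foreign


# Constructed sample observations (not real PRADS output).
SAMPLE_ASSETS: List[Asset] = [
    ("192.168.0.17", "SERVER:ssh"),
    ("192.168.0.200", "CLIENT:http"),  # outside the /25, which covers .0-.127
    ("10.42.7.9", "SERVER:http"),
    ("203.0.113.5", "CLIENT:http"),    # documentation range, not a home net
    ("2001:db8::1", "CLIENT:dns"),     # IPv6; no v6 home net configured
]

if __name__ == "__main__":
    spec = "192.168.0.0/25,10.0.0.0/255.0.0.0"
    nets = parse_home_nets(spec)
    print("canonical -a argument:", home_nets_arg(nets))
    home, foreign = split_assets(SAMPLE_ASSETS, nets)
    print("home assets:  ", home)
    print("foreign hosts:", foreign)
    print("typo check:   ", home_nets_error("192.168.1.5/24") or "ok")
```

Run it once against the home-nets string you intend to pass to prads: a dotted netmask is rendered back as a prefix length, and an entry with host bits set is reported instead of being silently accepted.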
1. Doesn't detect everything out there :-P
2. This man page.
• PRADS <http://prads.projects.linpro.no/>
• p0f <http://lcamtuf.coredump.cx/p0f.shtml>
• PADS <http://passive.sourceforge.net/>
Report bugs here:
• http://github.com/gamelinux/prads/issues

For general questions:
• http://projects.linpro.no/mailman/listinfo/prads-devel
• http://projects.linpro.no/mailman/listinfo/prads-users
Edward Bjarte Fjellskål <edwardfjellskaal AT gmail DOT com>, Kacper Wysocki <comotion AT users DOT sf DOT net>
GPL