From NSMWiki
Jump to: navigation, search


  • Official Site:
  • 'SANCP' (Security Analyst Network Connection Profiler) is a network security tool designed to collect statistical information regarding network traffic. See official site for more info.


Command Line Options: (cmdline)

	-? or -h  this help screen
	-c <filename>  specify the configuration/rules filename
	-d <directory>  specify the directory for output files
	-i <device>  set the network device to listen on (default: 'any')
	-g <gid>   set a group identity
	-u <uid>   set a user identity
	-r <pcapfile>  pcap file to read (overrides -i)
	-B "<bpf expression>"  set a bpf expression (alternative to -F <filename>)
	-D (daemon)  prints msgs to syslog only - disables printing realtimes to stdout
	-F <bpf filename>  file containing a bpf filter expression, overrides (alternative to -B)
	-H --human-readable  write IP addresses in dotted notation and TCPflag fields in hex 
	-R  Set default for realtime to 'pass' (default is 'log') disables realtime, but rules can override
	-S  Set default for stats to 'pass' (default is 'log') disables stats, but rules can override
	-P  Set default for pcap to 'pass' (default is 'log') disables pcap, but rules can override
	-I or --enable_icmp_mixed  record 'code' and 'type' fields for ICMP
		to the fields 's_port' and 'd_port'.
		note: affects how related icmp packets are correlated 
	-V  display version
	--strip-80211  strip 802.1Q headers from 802.1Q packets; used to 
 	  decode 802.1Q encapsulated packets - affects -A option, 
	--log-facility <facility>  where facility can be 'LOCAL1' - 'LOCAL7'
		The default log facility used by SANCP is LOG_DAEMON 

     # Debug mode for pcap data logging
	-A  records ALL traffic frames to a pcap file named 'debug_pcap_raw'
	  (despite rules). Packets are logged here prior to decoding or handling. 
	  Use -F or -B option to restrict what is collectedi.
	  Pcap data logged using this option is affected by the --strip-80211 cmdline option
	  The configuration file equivalent to this is 'default debug_pcap_raw enable'

SANCP related links


cxtracker is made specially to be used with sguil. cxtracker also logs IPv6 traffic, something that sancp does not. Sguil does not eat IPv6 yet, so to use cxtracker with sguil, a bpf filer for not inspecting IPv6 traffic should be used.

   # libpcap and a build environment is needed.
   $ git clone git://
   $ cd cxtracker/src/
   $ make
   $ ./cxtracker -h
   $ cxtracker [options]
    -i : network device (default: eth0)
    -b : berkeley packet filter
    -d : directory to dump sessions files in
    -u : user
    -g : group
    -D : enables daemon mode
    -p : pidfile
    -P : path to pidfile
    -h : this help message
    -v : verbose


   $ ./cxtracker -i eth0 -D -d /nsm_data/sensor-hostname/sancp/ -u nsm -g nsm -b ‘ip’