Aps is a small tool for analyzing network traffic. It prints out a great deal of information about the relevant protocols including TCP, UDP, ARP, and ICMP. It allows you to filter IP addresses, hardware addresses, ports, and specific protocols. It comes with a little GTK-GUI displaying packet counters for each protocol.
fireparse is an ADMLogger plugin that emails a report of all packets that have been logged by the kernel's packet filtering subsystem (iptables/netfilter or ipchains). The report includes source and destination ports, direction, logged packet count, matched rule, and fully resolved host names (if available). The email report can be formatted to plain text or a colored HTML table.
Firewall Log Daemon is a program written in C which will watch for ipchains or iptables log alerts in realtime. The program will start a small daemon process that parses and resolves firewall logs by reading a FIFO that syslog writes to. It can queue a batch of alerts and mail them to you, or can be used in a script to crunch an existing log file or data stream. It features hostname, port, protocol, and ICMP type/code lookup, with output formatted by a user-defined template.
fwmon is a firewall monitor for Linux. It integrates with ipchains/iptables to give you realtime notification of firewall events. It has fairly customizable output, allowing you to display a packet summary with hex and ASCII data dumps to stdout, a logfile, tcpdump-style capture files, and even syslog. It also boasts some simple security features such as the ability to chroot itself, and operate in a non-root environment.
fwlogwatch is a packet filter and firewall log analyzer with support for Linux ipchains, Linux netfilter/iptables, Solaris/BSD/HP-UX/IRIX ipfilter, Cisco IOS, Cisco PIX/ASA, Netscreen, Elsa Lancom router, and Snort IDS log files. It can output its summaries in text and HTML and has a lot of options. fwlogwatch also features a realtime anomaly response capability with a Web interface.
Gibraltar is a Debian GNU/Linux-based router/firewall distribution, fully workable from a bootable, live CD-ROM. Log files can be stored on a hard disk, and configuration data is stored on a USB mass storage media or a floppy disk and kept on a RAM disk during run-time. Due to its Debian base, a vast manifold of firewalling, routing, and proxy packages is available. It comes with an intuitive, easy to use Web administration interface and support, and is free to use for home users.
QDPF was written to solve the problem of exposing internal services to the Internet. It runs on machines which bridge two networks and forwards TCP/IP packets from one to the other. Its main use is to expose corporate or Intranet services to the Internet, by running it on an intervening machine. TCP sessions can also be followed in detail using the 'trace' option. QDPF is a Java console application.
SING stands for 'Send ICMP Nasty Garbage.' It is a tool that sends ICMP packets fully customized from command line. Its main purpose is to replace and complement the ping command, adding certain enhancements as fragmentation; send and receive spoofed packets; send many ICMP information types (echo as the old ping, address mask, timestamp, and router discovery) and errors (redirect, unreach, and time exceeded); and send monster packets. It also supports loose and strict source routing and record routing.