Latest version is: ippl 1.4.14. Latest development version is: ippl 1.99.5.
What is ippl?

ippl is a daemon which logs IP packets sent to a computer. It runs in the background and displays information about the incoming packets. ippl is free software. Its license is the GPL.

Who wrote ippl?

ippl is a program written by Hugo Haas and Etienne Bernard. See the history section for details.

Does it work on my system?

To run ippl, you will need a Linux system with libc version 5 or higher. If you have libc version 5, you need to install the pthread library. We would like it to run on a wide range of different Un*xes. For the moment, it only runs on Linux systems. If you are running another operating system and would like to port ippl to it, please tell us.

Note that the development version should work on many more Un*ces, as it was entirely rewritten to use libpcap. I have currently run it on Linux (glibc 2.1) and Solaris 2.6. I need some feedback from *BSD users, as I do not have a BSD system to compile it on (I am aware of a limitation, due to the pthread_cancel function not existing on some Un*ces, and I am working on the problem).

News
29 September 2001:
14 April 2001:
5 November 2000:
28 October 2000:
18 May 2000:
24 April 2000:
21 April 2000:
11 February 2000:
28 January 2000:
12 October 1999:
6 September 1999:
18 June 1999:
16 June 1999:
5 May 1999:
19 April 1999:
12 April 1999:
9 April 1999:
8 April 1999:
7 April 1999:
6 April 1999:
5 April 1999:
26 March 1999:
18 March 1999:
17 March 1999:
17 March 1999:
16 March 1999:
14 March 1999:

Technical notes

I decided to write this section to explain how ippl works internally. This way, if you think we do things incorrectly, you will be able to tell us.

Logging of the packets

ippl is multi-threaded. There is a main thread which handles the signals sent to the process and which performs some tasks like flushing the DNS cache. The main thread starts one thread for each protocol logged. That thread opens a socket and, for each packet, decides whether it has to be logged or not.

Filtering mechanism

The filtering uses a chained list. Each element contains a rule. When a packet is received, its content is compared to each element to see if it should be logged or not. If the packet has to be logged, a structure is returned describing how to log it (ident query, DNS resolution, details, etc.). To speed up this task, the host names specified in rules are resolved in advance. These resolutions are periodically redone.

DNS caching

When UDP is logged, a lot of name look-ups are done. As DNS queries are not cached, the same query could be done 100 times in a row within a few seconds. To avoid overloading the DNS server (we saw the load go up to 0.9 because of the queries it was making), ippl caches the queries it makes. A hash table with a double hashing function is used. This table is periodically emptied so that the information it contains does not become out of date. Tests have shown that 9 queries out of 10 are saved on average.

Want to know more about ippl?

Read the source, Luke!

Why did we write ippl?

Written by Hugo Haas on February 14, 1999 (release date of version 1.0):

« I have always liked the idea of knowing who does what to my computer. A lot of people indeed like to scan all the ports of your computer or even do nastier things. That is why I started to use iplogger, written by Mike Edulla (medulla@infosoc.com). I liked it. Another program called jail was based on it, but I did not really like it, for some unknown reason.

After a while, I became the maintainer of the iplogger package for Debian GNU/Linux. I therefore had to do a few security fixes and I discovered that the source code was not very clean. Every fix was making it even more complex. Then, Shawn Michael (blkmajik@mcn.net) modified the program a little bit to release a 1.1 version. However, while the features added were interesting, a lot of problems appeared with the new version. As I was fed up with working in a source which was more and more of a mess, and as everybody was requesting features that I did not want to implement in iplogger (such as a way to select which packets to log), I decided in October 1998 to rewrite iplogger completely, giving it the configurability that it was lacking. As I did not have a lot of spare time, I developed this new program slowly, and I decided to call it ippl (I had found another name at the beginning but decided not to use it as it was not politically correct). After almost two months, I had something working as I wanted, but I was not happy with the parsing of the configuration. I hence decided to ask Etienne Bernard (eb@pltplp.net) to do a clean configuration parser using Lex/Bison, and as he liked the idea of ippl, he kept on helping me. Little by little, with the help of people testing ippl for us (special thanks to Michel Kaempf (maxx@via.ecp.fr)), we managed to get something working well. And now it is time to release version 1.0, a stable version. »

Mailing lists

Thanks to VIA - Centrale Réseaux, we have two mailing lists set up:
If you want to subscribe to one of these mailing lists, send an email to ecartis@via.ecp.fr containing subscribe list in the body, where list is the name of the list you wish to subscribe to.
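The chained-list filter described under "Filtering mechanism" in the technical notes, as an added C example that is not ippl's own code: the rule list is walked for each packet, the first matching rule decides, and a rule that logs hands back the structure describing how to log. The rule fields, the first-match semantics and the sample rule set are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not ippl's code: field names and first-match semantics are assumptions. */
enum proto { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_UDP = 17 };

/* The structure returned for a logged packet: how to log it. */
struct log_opts { int log; int resolve_dns; int ident_query; int details; };

struct rule {
    enum proto proto;
    uint32_t src_net, src_mask;   /* host-order IPv4 network and mask; mask 0 matches any source */
    uint16_t dst_port;            /* 0 matches any destination port */
    struct log_opts opts;         /* opts.log == 0 means "ignore" */
    struct rule *next;            /* the chained list */
};

struct packet { enum proto proto; uint32_t src_addr; uint16_t dst_port; };

static int rule_matches(const struct rule *r, const struct packet *p)
{
    if (r->proto != p->proto) return 0;
    if ((p->src_addr & r->src_mask) != (r->src_net & r->src_mask)) return 0;
    if (r->dst_port != 0 && r->dst_port != p->dst_port) return 0;
    return 1;
}

/* Walk the chain; the first matching rule decides. NULL means "do not log",
 * both for an explicit ignore rule and when no rule matches at all. */
const struct log_opts *filter_packet(const struct rule *head, const struct packet *p)
{
    for (const struct rule *r = head; r != NULL; r = r->next)
        if (rule_matches(r, p))
            return r->opts.log ? &r->opts : NULL;
    return NULL;
}

/* Constructed rule set (assumed, for illustration): ignore UDP from 10.0.0.0/8,
 * log TCP to port 22 with ident query, DNS and details, log other TCP with DNS only. */
static struct rule r3 = { PROTO_TCP, 0, 0, 0, { 1, 1, 0, 0 }, NULL };
static struct rule r2 = { PROTO_TCP, 0, 0, 22, { 1, 1, 1, 1 }, &r3 };
static struct rule r1 = { PROTO_UDP, 0x0A000000u, 0xFF000000u, 0, { 0, 0, 0, 0 }, &r2 };
const struct rule *ruleset = &r1;

/* Classify one packet against the constructed rule set. */
const struct log_opts *classify(enum proto proto, uint32_t src, uint16_t dport)
{
    struct packet p = { proto, src, dport };
    return filter_packet(ruleset, &p);
}
```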
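An added C example, not taken from ippl, of the DNS cache described under "DNS caching" in the technical notes: a fixed-size table with open addressing and double hashing, a flush routine for the periodic emptying, and hit/miss counters so the saving the text reports can be measured. The table size, the hash functions and the constructed stand-in resolver are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ippl's code. Table size and hash functions are assumptions. */
#define CACHE_SIZE 61        /* prime, so every probe sequence visits every slot */
#define NAME_LEN   64

struct cache_entry { int used; uint32_t addr; char name[NAME_LEN]; };
static struct cache_entry cache[CACHE_SIZE];
unsigned long cache_hits, cache_misses, resolver_calls;

/* Primary hash picks the start slot; the secondary hash gives a step in 1..CACHE_SIZE-1,
 * which is coprime with the prime table size. */
static unsigned h1(uint32_t a) { return a % CACHE_SIZE; }
static unsigned h2(uint32_t a) { return 1 + (a / CACHE_SIZE) % (CACHE_SIZE - 1); }

/* Double-hashing probe: the slot holding addr, else the first free slot, else -1 (full). */
static int find_slot(uint32_t addr)
{
    unsigned start = h1(addr), step = h2(addr);
    for (unsigned i = 0; i < CACHE_SIZE; i++) {
        unsigned s = (start + i * step) % CACHE_SIZE;
        if (!cache[s].used || cache[s].addr == addr)
            return (int)s;
    }
    return -1;
}

/* The periodic emptying: drop everything so stale names do not linger. */
void cache_flush(void) { memset(cache, 0, sizeof cache); }

/* Constructed stand-in for a reverse DNS query; it only counts how often it is asked. */
static void fake_resolve(uint32_t addr, char *buf, size_t len)
{
    resolver_calls++;
    snprintf(buf, len, "host-%u.example", (unsigned)addr);
}

/* Name for addr, going to the resolver only on a cache miss. */
const char *cached_lookup(uint32_t addr)
{
    int s = find_slot(addr);
    if (s < 0) { cache_flush(); s = find_slot(addr); }   /* table full: empty it and retry */
    if (cache[s].used) { cache_hits++; return cache[s].name; }
    cache_misses++;
    fake_resolve(addr, cache[s].name, NAME_LEN);
    cache[s].used = 1;
    cache[s].addr = addr;
    return cache[s].name;
}
```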