
Latest version is: ippl 1.4.14.

Latest development version is: ippl 1.99.5.


Download the latest stable version
Download the Debian GNU/Linux package (stable version)
Download the latest Debian GNU/Linux package
Download the RPM package*
Browse the development directory
Browse the archive directory
* the packages are built by Curtis Ireland (cireland@in-works.net)

Technical notes
See the To-Do list
View the changelog file
View a list of known bugs

The mailing lists
Write to the development mailing list: ippl@via.ecp.fr

Logo contest


What is ippl?

ippl is a daemon which logs IP packets sent to a computer. It runs in the background, and displays information about the incoming packets.
Criteria can be used to specify what packets should be logged and what packets should be ignored.

ippl is free software. Its license is GPL.

Who wrote ippl?

ippl is a program written by Hugo Haas and Etienne Bernard. See the history section for details.

Does it work on my system?

To run ippl, you will need a Linux system with a libc version 5 or higher. If you have libc version 5, you need to install the pthread library.

We would like it to run on a wide range of different Un*xes. For the moment, it only runs on Linux systems. If you are running another operating system and you would like to port ippl to it, please tell us.

Note that the development version should work on many more Un*x systems, as it was entirely rewritten to use libpcap. I have currently run it on Linux (glibc 2.1) and Solaris 2.6. I need some feedback from *BSD users, as I do not have a BSD system to compile it on (I am aware of a limitation due to the pthread_cancel function not existing on some Un*ces, and I am working on the problem).


29 September 2001:
Version 1.4.14 released:

  • ignore all and log all are now available
  • fixed a minor memory leak

14 April 2001:
Version 1.4.13 released:

  • Removed an unneeded include file, which prevented compilation on some distributions
  • Fixes parsing of hostnames containing a minus sign

5 November 2000:
Version 1.4.12 released:

  • Fixes version numbering problem
  • Fixes documentation bug

28 October 2000:
Version 1.4.11 released:

  • Port ranges (port--port) parsing was broken
  • Fixed typo in ICMP logging
  • Tell the resolver to use UDP instead of TCP
  • Set default to no resolve
  • Some exit conditions log a message before exiting.

18 May 2000:
Just released a new version. See the HISTORY file for more information.

24 April 2000:
Hugo stops working on ippl. I take the maintainership back for the moment, and will soon release a 2.0 version, as no negative feedback came from the development version. The web site is now hosted on my own domain, so update your bookmarks. For the moment, the CVS is still hosted on Hugo's machine. -- Etienne

21 April 2000:
Version 1.4.10 released: fixes parsing of x.x.x.x/n in the configuration.

11 February 2000:
Version 1.4.9 released: fixes a GID switching problem.

28 January 2000:
Version 1.99.3 released: first version using libpcap; completely rewritten. It should be much more portable.

12 October 1999:
Version 1.4.8 released: now accepts IP packets with options; code clean-up.

6 September 1999:
Version 1.4.7 released: better logging of repeating events, documentation updated.

18 June 1999:
The rewriting of ippl is going to start soon. We are currently discussing the best way to do it.

16 June 1999:
Version 1.4.6 released: fixes a configuration parsing problem.

5 May 1999:
Due to a heavy workload, the authors have stopped working on ippl for a while. If you want to work on ippl, do not hesitate to write to us.

19 April 1999:
Versions 1.4.4 & 1.5.2 released, fixing a possible buffer overflow problem.

12 April 1999:
Version 1.4.4 released, fixing a problem about port range parsing.

9 April 1999:
Version 1.4.3 released, correctly fixing a potential denial of service attack.

8 April 1999:
Debian packages of version 1.4.2 are available.

7 April 1999:
Version 1.4.2 released, fixing a potential denial of service attack. Packages not built yet.

6 April 1999:
Debian packages are available.

5 April 1999:
Version 1.4.1 released. Debian packages will be built soon. RedHat packages are available.

26 March 1999:
Version 1.4.0 released.

18 March 1999:
Created a Debian package linked against glibc 2.0.

17 March 1999:
Version 1.3.9 released.

17 March 1999:
Version 1.3.8 released. I will not create Debian packages for it since the changes made are minor.

16 March 1999:
Version 1.3.7 released. Added the ability to change user running threads. Bug fixes.

14 March 1999:
Version 1.3.6 released.

Technical notes

I decided to write this section to explain how ippl works internally. This way, if you think we do things incorrectly, you will be able to tell us.

Logging of the packets

ippl is multi-threaded. There is a main thread which handles the signals sent to the process and which performs some tasks like flushing the DNS cache.

The main thread starts one thread for each protocol logged. Each of these threads opens a socket and decides, for each packet, whether it has to be logged or not.

Filtering mechanism

The filtering uses a chained list (linked list). Each element contains a rule. When a packet is received, its content is compared to each element to see if it should be logged or not. If the packet has to be logged, a structure is returned describing how to log it (ident query, DNS resolution, details, etc).

To speed up this task, the host names specified in rules are resolved in advance. These resolutions are periodically re-performed.
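
The rule chain described above, as an added sketch in C that is not taken from the ippl source. The structure layout, the names, the "first matching rule decides" policy and the "no match means ignore" default are all assumptions made for illustration; the sample rules are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical types for illustration; not ippl's real structures. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct log_opts { int ident, resolve, detailed; };  /* how to log a match */

struct rule {
    int log;                     /* 1 = log, 0 = ignore */
    uint32_t net, mask;          /* source network, host byte order */
    uint16_t port_lo, port_hi;   /* inclusive destination port range */
    struct log_opts opts;
    const struct rule *next;     /* chained list */
};

/* Mask for x.x.x.x/n; n == 0 is special-cased because a 32-bit shift is undefined. */
uint32_t prefix_mask(unsigned n) {
    return n == 0 ? 0 : 0xFFFFFFFFu << (32 - (n > 32 ? 32 : n));
}

/* Walk the chain. Assumed policy: first matching rule decides, no match = ignore.
   Returns how to log the packet, or NULL when it must not be logged. */
const struct log_opts *filter_packet(const struct rule *chain,
                                     uint32_t src, uint16_t dport) {
    for (const struct rule *r = chain; r; r = r->next)
        if ((src & r->mask) == (r->net & r->mask) &&
            dport >= r->port_lo && dport <= r->port_hi)
            return r->log ? &r->opts : NULL;
    return NULL;
}

/* Constructed sample chain: ignore 192.168.1.0/24, then log ports 1-1023. */
const struct rule *demo_chain(void) {
    static struct rule log_low = { 1, 0, 0, 1, 1023, { 1, 0, 1 }, NULL };
    static struct rule ignore_lan = { 0, IP(192, 168, 1, 0), 0, 0, 65535,
                                      { 0, 0, 0 }, &log_low };
    ignore_lan.mask = prefix_mask(24);
    log_low.mask = prefix_mask(0);
    return &ignore_lan;
}

int main(void) {
    const struct log_opts *o = filter_packet(demo_chain(), IP(203, 0, 113, 7), 23);
    printf("telnet probe from 203.0.113.7: %s\n", o ? "logged" : "ignored");
    return 0;
}
```

Because every packet walks the list from the head, rule order is part of the policy: a broad ignore rule placed early hides everything behind it from the log.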

DNS caching

When UDP is logged, a lot of name look-ups are done. As DNS queries are not cached, the same query could be done 100 times in a row, in just a few seconds' interval.

To avoid overloading the DNS server (we saw a load going up to 0.9 because of the queries ippl was making), ippl caches the queries it makes. A hash table with a double hashing function is used. This table is periodically emptied so that the information it contains does not become out-of-date.

Tests have shown that 9 queries out of 10 are saved on average.
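
A lookup cache of the kind described in this section, as an added sketch in C that is not ippl's own code. It reads "double hashing" as open addressing with a second hash for the probe step, which is an assumption; the table size, probe limit, function names and the stand-in resolver with its workload are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names and sizes for illustration; not ippl's real cache. */
#define SLOTS 257        /* prime, so any probe step cycles through all slots */
#define MAX_PROBES 8
struct entry { int used; uint32_t addr; char name[64]; };
static struct entry table[SLOTS];
static unsigned resolver_calls;   /* queries that actually reach the resolver */

/* Stand-in for a reverse lookup: constructed names, no network access. */
static void slow_resolve(uint32_t addr, char *out, size_t len) {
    resolver_calls++;
    snprintf(out, len, "host-%08x.example", (unsigned)addr);
}

/* Double hashing: h1 picks the first slot, h2 (never 0) the probe step. */
static unsigned h1(uint32_t a) { return a % SLOTS; }
static unsigned h2(uint32_t a) { return 1 + (a / SLOTS) % (SLOTS - 1); }
void cache_flush(void) { memset(table, 0, sizeof table); } /* periodic emptying */

const char *cached_resolve(uint32_t addr) {
    static char uncached[64];
    unsigned slot = h1(addr), step = h2(addr);
    for (int i = 0; i < MAX_PROBES; i++, slot = (slot + step) % SLOTS) {
        struct entry *e = &table[slot];
        if (e->used && e->addr == addr) return e->name;  /* hit: no query sent */
        if (!e->used) {                     /* free slot: resolve and store */
            e->used = 1; e->addr = addr;
            slow_resolve(addr, e->name, sizeof e->name);
            return e->name;
        }
    }
    slow_resolve(addr, uncached, sizeof uncached);  /* full: answer uncached */
    return uncached;
}

/* Constructed workload: `packets` lookups spread over `hosts` source addresses. */
unsigned queries_for(unsigned packets, unsigned hosts) {
    cache_flush(); resolver_calls = 0;
    for (unsigned p = 0; p < packets; p++)
        cached_resolve(0xC0000200u + p % hosts);
    return resolver_calls;
}

int main(void) {
    printf("100 lookups, 10 hosts: %u queries\n", queries_for(100, 10));
    return 0;
}
```

Emptying the whole table needs no per-entry timestamps or tombstones, at the cost of one fresh query per active host after each flush.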

Want to know more about ippl?

Read the source, Luke!

Why did we write ippl?

Written by Hugo Haas on February 14, 1999 (release date of version 1.0):

« I have always liked the idea to know who does what to my computer. A lot of people indeed like to scan all the ports of your computer or even do more nasty things.

That is why I started to use iplogger written by Mike Edulla (medulla@infosoc.com). I liked it. Another program called jail was based on it, but I did not really like it, for some unknown reason.

After a while, I became the maintainer of the iplogger package for Debian GNU/Linux. I therefore had to do a few security fixes and I discovered that the source code was not very clean. Every fix was making it even more complex.

Then, Shawn Michael (blkmajik@mcn.net) modified the program a little bit to release a 1.1 version. However, if the features added were interesting, a lot of problems appeared with the new version.

As I was fed up with working in a source which was more and more a mess and as everybody was requesting features that I did not want to implement in iplogger - such as a way to select what packets to log, I decided in October 1998 to rewrite iplogger completely, giving it the configurability that it was lacking.

As I did not have a lot of spare time, I developed this new program slowly, and I decided to call it ippl (I had found another name at the beginning but I decided not to use it as it was not politically correct). After almost two months, I had something working as I wanted, but I was not happy with the parsing of the configuration. I hence decided to ask Etienne Bernard (eb@pltplp.net) to do a clean configuration parser using Lex/Bison and as he liked the idea of ippl, he kept on helping me.

Little by little, with the help of people testing ippl for us (special thanks to Michel Kaempf (maxx@via.ecp.fr)) we managed to get something working well.

And now it is time to release version 1.0, a stable version. »

Mailing lists

Thanks to VIA - Centrale Réseaux, we have two mailing lists set up:

  • ippl-announce: News about ippl is posted here.
  • ippl: this is the discussion list for development topics. This is the one you should use to contact the authors.

If you want to subscribe to one of these mailing lists, send an email to ecartis@via.ecp.fr containing subscribe list in the body, where list is the name of the list you wish to subscribe to.

Copyright © 1999-2000 Hugo Haas (hugo@larve.net), 2000 Etienne Bernard (eb@pltplp.net) except the logo, Copyright © 1999 Samuel Hocevar (sam@via.ecp.fr).