FTL - FTPD Tracefile Logger - Aug 12 1994
Version 0.8

by Justin Dolske - jdolske@mail.bgsu.edu

  This program is SuggestionWare. :-) If you use it, please send me a
suggestion on how to make it better, or just tell me you like it.

  Feel free to change the program around. If you do, I ask only that you
change the "ver" variable to reflect this, and don't distribute the changed
version without my approval. (If something breaks, I want to know it's my
fault)


1. What does FTL do?

  FTL is a program to help anyone running an FTP site (via FTPD). FTPD has
only one way to generate a log of user activity, with the "-t" option. The
tracefile generated is not very useful. There is too much logged (who cares
about PORT and STRU commands) and it's not very readable. FTL will take one
of these tracefiles, read through it, and provide a much more readable log
of server usage, along with overall statistics (i.e. files transferred, bytes
downloaded, etc). Please note that this isn't designed as any kind of
security scanner; I admit it can be easily confused/fooled.


2. What does FTL require?
    - OS/2 with REXX installed
    - IBM TCP/IP 2.0 + June 1994 CSD  (June CSD or newer is *required*)
    - Tracefiles generated by the FTP server FTPD running with the -t option


3. How to use it...

  FTL is quite easy to use. First of all, you'll need a tracefile generated
by FTPD with the -t option. These tracefiles are placed in the directory
pointed to by the ETC variable in CONFIG.SYS, usually x:\TCPIP\ETC. The
filename will be FTPD.TRC. Note that FTPD does *not* append to this file!
Each time FTPD is run it will overwrite this file. Let some people log in on
your FTP server, transfer some files, etc. FTPD prevents reading the tracefile
while it is running, so you must close the server to be able to read the file;
Control-C works nicely.
  If you haven't already, take a look at the contents of the tracefile. Not
very nice, huh? The tracefile seems to be geared more for debugging than for
logging server activity.
  At this point you can copy FTPD.TRC to the directory FTL is in, and just run
"FTL" (or "FTL |more" to pause after each screen). For more FTL options, check
out the next section...


4. FTL Command Line Options

Command line options are not case sensitive.

[-0|1|2|3] - Specify level of logging. "-0" is the shortest, displaying only
             a summary of server usage. "-1" (the default) and "-2" show more
             info for each user, and "-3" shows a bunch of debugging info.
[-t tracefile] - Specify the input file. This cannot include a path.
[-l logfile]   - Write the log generated to a file. (eg -l LOGFILE.TXT)
[-q]           - Don't display the log on the screen. Really only useful with
                 the -l option when running FTL from a batch file.
[-h]           - Resolve IPs found. This requires NSLOOKUP to be in the path.
                 (Every TCP/IP installation should already be set up for this)
[-?]           - Display available options

Running "ftl" is equivalent to "ftl -1 -t FTPD.TRC".


5. Things to note while running FTL

  FTL is not meant to be any sort of security program, it just notifies you
of normal system usage. If you're in need of security logging/features such
as those in a good ftpd for Unix, pester IBM to improve their ftpd.

  The tracefile is first sorted by socket before it's parsed. I'm currently
using a really slow sorting algorithm. Big tracefiles may take a while to
sort.

  When FTL encounters a command in a tracefile it doesn't understand, it
will report it (you must call FTL with the "-2" option to see this) and try to
continue. FTL should be able to handle all commands given to the ftp server,
even if it doesn't actually *do* anything. I think I've implemented all the
commonly used stuff, but if you're using some of the more obscure commands
(like proxy servers and appending files) lemme know and I'll toss those in
sooner. If you're consistently seeing commands it doesn't handle, let me
know so I can get it fixed! After all, I use this program too. ;-)

  In some cases, FTL may encounter an unknown result from a command. I've
tried to generate all possible replies from commands, but it's possible some
may have slipped through. If this happens, FTL will report something to the
effect of "ERROR: Unknown Result Code..." and will skip the
rest of the commands entered by that user and move to the next user. If you
encounter this, please let me know.


6. Known Bugs:

  - The -t and -l options cannot point to other directories.
  - Trying to open a non-existent file generates a confusing error message.
  - The SortTraceFile routine is really bad... It works, but was just a
    quick kludge on my part. Veeery slow.


7. Soon to come... (maybe :-)

  - Running summary between tracefiles (eg weekly statistics, stats-to-date)
  - Matching usernames to valid sites. (eg if username "beta_tester" is
    connecting from sites other than those you're approved.)
  - Nicer output, "Socket xx did this..." gets a little tedious.


8. A final note...

This is still being developed! Expect it to not handle all kinds of
stuff. If FTL burps on your tracefile, please send me either the portion
of the tracefile where it's dying, or the whole thing.
   I encourage suggestions for features! I'd like to make this a decent
program. I know a lot of people were upset at IBM for not including any way
to monitor ftpd activity (pre-CSD days), and I think that tracefiles help
a little, but not much. Tracefiles are just that, for tracing, not logging.

That's it... Lemme know what ya think!


9. Contacting the author, getting the newest version...

  Since this is a program I use too, I want to hear your suggestions,
complaints, and comments.

email: jdolske@mail.bgsu.edu
IRC: I'm often on #os/2 as Bob_Ross

  The newest version should be available on my ftp server, donut.bgsu.edu.
I'll upload major changes to hobbes.nmsu.edu, but intermediate versions will
only be on my system (anonymous ftp).
