Re: Linux network monitoring (fwd)

Mustafa Akgul (akgul@Bilkent.EDU.TR)
Sun, 5 May 1996 12:50:42 +0400 (EET DST)


Forwarded message:
From firewalls-owner@GreatCircle.COM Sun May 5 06:45:13 1996
Date: Sat, 4 May 1996 21:30:00 -0500 (CDT)
From: Chip Coy <coy@coy.com>
To: zarquon@popalex1.linknet.net
Cc: Firewalls <firewalls@GreatCircle.COM>
Subject: Re: Linux network monitoring
In-Reply-To: <199605040649.BAA01768@dsrvlaf1-24.linknet.net>
Message-Id: <Pine.LNX.3.91.960504212155.15708A-100000@bridge.coy.com>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: firewalls-owner@GreatCircle.COM
Precedence: bulk

(Personally, I use Doug Hughes' klaxon, but that's not the tool you
described)

Sounds like you're looking for Argus, (to quote the announce) "a generic
IP network transaction auditing tool. Argus runs as an application level
daemon, promiscuously reading network datagrams from a specified
interface, and generates network traffic status records for the network
activity that it encounters".

It's from CMU, and it's built on top of libpcap (the low-level library used
by tcpdump).

Argus is a bit of a CPU hog on Linux at the moment (all packets come up to
the application, rather than being filtered in the kernel as on UNIX
systems with the Berkeley Packet Filter in the kernel).

See ftp://ftp.sei.cmu.edu/pub/argus-1.5 for more information.

Chip.

On Sat, 4 May 1996 zarquon@popalex1.linknet.net wrote:
> What I would really like is a tool like one I saw in use a
> while back, but have been unable to locate. It could detect attempted
> connections on any ports, giving it the ability to effectively detect port
> scans in any port range, while *not* accepting any connections. In other
> words, whoever attempted to connect would *not* have the connection accepted,
> but it would still be logged as a connection attempt.

Chip Coy coy@coy.com http://bridge.coy.com/~coy/
"Do not mistake composure for ease." - Tuvok
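As an added example (not code from this message, from Argus, or from the original poster), the script below does in miniature what the thread describes: it parses raw Ethernet/IPv4/TCP frames the way a libpcap consumer would see them, keeps a status record per TCP flow (attempted, established, refused) purely from what passes on the wire, and reports any source that probed many distinct ports on a host. Nothing is ever accepted or answered by the monitor itself, which is the property the quoted question asks for. The frames, addresses, ports and the five-port threshold are all constructed for the example; checksums are left at zero because the parser never verifies them.

```python
import struct

# TCP flag bits (RFC 793)
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame. Constructed test input only:
    MACs, sequence numbers and checksums are zero."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0, _ip_bytes(src), _ip_bytes(dst))
    return eth + ip + tcp


def parse_frame(raw):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None.
    Anything that is not IPv4-over-Ethernet carrying TCP is ignored."""
    if len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = raw[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # header length in bytes
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    flags = ip[ihl + 13]                          # TCP flags byte
    return src, dst, sport, dport, flags


class FlowAuditor:
    """Passive per-flow status records, keyed (client, cport, server, sport)."""

    def __init__(self):
        self.flows = {}

    def observe(self, raw):
        """Update flow state from one frame; return the new state or None."""
        p = parse_frame(raw)
        if p is None:
            return None
        src, dst, sport, dport, flags = p
        if flags & TCP_SYN and not flags & TCP_ACK:   # client's opening SYN
            self.flows[(src, sport, dst, dport)] = "attempted"
            return "attempted"
        key = (dst, dport, src, sport)                 # server -> client reply
        if key in self.flows and self.flows[key] == "attempted":
            if flags & TCP_SYN and flags & TCP_ACK:
                self.flows[key] = "established"
            elif flags & TCP_RST:
                self.flows[key] = "refused"            # closed port
            return self.flows[key]
        return None

    def records(self):
        """Argus-style status records, one per flow seen."""
        return sorted((c, cp, s, sp, st) for (c, cp, s, sp), st in self.flows.items())

    def scan_suspects(self, min_ports):
        """Sources that opened flows to at least min_ports distinct server ports."""
        seen = {}
        for client, _cport, server, sport in self.flows:
            seen.setdefault(client, set()).add((server, sport))
        return {c: len(ports) for c, ports in seen.items() if len(ports) >= min_ports}


def build_sample_traffic():
    """Constructed capture: one normal handshake, then one host sweeping six
    ports on 10.0.0.1 (only port 22 answers with SYN/ACK), then an ARP frame."""
    frames = [
        build_frame("10.0.0.5", "10.0.0.1", 40000, 80, TCP_SYN),
        build_frame("10.0.0.1", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK),
        build_frame("10.0.0.5", "10.0.0.1", 40000, 80, TCP_ACK),
    ]
    for i, port in enumerate((21, 22, 23, 25, 110, 143)):
        frames.append(build_frame("192.0.2.9", "10.0.0.1", 50000 + i, port, TCP_SYN))
        reply = TCP_SYN | TCP_ACK if port == 22 else TCP_RST | TCP_ACK
        frames.append(build_frame("10.0.0.1", "192.0.2.9", port, 50000 + i, reply))
    frames.append(b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28)  # ARP
    return frames


def audit(frames, min_ports=5):
    """Run every frame through the auditor; return (records, suspects)."""
    auditor = FlowAuditor()
    for frame in frames:
        auditor.observe(frame)
    return auditor.records(), auditor.scan_suspects(min_ports)


if __name__ == "__main__":
    recs, suspects = audit(build_sample_traffic())
    for rec in recs:
        print("%s:%d -> %s:%d %s" % rec)
    print("port-sweep suspects:", suspects)
```

On a live box the frames would come from a promiscuous-mode pcap handle instead of `build_sample_traffic()`, and, as the message notes about Linux without an in-kernel BPF, every frame would be copied up to this user-space loop, so a capture filter limited to TCP SYN and RST traffic is the first thing to add before pointing it at a busy segment.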