
Security Analyst Network Connection Profiler  
           SANCP (pronounced: s

                  Current version (stable): 1.6.1-stable

                  Next version (beta): 1.6.2-candidate.C.5    [ see Related-Tools  below added 20080313 ]



SANCP is a network security tool designed to collect statistical information about network traffic and to record the traffic itself to file in pcap format for auditing, historical analysis, and network activity discovery. Rules can be used to distinguish normal traffic from abnormal traffic and to tag connections with a rule id, node id, and status id.

From an intrusion detection standpoint, every connection is an event that must be validated through some means. SANCP uses rules to identify, record, and tag traffic of interest.  Connection 'stats' can be loaded into a database for further analysis.

Download links:

Current version 1.6.1 (stable) - supports linux and bsd

      sancp-1.6.1-stable.tar.gz      Download from sourceforge or (md5: ffa64f2fdb49afd7ef16fbefda21e251 )

Anonymous CVS version 1.6.1 (beta) - requires patches a, b, c and d to be applied from

        cvs login
        cvs co sancp

Development version 1.6.2 (beta) - supports linux, bsd and solaris

     sancp-1.6.2-candidate.C.5.tar.gz     Download from (md5: 26cb63b846f0ce7addb39945c787168a )

        - add new output field value for 'reversed' (5 == 'MAYBEREVERESED'); indicates
                when option 'nosrc_pktsok' was applied to force the direction
        - add default nosrc_pktsok = 0, set to 1 to enable, does not REREVERSE connections which have
                closed with no packets collected from the assumed source...
        - add 'nosrc_pktsok' rules option support to force the 'known_ports' direction preference for
                connections which receive no packets from the assumed source
        - add custom prelude output support to rules for output control
        - fix bug reported in #snort-gui with stats files not being created 
        - fix bug for compiling prelude support reported by Sebastien Tricaud
        - add solaris support
        - add console output; (e.g. used to print running configuration and ongoing connections)
        - add new output fields to include sample of payload data from source or destination for stats and realtime
        - add pcap index support; created to support locating packets in large pcap files without parsing.
                 (new output fields: output_filename, start_pos and stop_pos )
        - add prelude compile-time support
                (edit Makefile, uncomment: 
        - improve daemon mode to store process id in file name ''
        - improve signal-handling (set flag and return method allows for timely processing of signal requests)
        - remove README from binary to docs/ to reduce footprint and code maintenance
        - replace all typographical references to '80211' with '8021Q' 
        - add -p <pidfile> support 
        - update README documentation
        - improve configuration output to include output formats (see: --config)
        - add three new output fields: silence (seconds since last packet), timeleft (seconds until timeout) and expired (internal state flag)


Related Tools:  -  Perl script for retrieving packets from SANCP pcap files index (read usage here)


sancp -i <interface> -d <logging-directory> -c <configuration-file> -F <bpf-expression-file> -r <pcapfile>

     <interface> = network interface name to monitor
    <logging-directory> = directory for writing all output files
    <configuration-file> = text file containing configuration options
    <bpf-expression-file> = text file containing a valid bpf expression in the first line
    <pcapfile> = packet capture file to read, use instead of '-i <interface>'

Rules Syntax:

# sancp.conf version 1.6.1+ 
# 1 - Define variables to use in subsequent rules - vars are context sensitive ( eth_proto, ip, ip_proto, port )

var ip 8
var icmp 1
var tcp 6
var udp 17
var dns 53

# 2 - Define known ports for udp and tcp/ip traffic
# These values will be used to reverse the (source and destination-related values) to change the apparent
# direction of connections which commonly appear 'reverse' that of their commonly presumed direction.

known_ports udp dns
known_ports tcp 25, dns, 80, 443

# 3 - Define rules
# Rule Format: {PROFILE} {OPTIONS}
# Where
# PROFILE contains six fields: (Use the field-keyword 'any' to indicate all possible field values)
# <eth_proto.num> <src_ip.dotted[/mask]> <dst_ip.dotted[/mask]> <ip_proto.num> <src_port.num> <dst_port.num>
# OPTIONS may be any of the following:
# realtime <log|pass>, stats <log|pass>, pcap <log|pass|filename|tsfilename|connection>,
# rid <N>, rgid <N>, limit <N>, tcplag <N>, timeout <N>, retro

ip any any tcp any 443; limit 1500
ip any any udp any any; realtime pass
ip any any icmp any any; realtime pass

# Note: comments (/#.*$/), commas, semi-colons, equal-signs, tabs and extra spaces are ignored in configuration files
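
The rule grammar above can be checked before a configuration is deployed. The following Python sketch is an added example, not part of SANCP: it expands vars, reads known_ports and splits each rule into its six profile fields and options. It assumes var names are substituted by plain lookup and that every option except 'retro' takes exactly one value, as the OPTIONS comment lists them.

```python
import re

PROFILE = ("eth_proto", "src_ip", "dst_ip", "ip_proto", "src_port", "dst_port")
NUMERIC = ("eth_proto", "ip_proto", "src_port", "dst_port")
# Option keywords and argument counts from the OPTIONS comment on this page, plus
# 'nosrc_pktsok' and 'prelude' from its 1.6.2 notes (one argument each, assumed).
OPTION_ARGS = {"realtime": 1, "stats": 1, "pcap": 1, "rid": 1, "rgid": 1,
               "limit": 1, "tcplag": 1, "timeout": 1, "retro": 0,
               "nosrc_pktsok": 1, "prelude": 1}

# Vars, known_ports and rules copied from the sample configuration on this page.
PAGE_CONFIG = """
var ip 8
var icmp 1
var tcp 6
var udp 17
var dns 53
known_ports udp dns
known_ports tcp 25, dns, 80, 443
ip any any tcp any 443; limit 1500
ip any any udp any any; realtime pass
ip any any icmp any any; realtime pass
"""

def tokenize(line):
    """Drop '#' comments, then treat commas, semi-colons and '=' as spaces."""
    return re.sub(r"[,;=]", " ", re.sub(r"#.*$", "", line)).split()

def number(raw, variables, where):
    value = variables.get(raw, raw)  # expand a 'var' name if one is defined
    if not value.isdigit():
        raise ValueError(f"{where}: '{raw}' is neither a number nor a defined var")
    return int(value)

def parse_rule(tok, variables, where):
    if len(tok) < len(PROFILE):
        raise ValueError(f"{where}: a profile needs six fields")
    rule = {}
    for name, raw in zip(PROFILE, tok):
        numeric = name in NUMERIC and raw != "any"
        rule[name] = number(raw, variables, where) if numeric else variables.get(raw, raw)
    options, i = {}, len(PROFILE)
    while i < len(tok):
        argc = OPTION_ARGS.get(tok[i])
        if argc is None:
            raise ValueError(f"{where}: unknown option '{tok[i]}'")
        args = tok[i + 1:i + 1 + argc]
        if len(args) != argc:
            raise ValueError(f"{where}: option '{tok[i]}' needs a value")
        options[tok[i]] = args[0] if argc else True
        i += 1 + argc
    return {**rule, "options": options}

def parse_config(text):
    """Return (vars, known_ports, rules); 'default' and 'format' lines are skipped."""
    variables, known_ports, rules = {}, {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        tok, where = tokenize(line), f"line {lineno}"
        if not tok or tok[0] in ("default", "format"):
            continue
        if tok[0] == "var":
            if len(tok) != 3:
                raise ValueError(f"{where}: expected 'var <name> <value>'")
            variables[tok[1]] = tok[2]
        elif tok[0] == "known_ports":
            proto = number(tok[1], variables, where)
            ports = [number(p, variables, where) for p in tok[2:]]
            known_ports.setdefault(proto, []).extend(ports)
        else:
            rules.append(parse_rule(tok, variables, where))
    return variables, known_ports, rules

if __name__ == "__main__":
    print(*parse_config(PAGE_CONFIG)[2], sep="\n")
```

A misspelled option or an undefined var raises ValueError with the line number, so the problem surfaces before the sensor is restarted.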

Configuration file option defaults for Version 1.6.1 (stable):

# sancp.conf version 1.6.1+
default use_icmp_mixed=disable  # enable to log icmp values of 'type' and 'code' to fields 'src_port' and 'dst_port', respectively, from icmp packets

default use_pcap_time=disable  # enable to set clock to timestamps contained in packet headers rather than the system clock

default strip-80211=disable  # enable to remove 8021Q headers from packets (note: 80211 is not related to 8021Q, this association is a typo that resides only within the source code)

default debug_pcap_raw=disable  # enable to record packets to output file name pcap_raw prior to packet decoding (use for debugging)

default realtime=tsfilename realtime # sets realtime output filename format to 'realtime.<interface>.<unixtimestamp>'; set to pass to disable

default stats=tsfilename stats # sets stats output filename format to 'stats.<interface>.<unixtimestamp>'; set to pass to disable

default pcap=tsfilename pcap  # sets pcap output filename format to 'pcap.<interface>.<unixtimestamp>'; set to pass to disable

format realtime=delimiter=|, start_time_gmt, duration, src_ip_dotted, dst_ip_dotted, ip_proto, src_port, dst_port, src_pkts, dst_pkts, src_bytes, dst_bytes, total_bytes, collect, climit, collected, pcap, realtime, stats, retro, src_mac, dst_mac

format stats=delimiter=|, sancp_id, start_time_gmt, stop_time_gmt, erased_time_gmt, eth_proto, ip_proto, src_ip_decimal, src_port, dst_ip_decimal, dst_port, duration, timeout, src_pkts, dst_pkts, src_bytes, dst_bytes, sflags, dflags, cflags, total_bytes, collect, collected, climit, tcplag, pcap, realtime, stats, reversed, hash, rid, rgid, node, zone, status, retro, src_mac, dst_mac

default flush_interval=1800  # flush to disk every N seconds

default expire_interval=10  # check for expired connections every N seconds

default burst_mode=enable  # force close of stats output file after every flush_interval to create new output file, set to disable to continue logging to same file until program ends

default status=0  # set default status id to N

default node=0  # set default node id to N

default zone=0  # assign default zone id to N

default rid=0  # assign default rule id to N

default rgid=0 # assign default rule group id to N

default limit=0  # limit pcap data collected per connection to N bytes

default timeout=300  # expire connections after N seconds of inactivity

default tcplag=0  # extend timeout N seconds before expiring tcp connections
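
To load connection stats into a database for analysis, the 'format stats' line above is enough to derive both the delimiter and the column list. The following Python sketch is an added example, not part of SANCP: it reads that line, loads records into an in-memory SQLite table and ranks sources by bytes. The sample records are constructed, and src_ip_decimal is assumed to be the usual 32-bit integer form of an IPv4 address.

```python
import ipaddress
import re
import sqlite3

# 'format stats' line copied from the 1.6.1 defaults on this page.
STATS_FORMAT = (
    "format stats=delimiter=|, sancp_id, start_time_gmt, stop_time_gmt, "
    "erased_time_gmt, eth_proto, ip_proto, src_ip_decimal, src_port, "
    "dst_ip_decimal, dst_port, duration, timeout, src_pkts, dst_pkts, "
    "src_bytes, dst_bytes, sflags, dflags, cflags, total_bytes, collect, "
    "collected, climit, tcplag, pcap, realtime, stats, reversed, hash, rid, "
    "rgid, node, zone, status, retro, src_mac, dst_mac")
# Columns stored as INTEGER (64-bit in SQLite); every other field stays TEXT.
INT_FIELDS = {"src_ip_decimal", "dst_ip_decimal", "src_port", "dst_port", "src_pkts",
              "dst_pkts", "src_bytes", "dst_bytes", "total_bytes", "collected", "climit"}

def parse_format(line):
    """Split a 'format' line into (output name, options, field names)."""
    tokens = re.sub(r"[,;=]", " ", re.sub(r"#.*$", "", line)).split()
    if len(tokens) < 3 or tokens[0] != "format":
        raise ValueError("not a format line")
    opts, i = {}, 2
    while i + 1 < len(tokens) and tokens[i] in ("delimiter", "wildchar"):
        opts[tokens[i]] = tokens[i + 1]
        i += 2
    fields = tokens[i:]
    # Field names become SQL column names below, so accept plain identifiers only.
    if not fields or not all(re.fullmatch(r"[a-z0-9_]+", f) for f in fields):
        raise ValueError("unexpected field name in format line")
    return tokens[1], opts, fields

def parse_record(line, delimiter, fields):
    """Turn one stats line into a dict; reject lines that do not fit the format."""
    values = line.rstrip("\r\n").split(delimiter)
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    return {f: int(v) if f in INT_FIELDS else v for f, v in zip(fields, values)}

def load(conn, fields, records):
    cols = ", ".join(f'"{f}" {"INTEGER" if f in INT_FIELDS else "TEXT"}' for f in fields)
    conn.execute(f"CREATE TABLE sancp ({cols})")
    marks = ", ".join("?" * len(fields))
    conn.executemany(f"INSERT INTO sancp VALUES ({marks})",
                     [[r[f] for f in fields] for r in records])

def top_talkers(conn, limit=3):
    """Sources ranked by total_bytes, with src_ip_decimal shown as dotted quad."""
    rows = conn.execute("SELECT src_ip_decimal, SUM(total_bytes) AS b FROM sancp "
                        "GROUP BY src_ip_decimal ORDER BY b DESC LIMIT ?", (limit,))
    return [(str(ipaddress.IPv4Address(ip)), total) for ip, total in rows]

def sample_line(fields, delimiter, **known):
    """Constructed record: every field is 0 unless a value is given."""
    return delimiter.join(str(known.get(f, 0)) for f in fields)

def demo():
    _, opts, fields = parse_format(STATS_FORMAT)
    sep = opts["delimiter"]
    ip = lambda s: int(ipaddress.IPv4Address(s))
    lines = [  # constructed sample data (documentation address ranges)
        sample_line(fields, sep, sancp_id=1, src_ip_decimal=ip("192.0.2.10"),
                    dst_port=443, total_bytes=5_000_000_000),  # needs 64 bits
        sample_line(fields, sep, sancp_id=2, src_ip_decimal=ip("192.0.2.10"),
                    dst_port=53, total_bytes=1_000),
        sample_line(fields, sep, sancp_id=3, src_ip_decimal=ip("192.0.2.20"),
                    dst_port=80, total_bytes=70_000),
    ]
    conn = sqlite3.connect(":memory:")
    load(conn, fields, [parse_record(l, sep, fields) for l in lines])
    return top_talkers(conn)

if __name__ == "__main__":
    print(demo())
```

The same parse_format call accepts the 1.6.2 style line with 'wildchar' and spaced 'delimiter = |', because equal-signs and commas are treated as whitespace.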

 Configuration file option defaults added in Version 1.6.2 (beta-test):

# sancp.conf version 1.6.2+

default sample_src_length=0 # set to number of initial bytes of data to sample from source payload to N

default sample_dst_length=0 # set to number of initial bytes of data to sample from destination payload to N

default strip_8021q=disable # enable to remove 8021Q (VLAN) headers from packets (obsoletes strip-80211 option)

default arprarp_decode=disable # enable to log values to certain ip fields from arp and rarp packets, records arp/rarp ip addresses to src_ip and dest_ip, operation to ip_proto, and then hardware and protocol types and lengths to source and dest port and byte fields, respectively.

default index=pass # set to log to enable logging of start and stop positions of packets written to pcap files

format index wildchar='\s'  sancp_id, output_filename, start_pos, stop_pos

format console wildchar='\s' delimiter = \s, sancp_id, start_time_local, src_mac, dst_mac, src_ip_dotted, dst_ip_dotted, eth_proto, ip_proto, src_port, dst_port, src_pkts, dst_pkts, src_bytes, dst_bytes, timeout, total_bytes, output_session_id, sflags_hex, dflags_hex, cflags_hex, duration, sample_src_asc

format realtime wildchar='\s' delimiter = |, start_time_gmt, duration, src_ip_dotted, dst_ip_dotted, ip_proto, src_port, dst_port, src_pkts, dst_pkts, src_bytes, dst_bytes, total_bytes, collected, sample_src_len, sample_src_hex, sample_src_asc

format stats wildchar='\s' delimiter = |, sancp_id, start_time_gmt, stop_time_gmt, erased_time_gmt, eth_proto, ip_proto, src_ip_decimal, src_port, dst_ip_decimal, dst_port, duration, timeout, src_pkts, dst_pkts, src_bytes, dst_bytes, sflags, dflags, cflags, total_bytes, collect, collected, climit, tcplag, pcap, realtime, stats, reversed, hash, rid, rgid, node, zone, status, retro, src_mac, dst_mac, sample_src_len, sample_dst_len, sample_src_hex, sample_dst_hex

default nosrc_pktsok = 0 # 'default' and 'rules' option support to force the 'known_ports' direction preference for connections which receive no packets from the assumed source

8 any any 6 any 80  nosrc_pktsok=1   #  force known_ports preference for HTTP connections that we did not collect packets from the assumed source, by default these connections would be re-reversed prior to logging 

Development timeline:   

Oct 16, 2007 - Version 1.6.2-candidate.C.5 (released as beta)
- updated docs/CHANGES
- updated docs/README

Oct 09, 2007 - Version 1.6.2-candidate.C.5

- added 'nosrc_pktsok' rules option support to force the 'known_ports' direction preference for
connections which receive no packets* from the assumed source
- added new output field value for 'reversed' (5 == 'MAYBEREVERESED'); indicates
when option 'nosrc_pktsok' was applied to force the direction*
- added default nosrc_pktsok = 0, set to 1 to enable, does not REREVERSE connections which have
closed with no packets collected from the assumed source, 'reversed' connections
typically result when the initial packet is dropped by the collection engine,
or when packets appear to be coming from known_ports (i.e. network scans, or third-party DDOS RESET packets)

*nosrc_pktsok is not applied to TCP connections whose first packet contained a SYN flag or SYN-ACK flag combination, in which case, the inferred TCP direction is preferred over known_ports 6.

Sep 30, 2007 - Version 1.6.2-candidate.C.4 (not released, beta)

- resolve problem not printing known_ports setting in configuration output (i.e. --config)
- added new output format option 'wildchar=\s'; used by fields sample_src_asc and sample_dst_asc
sets character to print in place of nonprintable characters, i.e. 'wildchar=.'

Sep 24, 2007 - Version 1.6.2-candidate.C.3 (released as beta)

- document additional prelude-related rule options available in docs/README

Sep 06, 2007 - Version 1.6.2-candidate.C.3-customoutput (not released - to be released as 1.6.2-candidate.C.3)

modify,,,, gvars.h, sancp.h
- add custom prelude output support to rules for output control; requested by Dean Takemori, forwarded by Sebastian Tricaud
var trusty
8 trusty any 6 any 22 prelude pass # disable prelude output on matching secure shell connections
8 any any 6 any 22 prelude log # enable prelude output on matching secure shell connections

 Aug 21, 2007 - Version 1.6.2-candidate.C.2 - released as beta

         - update prelude compile-time support 
                (To enable edit Makefile, uncomment define statements for:  PRELUDE_CFLAGS, PRELUDE_LIBS, PRELUDE_SUPPORT )

        - add --strip_8021q option, deprecate --strip_8021Q,
        - remove backwards compatible option --strip_80211
        - fix debug compile errors  (ref: #DEBUG=1 in gvars.h )
        - fix build_acl() to read 'strip_8021q' or 'strip_8021Q' setting from configuration file
        - update print_acl() to print output formats in output from --config output

        -add private member 'filetype',
        -add method printFormat()
        -modify all constructor calls to pass output name to be set as filetype.

        modified Makefile
        -add alternate CFLAGS and LFLAGS with -Xlinker support

        modify and gvars.h
        -add output fields
          'silence' - seconds since last packet
          'timeleft' - seconds until timeout
          'expired' - has expired
        -add check whether we received the exit signal before processing packets
                to avoid logging packets to realtimes and pcap during shutdown

- fix bug reported in #snort-gui with stats files not being created
        - add 'output_filename' field to --schemas output

        modify docs/SCHEMAS
        - update documentation for index and console output types

        modify docs/HELP
        - update documentation

  Aug 16, 2007 - Version 1.6.2-candidate.C.1 (not released)
        applied patch from Sebastien Tricaud to correct compile issue for prelude support
        modify makefile to include /usr/local/lib/pcap (per newsgroup)

  Jul 06, 2007 - Version 1.6.1-stable - sancp-1.6.1-stable.tar.gz - released as stable
        uploaded version 1.6.1-stable on sourceforge

  Jul 05, 2007 - Version 1.6.2-candidate.C sancp-1.6.2-candidate.C.tar.gz -  released as Beta
       integrate prelude-support requested by Frank Van Vliet on 09/19/2005

 Sep 26, 2006 - Version 1.6.1-candidate.B.4 - sancp-1.6.2.candidate.B.4.tar.gz - released as Alpha
       fix issue discovered on 09/25/2006, add new signal handling code

 Sep 22, 2006 - Version 1.6.2-candidate.B.3 - sancp-1.6.2.candidate.B.3.tar.gz - released as Alpha
        fix issue discovered on 09/21/2006

 Sep 20, 2006 - Version 1.6.2-candidate.B.2 - sancp-1.6.2.candidate.B.2.tar.gz - released as Alpha
        fix issue discovered on 09/20/2006

 Sep 19, 2006 - Version 1.6.2-candidate.B.1 - sancp-1.6.2.candidate.B.tar.gz - released as Alpha
        Add pcap index output support requested by Martin Holste on 09/19/2006
        this will record the sancp_id, output_filename, start_pos, stop_pos for each packet written to pcap

 Sep 17, 2006 - Version 1.6.2-candidate.B - sancp-1.6.2-candidateB.20060917.tar.gz - not released
        incorporate changes from unreleased 1.7.0 branch into 1.6.2, enable logging sampled payload data

 Aug 24, 2006 - Version 1.6.2-candidate-A - sancp-1.6.2.candidate.A.tar.gz - released as Alpha
        Combine solaris branch of 1.6.1 with patches a, b, c, and d as 1.6.2 candidate A
        Solaris testing support provided by Sean MacLeod to resolve library compile issues and segfault due to signal handling
        Implement --use-pcap-time to use timestamps in pcap files to avoid calls to alarm() on solaris       

 Aug 11, 2006 - Version 1.6.1-dev-solaris sancp-1.6.1.solaris.20060811.tar.gz - not released  
         final set of solaris modifications dropped from 1.6.1;  due to problems with signal handling
         continue solaris development with 1.6.2 version 

 Aug 09, 2006 - Version 1.6.1-dev-solaris - sancp-1.6.1.solaris.20060809.tar.gz - not released
         third set of solaris modifications

 Jul 05, 2006 - Update with current version and patches
        sancp-1.6.1.fix200511.a.patch - posted to as Beta
        sancp-1.6.1.fix200511.b.patch - posted to as Beta
        sancp-1.6.1.fix200601.c.patch - posted to as Beta
        sancp-1.6.1.fix200606.d.patch - posted to as Beta
        sancp-1.6.1.tar.gz - posted to as Beta

 Jun 30, 2006 -  Version 1.6.1 patch BD - - released as Beta
        Combined patches contained in sancp-1.6.1-fix200511.b.patch and sancp-1.6.1-fix200606.d.patch

 Jun 30, 2006 -  Version 1.6.1 patch D -  sancp-1.6.1.fix200606.d.patch - released as Beta
        Provides fix for 100% CPU utilization issue reported by Clemente Aguiar on 04/03/2006
        Removes tcpoption parsing code from main source, disabling decoding 'wscale' (TCP window scale)
        NOTE: This patch was reported as faulty (will not compile with EXPERIMENTAL_TCPOPTIONS defined)
        and was recreated 07/05/06, copies of this patch dated earlier than 07/05/06 may not work -
        reported by Devin Kowatch 06/30/06

 Jun 16, 2006 - Version 1.6.1-dev-solaris - sancp-1.6.1.solaris.20060616.tar.gz - not released
        Resume development of solaris compatibility on Sparc Ultra 10 received from Anthony Spina
        Resolve byte-order issues in stats and realtimes output fields
        Identify problems with runtime segfault due to problems with signal handling

 Jun 14, 2006 - Version 1.6.1 patch C - sancp-1.6.1.fix200601.c.patch - released as Beta
        Resolve compiler issues on x86-64 platform reported by Tomislav Kolanovic on 01/13/2006

 Apr 21, 2006 - Version 1.6.1 patch tcpoption - patch sancp.experimental_tcpoption.patch.1.6.1 - released as Beta
        Fix segfault, removed section for parsing tcpoptions

 Dec 13, 2005 - Version 1.6.1-dev-solaris - sancp-1.6.1.solaris.tar.gz - not released
        Began work on solaris compatibility at request of Anthony Spina and others - resolved basic compilation errors
        Identified byte-order issue with stats and realtimes output fields, delays due to remote access issues to environment

 Nov 12, 2005 - Version 1.6.1 patch B - sancp-1.6.1-fix200511.b.patch - released as Beta
        Provides fix for seg-fault at decode:69 reported by Bamm on 10/17/2005

 Nov 12, 2005 - Version 1.6.1 patch A - sancp-1.6.1-fix200511.a.patch - released as Beta
        Provides fix for duplicate connection id at check_packet:187 reported by Richard Bejtlich 11/12/2005

 Nov 01, 2005 - Version 1.7.0-alpha - sancp-1.7.0j.tgz - not released
        Discard bin output
        End development of branch 1.7.0-alpha
        Code to be incorporated into future version 1.6.2

 Oct 14, 2005 - Version 1.7.0-alpha - sancp-1.7.0i.tgz - not released
        Continue development of different formats of sampled payload data hex, ascii, bin

 Oct 13, 2005 - Version 1.7.0-alpha - sancp-1.7.0h.tgz - not released
        Create separate fields for sampled payload data from source and destination 

 May 11, 2005 -  Version 1.7.0-alpha - sancp-1.7.0g.tgz  - not released
        Begin development of new branch for adding sample of payload data as stats field

 Nov 01, 2004 - Version 1.6.1 - sancp-1.6.1.tar.gz - released as Beta
        Fixed problem introduced in version 1.6.0 with addition of src_mac and dst_mac reported by Bamm and Rich
        Fixed bug in sample init.d/sancpd startup script reported on #snort-gui
        Increased counters from 32bit to 64bit values:src_pkts, dst_pkts, src_bytes, dst_bytes, total_bytes, collected, and climit

 Sep 13, 2004 - Version 1.6.0 - sancp-1.6.0.tar.gz - released as Beta
        Fixed major bug when reading from a pcap file using -r option affecting how packets are decoded.
        New default output fields added: src_mac and dst_mac; see columns 49 and 50

 Sep 02, 2004 - Version 1.5.7 - sancp-1.5.7.tar.gz - released as Beta
        Disabled additional logging of realtimes to console, use -K to re-enable this 'feature.'
        Added forking -D (daemon) mode and suppresses -K, if enabled

 May 26, 2004 - Version 1.5.6 - sancp-1.5.6.tar.gz - released as Beta
        Resolved permission error when using options -u and -g to change the effective UID and GID.

 May 06, 2004 - Version 1.5.5 - sancp-1.5.5.tar.gz - released as Beta
        Increased byte and packet counters to 64bit values, rather than 32 bit
        Database tables supporting these as 32bit values should be changed to support 64bit values.
        src_pkts, dst_pkts, src_bytes, dst_bytes, climit, collected

 May 05, 2004 - Version 1.5.4 - sancp-1.5.4.tar.gz - released as Beta
        Increased byte and packet counters to 32bit values, rather than 16 bit
        Fixed incorrect behaviour of -R command line switch

 Jan 19, 2004 - Version 1.5.3 - sancp-1.5.3.tar.gz - released as Beta

 Jan 19, 2004 - Version -  sancp- - released as Beta

 Jan 19, 2004 - Version 1.5.2 - sancp-1.5.2.tar.gz - released as Beta

 Jan 17, 2004 - Version 1.5.1 - sancp-1.5.1.tar.gz - released as Beta

 Jan 15, 2004 - Version 1.5.0 - sancp-1.5.0.tar.gz - released as Beta

 Jan 01, 2004 - Version 1.4.1 - released as Beta
        Added ability to track last connection id assigned. Stored as 64bit value in .cnxid file
        Added -C (--last_cnxid) option to specify the last connection id assigned, must be greater
        than the value stored in the .cnxid file.

Dec 15, 2003 - Version 1.4.0 - sancp-1.4.0.tgz - released as Beta
        Expanded rules to handle ethernet protocol numbers; but only IP is parsed beyond the ethernet header
        Concept of a 'default' rule is more clearly expressed in the configuration file itself
        New rules format - we now require ethernet protocol to be specified
        Add var support for rules and known_ports definition
        Var support includes: ethernet protocol, ip address, ip protocol, tcp/udp ports
        Added three new 'default' and rule options: rule id (rid), status number, and node id
          -support for rule management and connection profile tagging: use 'rid'
          -support for a connection classification system: use 'status'
          -support for multiple instance/multiple interface support: use 'node'
        Expanded rule delimiters to include space, tab, comma, and equal signs
        BPF filter can be specified in the configuration file
        Extensive work done on configuration dump output. It now prints in a re-usable
        format, displays all defaults, known_ports, vars, and rules.
        Fixed memory leak issues with vars.
        Fixed open file handle issues

Nov 30, 2003 - Version 1.3.1 - released as Beta
        Re-combined conf and rules (rewrote code to handle both interchangeably)
        Standardized the argument and rules parsers
        Fixed problem with -F and -r options (when used together)
        Fixed some fileHandle class problems regarding storing filenames

Nov 26, 2003 - Version 1.3.0 - released as Beta
        Split configuration and rules into two files sancp.conf, sancp.rules
        Redesigned rules
        Changed many command line options, removed others
        Renamed output files (stats,pcap,realtime)
        Updated the documentation
        Made many code changes to support new configuration and rule options

Nov 17, 2003 - 
        Add syslog support for LOG_LOCAL1 - 7; default is LOG_DAEMON.
            i.e. --log_facility "LOCAL1"
        Specify user and group for sancp to run under
        GMT supported (as default), use --local_time to use local timezone
        Created gvars structure

Oct 21, 2003 - Version 1.2.1 - released as Beta
        Add os_info fields for destination to connection log output
        Add -NO2 option which disables printing this additional
         information (for backwards compatibility)
        Fixed bad mss value

Oct 13, 2003 - Version 1.2.0 - released as Beta
        ncp changes name to sancp
        Added 'lag' option
        Changed error messages to go to syslog
        Made a few corrections to documentation
        Updated Makefile
        Made a few changes to rule parsing routine
        Added quiet_mode
        Added daemon_mode
        Cleaned up
        Cleaned up
        Added a few more global variables to gVars

Sept 28, 2003 - Version 1.2 - released as Beta
        ncp posted to 
