Thu May  8 15:39:03 EDT 2003
This file is the README distributed for the ICMP monitor (icmp_mon) code.
-------------------------------------------------------------------------

Description:
icmp_mon.c is a Linux kernel module that scans parts of ICMP packets and
checks for hidden words.

Licence:
This module is distributed on an "as is" basis. Please see the accompanying
licence files for more information.
	GTRI_software_disclaimer.pdf
	public_use.pdf

Usage:
To compile, use the provided Makefile and type "make". You may have to modify
KERNELDIR to match the location of the source for your currently running
kernel. Type "insmod icmp_mon.o" to load the module.

Inside /proc/icmp_monitor/ four new files are available that can tune the
behavior of the module.

	icmp_mon_scan
	icmp_mon_erase
	icmp_mon_ignore_ping
	icmp_mon_drop_unrec

You may turn on or off each behavior by writing 1 or 0 into each of the files.

Limitations:
Currently only ICMP echo and reply packets are properly filtered, scanned and
erased. The code to scan other ICMP types is not fully complete. The pattern
matching searches only for some trivial strings and should be modified to
perform better matching. We feel this is not so important, however, since a
true covert channel would be encrypted, thus rendering string scanning
useless. The code can also be modified to perform timed benchmarking, which
shows that ICMP packet scanning is a very cheap operation.
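
Added example (userspace C, not code from icmp_mon.c): a sketch of the scan
and erase step for ICMP echo and reply messages described above. The function
names, the word list and the erase policy (zero the payload, then rebuild the
checksum) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ICMP_ECHOREPLY 0
#define ICMP_ECHO      8
#define ICMP_HDR_LEN   8 /* type, code, checksum, identifier, sequence */
/* Constructed word list for the example; not the module's pattern set. */
const char *const sample_words[] = { "secret", "passwd", NULL };

/* RFC 1071 Internet checksum over the whole ICMP message. */
static uint16_t icmp_cksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) /* even offsets are the high byte */
        sum += (i & 1) ? p[i] : (uint32_t)p[i] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Length-bounded search: the payload is raw bytes, not a C string. */
static int payload_has(const uint8_t *d, size_t n, const char *word)
{
    size_t w = strlen(word);
    for (size_t i = 0; w && i + w <= n; i++)
        if (memcmp(d + i, word, w) == 0)
            return 1;
    return 0;
}

/* -1: not echo/reply, left alone; 0: clean; 1: word found (erased if asked). */
int icmp_scan(uint8_t *pkt, size_t len, const char *const *words, int erase)
{
    int hit = 0;
    if (len < ICMP_HDR_LEN || (pkt[0] != ICMP_ECHO && pkt[0] != ICMP_ECHOREPLY))
        return -1;
    uint8_t *data = pkt + ICMP_HDR_LEN;
    size_t n = len - ICMP_HDR_LEN;
    for (; *words && !hit; words++)
        hit = payload_has(data, n, *words);
    if (hit && erase) { /* assumed erase policy: zero payload, fix checksum */
        memset(data, 0, n);
        pkt[2] = pkt[3] = 0;
        uint16_t c = icmp_cksum(pkt, len);
        pkt[2] = (uint8_t)(c >> 8);
        pkt[3] = (uint8_t)(c & 0xff);
    }
    return hit;
}
```

A payload that has been encoded in any way before sending no longer contains
the listed words, so icmp_scan() reports it as clean; this is the limitation
noted above.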

Please send questions and comments by electronic mail to:
Ola Nordstrom <nalo@cc.gatech.edu>
