This file contains instructions describing a basic setup of sancp for monitoring traffic on a single interface.


	1. Create a configuration file called sancp.conf 


	2. Create a directory to store output files


	3. Start sancp specifying a configuration file, output directory and interface


Create a sancp configuration file with appropriate settings 
(This is not required, but useful)

# vi /etc/sancp/sancp.conf
	# protocol numbers used by the known_ports lines below
	var tcp 6
	var udp 17
	# known service ports: connections whose first observed packet comes from one of
	# these ports (for example because the opening packets were dropped or missed) are
	# logged reversed, so that the known port is recorded as the destination
	known_ports tcp 25,80
	known_ports udp 53

# You can run sancp in the following manner to generate a default configuration file


	sancp --config;  mv console /etc/sancp/sancp.conf;


Create a base directory for storing sancp output files

# mkdir /var/log/sancp/`date +"%Y-%m-%d"`


Create a link to this directory named 'today'; an automated script (see the cron job below) can manage these directories

# ln -s /var/log/sancp/`date +"%Y-%m-%d"` /var/log/sancp/today


Start sancp (use -D for daemon mode)

# sancp -c /etc/sancp/sancp.conf -d /var/log/sancp/today -i eth0


Create a cron job, scheduled every hour, that creates a directory for today's data if one is not present, updates the 'today' link, and sends a 'kill -HUP' signal to sancp. On HUP, sancp re-reads the default configuration, output formats and rules and opens new output files for recording new connections (the directory and link must be updated before the HUP so the new files land in today's directory).

0 * * * * /etc/init.d/sancpd hup
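The following script is an added example of what the hourly 'hup' step can do; it is not the sancp project's own init script. It assumes sancp's PID is available in a pidfile (/var/run/sancp.pid is an assumed path) and that the output directory and 'today' link live under /var/log/sancp as above. Both locations can be overridden through the SANCP_LOG_BASE and SANCP_PIDFILE environment variables (names chosen for this example).

```shell
#!/bin/sh
# Added example: hourly rotation + HUP for sancp, in the spirit of the
# '/etc/init.d/sancpd hup' cron step.  Not part of the sancp distribution.
# Assumption: sancp's PID is written to $SANCP_PIDFILE (assumed path).

SANCP_LOG_BASE=${SANCP_LOG_BASE:-/var/log/sancp}
SANCP_PIDFILE=${SANCP_PIDFILE:-/var/run/sancp.pid}   # assumed path

# Create BASE/YYYY-MM-DD if it is missing and repoint BASE/today at it.
# Prints the directory path.  'ln -sfn' replaces the existing link without
# following it; the relative target keeps the link valid if BASE is moved.
rotate_dir() {
    base=$1
    day=$(date +"%Y-%m-%d")
    dir="$base/$day"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    ln -sfn "$day" "$base/today" || return 1
    echo "$dir"
}

# Send SIGHUP to the sancp process named in the pidfile.  A missing pidfile
# or a dead PID is reported as a failure rather than silently ignored, so the
# cron mail tells you that sancp is not actually running.
hup_sancp() {
    pidfile=$1
    if [ ! -r "$pidfile" ]; then
        echo "hup_sancp: no pidfile $pidfile" >&2
        return 1
    fi
    pid=$(cat "$pidfile")
    if ! kill -0 "$pid" 2>/dev/null; then
        echo "hup_sancp: pid '$pid' from $pidfile is not running" >&2
        return 1
    fi
    kill -HUP "$pid"
}

# Cron entry point, e.g.:  0 * * * * /usr/local/sbin/sancp-rotate hup
# The directory and link are updated first so that the files sancp opens
# after the HUP land in today's directory.
case "${1:-}" in
    hup)
        rotate_dir "$SANCP_LOG_BASE" >/dev/null && hup_sancp "$SANCP_PIDFILE"
        ;;
esac
```

Run it as the user that owns the output directory and the sancp process (root, when sancp is started from cron as above); `kill -0` fails with permission denied otherwise. If your sancp is started without a pidfile, `pkill -HUP -x sancp` delivers the same signal.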

see: etc/init.d/sancpd
see: etc/sancp/sancp.conf


