Diffstat (limited to 'contrib/ipfilter/man/ipmon.8')
-rw-r--r-- | contrib/ipfilter/man/ipmon.8 | 185 |
1 files changed, 0 insertions, 185 deletions
diff --git a/contrib/ipfilter/man/ipmon.8 b/contrib/ipfilter/man/ipmon.8 deleted file mode 100644 index 905a9c8..0000000 --- a/contrib/ipfilter/man/ipmon.8 +++ /dev/null 
@@ -1,185 +0,0 @@ -.TH ipmon 8 -.SH NAME -ipmon \- monitors /dev/ipl for logged packets -.SH SYNOPSIS -.B ipmon -[ -.B \-abBDFhnpstvxX -] [ -.B "\-N <device>" -] [ -.B "\-L <facility>" -] [ -.B "\-o [NSI]" -] [ -.B "\-O [NSI]" -] [ -.B "\-P <pidfile>" -] [ -.B "\-S <device>" -] [ -.B "\-f <device>" -] [ -.B <filename> -] -.SH DESCRIPTION -.LP -\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from -the packet filter. The binary data read from the device is reprinted in -human readable for, however, IP#'s are not mapped back to hostnames, nor are -ports mapped back to service names. The output goes to standard output by -default or a filename, if given on the command line. Should the \fB\-s\fP -option be used, output is instead sent to \fBsyslogd(8)\fP. Messages sent -via syslog have the day, month and year removed from the message, but the -time (including microseconds), as recorded in the log, is still included. -.LP -Messages generated by ipmon consist of whitespace separated fields. -Fields common to all messages are: -.LP -1. The date of packet receipt. This is suppressed when the message is -sent to syslog. -.LP -2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours, -minutes seconds, and fractions of a second (which can be several digits -long). -.LP -3. The name of the interface the packet was processed on, e.g., \fBwe1\fP. -.LP -4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be -viewed with \fBipfstat -n\fP. -.LP -5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short -packet, \fBn\fP did not match any rules or \fBL\fP for a log rule. -.LP -6. The addresses. -This is actually three fields: the source address and port -(separated by a comma), the \fB->\fP symbol, and the destination address -and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP. -.LP -7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP. -.LP -8. 
\fBlen\fP followed by the header length and total length of the packet, -e.g., \fBlen 20 40\fP. -.LP -If the packet is a TCP packet, there will be an additional field starting -with a hyphen followed by letters corresponding to any flags that were set. -See the ipf.conf manual page for a list of letters and their flags. -.LP -If the packet is an ICMP packet, there will be two fields at the end, -the first always being `icmp', and the next being the ICMP message and -submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port -unreachable message. -.LP -In order for \fBipmon\fP to properly work, the kernel option -\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see -\fBoptions(4)\fP for more details. -.LP -\fBipmon\fP reopens its log file(s) and rereads its configuration file -when it receives a SIGHUP signal. -.SH OPTIONS -.TP -.B \-a -Open all of the device logfiles for reading log entries from. All entries -are displayed to the same output 'device' (stderr or syslog). -.TP -.B \-b -For rules which log the body of a packet, generate hex output representing -the packet contents after the headers. -.TP -.B \-B <binarylogfilename> -Enable logging of the raw, unformatted binary data to the specified -\fI<binarylogfilename>\fP file. This can be read, later, using \fBipmon\fP -with the \fB-f\fP option. -.TP -.B \-D -Cause ipmon to turn itself into a daemon. Using subshells or backgrounding -of ipmon is not required to turn it into an orphan so it can run indefinitely. -.TP -.B "\-f <device>" -specify an alternative device/file from which to read the log information -for normal IP Filter log records. -.TP -.B \-F -Flush the current packet log buffer. The number of bytes flushed is displayed, -even should the result be zero. -.TP -.B \-L <facility> -Using this option allows you to change the default syslog facility that -ipmon uses for syslog messages. The default is local0. 
-.TP -.B \-n -IP addresses and port numbers will be mapped, where possible, back into -hostnames and service names. -.TP -.B "\-N <device>" -Set the logfile to be opened for reading NAT log records from to <device>. -.TP -.B \-o -Specify which log files to actually read data from. N - NAT logfile, -S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is -equivalent to using \fB-o NSI\fP. -.TP -.B \-O -Specify which log files you do not wish to read from. This is most sensibly -used with the \fB-a\fP. Letters available as parameters to this are the same -as for \fB-o\fP. -.TP -.B \-p -Cause the port number in log messages to always be printed as a number and -never attempt to look it up as from \fI/etc/services\fP, etc. -.TP -.B \-P <pidfile> -Write the pid of the ipmon process to a file. By default this is -\fI//etc/opt/ipf/ipmon.pid\fP (Solaris), \fI/var/run/ipmon.pid\fP (44BSD -or later) or \fI/etc/ipmon.pid\fP for all others. -.TP -.B \-s -Packet information read in will be sent through syslogd rather than -saved to a file. The default facility when compiled and installed is -\fBlocal0\fP. The following levels are used: -.IP -.B LOG_INFO -\- packets logged using the "log" keyword as the action rather -than pass or block. -.IP -.B LOG_NOTICE -\- packets logged which are also passed -.IP -.B LOG_WARNING -\- packets logged which are also blocked -.IP -.B LOG_ERR -\- packets which have been logged and which can be considered -"short". -.TP -.B "\-S <device>" -Set the logfile to be opened for reading state log records from to <device>. -.TP -.B \-t -read the input file/device in a manner akin to tail(1). -.TP -.B \-v -show tcp window, ack and sequence fields. -.TP -.B \-x -show the packet data in hex. -.TP -.B \-X -show the log header record data in hex. -.SH DIAGNOSTICS -\fBipmon\fP expects data that it reads to be consistent with how it should be -saved and will abort if it fails an assertion which detects an anomaly in the -recorded data. 
-.SH FILES -/dev/ipl -.br -/dev/ipnat -.br -/dev/ipstate -.br -/etc/services -.SH SEE ALSO -ipl(4), ipf(8), ipfstat(8), ipnat(8) -.SH BUGS -.PP -If you find any, please send email to me at darrenr@pobox.com |
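Review bot: this hunk deletes the entire ipmon(8) manual page without anything in the diffstat replacing it, so the commit should state where this documentation now lives (or why it is no longer needed) before the removal lands. The page carries operator-facing details that are hard to recover once gone: the meaning of the whitespace-separated log fields (rule reference such as `@0:17`, action letters `p`/`b`/`n`/`L`, the `PR` and `len` fields), the syslog level mapping used with `-s` (`LOG_INFO` for "log" rules, `LOG_NOTICE` for logged-and-passed, `LOG_WARNING` for logged-and-blocked, `LOG_ERR` for short packets), the default `-P` pidfile locations per platform, the `IPFILTER_LOG` kernel option requirement, and the SIGHUP reopen/reread behaviour. If a newer ipmon.8 is intended to be imported from upstream, it is better to do that in the same change so the tree never lacks a manual page for a daemon that sits on `/dev/ipl`, `/dev/ipnat` and `/dev/ipstate`; if the page is being dropped because the tool moved elsewhere in the tree, the commit message should say so and the `SEE ALSO` cross-references in `ipl(4)`, `ipf(8)`, `ipfstat(8)` and `ipnat(8)` should be checked for dangling links to ipmon(8).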