Diffstat (limited to 'man/ipmon.8')
-rw-r--r--  man/ipmon.8  185
1 files changed, 185 insertions, 0 deletions
diff --git a/man/ipmon.8 b/man/ipmon.8 new file mode 100644 index 0000000..905a9c8 --- /dev/null +++ b/man/ipmon.8 
@@ -0,0 +1,185 @@ +.TH ipmon 8 +.SH NAME +ipmon \- monitors /dev/ipl for logged packets +.SH SYNOPSIS +.B ipmon +[ +.B \-abBDFhnpstvxX +] [ +.B "\-N <device>" +] [ +.B "\-L <facility>" +] [ +.B "\-o [NSI]" +] [ +.B "\-O [NSI]" +] [ +.B "\-P <pidfile>" +] [ +.B "\-S <device>" +] [ +.B "\-f <device>" +] [ +.B <filename> +] +.SH DESCRIPTION +.LP +\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from +the packet filter. The binary data read from the device is reprinted in +human readable for, however, IP#'s are not mapped back to hostnames, nor are +ports mapped back to service names. The output goes to standard output by +default or a filename, if given on the command line. Should the \fB\-s\fP +option be used, output is instead sent to \fBsyslogd(8)\fP. Messages sent +via syslog have the day, month and year removed from the message, but the +time (including microseconds), as recorded in the log, is still included. +.LP +Messages generated by ipmon consist of whitespace separated fields. +Fields common to all messages are: +.LP +1. The date of packet receipt. This is suppressed when the message is +sent to syslog. +.LP +2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours, +minutes seconds, and fractions of a second (which can be several digits +long). +.LP +3. The name of the interface the packet was processed on, e.g., \fBwe1\fP. +.LP +4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be +viewed with \fBipfstat -n\fP. +.LP +5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short +packet, \fBn\fP did not match any rules or \fBL\fP for a log rule. +.LP +6. The addresses. +This is actually three fields: the source address and port +(separated by a comma), the \fB->\fP symbol, and the destination address +and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP. +.LP +7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP. +.LP +8. 
\fBlen\fP followed by the header length and total length of the packet, +e.g., \fBlen 20 40\fP. +.LP +If the packet is a TCP packet, there will be an additional field starting +with a hyphen followed by letters corresponding to any flags that were set. +See the ipf.conf manual page for a list of letters and their flags. +.LP +If the packet is an ICMP packet, there will be two fields at the end, +the first always being `icmp', and the next being the ICMP message and +submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port +unreachable message. +.LP +In order for \fBipmon\fP to properly work, the kernel option +\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see +\fBoptions(4)\fP for more details. +.LP +\fBipmon\fP reopens its log file(s) and rereads its configuration file +when it receives a SIGHUP signal. +.SH OPTIONS +.TP +.B \-a +Open all of the device logfiles for reading log entries from. All entries +are displayed to the same output 'device' (stderr or syslog). +.TP +.B \-b +For rules which log the body of a packet, generate hex output representing +the packet contents after the headers. +.TP +.B \-B <binarylogfilename> +Enable logging of the raw, unformatted binary data to the specified +\fI<binarylogfilename>\fP file. This can be read, later, using \fBipmon\fP +with the \fB-f\fP option. +.TP +.B \-D +Cause ipmon to turn itself into a daemon. Using subshells or backgrounding +of ipmon is not required to turn it into an orphan so it can run indefinitely. +.TP +.B "\-f <device>" +specify an alternative device/file from which to read the log information +for normal IP Filter log records. +.TP +.B \-F +Flush the current packet log buffer. The number of bytes flushed is displayed, +even should the result be zero. +.TP +.B \-L <facility> +Using this option allows you to change the default syslog facility that +ipmon uses for syslog messages. The default is local0. 
+.TP +.B \-n +IP addresses and port numbers will be mapped, where possible, back into +hostnames and service names. +.TP +.B "\-N <device>" +Set the logfile to be opened for reading NAT log records from to <device>. +.TP +.B \-o +Specify which log files to actually read data from. N - NAT logfile, +S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is +equivalent to using \fB-o NSI\fP. +.TP +.B \-O +Specify which log files you do not wish to read from. This is most sensibly +used with the \fB-a\fP. Letters available as parameters to this are the same +as for \fB-o\fP. +.TP +.B \-p +Cause the port number in log messages to always be printed as a number and +never attempt to look it up as from \fI/etc/services\fP, etc. +.TP +.B \-P <pidfile> +Write the pid of the ipmon process to a file. By default this is +\fI//etc/opt/ipf/ipmon.pid\fP (Solaris), \fI/var/run/ipmon.pid\fP (44BSD +or later) or \fI/etc/ipmon.pid\fP for all others. +.TP +.B \-s +Packet information read in will be sent through syslogd rather than +saved to a file. The default facility when compiled and installed is +\fBlocal0\fP. The following levels are used: +.IP +.B LOG_INFO +\- packets logged using the "log" keyword as the action rather +than pass or block. +.IP +.B LOG_NOTICE +\- packets logged which are also passed +.IP +.B LOG_WARNING +\- packets logged which are also blocked +.IP +.B LOG_ERR +\- packets which have been logged and which can be considered +"short". +.TP +.B "\-S <device>" +Set the logfile to be opened for reading state log records from to <device>. +.TP +.B \-t +read the input file/device in a manner akin to tail(1). +.TP +.B \-v +show tcp window, ack and sequence fields. +.TP +.B \-x +show the packet data in hex. +.TP +.B \-X +show the log header record data in hex. +.SH DIAGNOSTICS +\fBipmon\fP expects data that it reads to be consistent with how it should be +saved and will abort if it fails an assertion which detects an anomaly in the +recorded data. 
+.SH FILES +/dev/ipl +.br +/dev/ipnat +.br +/dev/ipstate +.br +/etc/services +.SH SEE ALSO +ipl(4), ipf(8), ipfstat(8), ipnat(8) +.SH BUGS +.PP +If you find any, please send email to me at darrenr@pobox.com |
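Review bot: in the DESCRIPTION field list, item 5 names the short-packet action with an empty `\fB\fP`, so no letter is rendered for that case; fill in the action letter ipmon actually prints for short packets. The SYNOPSIS also lists `\-h` in the argument-less group `\-abBDFhnpstvxX` but OPTIONS has no `\-h` entry, and it folds `\-B` into that same group even though OPTIONS documents it as `\-B <binarylogfilename>`; give `\-B` its own bracketed `.B "\-B <binarylogfilename>"` like `\-N`, `\-S` and `\-f`, and likewise show the `[NSI]` argument on the `.B \-o` and `.B \-O` option headings so they match the SYNOPSIS. Minor: "reprinted in human readable for" should read "form", and the Solaris pidfile default `//etc/opt/ipf/ipmon.pid` has a doubled leading slash.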