196 lines
6.6 KiB
Groff
196 lines
6.6 KiB
Groff
.\" $NetBSD: ipfstat.8,v 1.13 2007/05/15 22:52:22 martin Exp $
|
|
.\"
|
|
.TH ipfstat 8
|
|
.SH NAME
|
|
ipfstat \- reports on packet filter statistics and filter list
|
|
.SH SYNOPSIS
|
|
.B ipfstat
|
|
[
|
|
.B \-6aAdfghIilnoRsv
|
|
]
|
|
.br
|
|
.B ipfstat -t
|
|
[
|
|
.B \-6C
|
|
] [
|
|
.B \-D
|
|
<addrport>
|
|
] [
|
|
.B \-P
|
|
<protocol>
|
|
] [
|
|
.B \-S
|
|
<addrport>
|
|
] [
|
|
.B \-T
|
|
<refresh time>
|
|
]
|
|
.SH DESCRIPTION
|
|
\fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP,
|
|
\fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP.
|
|
To run and work, it needs to be able to read both /dev/kmem and the
|
|
kernel itself. The kernel name defaults to \fB/netbsd\fP.
|
|
.PP
|
|
The default behaviour of \fBipfstat\fP
|
|
is to retrieve and display the accumulated statistics which have been
|
|
accumulated over time as the kernel has put packets through the filter.
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \-6
|
|
Display filter lists and states for IPv6, if available.
|
|
.TP
|
|
.B \-a
|
|
Display the accounting filter list and show bytes counted against each rule.
|
|
.TP
|
|
.B \-A
|
|
Display packet authentication statistics.
|
|
.TP
|
|
.B \-C
|
|
This option is only valid in combination with \fB\-t\fP.
|
|
Display "closed" states as well in the top. Normally, a TCP connection is
|
|
not displayed when it reaches the CLOSE_WAIT protocol state. With this
|
|
option enabled, all state entries are displayed.
|
|
.TP
|
|
.BR \-d
|
|
Produce debugging output when displaying data.
|
|
.TP
|
|
.BR \-D \0<addrport>
|
|
This option is only valid in combination with \fB\-t\fP. Limit the state top
|
|
display to show only state entries whose destination IP address and port
|
|
match the addrport argument. The addrport specification is of the form
|
|
ipaddress[,port]. The ipaddress and port should be either numerical or the
|
|
string "any" (specifying any IP address resp. any port). If the \fB\-D\fP
|
|
option is not specified, it defaults to "\fB\-D\fP any,any".
|
|
.TP
|
|
.B \-f
|
|
Show fragment state information (statistics) and held state information (in
|
|
the kernel) if any is present.
|
|
.TP
|
|
.B \-g
|
|
Show groups currently configured (both active and inactive).
|
|
.TP
|
|
.B \-h
|
|
Show per-rule the number of times each one scores a "hit". For use in
|
|
combination with \fB\-i\fP.
|
|
.TP
|
|
.B \-i
|
|
Display the filter list used for the input side of the kernel IP processing.
|
|
.TP
|
|
.B \-I
|
|
Swap between retrieving "inactive"/"active" filter list details. For use
|
|
in combination with \fB\-i\fP.
|
|
.TP
|
|
.B \-n
|
|
Show the "rule number" for each rule as it is printed.
|
|
.TP
|
|
.B \-o
|
|
Display the filter list used for the output side of the kernel IP processing.
|
|
.TP
|
|
.BR \-P \0<protocol>
|
|
This option is only valid in combination with \fB\-t\fP. Limit the state top
|
|
display to show only state entries that match a specific protocol. The
|
|
argument can be a protocol name (as defined in \fB/etc/protocols\fP) or a
|
|
protocol number. If this option is not specified, state entries for any
|
|
protocol are specified.
|
|
.TP
|
|
.BR \-R
|
|
Don't try to resolve addresses to hostnames and ports to services while
|
|
printing statistics.
|
|
.TP
|
|
.B \-s
|
|
Show packet/flow state information (statistics only).
|
|
.TP
|
|
.B \-sl
|
|
Show held state information (in the kernel) if any is present (no statistics).
|
|
.TP
|
|
.BR \-S \0<addrport>
|
|
This option is only valid in combination with \fB\-t\fP. Limit the state top
|
|
display to show only state entries whose source IP address and port match
|
|
the addrport argument. The addrport specification is of the form
|
|
ipaddress[,port]. The ipaddress and port should be either numerical or the
|
|
string "any" (specifying any IP address resp. any port). If the \fB\-S\fP
|
|
option is not specified, it defaults to "\fB\-S\fP any,any".
|
|
.TP
|
|
.B \-t
|
|
Show the state table in a way similar to the way \fBtop(1)\fP shows the process
|
|
table. States can be sorted using a number of different ways. This option
|
|
requires \fBcurses(3)\fP and needs to be compiled in. It may not be available on
|
|
all operating systems. See below, for more information on the keys that can
|
|
be used while ipfstat is in top mode.
|
|
.TP
|
|
.BR \-T \0<refreshtime>
|
|
This option is only valid in combination with \fB\-t\fP. Specifies how often
|
|
the state top display should be updated. The refresh time is the number of
|
|
seconds between an update. Any positive integer can be used. The default (and
|
|
minimal update time) is 1.
|
|
.TP
|
|
.B \-v
|
|
Turn verbose mode on. Displays more debugging information. When used with
|
|
either \fB-i\fP or \fB-o\fP, counters associated with the rule, such as the
|
|
number of times it has been matched and the number of bytes from such packets
|
|
is displayed. For "keep state" rules, a count of the number of state sessions
|
|
active against the rule is also displayed.
|
|
.SH SYNOPSIS
|
|
The role of \fBipfstat\fP is to display current kernel statistics gathered
|
|
as a result of applying the filters in place (if any) to packets going in and
|
|
out of the kernel. This is the default operation when no command line
|
|
parameters are present.
|
|
.PP
|
|
When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display
|
|
the appropriate list of filter rules currently installed and in use by the
|
|
kernel.
|
|
.PP
|
|
One of the statistics that \fBipfstat\fP shows is \fBticks\fP.
|
|
This number indicates how long the filter has been enabled.
|
|
The number is incremented every half\-second.
|
|
.SH STATE TOP
|
|
Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In
|
|
this mode the state table is displayed similar to the way \fBtop\fP displays
|
|
the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP
|
|
command line options can be used to restrict the state entries that will be
|
|
shown and to specify the frequency of display updates.
|
|
.PP
|
|
In state top mode, the following keys can be used to influence the displayed
|
|
information:
|
|
.TP
|
|
\fBb\fP show packets/bytes from backward direction.
|
|
.TP
|
|
\fBf\fP show packets/bytes from forward direction. (default)
|
|
.TP
|
|
\fBl\fP redraw the screen.
|
|
.TP
|
|
\fBq\fP quit the program.
|
|
.TP
|
|
\fBs\fP switch between different sorting criterion.
|
|
.TP
|
|
\fBr\fP reverse the sorting criterion.
|
|
.PP
|
|
States can be sorted by protocol number, by number of IP packets, by number
|
|
of bytes and by time-to-live of the state entry. The default is to sort by
|
|
the number of bytes. States are sorted in descending order, but you can use
|
|
the \fBr\fP key to sort them in ascending order.
|
|
.SH STATE TOP LIMITATIONS
|
|
It is currently not possible to interactively change the source, destination
|
|
and protocol filters or the refresh frequency. This must be done from the
|
|
command line.
|
|
.PP
|
|
The screen must have at least 80 columns. This is however not checked.
|
|
When running state top in IPv6 mode, the screen must be much wider to display
|
|
the very long IPv6 addresses.
|
|
.PP
|
|
Only the first X-5 entries that match the sort and filter criteria are
|
|
displayed (where X is the number of rows on the display. The only way to see
|
|
more entries is to resize the screen.
|
|
.SH FILES
|
|
/dev/kmem
|
|
.br
|
|
/dev/ipl
|
|
.br
|
|
/dev/ipstate
|
|
.br
|
|
/netbsd
|
|
.SH SEE ALSO
|
|
ipf(8)
|
|
.SH BUGS
|
|
none known.
|