188 lines
5.8 KiB
Groff
188 lines
5.8 KiB
Groff
.\" $NetBSD: ipmon.8,v 1.1.1.2 2012/07/22 13:44:45 darrenr Exp $
|
|
.\"
|
|
.TH IPMON 8
|
|
.SH NAME
|
|
ipmon \- monitors /dev/ipl for logged packets
|
|
.SH SYNOPSIS
|
|
.B ipmon
|
|
[
|
|
.B \-abBDFhnpstvxX
|
|
] [
|
|
.B "\-N <device>"
|
|
] [
|
|
.B "\-L <facility>"
|
|
] [
|
|
.B "\-o [NSI]"
|
|
] [
|
|
.B "\-O [NSI]"
|
|
] [
|
|
.B "\-P <pidfile>"
|
|
] [
|
|
.B "\-S <device>"
|
|
] [
|
|
.B "\-f <device>"
|
|
] [
|
|
.B <filename>
|
|
]
|
|
.SH DESCRIPTION
|
|
.LP
|
|
\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from
|
|
the packet filter. The binary data read from the device is reprinted in
|
|
human readable for, however, IP#'s are not mapped back to hostnames, nor are
|
|
ports mapped back to service names. The output goes to standard output by
|
|
default or a filename, if given on the command line. Should the \fB\-s\fP
|
|
option be used, output is instead sent to \fBsyslogd(8)\fP. Messages sent
|
|
via syslog have the day, month and year removed from the message, but the
|
|
time (including microseconds), as recorded in the log, is still included.
|
|
.LP
|
|
Messages generated by ipmon consist of whitespace separated fields.
|
|
Fields common to all messages are:
|
|
.LP
|
|
1. The date of packet receipt. This is suppressed when the message is
|
|
sent to syslog.
|
|
.LP
|
|
2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours,
|
|
minutes seconds, and fractions of a second (which can be several digits
|
|
long).
|
|
.LP
|
|
3. The name of the interface the packet was processed on, e.g., \fBwe1\fP.
|
|
.LP
|
|
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
|
|
viewed with \fBipfstat -n\fP.
|
|
.LP
|
|
5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
|
|
packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
|
|
.LP
|
|
6. The addresses.
|
|
This is actually three fields: the source address and port
|
|
(separated by a comma), the \fB->\fP symbol, and the destination address
|
|
and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP.
|
|
.LP
|
|
7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP.
|
|
.LP
|
|
8. \fBlen\fP followed by the header length and total length of the packet,
|
|
e.g., \fBlen 20 40\fP.
|
|
.LP
|
|
If the packet is a TCP packet, there will be an additional field starting
|
|
with a hyphen followed by letters corresponding to any flags that were set.
|
|
See the ipf.conf manual page for a list of letters and their flags.
|
|
.LP
|
|
If the packet is an ICMP packet, there will be two fields at the end,
|
|
the first always being `icmp', and the next being the ICMP message and
|
|
submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port
|
|
unreachable message.
|
|
.LP
|
|
In order for \fBipmon\fP to properly work, the kernel option
|
|
\fBIPFILTER_LOG\fP must be turned on in your kernel. Please see
|
|
\fBoptions(4)\fP for more details.
|
|
.LP
|
|
\fBipmon\fP reopens its log file(s) and rereads its configuration file
|
|
when it receives a SIGHUP signal.
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \-a
|
|
Open all of the device logfiles for reading log entries from. All entries
|
|
are displayed to the same output 'device' (stderr or syslog).
|
|
.TP
|
|
.B \-b
|
|
For rules which log the body of a packet, generate hex output representing
|
|
the packet contents after the headers.
|
|
.TP
|
|
.B \-B <binarylogfilename>
|
|
Enable logging of the raw, unformatted binary data to the specified
|
|
\fI<binarylogfilename>\fP file. This can be read, later, using \fBipmon\fP
|
|
with the \fB-f\fP option.
|
|
.TP
|
|
.B \-D
|
|
Cause ipmon to turn itself into a daemon. Using subshells or backgrounding
|
|
of ipmon is not required to turn it into an orphan so it can run indefinitely.
|
|
.TP
|
|
.B "\-f <device>"
|
|
specify an alternative device/file from which to read the log information
|
|
for normal IP Filter log records.
|
|
.TP
|
|
.B \-F
|
|
Flush the current packet log buffer. The number of bytes flushed is displayed,
|
|
even should the result be zero.
|
|
.TP
|
|
.B \-L <facility>
|
|
Using this option allows you to change the default syslog facility that
|
|
ipmon uses for syslog messages. The default is local0.
|
|
.TP
|
|
.B \-n
|
|
IP addresses and port numbers will be mapped, where possible, back into
|
|
hostnames and service names.
|
|
.TP
|
|
.B "\-N <device>"
|
|
Set the logfile to be opened for reading NAT log records from to <device>.
|
|
.TP
|
|
.B \-o
|
|
Specify which log files to actually read data from. N - NAT logfile,
|
|
S - State logfile, I - normal IP Filter logfile. The \fB-a\fP option is
|
|
equivalent to using \fB-o NSI\fP.
|
|
.TP
|
|
.B \-O
|
|
Specify which log files you do not wish to read from. This is most sensibly
|
|
used with the \fB-a\fP. Letters available as parameters to this are the same
|
|
as for \fB-o\fP.
|
|
.TP
|
|
.B \-p
|
|
Cause the port number in log messages to always be printed as a number and
|
|
never attempt to look it up as from \fI/etc/services\fP, etc.
|
|
.TP
|
|
.B \-P <pidfile>
|
|
Write the pid of the ipmon process to a file. By default this is
|
|
\fI//etc/opt/ipf/ipmon.pid\fP (Solaris), \fI/var/run/ipmon.pid\fP (44BSD
|
|
or later) or \fI/etc/ipmon.pid\fP for all others.
|
|
.TP
|
|
.B \-s
|
|
Packet information read in will be sent through syslogd rather than
|
|
saved to a file. The default facility when compiled and installed is
|
|
\fBlocal0\fP. The following levels are used:
|
|
.IP
|
|
.B LOG_INFO
|
|
\- packets logged using the "log" keyword as the action rather
|
|
than pass or block.
|
|
.IP
|
|
.B LOG_NOTICE
|
|
\- packets logged which are also passed
|
|
.IP
|
|
.B LOG_WARNING
|
|
\- packets logged which are also blocked
|
|
.IP
|
|
.B LOG_ERR
|
|
\- packets which have been logged and which can be considered
|
|
"short".
|
|
.TP
|
|
.B "\-S <device>"
|
|
Set the logfile to be opened for reading state log records from to <device>.
|
|
.TP
|
|
.B \-t
|
|
read the input file/device in a manner akin to tail(1).
|
|
.TP
|
|
.B \-v
|
|
show tcp window, ack and sequence fields.
|
|
.TP
|
|
.B \-x
|
|
show the packet data in hex.
|
|
.TP
|
|
.B \-X
|
|
show the log header record data in hex.
|
|
.SH DIAGNOSTICS
|
|
\fBipmon\fP expects data that it reads to be consistent with how it should be
|
|
saved and will abort if it fails an assertion which detects an anomaly in the
|
|
recorded data.
|
|
.SH FILES
|
|
/dev/ipl
|
|
.br
|
|
/dev/ipnat
|
|
.br
|
|
/dev/ipstate
|
|
.br
|
|
/etc/services
|
|
.SH SEE ALSO
|
|
ipl(4), ipf(8), ipfstat(8), ipnat(8)
|
|
.SH BUGS
|
|
.PP
|
|
If you find any, please send email to me at darrenr@pobox.com
|