man/ipmon.8

.TH ipmon 8
.SH NAME
ipmon \- monitors /dev/ipl for logged packets
.SH SYNOPSIS
.B ipmon
[
.B \-abBDFhnpstvxX
] [
.B "\-i <number>"
] [
.B "\-N <device>"
] [
.B "\-L <facility>"
] [
.B "\-o [NSI]"
] [
.B "\-O [NSI]"
] [
.B "\-P <pidfile>"
] [
.B "\-S <device>"
] [
.B "\-f <device>"
] [
.B <filename>
]
.SH DESCRIPTION
.LP
\fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from
the packet filter.  The binary data read from the device is reprinted in
human readable for, however, IP#'s are not mapped back to hostnames, nor are
ports mapped back to service names.  The output goes to standard output by
default or a filename, if given on the command line.  Should the \fB\-s\fP
option be used, output is instead sent to \fBsyslogd(8)\fP.  Messages sent
via syslog have the day, month and year removed from the message, but the
time (including microseconds), as recorded in the log, is still included.
.LP
Messages generated by ipmon consist of whitespace separated fields.
Fields common to all messages are:
.LP
1. The date of packet receipt. This is suppressed when the message is
sent to syslog.
.LP
2. The time of packet receipt. This is in the form HH:MM:SS.F, for hours,
minutes seconds, and fractions of a second (which can be several digits
long).
.LP
3. The name of the interface the packet was processed on, e.g., \fBwe1\fP.
.LP
4. The group and rule number of the rule, e.g., \fB@0:17\fP. These can be
viewed with \fBipfstat -n\fP.
.LP
5. The action: \fBp\fP for passed, \fBb\fP for blocked, \fB\fP for a short
packet, \fBn\fP did not match any rules or \fBL\fP for a log rule.
.LP
6. The addresses.
This is actually three fields: the source address and port
(separated by a comma), the \fB->\fP symbol, and the destination address
and port. E.g.: \fB209.53.17.22,80 -> 198.73.220.17,1722\fP.
.LP
7. \fBPR\fP followed by the protocol name or number, e.g., \fBPR tcp\fP.
.LP
8. \fBlen\fP followed by the header length and total length of the packet,
e.g., \fBlen 20 40\fP.
.LP
If the packet is a TCP packet, there will be an additional field starting
with a hyphen followed by letters corresponding to any flags that were set.
See the ipf.conf manual page for a list of letters and their flags.
.LP
If the packet is an ICMP packet, there will be two fields at the end,
the first always being `icmp', and the next being the ICMP message and
submessage type, separated by a slash, e.g., \fBicmp 3/3\fP for a port
unreachable message.
.LP
In order for \fBipmon\fP to properly work, the kernel option
\fBIPFILTER_LOG\fP must be turned on in your kernel.  Please see
\fBoptions(4)\fP for more details.
.LP
\fBipmon\fP reopens its log file(s) and rereads its configuration file
when it receives a SIGHUP signal.
.SH OPTIONS
.TP
.B \-a
Open all of the device logfiles for reading log entries from.  All entries
are displayed to the same output 'device' (stderr or syslog).
.TP
.B \-b
For rules which log the body of a packet, generate hex output representing
the packet contents after the headers.
.TP
.B \-B <binarylogfilename>
Enable logging of the raw, unformatted binary data to the specified
\fI<binarylogfilename>\fP file.  This can be read, later, using \fBipmon\fP
with the \fB-f\fP option.
.TP
.B \-D
Cause ipmon to turn itself into a daemon.  Using subshells or backgrounding
of ipmon is not required to turn it into an orphan so it can run indefinitely.
.TP
.B "\-f <device>"
specify an alternative device/file from which to read the log information
for normal IP Filter log records.
.TP
.B \-F
Flush the current packet log buffer.  The number of bytes flushed is displayed,
even should the result be zero.
.TP
.B \-i <number>
When reading from a device or following the tail of a regular file, sleep for
<number> seconds between read operations. The default is 0.5.
.TP
.B \-L <facility>
Using this option allows you to change the default syslog facility that
ipmon uses for syslog messages.  The default is local0.
.TP
.B \-n
IP addresses and port numbers will be mapped, where possible, back into
hostnames and service names.
.TP
.B "\-N <device>"
Set the logfile to be opened for reading NAT log records from to <device>.
.TP
.B \-o
Specify which log files to actually read data from.  N - NAT logfile,
S - State logfile, I - normal IP Filter logfile.  The \fB-a\fP option is
equivalent to using \fB-o NSI\fP.
.TP
.B \-O
Specify which log files you do not wish to read from.  This is most sensibly
used with the \fB-a\fP.  Letters available as parameters to this are the same
as for \fB-o\fP.
.TP
.B \-p
Cause the port number in log messages to always be printed as a number and
never attempt to look it up as from \fI/etc/services\fP, etc.
.TP
.B \-P <pidfile>
Write the pid of the ipmon process to a file.  By default this is
\fI/etc/opt/ipf/ipmon.pid\fP for HP/UX, IRIX and Tru64, \fI/var/run/ipmon.pid\fP
for all others.
.TP
.B \-s
Packet information read in will be sent through syslogd rather than
saved to a file.  The default facility when compiled and installed is
\fBlocal0\fP.  The following levels are used:
.IP
.B LOG_INFO
\- packets logged using the "log" keyword as the action rather
than pass or block.
.IP
.B LOG_NOTICE
\- packets logged which are also passed
.IP
.B LOG_WARNING
\- packets logged which are also blocked
.IP
.B LOG_ERR
\- packets which have been logged and which can be considered
"short".
.TP
.B "\-S <device>"
Set the logfile to be opened for reading state log records from to <device>.
.TP
.B \-t
read the input file/device in a manner akin to tail(1).
.TP
.B \-v
show tcp window, ack and sequence fields.
.TP
.B \-x
show the packet data in hex.
.TP
.B \-X
show the log header record data in hex.
.SH DIAGNOSTICS
\fBipmon\fP expects data that it reads to be consistent with how it should be
saved and will abort if it fails an assertion which detects an anomaly in the
recorded data.
.SH FILES
/dev/ipl
.br
/dev/ipnat
.br
/dev/ipstate
.br
/etc/services
.SH SEE ALSO
ipl(4), ipf(8), ipfstat(8), ipnat(8)
.SH BUGS
.PP
If you find any, please send email to me at darrenr@pobox.com