|  | .TH ipfstat 8 | 
|  | .SH NAME | 
|  | ipfstat \- reports on packet filter statistics and filter list | 
|  | .SH SYNOPSIS | 
|  | .B ipfstat | 
|  | [ | 
|  | .B \-6aAdfghIilnoRsv | 
|  | ] | 
|  | .br | 
|  | .B ipfstat -t | 
|  | [ | 
|  | .B \-6C | 
|  | ] [ | 
|  | .B \-D | 
|  | <addrport> | 
|  | ] [ | 
|  | .B \-P | 
|  | <protocol> | 
|  | ] [ | 
|  | .B \-S | 
|  | <addrport> | 
|  | ] [ | 
|  | .B \-T | 
|  | <refresh time> | 
|  | ] | 
|  | .SH DESCRIPTION | 
|  | \fBipfstat\fP examines /dev/kmem using the symbols \fB_fr_flags\fP, | 
|  | \fB_frstats\fP, \fB_filterin\fP, and \fB_filterout\fP. | 
|  | To run and work, it needs to be able to read both /dev/kmem and the | 
|  | kernel itself.  The kernel name defaults to \fB/vmunix\fP. | 
|  | .PP | 
|  | The default behaviour of \fBipfstat\fP | 
|  | is to retrieve and display the accumulated statistics which have been | 
|  | accumulated over time as the kernel has put packets through the filter. | 
|  | .SH OPTIONS | 
|  | .TP | 
|  | .B \-6 | 
|  | Display filter lists and states for IPv6, if available. | 
|  | .TP | 
|  | .B \-a | 
|  | Display the accounting filter list and show bytes counted against each rule. | 
|  | .TP | 
|  | .B \-A | 
|  | Display packet authentication statistics. | 
|  | .TP | 
|  | .B \-C | 
|  | This option is only valid in combination with \fB\-t\fP. | 
|  | Display "closed" states as well in the top. Normally, a TCP connection is | 
|  | not displayed when it reaches the CLOSE_WAIT protocol state. With this | 
|  | option enabled, all state entries are displayed. | 
|  | .TP | 
|  | .BR \-d | 
|  | Produce debugging output when displaying data. | 
|  | .TP | 
|  | .BR \-D \0<addrport> | 
|  | This option is only valid in combination with \fB\-t\fP. Limit the state top | 
|  | display to show only state entries whose destination IP address and port | 
|  | match the addrport argument. The addrport specification is of the form | 
|  | ipaddress[,port].  The ipaddress and port should be either numerical or the | 
|  | string "any" (specifying any IP address resp. any port). If the \fB\-D\fP | 
|  | option is not specified, it defaults to "\fB\-D\fP any,any". | 
|  | .TP | 
|  | .B \-f | 
|  | Show fragment state information (statistics) and held state information (in | 
|  | the kernel) if any is present. | 
|  | .TP | 
|  | .B \-g | 
|  | Show groups currently configured (both active and inactive). | 
|  | .TP | 
|  | .B \-h | 
|  | Show per-rule the number of times each one scores a "hit".  For use in | 
|  | combination with \fB\-i\fP. | 
|  | .TP | 
|  | .B \-i | 
|  | Display the filter list used for the input side of the kernel IP processing. | 
|  | .TP | 
|  | .B \-I | 
|  | Swap between retrieving "inactive"/"active" filter list details.  For use | 
|  | in combination with \fB\-i\fP. | 
|  | .TP | 
|  | .B \-n | 
|  | Show the "rule number" for each rule as it is printed. | 
|  | .TP | 
|  | .B \-o | 
|  | Display the filter list used for the output side of the kernel IP processing. | 
|  | .TP | 
|  | .BR \-P \0<protocol> | 
|  | This option is only valid in combination with \fB\-t\fP. Limit the state top | 
|  | display to show only state entries that match a specific protocol. The | 
|  | argument can be a protocol name (as defined in \fB/etc/protocols\fP) or a | 
|  | protocol number. If this option is not specified, state entries for any | 
|  | protocol are specified. | 
|  | .TP | 
|  | .BR \-R | 
|  | Don't try to resolve addresses to hostnames and ports to services while | 
|  | printing statistics. | 
|  | .TP | 
|  | .B \-s | 
|  | Show packet/flow state information (statistics only). | 
|  | .TP | 
|  | .B \-sl | 
|  | Show held state information (in the kernel) if any is present (no statistics). | 
|  | .TP | 
|  | .BR \-S \0<addrport> | 
|  | This option is only valid in combination with \fB\-t\fP. Limit the state top | 
|  | display to show only state entries whose source IP address and port match | 
|  | the addrport argument. The addrport specification is of the form | 
|  | ipaddress[,port].  The ipaddress and port should be either numerical or the | 
|  | string "any" (specifying any IP address resp. any port). If the \fB\-S\fP | 
|  | option is not specified, it defaults to "\fB\-S\fP any,any". | 
|  | .TP | 
|  | .B \-t | 
|  | Show the state table in a way similar to the way \fBtop(1)\fP shows the process | 
|  | table. States can be sorted using a number of different ways. This option | 
|  | requires \fBcurses(3)\fP and needs to be compiled in. It may not be available on | 
|  | all operating systems. See below, for more information on the keys that can | 
|  | be used while ipfstat is in top mode. | 
|  | .TP | 
|  | .BR \-T \0<refreshtime> | 
|  | This option is only valid in combination with \fB\-t\fP. Specifies how often | 
|  | the state top display should be updated. The refresh time is the number of | 
|  | seconds between an update. Any positive integer can be used. The default (and | 
|  | minimal update time) is 1. | 
|  | .TP | 
|  | .B \-v | 
|  | Turn verbose mode on.  Displays more debugging information. | 
|  | .SH SYNOPSIS | 
|  | The role of \fBipfstat\fP is to display current kernel statistics gathered | 
|  | as a result of applying the filters in place (if any) to packets going in and | 
|  | out of the kernel.  This is the default operation when no command line | 
|  | parameters are present. | 
|  | .PP | 
|  | When supplied with either \fB\-i\fP or \fB\-o\fP, it will retrieve and display | 
|  | the appropriate list of filter rules currently installed and in use by the | 
|  | kernel. | 
|  | .PP | 
|  | One of the statistics that \fBipfstat\fP shows is \fBticks\fP. | 
|  | This number indicates how long the filter has been enabled. | 
|  | The number is incremented every half\-second. | 
|  | .SH STATE TOP | 
|  | Using the \fB\-t\fP option \fBipfstat\fP will enter the state top mode. In | 
|  | this mode the state table is displayed similar to the way \fBtop\fP displays | 
|  | the process table. The \fB\-C\fP, \fB\-D\fP, \fB\-P\fP, \fB\-S\fP and \fB\-T\fP | 
|  | command line options can be used to restrict the state entries that will be | 
|  | shown and to specify the frequency of display updates. | 
|  | .PP | 
|  | In state top mode, the following keys can be used to influence the displayed | 
|  | information: | 
|  | .TP | 
|  | \fBb\fP show packets/bytes from backward direction. | 
|  | .TP | 
|  | \fBf\fP show packets/bytes from forward direction. (default) | 
|  | .TP | 
|  | \fBl\fP redraw the screen. | 
|  | .TP | 
|  | \fBq\fP quit the program. | 
|  | .TP | 
|  | \fBs\fP switch between different sorting criterion. | 
|  | .TP | 
|  | \fBr\fP reverse the sorting criterion. | 
|  | .PP | 
|  | States can be sorted by protocol number, by number of IP packets, by number | 
|  | of bytes and by time-to-live of the state entry. The default is to sort by | 
|  | the number of bytes. States are sorted in descending order, but you can use | 
|  | the \fBr\fP key to sort them in ascending order. | 
|  | .SH STATE TOP LIMITATIONS | 
|  | It is currently not possible to interactively change the source, destination | 
|  | and protocol filters or the refresh frequency. This must be done from the | 
|  | command line. | 
|  | .PP | 
|  | The screen must have at least 80 columns. This is however not checked. | 
|  | When running state top in IPv6 mode, the screen must be much wider to display | 
|  | the very long IPv6 addresses. | 
|  | .PP | 
|  | Only the first X-5 entries that match the sort and filter criteria are | 
|  | displayed (where X is the number of rows on the display. The only way to see | 
|  | more entries is to resize the screen. | 
|  | .SH FILES | 
|  | /dev/kmem | 
|  | .br | 
|  | /dev/ipl | 
|  | .br | 
|  | /dev/ipstate | 
|  | .br | 
|  | /vmunix | 
|  | .SH SEE ALSO | 
|  | ipf(8) | 
|  | .SH BUGS | 
|  | none known. |