System Administration Commands ipfstat(1M)
NAME
ipfstat - reports on packet filter statistics and filter
list
SYNOPSIS
ipfstat [-6aACdfghIilnoRstv]
ipfstat [-C] [-D addrport] [-P protocol] [-S addrport]
[-T refreshtime]
DESCRIPTION
The ipfstat command is part of a suite of commands associated
with the Solaris IP Filter feature. See ipfilter(5).
The ipfstat command examines /dev/kmem using the symbols
frflags, frstats, filterin, and filterout. To run, it must
be able to read both /dev/kmem and the kernel itself.
The default behavior of ipfstat is to retrieve and display
the statistics which have been accumulated over time as the
kernel has put packets through the filter.
The role of ipfstat is to display current kernel statistics
gathered as a result of applying the filters in place (if
any) to packets going in and out of the kernel. This is the
default operation when no command line parameters are
present. When supplied with either -i or -o, ipfstat will
retrieve and display the appropriate list of filter rules
currently installed and in use by the kernel.
ipfstat uses kernel device files to obtain information. The
default permissions of these files require ipfstat to be run
as root for all operations.
The ipfstat command supports the kstat(3KSTAT) kernel
facility. Because of this support, as an alternative to
ipfstat, you can use kstat(1M). For example:
    # kstat -m ipf
Using the ipfstat -t option causes ipfstat to enter the
state top mode. In this mode the state table is displayed
similarly to the way the Unix top utility displays the
process table. The -C, -D, -P, -S and -T command line options
can be used to restrict the state entries that will be shown
and to specify the frequency of display updates.
SunOS 5.11 Last change: 3 Apr 2008 1
In state top mode, use the following keys to influence the
displayed information:
d    Select information to display.
l    Redraw the screen.
q    Quit the program.
s    Switch between different sorting criteria.
r    Reverse the sorting criteria.
States can be sorted by protocol number, by number of IP
packets, by number of bytes, and by time-to-live of the
state entry. The default is to sort by the number of bytes.
States are sorted in descending order, but you can use the r
key to sort them in ascending order.
It is not possible to interactively change the source,
destination, and protocol filters or the refresh frequency.
This must be done from the command line.
The screen must have at least 80 columns for correct
display. However, ipfstat does not check the screen width.
Only the first X-5 entries that match the sort and filter
criteria are displayed (where X is the number of rows on the
display). There is no way to see additional entries.
OPTIONS
The following options are supported:
-6              Display filter lists and states for IPv6, if available.
                This option might change in the future.
-a              Display the accounting filter list and show bytes
                counted against each rule.
-A              Display packet authentication statistics.
-C              Valid only in combination with -t. Display "closed"
                states as well in the state top display. Normally, a
                TCP connection is not displayed when it reaches the
                CLOSEWAIT protocol state. With this option enabled,
                all state entries are displayed.
-d              Produce debugging output when displaying data.
-D addrport     Valid only in combination with -t. Limit the state top
                display to show only state entries whose destination
                IP address and port match the addrport argument. The
                addrport specification is of the form
                ipaddress[,port]. The ipaddress and port should be
                either numerical or the string any (specifying any IP
                address and any port, in that order). If the -D option
                is not specified, it defaults to -D any,any.
-f              Show fragment state information (statistics) and held
                state information (in the kernel) if any is present.
-g              Show groups currently configured (both active and
                inactive).
-h              Show, for each rule, the number of times it scores a
                "hit". For use in combination with -i.
-i              Display the filter list used for the input side of the
                kernel IP processing.
-I              Swap between retrieving inactive/active filter list
                details. For use in combination with -i.
-l              When used with -s, show a list of active state entries
                (no statistics).
-n              Show the rule number for each rule as it is printed.
-o              Display the filter list used for the output side of
                the kernel IP processing.
-P protocol     Valid only in combination with -t. Limit the state top
                display to show only state entries that match a
                specific protocol. The argument can be a protocol name
                (as defined in /etc/protocols) or a protocol number.
                If this option is not specified, state entries for any
                protocol are displayed.
-R              Disable both IP address-to-hostname resolution and
                port number-to-service name resolution.
-S addrport     Valid only in combination with -t. Limit the state top
                display to show only state entries whose source IP
                address and port match the addrport argument. The
                addrport specification is of the form
                ipaddress[,port]. The ipaddress and port should be
                either numerical or the string any (specifying any IP
                address and any port, in that order). If the -S option
                is not specified, it defaults to -S any,any.
-s              Show packet/flow state information (statistics only).
-T refreshtime  Valid only in combination with -t. Specifies how often
                the state top display should be updated. The refresh
                time is the number of seconds between updates. Any
                positive integer can be used. The default (and minimal
                update time) is 1.
-t              Show the state table in a way similar to the way the
                Unix utility, top, shows the process table. States can
                be sorted in a number of different ways.
-v              Turn verbose mode on. Displays additional debugging
                information.
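Because ipfstat has to run as root, a wrapper that offers state top mode to operators can check its arguments before invoking the command. The sh functions below are an added example, not part of the original manual page: they apply the addrport, refresh time and screen-size rules stated above and print a validated command line. The function names are hypothetical, and limiting addresses to IPv4 dotted quads and ports to 0-65535 are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the man page). Function names are hypothetical.

# is_ipv4 ADDR: strict dotted-quad check; IPv6 is out of scope here.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_addrport SPEC: ipaddress[,port], each part numerical or "any".
valid_addrport() {
    addr=${1%%,*}
    case $1 in *,*) port=${1#*,} ;; *) port=any ;; esac
    [ "$addr" = any ] || is_ipv4 "$addr" || return 1
    case $port in
        any) return 0 ;;
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$port" -le 65535 ]
}

# valid_refresh N: -T takes a positive integer; 1 is the minimum.
valid_refresh() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ]
}

# visible_entries COLS ROWS: print how many states fit (rows - 5); fail
# below 80 columns, because ipfstat itself does not check the width.
visible_entries() {
    [ "$1" -ge 80 ] && [ "$2" -gt 5 ] || return 1
    echo $(( $2 - 5 ))
}

# state_top_cmd DST SRC REFRESH: print a validated command line, using
# the documented defaults (any,any and 1) for empty arguments.
state_top_cmd() {
    dst=${1:-any,any}; src=${2:-any,any}; refresh=${3:-1}
    valid_addrport "$dst" && valid_addrport "$src" || return 1
    valid_refresh "$refresh" || return 1
    echo "ipfstat -t -D $dst -S $src -T $refresh"
}
```

Compare the value printed by visible_entries with the number of active states to see whether state top mode will truncate the list.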
FILES
o /dev/kmem
o /dev/ksyms
o /dev/ipl
o /dev/ipstate
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           SUNWipfu
Interface Stability    Committed
SEE ALSO
ipf(1M), kstat(1M), kstat(3KSTAT), attributes(5),
ipfilter(5)