System Administration Commands                          ipmon(1M)



NAME
     ipmon - monitors /dev/ipl for logged packets

SYNOPSIS
     ipmon [-abDFhnpstvxX] [-N device] [-o [NSI]] [-O [NSI]]
          [-P pidfile] [-S device] [-f device] [filename]


DESCRIPTION
     The ipmon command is part of a suite of commands  associated
     with the Solaris IP Filter feature. See ipfilter(5).


     The ipmon command opens /dev/ipl for reading and awaits data
     to  be  saved  from  the packet filter. The binary data read
     from the device is reprinted in human  readable  form.  How-
     ever, IP addresses are not mapped back to hostnames, nor are
     ports mapped back to service names. The output goes to stan-
     dard  output, by default, or a filename, if specified on the
     command line. Should the -s option be used, output  is  sent
     instead  to  syslogd(1M).  Messages  sent by means of syslog
     have the day, month, and year removed from the message,  but
     the  time  (including microseconds), as recorded in the log,
     is still included.


     Messages generated by ipmon consist of  whitespace-separated
     fields. Fields common to all messages are:

         o    The date of packet receipt. This is suppressed when
              the message is sent to syslog.

         o    The time of packet receipt. This  is  in  the  form
              HH:MM:SS.F,  for  hours,  minutes,   seconds,   and
              fractions of a second (which can be several  digits
              long).

         o    The name of the interface on which the  packet  was
              processed, for example, ib1.

         o    The group and rule number of the rule, for example,
              @0:17.  These  can  be  viewed with ipfstat -in for
              input rules or ipfstat -on for  output  rules.  See
              ipfstat(1M).

         o    The action: p for passed, b for blocked,  s  for  a
              short packet, n for a packet that did not match any
              rules, or L for a log rule.

         o    The addresses. This is actually three  fields:  the
              source address and port (separated by a comma), the
              symbol ->, and the destination  address  and  port.



SunOS 5.11           Last change: 3 Apr 2008                    1






              For example: 209.53.17.22,80 -> 198.73.220.17,1722.

         o    PR followed by the protocol  name  or  number,  for
              example, PR tcp.

         o    len followed by the header length and total  length
              of the packet, for example, len 20 40.


     If the packet is a TCP packet, there will be  an  additional
     field starting with a hyphen followed by letters correspond-
     ing to any flags that were set. See ipf.conf(4) for  a  list
     of letters and their flags.


     If the packet is an ICMP packet, there will be two fields at
     the  end,  the  first  always being icmp, the next being the
     ICMP message and submessage type, separated by a slash.  For
     example, icmp 3/3 for a port unreachable message.
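
     The field layout described above, as an added example (not part of
     the original man page or of the IP Filter sources): a Python parser
     for one ipmon packet message. It assumes that the date, when present,
     is a single token and that the port may be absent (as for ICMP); it
     ignores trailing fields it does not recognise, and the sample lines
     are constructed.

```python
import re

# Action letters from the field list above.
ACTIONS = {"p": "passed", "b": "blocked", "s": "short", "n": "nomatch", "L": "log"}
TIME_RE = re.compile(r"^\d{1,2}:\d{2}:\d{2}\.\d+$")   # HH:MM:SS.F
RULE_RE = re.compile(r"^@(-?\d+):(-?\d+)$")           # @group:rule

def endpoint(field):
    """Split 'addr,port'; port is None when absent (assumed for ICMP)."""
    addr, _, port = field.partition(",")
    return addr, port or None

def parse_ipmon(line):
    """Parse one ipmon packet message into a dict; ValueError if malformed."""
    f = line.split()
    # The date is suppressed under -s, so find the time in the first two fields.
    t = next((i for i, tok in enumerate(f[:2]) if TIME_RE.match(tok)), None)
    if t is None or len(f) < t + 12:
        raise ValueError("not an ipmon packet message")
    (time, iface, rule, action, src, arrow, dst,
     pr, proto, ln, hlen, tlen) = f[t:t + 12]
    m = RULE_RE.match(rule)
    if not m or action not in ACTIONS or (arrow, pr, ln) != ("->", "PR", "len"):
        raise ValueError("unexpected field layout")
    rec = {
        "date": f[0] if t == 1 else None, "time": time, "interface": iface,
        "group": int(m.group(1)), "rule": int(m.group(2)),
        "action": ACTIONS[action], "src": endpoint(src), "dst": endpoint(dst),
        "proto": proto, "hdr_len": int(hlen), "total_len": int(tlen),
        "tcp_flags": None, "icmp": None,
    }
    rest = f[t + 12:]   # protocol-specific fields; anything else is ignored
    if proto == "tcp" and rest and rest[0].startswith("-"):
        rec["tcp_flags"] = rest[0][1:]          # letters per ipf.conf(4)
    elif rest[:1] == ["icmp"] and len(rest) > 1 and "/" in rest[1]:
        typ, sub = rest[1].split("/", 1)
        rec["icmp"] = (int(typ), int(sub))      # message / submessage type
    return rec

# Constructed sample lines: file output (with date) and syslog-style (no date).
SAMPLES = [
    "03/04/2008 14:02:11.501234 ib1 @0:17 b 209.53.17.22,80 -> "
    "198.73.220.17,1722 PR tcp len 20 40 -S",
    "14:02:12.000871 ib1 @0:3 p 198.73.220.17 -> 209.53.17.22 "
    "PR icmp len 20 56 icmp 3/3",
]

if __name__ == "__main__":
    print([parse_ipmon(s) for s in SAMPLES])
```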

OPTIONS
     The following options are supported:

     -a

         Open all of the device logfiles for reading log entries.
         All  entries  are  displayed  to  the same output device
         (stderr or syslog).


     -b

         For rules which log the body of a packet,  generate  hex
         output   representing  the  packet  contents  after  the
         headers.


     -D

         Cause ipmon to turn itself into  a  daemon.  Using  sub-
         shells or backgrounding of ipmon is not required to turn
         it into an orphan so it can run indefinitely.


     -f device

         Specify an alternative device/file from  which  to  read
         the log information for normal IP Filter log records.


     -F




         Flush the current packet log buffer. The number of bytes
         flushed is displayed, even if the result is zero.


     -h

         Displays usage information.


     -n

         IP addresses and port numbers will be mapped, where pos-
         sible, back into hostnames and service names.


     -N device

         Set the logfile to be opened for reading NAT log records
         from or to device.


     -o letter

         Specify the log files from which to actually read  data.
         N,  NAT  logfile;  S,  state  logfile;  I,  normal  IP
         Filter logfile. The -a option is equivalent to using  -o
         NSI.


     -O letter

         Specify which log files you do not wish  to  read  from.
         This  is  most commonly used in conjunction with the  -a
         option. Letters available as parameters are the same  as
         for -o.


     -p

         Cause the port number  in  log  messages  always  to  be
         printed as a number and never attempt to look it up.


     -P pidfile

         Write the PID of the ipmon process to a file. By default
         this is /var/run/ipmon.pid.


     -s

         Packet information read in will be sent through  syslogd
         rather  than  saved to a file. The default facility when
         compiled and installed is local0. The  following  levels
         are used:

         LOG_INFO

             Packets logged using the log keyword as  the  action
             rather than pass or block.


         LOG_NOTICE

             Packets logged that are also passed.


         LOG_WARNING

             Packets logged that are also blocked.


         LOG_ERR

             Packets that have been logged and that can  be  con-
             sidered "short".



     -S device

         Set the logfile to  be  opened  for  reading  state  log
         records from or to device.


     -t

         Read the input  file/device  in  the  way  performed  by
         tail(1).


     -v

         Show TCP window, ack, and sequence fields.


     -x

         Show the packet data in hex.


     -X

         Show the log header record data in hex.




FILES
         o    /dev/ipl

         o    /dev/ipnat

         o    /dev/ipstate

ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ATTRIBUTE TYPE               ATTRIBUTE VALUE
     ---------------------------  ---------------------------
     Availability                 SUNWipfu
     Interface Stability          Committed


SEE ALSO
     ipf(1M), ipfstat(1M), ipnat(1M), attributes(5), ipfilter(5)


DIAGNOSTICS
     ipmon expects data that it reads to be consistent  with  how
     it should be saved and aborts if it fails an assertion which
     detects an anomaly in the recorded data.
























