path: root/usr/src/man/man1m/ipmon.1m
Diffstat (limited to 'usr/src/man/man1m/ipmon.1m')
-rw-r--r--usr/src/man/man1m/ipmon.1m417
1 files changed, 417 insertions, 0 deletions
diff --git a/usr/src/man/man1m/ipmon.1m b/usr/src/man/man1m/ipmon.1m
new file mode 100644
index 0000000000..3540b8709e
--- /dev/null
+++ b/usr/src/man/man1m/ipmon.1m
@@ -0,0 +1,417 @@
+'\" te
+.\" To view license terms, attribution, and copyright for IP Filter, the default path is /usr/lib/ipf/IPFILTER.LICENCE. If the Solaris operating environment has been installed anywhere other than the default, modify the given path to access the file at the installed
+.\" location.
+.\" Portions Copyright (c) 2008, Sun Microsystems Inc. All Rights Reserved.
+.TH ipmon 1M "3 Apr 2008" "SunOS 5.11" "System Administration Commands"
+.SH NAME
+ipmon \- monitors /dev/ipl for logged packets
+.SH SYNOPSIS
+.LP
+.nf
+\fBipmon\fR [\fB-abDFhnpstvxX\fR] [\fB-N\fR \fIdevice\fR] [ [o] [NSI]] [\fB-O\fR [NSI]]
+ [\fB-P\fR \fIpidfile\fR] [\fB-S\fR \fIdevice\fR] [\fB-f\fR \fIdevice\fR] [\fIfilename\fR]
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBipmon\fR command is part of a suite of commands associated with the
+Solaris IP Filter feature. See \fBipfilter\fR(5).
+.sp
+.LP
+The \fBipmon\fR command opens \fB/dev/ipl\fR for reading and awaits data to be
+saved from the packet filter. The binary data read from the device is reprinted
+in human readable form. However, IP addresses are not mapped back to hostnames,
+nor are ports mapped back to service names. The output goes to standard output,
+by default, or a filename, if specified on the command line. Should the
+\fB-s\fR option be used, output is sent instead to \fBsyslogd\fR(1M). Messages
+sent by means of \fBsyslog\fR have the day, month, and year removed from the
+message, but the time (including microseconds), as recorded in the log, is
+still included.
+.sp
+.LP
+Messages generated by \fBipmon\fR consist of whitespace-separated fields.
+Fields common to all messages are:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The date of packet receipt. This is suppressed when the message is sent to
+\fBsyslog\fR.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The time of packet receipt. This is in the form
+\fIHH\fR:\fIMM\fR:\fISS\fR.\fIF\fR, for hours, minutes, seconds, and fractions
+of a second (which can be several digits long).
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The name of the interface on which the packet was processed, for example,
+\fBib1\fR.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The group and rule number of the rule, for example, \fB@0:17\fR. These can be
+viewed with \fBipfstat\fR \fB-in\fR for input rules or \fBipfstat\fR \fB-in\fR
+for output rules. See \fBipfstat\fR(1M).
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The action: \fBp\fR for passed, \fBb\fR for blocked, \fBs\fR for a short
+packet, \fBn\fR did not match any rules, or \fBL\fR for a log rule.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+The addresses. This is actually three fields: the source address and port
+(separated by a comma), the symbol \(->, and the destination address and port.
+For example: \fB209.53.17.22,80 \(-> 198.73.220.17,1722\fR.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+\fBPR\fR followed by the protocol name or number, for example, \fBPR tcp\fR.
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+\fBlen\fR followed by the header length and total length of the packet, for
+example, \fBlen 20 40\fR.
+.RE
+.sp
+.LP
+If the packet is a TCP packet, there will be an additional field starting with
+a hyphen followed by letters corresponding to any flags that were set. See
+\fBipf.conf\fR(4) for a list of letters and their flags.
+.sp
+.LP
+If the packet is an ICMP packet, there will be two fields at the end, the first
+always being \fBicmp\fR, the next being the ICMP message and submessage type,
+separated by a slash. For example, \fBicmp 3/3\fR for a port unreachable
+message.
+.SH OPTIONS
+.sp
+.LP
+The following options are supported:
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-a\fR\fR
+.ad
+.sp .6
+.RS 4n
+Open all of the device logfiles for reading log entries. All entries are
+displayed to the same output device (stderr or syslog).
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-b\fR\fR
+.ad
+.sp .6
+.RS 4n
+For rules which log the body of a packet, generate hex output representing the
+packet contents after the headers.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-D\fR\fR
+.ad
+.sp .6
+.RS 4n
+Cause \fBipmon\fR to turn itself into a daemon. Using subshells or
+backgrounding of \fBipmon\fR is not required to turn it into an orphan so it
+can run indefinitely.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-f\fR \fIdevice\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specify an alternative device/file from which to read the log information for
+normal IP Filter log records.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-F\fR\fR
+.ad
+.sp .6
+.RS 4n
+Flush the current packet log buffer. The number of bytes flushed is displayed,
+even if the result is zero.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-h\fR\fR
+.ad
+.sp .6
+.RS 4n
+Displays usage information.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-n\fR\fR
+.ad
+.sp .6
+.RS 4n
+IP addresses and port numbers will be mapped, where possible, back into
+hostnames and service names.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-N\fR \fIdevice\fR\fR
+.ad
+.sp .6
+.RS 4n
+Set the logfile to be opened for reading NAT log records from or to
+\fIdevice\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-o\fR \fIletter\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specify which log files from which to actually read data. \fBN\fR, NAT logfile;
+\fBS\fR, state logfile; \fBI\fR, normal IP Filter logfile. The \fB-a\fR option
+is equivalent to using \fB-o\fR \fBNSI\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-O\fR \fIletter\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specify which log files you do not wish to read from. This is most commonly
+used in conjunction with the \fB-a\fR. Letters available as parameters are the
+same as for \fB-o\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-p\fR\fR
+.ad
+.sp .6
+.RS 4n
+Cause the port number in log messages always to be printed as a number and
+never attempt to look it up.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-P\fR \fIpidfile\fR\fR
+.ad
+.sp .6
+.RS 4n
+Write the PD of the \fBipmon\fR process to a file. By default this is
+\fB/var/run/ipmon.pid\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-s\fR\fR
+.ad
+.sp .6
+.RS 4n
+Packet information read in will be sent through \fBsyslogd\fR rather than saved
+to a file. The default facility when compiled and installed is \fBlocal0\fR.
+The following levels are used:
+.sp
+.ne 2
+.mk
+.na
+\fB\fBLOG_INFO\fR\fR
+.ad
+.sp .6
+.RS 4n
+Packets logged using the \fBlog\fR keyword as the action rather than \fBpass\fR
+or \fBblock\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBLOG_NOTICE\fR\fR
+.ad
+.sp .6
+.RS 4n
+Packets logged that are also passed.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBLOG_WARNING\fR\fR
+.ad
+.sp .6
+.RS 4n
+Packets logged that are also blocked.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fBLOG_ERR\fR\fR
+.ad
+.sp .6
+.RS 4n
+Packets that have been logged and that can be considered "short".
+.RE
+
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-S\fR \fIdevice\fR\fR
+.ad
+.sp .6
+.RS 4n
+Set the logfile to be opened for reading state log records from or to
+\fIdevice\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-t\fR\fR
+.ad
+.sp .6
+.RS 4n
+Read the input file/device in the way performed by \fBtail\fR(1).
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-v\fR\fR
+.ad
+.sp .6
+.RS 4n
+Show TCP \fBwindow\fR, \fBack\fR, and \fBsequence\fR fields
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-x\fR\fR
+.ad
+.sp .6
+.RS 4n
+Show the packet data in hex.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-X\fR\fR
+.ad
+.sp .6
+.RS 4n
+Show the log header record data in hex.
+.RE
+
+.SH FILES
+.RS +4
+.TP
+.ie t \(bu
+.el o
+\fB/dev/ipl\fR
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+\fB/dev/ipnat\fR
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+\fB/dev/ipstate\fR
+.RE
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilityCommitted
+.TE
+
+.SH SEE ALSO
+.sp
+.LP
+\fBipf\fR(1M), \fBipfstat\fR(1M), \fBipnat\fR(1M), \fBattributes\fR(5),
+\fBipfilter\fR(5)
+.sp
+.LP
+\fI\fR
+.SH DIAGNOSTICS
+.sp
+.LP
+\fBipmon\fR expects data that it reads to be consistent with how it should be
+saved and aborts if it fails an assertion which detects an anomaly in the
+recorded data.