IPFWLOG(8) BSD System Manager's Manual IPFWLOG(8)
NAME
ipfwlog - display BSD IP Filter logging
SYNOPSIS
ipfwlog [-cdknRx] [-b bits] [-l logfile] [-L facility.priority] [-m mask]
[-r rcvsize] [-fIiOo] [file]
DESCRIPTION
The ipfwlog utility displays packets returned from a BSD IP Filter, or
from file. If file is specified then it should contain packets previously
stored by ipfwlog using the -R and -l options.
The options available are:
-b Require the specified user bits be set. The user bits are
specified by a mask in the range of 0x00 - 0xff.
-c Unless -c is specified, IPFW informational messages (such as
circuits closing) are not displayed.
-d Run as a daemon; requires the -l option as well. The PID of the
running process will be stored in /var/run/ipfwlog.pid.
-k Send a SIGHUP to the currently running ipfwlog daemon (started
with -d) before doing any logging. This is typically used when
reading from a raw packet log being generated by an ipfwlog
daemon to force it to close and reopen the logfile. This can also
be used when rotating log files. If file is not specified then
ipfwlog will exit after sending the SIGHUP.
-L Rather than logging to a file, log to syslog. The values that
facility and priority can take are listed in syslog(3). Either
or both of these may be absent. Using just ``.'' will use the
default priority of notice and the default facility of user.
-l Rather than logging to standard output, log to the file named
logfile.
-m Specify the mask to use when checking the user bits. The mask is
in the range of 0x00 - 0xff.
-n Do not perform reverse name lookups on IP addresses or port
number lookups.
-R Run in raw mode, store the raw packets received for future
interrogation.
-r Change the receive buffer on the logging socket to rcvsize bytes.
-x When not using raw mode, also display the context of the packet
in HEX.
-f Display packets from the forwarding BSD IP Filter.
-I Display packets from the pre-input BSD IP Filter.
-i Display packets from the input BSD IP Filter.
-O Display packets from the pre-output BSD IP Filter.
-o Display packets from the output BSD IP Filter.
OUTPUT
The output format produced by ipfwlog depends on the type of packet being
logged. All packets start with the following fields:
date The year/month/day the packet was logged.
time The hour:minute:second the packet was logged.
disposition
This is a single character field which is one of:
<space>
An empty space implies this packet was accepted by the
filter and is only being reported.
! The packet was rejected by the filter.
c This is a control message from the filter. For example,
a circuit cache has concluded a TCP circuit entry.
filter This is a single character field which is appended to the above
field. It may be one of:
f The forward filter reported this packet.
I The pre-input filter reported this packet.
i The input filter reported this packet.
O The pre-output filter reported this packet.
o The output filter reported this packet.
user-code
The two byte user code, displayed in hex. See ipfwcmp(8) for
more information on user codes.
srcaddr
The source IP address associated with the packet.
dstaddr
The destination IP address associated with the packet.
The remaining fields are dependent on the version of IP and the protocol.
IPv4 packets will have the flag and fragment information displayed. The
following 3 flags may be displayed:
R The reserved bit was set, this should not happen.
D The don't fragment bit was set.
M The more fragments bit was set.
If this packet is not the initial fragment of the packet (the offset
field is not zero) then frag @ offset will be printed.
Both UDP and TCP packets will have their source and destination ports
displayed. In addition, TCP will display the TCP flags:
F The FIN bit was set.
S The SYN bit was set.
R The RESET bit was set.
P The PUSH bit was set.
A The ACK bit was set.
U The URGENT bit was set.
4 The reserved bit 0x40 was set.
8 The reserved bit 0x80 was set.
ICMP packets will display the type and code of the packet.
Packets of other protocols display Pprotocol where protocol is the
protocol number listed in the IP packet.
Packets other than IPv4, IPv6, or IPFW control packets are displayed only
as IPvversion where version is the IP version of the packet.
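The flag letters described above can be derived directly from a raw IPv4 packet. The following C code is an added example, not part of ipfwlog or this manual: the function name describe_ipv4 and the layout of the line it writes are hypothetical, and reporting the fragment offset in bytes is an assumption; only the flag letters and the "frag @ offset" wording come from this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag letters from the OUTPUT section, in bit order 0x01 .. 0x80. */
static const char tcp_letters[] = "FSRPAU48";

/* Decode the IPv4 flag/fragment field and, for an initial TCP fragment,
 * the TCP flags. Returns 0, or -1 if pkt is not a usable IPv4 packet.
 * The layout written to out is this example's own (assumption). */
int describe_ipv4(const uint8_t *pkt, size_t len, char *out, size_t outlen)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* header length, bytes */
    if (ihl < 20 || ihl > len)
        return -1;
    unsigned ff = ((unsigned)pkt[6] << 8) | pkt[7]; /* flags + frag offset */
    unsigned offset = (ff & 0x1fff) * 8;            /* bytes (assumed unit) */
    char ipf[4] = "", tcpf[9] = "";                 /* zero-filled buffers */
    size_t n = 0;
    if (ff & 0x8000) ipf[n++] = 'R';                /* reserved bit */
    if (ff & 0x4000) ipf[n++] = 'D';                /* don't fragment */
    if (ff & 0x2000) ipf[n++] = 'M';                /* more fragments */
    if (offset != 0) {                              /* not the initial fragment */
        snprintf(out, outlen, "%s frag @ %u", ipf, offset);
        return 0;
    }
    /* TCP flags are byte 13 of the TCP header; check it was captured. */
    if (pkt[9] == 6 && len >= ihl + 14)
        for (int bit = 0, k = 0; bit < 8; bit++)
            if (pkt[ihl + 13] & (1u << bit))
                tcpf[k++] = tcp_letters[bit];
    snprintf(out, outlen, "%s %s", ipf, tcpf);
    return 0;
}

int main(void)
{
    /* Constructed sample: IPv4, DF set, TCP, SYN+ACK (flags byte 0x12). */
    uint8_t syn_ack[40] = { 0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6 };
    char line[64];
    syn_ack[20 + 13] = 0x12;
    if (describe_ipv4(syn_ack, sizeof syn_ack, line, sizeof line) == 0)
        puts(line);
    return 0;
}
```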
BUGS
This program is just slightly better than the "Pooh" variety, having just
slightly more than very little brain.
SEE ALSO
ipfw(8)
4th Berkeley Distribution November 12, 1996