HP-UX IPFilter Version 16 Administrator's Guide

Using ipmon to View IPFilter Log Entries
The ipmon utility displays IPFilter log entries in human-readable format. To configure IPFilter
to create log entries, specify the log keyword in IPFilter rules, as described in “Using the log
keyword to Configure IPFilter Logging” (page 78). Besides the packet log, the ipmon utility can
display the state table log and the NAT log, or any combination of the three. You can run ipmon
in the foreground or as a daemon that logs to syslog or to a file.
Log files include both IPv4 and IPv6 log records, ordered according to the time IPFilter receives
the packets.
Syntax
ipmon -options
Options
-a          Opens and reads data from all available log files. Equivalent to -o NSI.
-o [NSI]    Specifies which log file to read data from. Valid values are:
            N—NAT log file
            S—State log file
            I—IPFilter log file
-A          Logs the summary records created for DCA logging.
-r          Prints the summary records to the summary log file and clears the block count for
            each limit entry.
-F          Flushes the packet log buffer. Output displays the number of bytes flushed.
-n          Maps IP addresses and port numbers to host names and services wherever possible.
For a complete list of ipmon options and their uses, see the ipmon manpage.
Examples
To view the state table as it updates, use the ipmon -o S command.
Example:
# ipmon -o S
01/08/1999 15:58:57.836053 STATE:NEW 100.100.100.1,53 ->20.20.20.15,53 PR udp
01/08/1999 15:58:58.030815 STATE:NEW 20.20.20.15,123 ->128.167.1.69,123 PR udp
01/08/1999 15:59:18.032174 STATE:NEW 20.20.20.15,123 ->128.173.14.71,123 PR udp
01/08/1999 15:59:24.570107 STATE:EXPIRE 100.100.100.1,53 ->20.20.20.15,53 PR udp Pkts 4 Bytes 356
01/08/1999 16:03:51.754867 STATE:NEW 20.20.20.13,1019 ->100.100.100.10,22 PR tcp
01/08/1999 16:04:03.070127 STATE:EXPIRE 20.20.20.13,1019 ->100.100.100.10,22 PR tcp Pkts 63 Bytes 4604
The first entry is the state entry for an external DNS request to the nameserver (port 53). The
two entries for port 123 are xntp pings to well-known time servers, and the last pair (port 22) is
a short outbound SSH connection; the STATE:EXPIRE records carry the packet and byte counts for
the completed flows.
You can also use ipmon to display packets that have been logged.
To view the IPFilter packet log, use the ipmon -o I command.
Example:
# ipmon -o I
15:57:33.803147 lan0 @0:2 b 100.100.100.103,443 -> 20.20.20.10,4923 PR tcp len 20 1488 -A:
The fields in this output are as follows:
Field 1—Time stamp
Field 2—The interface on which the event occurred
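The following Python script is an added example and is not part of the HP-UX IPFilter guide. It parses the two record formats shown above: the ipmon -o S state records, pairing each STATE:NEW with its matching STATE:EXPIRE to give a per-flow lifetime with the packet and byte counts (the two xntp entries stay open because no EXPIRE for them appears in the sample), and the ipmon -o I packet record, counting blocked packets per source address and matching rule. The sample lines are constructed by copying the page's output. The meaning of the packet-log fields the guide has not explained at this point (the @group:rule tag, the b action letter, the len <hdr> <total> pair, the -A flags) and the dd/mm/yyyy date order are assumptions drawn from ipmon's general output format, not from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the `ipmon -o S` lines reproduced from the page.
STATE_LOG = """\
01/08/1999 15:58:57.836053 STATE:NEW 100.100.100.1,53 ->20.20.20.15,53 PR udp
01/08/1999 15:58:58.030815 STATE:NEW 20.20.20.15,123 ->128.167.1.69,123 PR udp
01/08/1999 15:59:18.032174 STATE:NEW 20.20.20.15,123 ->128.173.14.71,123 PR udp
01/08/1999 15:59:24.570107 STATE:EXPIRE 100.100.100.1,53 ->20.20.20.15,53 PR udp Pkts 4 Bytes 356
01/08/1999 16:03:51.754867 STATE:NEW 20.20.20.13,1019 ->100.100.100.10,22 PR tcp
01/08/1999 16:04:03.070127 STATE:EXPIRE 20.20.20.13,1019 ->100.100.100.10,22 PR tcp Pkts 63 Bytes 4604
"""

# Constructed sample input: the `ipmon -o I` line from the page, rejoined onto one line.
PACKET_LOG = ("15:57:33.803147 lan0 @0:2 b 100.100.100.103,443 -> "
              "20.20.20.10,4923 PR tcp len 20 1488 -A:\n")

FlowKey = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)

STATE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d{4}) (?P<time>\d\d:\d\d:\d\d\.\d{6}) STATE:(?P<event>NEW|EXPIRE) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) ->\s*(?P<dst>[^,\s]+),(?P<dport>\d+) PR (?P<proto>\w+)"
    r"(?: Pkts (?P<pkts>\d+) Bytes (?P<bytes>\d+))?\s*$"
)

# Assumption (ipmon's general layout, not stated on the page): after the interface,
# "@group:rule" is the rule that matched, the single letter is the action (b = block,
# p = pass), "len <hdr> <total>" are IP header and total lengths, "-A" is TCP flags.
PACKET_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d{6}) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[^,\s]+),(?P<sport>\d+) ->\s*(?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?: (?P<flags>-[A-Z]*))?"
)


@dataclass
class Session:
    key: FlowKey
    start: datetime
    end: Optional[datetime] = None   # None while the entry is still in the state table
    pkts: int = 0
    bytes: int = 0

    @property
    def duration(self) -> Optional[float]:
        return None if self.end is None else (self.end - self.start).total_seconds()


def _ts(date: str, time: str) -> datetime:
    # Assumption: ipmon prints the date as dd/mm/yyyy. The sample date is 01/08, so
    # either order parses, and durations within one day are unaffected.
    return datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S.%f")


def parse_state_log(text: str) -> List[Session]:
    """Pair STATE:NEW with the matching STATE:EXPIRE to get per-flow lifetimes."""
    open_flows: Dict[FlowKey, Session] = {}
    sessions: List[Session] = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # not a state record (e.g. a NAT or packet line in a combined log)
        key: FlowKey = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["proto"])
        when = _ts(m["date"], m["time"])
        if m["event"] == "NEW":
            s = Session(key, when)
            open_flows[key] = s
            sessions.append(s)
        else:
            s = open_flows.pop(key, None)
            if s is None:  # EXPIRE whose NEW predates the log window: record it anyway
                s = Session(key, when)
                sessions.append(s)
            s.end = when
            s.pkts = int(m["pkts"] or 0)
            s.bytes = int(m["bytes"] or 0)
    return sessions


def parse_packet_log(text: str) -> List[dict]:
    """Split `ipmon -o I` lines into their fields; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("group", "rule", "sport", "dport", "hlen", "plen"):
                d[k] = int(d[k])
            records.append(d)
    return records


def blocked_by_source(records: List[dict]) -> Counter:
    """Count blocked packets per (source address, matching rule) for review."""
    return Counter((r["src"], f"@{r['group']}:{r['rule']}")
                   for r in records if r["action"] == "b")


if __name__ == "__main__":
    for s in parse_state_log(STATE_LOG):
        state = "open" if s.end is None else f"{s.duration:.3f}s {s.pkts} pkts {s.bytes} bytes"
        print(f"{s.key[4]} {s.key[0]}:{s.key[1]} -> {s.key[2]}:{s.key[3]}  {state}")
    print(blocked_by_source(parse_packet_log(PACKET_LOG)))
```

On the sample, the DNS flow closes after about 26.7 seconds with 4 packets and 356 bytes, the SSH flow after about 11.3 seconds with 63 packets and 4604 bytes, and the two xntp flows are reported as still open. Pairing on the full 5-tuple rather than on addresses alone matters here: the two xntp entries share source and port and differ only in the destination server.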
80 Troubleshooting HP-UX IPFilter