HP-UX Reference (11i v2 04/09) - 4 File Formats (vol 8)
ppp.Filter(4) ppp.Filter(4)
# Only these messages will have headers or contents
# logged, unless higher-level debugging is set:
#
log 3/icmp 11/icmp 12/icmp/trace
telnet/syn ftp/syn
smtp/syn/terminus.netsys.com
#
default bringup !ntp !3/icmp !who
keepup !send !ntp !3/icmp !who
RECOMMENDATIONS
Simpler filter specifications allow pppd to start up quicker and run faster, with less processing overhead
for each packet, but that overhead is likely to present a problem only at very high line speeds (like T1).
The ‘backbone’ example shown above is severe overkill for the sake of illustration, evolved over a period
of several weeks, and took the authors several tries to get right. Start with a simple filter specification
and add each special case only as the need arises, usually as the result of watching packet logs. Then test
carefully to ensure that your change had only the desired effect.
Be very careful with header logging and even more careful with packet content tracing. Make the selection
criteria very narrow, or the log file will grow extremely large in a short period of time. Also, if the
daemon is running on a diskless workstation or if the log file is on an NFS-mounted file system, excessive
amounts of logging information will drastically impede the daemon’s ability to process at high packet
rates. Remember, NFS writes are synchronous.
If you specify host names, be sure that their addresses are available locally, even with the connection
down. If you find that you must bring up a connection to resolve a domain name, consider using that
host’s IP address (decimal numbers separated by periods) in both Filter and Systems instead.
If you want to specify all Domain Name System traffic, use ‘domain’ which will be expanded to entries for
both 53/tcp and 53/udp. (Some DNS traffic uses each transport.) To allow queries but disable domain
transfers, use !domain/tcp. Similarly, some systems’ older /etc/services files, as distributed by
the manufacturer, list NTP as a TCP service. When the current UDP NTP implementation was installed
on your system, the administrator may have left the old 123/tcp entry along with the correct 123/udp.
The correct solution is to remove the 123/tcp entry from /etc/services. A workaround would be to
specify 123/udp in Filter.
DEC ULTRIX 4.2 and some other systems may have no entry for FTP’s data socket in their
/etc/services file. If you want to log the bulk data connections as well as the control connections,
you’ll need to either add an entry for ‘ftp-data’ to /etc/services, or use 20/tcp explicitly in
Filter. The former is preferable because it will cause the log file entry to contain the symbolic name
(‘ftp-data’) rather than the socket/protocol notation.
If your /etc/services file is missing some application-level protocols that you consider useful, you
can populate it with entries from the Assigned Numbers RFC, number 1340. For example, you may find
it useful to add lines like
gopher 70/tcp
gopher 70/udp
kerberos 88/tcp
kerberos 88/udp
snmp 161/tcp
snmp 161/udp
nextstep 178/tcp
nextstep 178/udp
prospero 191/tcp
prospero 191/udp
x11 6000/tcp
if you’re using those applications, and if they’re not already in your /etc/services file as received
from your system’s manufacturer. If you augment your /etc/services this way, then instead of using
entries like
pass !6000/tcp/syn/send
your Filter could use entries like
pass !x11/syn/send
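The shell script below is an added example, not part of the original manual page: it audits a services-format file for the three pitfalls described above (a stale 123/tcp NTP entry, a missing ftp-data entry, and ‘domain’ not listed for both transports). The function names and the sample file are constructed for illustration, and it assumes symbolic names in Filter resolve through the local services file, as the NTP paragraph implies.

```shell
#!/bin/sh
# Added example (not from the man page): audit a services(5)-format file for
# the pitfalls the text describes before relying on symbolic names in Filter.

# svc_entries FILE NAME: print every port/proto that NAME or an alias maps to.
svc_entries() {
    awk -v want="$2" '
        { sub(/#.*/, "") }              # drop trailing comments
        NF < 2 { next }                 # skip blank or malformed lines
        { for (i = 1; i <= NF; i++)
              if (i != 2 && $i == want) { print $2; break } }
    ' "$1"
}

# audit_services FILE: print one finding per line; no output means clean.
audit_services() {
    f=$1
    # ntp: a leftover 123/tcp entry makes the name cover TCP as well as UDP.
    if svc_entries "$f" ntp | grep -qx '123/tcp'; then
        echo "ntp: stale 123/tcp entry; remove it, or write 123/udp in Filter"
    fi
    # ftp-data: without an entry, only the explicit 20/tcp form is usable.
    if ! svc_entries "$f" ftp-data | grep -qx '20/tcp'; then
        echo "ftp-data: no 20/tcp entry; add one, or write 20/tcp in Filter"
    fi
    # domain: the name is expected to resolve for both transports (assumption).
    for proto in tcp udp; do
        if ! svc_entries "$f" domain | grep -qx "53/$proto"; then
            echo "domain: no 53/$proto entry"
        fi
    done
}

# Constructed sample input: stale NTP entry, no ftp-data, DNS over UDP only.
write_sample() {
    cat > "$1" <<'EOF'
ftp        21/tcp
domain     53/udp    nameserver   # name-domain server
ntp        123/tcp                # left over from an old distribution
ntp        123/udp
x11        6000/tcp
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_services "$sample"
rm -f "$sample"
```

Run audit_services against the real /etc/services before switching Filter entries from port/protocol notation to symbolic names.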
HP-UX 11i Version 2: September 2004 − 5 − Hewlett-Packard Company Section 4−−251