HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

ppp.Filter(4) ppp.Filter(4)
#
# Only these messages will have headers or contents
# logged, unless higher-level debugging is set:
#
        log     3/icmp 11/icmp 12/icmp/trace
                telnet/syn ftp/syn
                smtp/syn/terminus.netsys.com
#
default bringup !ntp !3/icmp !who
        keepup  !send !ntp !3/icmp !who
RECOMMENDATIONS
Simpler filter specifications allow pppd to start up quicker and run faster, with less processing
overhead for each packet, but that overhead is likely to present a problem only at very high line
speeds (like T1).
The "backbone" example shown above is severe overkill for the sake of illustration, evolved over a
period of several weeks, and took the authors several tries to get right. Start with a simple filter
specification and add each special case only as the need arises, usually as the result of watching
packet logs. Then test carefully to ensure that your change had only the desired effect.
Be very careful with header logging and even more careful with packet content tracing. Make the
selection criteria very narrow, or the log file will grow extremely large in a short period of time.
Also, if the daemon is running on a diskless workstation or if the log file is on an NFS-mounted file
system, excessive amounts of logging information will drastically impede the daemon's ability to
process at high packet rates. Remember, NFS writes are synchronous.
If you specify host names, be sure that their addresses are available locally, even with the
connection down. If you find that you must bring up a connection to resolve a domain name, consider
using that host’s IP address (decimal numbers separated by periods) in both Filter and Systems instead.
If you want to specify all Domain Name System traffic, use domain, which will be expanded to entries
for both 53/tcp and 53/udp. (Some DNS traffic uses each transport.) To allow queries but disable domain
transfers, use !domain/tcp. Similarly, some systems’ older /etc/services files, as distributed by the
manufacturer, list NTP as a TCP service. When the current UDP NTP implementation was installed on your
system, the administrator may have left the old 123/tcp entry along with the correct 123/udp. The
correct solution is to remove the 123/tcp entry from /etc/services. A workaround would be to specify
123/udp in Filter.
DEC ULTRIX 4.2 and some other systems may have no entry for FTP’s data socket in their /etc/services
file. If you want to log the bulk data connections as well as the control connections, you’ll need to
either add an entry for ftp-data to /etc/services, or use 20/tcp explicitly in Filter. The former is
preferable because it will cause the log file entry to contain the symbolic name (ftp-data) rather
than the socket/protocol notation.
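
The two /etc/services checks described above, as an added example that is not part of the original
manual page. The function names and the sample file are constructed for illustration; the script
assumes a bare service name in Filter covers every protocol listed for that name, as the text
describes for domain.

```sh
#!/bin/sh
# Added example: audit a services(4)-format file before relying on
# symbolic names in Filter. Function names are hypothetical.

# Print every port/proto that NAME (or an alias) maps to in FILE.
service_entries() {   # usage: service_entries FILE NAME
    awk -v want="$2" '
        { sub(/#.*/, "") }                    # drop comments
        NF >= 2 {                             # field 2 is port/proto, the rest are names
            for (i = 1; i <= NF; i++)
                if (i != 2 && $i == want && !($2 in hit)) {
                    hit[$2] = 1
                    out = out (out == "" ? "" : " ") $2
                }
        }
        END { print out }' "$1"
}

# Report the stale NTP entry and the missing ftp-data entry, if any.
check_services() {    # usage: check_services FILE
    case " $(service_entries "$1" ntp) " in
        *" 123/tcp "*)
            echo "STALE: ntp 123/tcp listed; remove it or write 123/udp in Filter" ;;
    esac
    [ -n "$(service_entries "$1" ftp-data)" ] ||
        echo "MISSING: ftp-data; add it or write 20/tcp in Filter"
}

# Constructed sample in the style of an older vendor-supplied file.
SAMPLE="${TMPDIR:-/tmp}/services.sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real system file
ftp      21/tcp
domain   53/tcp   nameserver
domain   53/udp   nameserver
ntp      123/tcp            # left over from an old TCP listing
ntp      123/udp
EOF

echo "domain covers: $(service_entries "$SAMPLE" domain)"
check_services "$SAMPLE"
```

Run check_services against the real /etc/services after any vendor update, since a reinstalled file
can bring the old entries back.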
If your /etc/services file is missing some application-level protocols that you consider useful, you
can populate it with entries from the Assigned Numbers RFC, number 1340. For example, you may find it
useful to add lines like
        gopher          70/tcp
        gopher          70/udp
        kerberos        88/tcp
        kerberos        88/udp
        snmp            161/tcp
        snmp            161/udp
        nextstep        178/tcp
        nextstep        178/udp
        prospero        191/tcp
        prospero        191/udp
        x11             6000/tcp
if you’re using those applications, and if they’re not already in your /etc/services file as received
from your system’s manufacturer. If you augment your /etc/services this way, then instead of using
entries like
        pass !6000/tcp/syn/send
your Filter could use entries like
HP-UX 11i Version 3: February 2007 5 Hewlett-Packard Company 319