HP-UX IPFilter Version A.03.05.12 Administrator's Guide: HP-UX 11.0, HP-UX 11i version 1, HP-UX 11i version 2 > Chapter 5 IPFilter Utilities

The ipmon Utility


Use the ipmon utility to monitor IPFilter while it is in use.

You can use ipmon to watch the packet log, which is populated by rules that carry the log keyword. ipmon can also monitor the state log, the NAT log, or any combination of these three. You can run ipmon in the foreground or as a daemon that logs to syslog or to a file.

Syntax

ipmon <-options>

Options

-a

Opens and reads data from all available log files. Equivalent to -o NSI.

-o [NSI]

Specifies which log file to read data from.

  • N—NAT log file

  • S—State log file

  • I—IPFilter log file

-A

Logs the summary records created for DCA logging.

-r

Prints the summary records to the summary log file and clears the block count for each limit entry.

-F

Flushes the packet log buffer. Output displays the number of bytes flushed.

-n

Maps IP addresses and port numbers to host names and services wherever possible.

For a complete list of ipmon options and their uses, refer to the ipmon manpage.

Examples

To view the state table as it updates, use the ipmon -o S command.

Example:

# ipmon -o S
01/08/1999 15:58:57.836053 STATE:NEW 100.100.100.1,53 ->20.20.20.15,53 PR udp
01/08/1999 15:58:58.030815 STATE:NEW 20.20.20.15,123 ->128.167.1.69,123 PR udp
01/08/1999 15:59:18.032174 STATE:NEW 20.20.20.15,123 ->128.173.14.71,123 PR udp
01/08/1999 15:59:24.570107 STATE:EXPIRE 100.100.100.1,53 ->20.20.20.15,53 PR udp Pkts 4 Bytes 356
01/08/1999 16:03:51.754867 STATE:NEW 20.20.20.13,1019 ->100.100.100.10,22 PR tcp
01/08/1999 16:04:03.070127 STATE:EXPIRE 20.20.20.13,1019 ->100.100.100.10,22 PR tcp Pkts 63 Bytes 4604

The first NEW/EXPIRE pair (udp, port 53) is the state entry for an external DNS request to the nameserver. The two udp entries to port 123 are xntp pings to well-known time servers, and the tcp entry to port 22 is a short outbound SSH connection. An EXPIRE record carries the packet and byte counts accumulated while the state entry was active.

You can also use ipmon to display packets that have been logged.

To view the IPFilter packet log, use the ipmon -o I command.

Example:

# ipmon -o I
15:57:33.803147 ppp0 @0:2 b 100.100.100.103,443 -> 20.20.20.10,4923 PR tcp len 20 1488 -A:

The fields in this output are as follows:

  • Field 1—Time stamp

  • Field 2—The interface on which the event occurred

  • Field 3—Rule group number: rule number of the rule that acted on the packet

  • Field 4—Blocked (b) or Passed (p) packet

  • Field 5—Packet origin

  • Field 6—Packet destination

  • Fields 7 and 8—Protocol used (the PR keyword followed by the protocol name)

  • Field 9—Packet size

  • Field 10—Flags set on packet

Run the ipfstat -in command to list the inbound rules with their numbers and determine which rule acted on the packet. In this example, field 3 is @0:2, so you would look at rule 2 in rule group 0.

Occasionally, a packet that was part of a stateful connection might appear in the ipmon -o I log. This can happen if a packet with the same sequence number as another packet is processed by IPFilter. A packet belonging to a stateful connection might also be logged by the regular IPFilter log if it is the last packet in the connection and arrives after IPFilter has already torn down the state entry.

Example:

# ipfstat -n
12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR  icmp len 20 9216 icmp 9/0

This is an ICMP router discovery broadcast, indicated by the ICMP type and code 9/0 at the end of the record.
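The state-log and packet-log records shown above have a fixed field layout, so they can be parsed into structured records and summarized, for example to count blocked packets per @group:rule before looking the rule up with ipfstat -in. The following parser is an added example written for this page, not part of the guide or of IPFilter; the field layout is taken from the guide's field list and the sample records, and the sample input is constructed from those records.

```python
import re
# ipmon -o I packet record, per the guide's field list: time, interface,
# @group:rule, action letter, src, dst, PR proto, len hdr pkt, flags.
PACKET_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+(?P<src>\S+)\s+->\s*(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)(?:\s+(?P<rest>.*))?$")
# ipmon -o S state record; the Pkts/Bytes counters appear only on EXPIRE.
STATE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+STATE:(?P<event>\w+)\s+(?P<src>\S+)\s+->\s*"
    r"(?P<dst>\S+)\s+PR\s+(?P<proto>\S+)(?:\s+Pkts\s+(?P<pkts>\d+)\s+Bytes\s+(?P<bytes>\d+))?\s*$")
def split_endpoint(ep):
    """'addr,port' -> (addr, port); ICMP endpoints carry no port."""
    addr, sep, port = ep.partition(",")
    return addr, (int(port) if sep else None)
def parse_packet_line(line):
    """Parse one packet-log record into a dict, or return None for other lines."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"time": m["time"], "iface": m["iface"], "group": int(m["group"]),
            "rule": int(m["rule"]), "action": m["action"], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "proto": m["proto"], "hdr_len": int(m["hlen"]),
            "pkt_len": int(m["plen"]), "flags": (m["rest"] or "").strip()}
def parse_state_line(line):
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {"date": m["date"], "time": m["time"], "event": m["event"], "src": src,
            "sport": sport, "dst": dst, "dport": dport, "proto": m["proto"],
            "pkts": m["pkts"] and int(m["pkts"]), "bytes": m["bytes"] and int(m["bytes"])}
def blocked_by_rule(lines):
    """Count blocked ('b') packets per @group:rule, the rule to inspect with ipfstat -in."""
    counts = {}
    for rec in map(parse_packet_line, lines):  # state-log lines yield None and are skipped
        if rec and rec["action"] == "b":
            key = "@%d:%d" % (rec["group"], rec["rule"])
            counts[key] = counts.get(key, 0) + 1
    return counts
# Constructed sample input: the records shown in the guide, in one mixed stream.
SAMPLE_LOG = [
    "15:57:33.803147 ppp0 @0:2 b 100.100.100.103,443 -> 20.20.20.10,4923 PR tcp len 20 1488 -A:",
    "12:46:12.470951 lan0 @0:1 S 20.20.20.254 -> 255.255.255.255 PR  icmp len 20 9216 icmp 9/0",
    "01/08/1999 15:58:57.836053 STATE:NEW 100.100.100.1,53 ->20.20.20.15,53 PR udp",
    "01/08/1999 15:59:24.570107 STATE:EXPIRE 100.100.100.1,53 ->20.20.20.15,53 PR udp Pkts 4 Bytes 356"]
```

Running blocked_by_rule over a file produced by ipmon -o I gives one count per rule, which is the rule to look up with ipfstat -in.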

ipmon and DCA Logging

DCA logging creates a new device file. The log alert records go to /dev/ipl and the summary records are logged to /dev/iplimit. To log the summary records, use ipmon with the -A option. Using ipmon -A prints a summary log record for a limit entry before that entry is removed from the limit table.

Example:

ipmon -A /dev/iplimit > $LOGDIR/limit_summary.log &

You can use ipmon -r to print the summary records to the log file for all existing limit entries that are active. For example, you have the following rule configured:

pass in log limit quick proto tcp from IP1 to Server keep limit 10

If IP1 creates 70 connections, then 10 connections are let through and the remaining 60 are blocked; this count of 60 is the block count. When ipmon -r is called, a summary record is logged to the summary log and the block count is reset to 0. This is useful when IP1 created many connections and has a large block count, but subsequently stays within the connection limit.

ipmon -r works only on active limit entries. If there are no limit entries, ipmon -r does not log any summary log records. Summary logs are printed only for those limit entries whose connection-exceeded counter is non-zero. For cumulative limits, this option is the only way to obtain summary logs.

© 2001-2005 Hewlett-Packard Development Company, L.P.