ipl(4) [osx man page]

IPL(4)							     Kernel Interfaces Manual							    IPL(4)

NAME
ipl - IP packet log device

DESCRIPTION
The ipl pseudo device's purpose is to provide an easy way to gather packet headers of packets you wish to log. If a packet header is to be logged, the entire header is logged (including any IP options - TCP/UDP options are not included when it calculates header size) or not at all. The packet contents are also logged after the header. Prepended to every logged packet header is a structure containing information relevant to the packet that follows and why it was logged. The structure's format is as follows:

    struct ipl_ci {
        u_long  sec;       /* time when the packet was logged */
        u_long  usec;
        u_long  plen;      /* length of packet data logged */
        u_short hlen;      /* length of headers logged */
        u_short rule;      /* rule number (for log ...) or 0 if result = log */
        u_long  flags:24;  /* XXX FIXME do we care about the extra bytes? */
    #if (defined(OpenBSD) && (OpenBSD <= 1991011) && (OpenBSD >= 199606))
        u_long  filler:8;  /* XXX FIXME do we care? */
        u_char  ifname[IFNAMSIZ];
    #else
        u_long  unit:8;
        u_char  ifname[4];
    #endif
    };

In the case of the header causing the buffer to finish on a non-32bit boundary, padding will be "appended" to ensure that the next log entry is aligned to a 32bit boundary.

If the packet contents are more than 128 bytes, then only 128 bytes of the packet contents are logged. Should the packet contents finish on a non-32bit boundary, then the last few bytes are not logged to ensure the log entry is aligned to a 32bit boundary.

ipl is a read-only (sequential) character pseudo-device.

The ioctls which are loaded with this device can be found under ipf(4). The only ioctl which is used for logging and doesn't affect the filter is:

    ioctl(fd, SIOCIPFFB, int *)

This ioctl flushes the log buffer and returns the number of bytes flushed.

There is currently no support for non-blocking IO with this device, meaning all read operations should be considered blocking in nature (if there is no data to read, it will sleep until some is made available).

SEE ALSO
ipf(4)

BUGS
Packet headers are dropped when the internal buffer (static size) fills.

FILES
/dev/ipl0

IPL(4)
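
The entry layout from the DESCRIPTION, as an added example that is not part of the man page or of the IPFilter sources: a bounds-checked walker over a buffer of log entries that rejects a data length above the stated 128-byte cap and stops at a truncated entry. It assumes a 32-bit u_long, the #else branch of the structure, and that each entry ends on the next 32-bit boundary after its headers and data; ipl_rec, ipl_walk and ipl_sample are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed layout: #else branch of struct ipl_ci with a 32-bit u_long. */
struct ipl_rec {
    uint32_t sec, usec, plen; /* log time; length of packet data logged */
    uint16_t hlen, rule;      /* length of headers logged; rule number or 0 */
    uint32_t flags_unit;      /* flags:24 and unit:8, left undecoded here */
    uint8_t  ifname[4];
};
#define IPL_MAX_PLEN 128u     /* data cap stated in the man page */
#define ALIGN4(n) (((size_t)(n) + 3u) & ~(size_t)3u)

/* Count whole entries in buf; -1 on an inconsistent header. *used receives
 * the bytes consumed, so a partial tail can be kept for the next read(). */
int ipl_walk(const uint8_t *buf, size_t len, size_t *used)
{
    size_t off = 0, next = 0;
    int n = 0;
    for (; len - off >= sizeof(struct ipl_rec); off = next, n++) {
        struct ipl_rec r;
        memcpy(&r, buf + off, sizeof r);   /* buf may be unaligned */
        if (r.plen > IPL_MAX_PLEN) { *used = off; return -1; }
        /* assumed: headers padded to 32 bits, then data, then padding */
        next = ALIGN4(off + sizeof r + ALIGN4(r.hlen) + r.plen);
        if (next > len) break;             /* truncated entry: stop */
        printf("%.4s rule=%d hlen=%d plen=%u\n", (const char *)r.ifname,
               r.rule, r.hlen, (unsigned)r.plen);
    }
    *used = off;
    return n;
}

/* Constructed sample entry (zeroed headers and data); returns its size. */
size_t ipl_sample(uint8_t *out, uint16_t hlen, uint32_t plen)
{
    struct ipl_rec r = { 1, 0, plen, hlen, 7, 0, { 'l', 'o', '0', 0 } };
    size_t total = ALIGN4(sizeof r + ALIGN4(hlen) + plen);
    memset(out, 0, total);
    memcpy(out, &r, sizeof r);
    return total;
}

int main(void)
{
    uint8_t buf[512];
    size_t used, n = ipl_sample(buf, 20, 8);
    n += ipl_sample(buf + n, 22, 5);
    return ipl_walk(buf, n, &used) == 2 ? 0 : 1;
}
```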

PFLOG(4)                                                   BSD Kernel Interfaces Manual                                                   PFLOG(4)

NAME
pflog -- packet filter logging interface

SYNOPSIS
device pflog

DESCRIPTION
The pflog interface is a pseudo-device which makes visible all packets logged by the packet filter, pf(4). Logged packets can easily be monitored in real time by invoking tcpdump(1) on the pflog interface, or stored to disk using pflogd(8).

The pflog0 interface is created automatically at boot if both pf(4) and pflogd(8) are enabled; further instances can be created using ifconfig(8).

Each packet retrieved on this interface has a header associated with it of length PFLOG_HDRLEN. This header documents the address family, interface name, rule number, reason, action, and direction of the packet that was logged. This structure, defined in <net/if_pflog.h>, looks like:

    struct pfloghdr {
        u_int8_t    length;
        sa_family_t af;
        u_int8_t    action;
        u_int8_t    reason;
        char        ifname[IFNAMSIZ];
        char        ruleset[PF_RULESET_NAME_SIZE];
        u_int32_t   rulenr;
        u_int32_t   subrulenr;
        uid_t       uid;
        pid_t       pid;
        uid_t       rule_uid;
        pid_t       rule_pid;
        u_int8_t    dir;
        u_int8_t    pad[3];
    };

EXAMPLES
Create a pflog interface and monitor all packets logged on it:

    # ifconfig pflog1 up
    # tcpdump -n -e -ttt -i pflog1

SEE ALSO
tcpdump(1), inet(4), inet6(4), netintro(4), pf(4), ifconfig(8), pflogd(8)

HISTORY
The pflog device first appeared in OpenBSD 3.0.

BSD                                                     December 10, 2001                                                     BSD