ipmon(1M)						  System Administration Commands						 ipmon(1M)

NAME

       ipmon - monitors /dev/ipl for logged packets

SYNOPSIS

       ipmon [-abDFhnpstvxX] [-N device] [ [o] [NSI]] [-O [NSI]]
	    [-P pidfile] [-S device] [-f device] [filename]

DESCRIPTION

       The ipmon command is part of a suite of commands associated with the Solaris IP Filter feature. See ipfilter(5).

       The  ipmon  command  opens /dev/ipl for reading and awaits data to be saved from the packet filter. The binary data read from the device is
       reprinted in human readable form. However, IP addresses are not mapped back to hostnames, nor are ports mapped back to service  names.  The
       output  goes  to standard output, by default, or a filename, if specified on the command line. Should the -s option be used, output is sent
       instead to syslogd(1M). Messages sent by means of syslog have the day, month, and year removed from the message, but  the  time	(including
       microseconds), as recorded in the log, is still included.

       Messages generated by ipmon consist of whitespace-separated fields. Fields common to all messages are:

	   o	  The date of packet receipt. This is suppressed when the message is sent to syslog.

	   o	  The time of packet receipt. This is in the form HH:MM:SS.F, for hours, minutes, seconds, and fractions of a second (which can be
		  several digits long).

	   o	  The name of the interface on which the packet was processed, for example, ib1.

	   o	  The group and rule number of the rule, for example, @0:17. These can be viewed with ipfstat -in for input rules or  ipfstat  -in
		  for output rules. See ipfstat(1M).

	   o	  The action: p for passed, b for blocked, s for a short packet, n did not match any rules, or L for a log rule.

	   o	  The  addresses. This is actually three fields: the source address and port (separated by a comma), the symbol ->, and the desti-
		  nation address and port. For example: 209.53.17.22,80 -> 198.73.220.17,1722.

	   o	  PR followed by the protocol name or number, for example, PR tcp.

	   o	  len followed by the header length and total length of the packet, for example, len 20 40.

       If the packet is a TCP packet, there will be an additional field starting with a hyphen followed by letters corresponding to any flags that
       were set. See ipf.conf(4) for a list of letters and their flags.

       If the packet is an ICMP packet, there will be two fields at the end, the first always being icmp, the next being the ICMP message and sub-
       message type, separated by a slash. For example, icmp 3/3 for a port unreachable message.

OPTIONS

       The following options are supported:

       -a

	   Open all of the device logfiles for reading log entries. All entries are displayed to the same output device (stderr or syslog).

       -b

	   For rules which log the body of a packet, generate hex output representing the packet contents after the headers.

       -D

	   Cause ipmon to turn itself into a daemon. Using subshells or backgrounding of ipmon is not required to turn it into an orphan so it can
	   run indefinitely.

       -f device

	   Specify an alternative device/file from which to read the log information for normal IP Filter log records.

       -F

	   Flush the current packet log buffer. The number of bytes flushed is displayed, even if the result is zero.

       -h

	   Displays usage information.

       -n

	   IP addresses and port numbers will be mapped, where possible, back into hostnames and service names.

       -N device

	   Set the logfile to be opened for reading NAT log records from or to device.

       -o letter

	   Specify  which log files from which to actually read data. N, NAT logfile; S, state logfile; I, normal IP Filter logfile. The -a option
	   is equivalent to using -o NSI.

       -O letter

	   Specify which log files you do not wish to read from. This is most commonly used in conjunction  with  the  -a.  Letters  available	as
	   parameters are the same as for -o.

       -p

	   Cause the port number in log messages always to be printed as a number and never attempt to look it up.

       -P pidfile

	   Write the PD of the ipmon process to a file. By default this is /var/run/ipmon.pid.

       -s

	   Packet  information	read in will be sent through syslogd rather than saved to a file. The default facility when compiled and installed
	   is local0. The following levels are used:

	   LOG_INFO

	       Packets logged using the log keyword as the action rather than pass or block.

	   LOG_NOTICE

	       Packets logged that are also passed.

	   LOG_WARNING

	       Packets logged that are also blocked.

	   LOG_ERR

	       Packets that have been logged and that can be considered "short".

       -S device

	   Set the logfile to be opened for reading state log records from or to device.

       -t

	   Read the input file/device in the way performed by tail(1).

       -v

	   Show TCP window, ack, and sequence fields

       -x

	   Show the packet data in hex.

       -X

	   Show the log header record data in hex.

FILES

	   o	  /dev/ipl

	   o	  /dev/ipnat

	   o	  /dev/ipstate

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWipfu			   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Committed 		   |
       +-----------------------------+-----------------------------+

SEE ALSO

       ipf(1M), ipfstat(1M), ipnat(1M), attributes(5), ipfilter(5)

DIAGNOSTICS

       ipmon expects data that it reads to be consistent with how it should be saved and aborts if it fails an assertion which detects an  anomaly
       in the recorded data.

SunOS 5.11							    3 Apr 2008								 ipmon(1M)