Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
ipfstat(8)					       ipfstat(8)

NAME
       ipfstat	-  reports on packet filter statistics and filter
       list

SYNOPSIS
       ipfstat [ -6aAfghIinosv ] [ -d <device> ]

       ipfstat -t [ -C ] [ -D <addrport> ] [ -P <protocol> ] [ -S
       <addrport> ] [ -T <refresh time> ] [ -d <device> ]

DESCRIPTION
       ipfstat	examines  /dev/kmem  using the symbols _fr_flags,
       _frstats, _filterin, and _filterout.  To run and work,  it
       needs  to  be  able  to read both /dev/kmem and the kernel
       itself.	The kernel name defaults to /kernel.

       The default behaviour of ipfstat is to retrieve	and  dis­
       play  the  accumulated  statistics which have been accumu­
       lated over time as the kernel has put packets through  the
       filter.

OPTIONS
       -6     Display filter lists for IPv6, if available.

       -a     Display  the  accounting filter list and show bytes
	      counted against each rule.

       -A     Display packet authentication statistics.

       -C     This option is only valid in combination	with  -t.
	      Display  "closed"  states  as well in the top. Nor­
	      mally, a TCP connection is not  displayed  when  it
	      reaches  the  CLOSE_WAIT	protocol state. With this
	      option enabled, all state entries are displayed.

       -d <device>
	      Use a device other than  /dev/ipl  for  interfacing
	      with the kernel.

       -D <addrport>
	      This  option  is only valid in combination with -t.
	      Limit the state top  display  to	show  only  state
	      entries whose destination IP address and port match
	      the addport argument. The addrport specification is
	      of  the  form  ipaddress[,port].	The ipaddress and
	      port should be either numerical or the string "any"
	      (specifying  any ip address resp. any port). If the
	      -D option is not	specified,  it	defaults  to  "-D
	      any,any".

       -f     Show  fragment  state  information (statistics) and
	      held state information (in the kernel)  if  any  is
	      present.

								1

ipfstat(8)					       ipfstat(8)

       -g     Show  groups  currently configured (both active and
	      inactive).

       -h     Show per-rule the number of times each one scores a
	      "hit".  For use in combination with -i.

       -i     Display  the filter list used for the input side of
	      the kernel IP processing.

       -I     Swap between retrieving "inactive"/"active"  filter
	      list details.  For use in combination with -i.

       -n     Show  the  "rule	number"  for  each  rule as it is
	      printed.

       -o     Display the filter list used for the output side of
	      the kernel IP processing.

       -P <protocol>
	      This  option  is only valid in combination with -t.
	      Limit the state top  display  to	show  only  state
	      entries  that  match a specific protocol. The argu­
	      ment  can  be  a	protocol  name	(as  defined   in
	      /etc/protocols)  or  a  protocol	number.  If  this
	      option is not specified, state entries for any pro­
	      tocol are specified.

       -s     Show   packet/flow  state  information  (statistics
	      only).

       -sl    Show held state information (in the kernel) if  any
	      is present (no statistics).

       -S <addrport>
	      This  option  is only valid in combination with -t.
	      Limit the state top  display  to	show  only  state
	      entries  whose source IP address and port match the
	      addport argument. The addrport specification is  of
	      the  form ipaddress[,port].  The ipaddress and port
	      should be either	numerical  or  the  string  "any"
	      (specifying  any ip address resp. any port). If the
	      -S option is not	specified,  it	defaults  to  "-S
	      any,any".

       -t     Show  the  state table in a way similar to they way
	      top(1) shows  the  process  table.  States  can  be
	      sorted  using  a	number	of  different  ways. This
	      options requires ncurses(3) and needs  to  be  com­
	      piled  in. It may not be available on all operating
	      systems. See below, for  more  information  on  the
	      keys that can be used while ipfstat is in top mode.

       -T <refreshtime>
	      This option is only valid in combination	with  -t.

								2

ipfstat(8)					       ipfstat(8)

	      Specifies how often the state top display should be
	      updated. The refresh time is the number of  seconds
	      between an update. Any postive integer can be used.
	      The default (and minimal update time) is 1.

       -v     Turn verbose  mode  on.	Displays  more	debugging
	      information.

SYNOPSIS
       The  role  of ipfstat is to display current kernel statis­
       tics gathered as a result of applying the filters in place
       (if  any) to packets going in and out of the kernel.  This
       is the default operation when no command  line  parameters
       are present.

       When  supplied  with either -i or -o, it will retrieve and
       display the appropriate list  of  filter  rules	currently
       installed and in use by the kernel.

STATE TOP
       Using the -t option ipfstat will enter the state top mode.
       In this mode the state table is displayed similar  to  the
       way  top  displays  the	process table. The -C, -D, -P, -S
       and-T commandline options can  be  used	to  restrict  the
       state  entries  that will be shown and to specify the fre­
       quency of display updates.

       In state top mode, the  following  keys	can  be  used  to
       influence  the  displayed  information.	l  can be used to
       redraw the screen. q is used to quit the program. s can be
       used  to change the sorting criterion and r can be used to
       reverse the sorting criterion.

       States can be sorted by protocol number, by number  of  IP
       packets,  by  number  of  bytes and by time-to-live of the
       state entry. The default is  to	sort  by  the  number  of
       bytes.  States are sorted in descending order, but you can
       use the r key to sort them in ascending order.

STATE TOP LIMITATIONS
       It is currently not possible to interactively  change  the
       source,	destination  and  protocol  filters or the refreh
       frequency. This must be done from the command line.

       The screen must have at least 80 columns. This is  however
       not checked.

       Only  the first X-5 entries that match the sort and filter
       criteria are displayed (where X is the number of  rows  on
       the display. There is no way to see more entries.

       No support for IPv6

								3

ipfstat(8)					       ipfstat(8)

FILES
       /dev/kmem
       /dev/ipl
       /dev/ipstate
       /kernel

SEE ALSO
       ipf(8)

BUGS
       none known.

								4


NAME | SYNOPSIS | DESCRIPTION | OPTIONS | SYNOPSIS | STATE TOP | STATE TOP LIMITATIONS | FILES | SEE ALSO | BUGS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=ipfstat&manpath=FreeBSD+4.2-RELEASE>

home | help