IPFWFLOW(8) BSD System Manager's Manual IPFWFLOW(8)

NAME
ipfwflow - monitor IP flows

SYNOPSIS
ipfwflow [filter] [-mnov] [-f flows] [-F maxflows] [-g serial] [-i index]
[-s serial] [-t when] [{in|out|both} size]
DESCRIPTION
The ipfwflow utility is used to insert, maintain, and examine flow
monitoring data. The filter, which may be any of the filtering points
below but is most typically pre-input (the default filter), may be any of:
pre-input
A filter on all IP packets as they first enter IP processing
input A filter on IP packets destined for the local machine, after
fragment re-assembly.
forward
A filter on IP packets being forwarded through this machine.
pre-output
A filter on all IP packets leaving this machine, prior to routing.
output A filter on IP packets generated locally by this machine.
call Not an actual filtering point; this chain should contain filters
to be called from a BPF-based filter.
A filter is installed by specifying in, out, or both along with the size
of the hash table that is used to hold the flows. The size of the hash
table does not limit the number of flows; however, having 100x more flows
than hash table entries will certainly impact performance. In general
the hash table should be no more than 5x or 10x the number of expected
flows.
With no arguments (options only), statistics about the flows are
displayed, and old entries may be timed out (see the -t option below).
The following options are available:
-f flows
Specify the number of empty flows that should be pre-allocated
upon creation. If the number of flows exceeds the pre-allocated
amount, malloc() is called inside the kernel to obtain more,
impacting performance while that allocation is being processed.
-F maxflows
Specify the maximum number of flows we will allow. If more than
this number of flows are used, the oldest flow will be removed
and reported.
-g serial
Glue this ipfwflow to the already existing flow which has the
specified serial number. This is used to coordinate in and out
flows on different interfaces.
-i index
Index number of the interface to limit flow monitoring to.
-m Monitor the IPFW Flow socket for reports of flows that are
discarded because of too many flows.
-n Do not sort the output when examining flows.
-o Print flows in machine readable format.
-s serial
Specify the serial number of the flow to examine.
-t when
Remove all entries which have not seen a packet in the last when
seconds. Times may be modified with s, m, h, d, w, and y to
specify seconds, minutes, hours, days, weeks and years. For
example: 1m30s is 1 minute and 30 seconds. A year is always
considered to have 365 days.
-v Only display how many flows have been allocated.
HUMAN DISPLAY FORMAT
The human readable display format displays 11 fields:
P The protocol number of the flow (6 is TCP)
srcaddr
One of the two addresses of the flow.
port The port number of the flow associated with the srcaddr.
This value is 0 for protocols other than TCP and UDP.
dstaddr
One of the two addresses of the flow.
port The port number of the flow associated with the dstaddr.
This value is 0 for protocols other than TCP and UDP.
duration
The number of seconds this flow saw data.
lastuse
The number of seconds since this flow last saw data.
b-in Number of bytes that flowed from srcaddr to dstaddr.
b-out Number of bytes that flowed from dstaddr to srcaddr.
p-in Number of packets that flowed from srcaddr to dstaddr.
p-out Number of packets that flowed from dstaddr to srcaddr.
MACHINE DISPLAY FORMAT
The machine readable format displays 13 space separated values:
o Serial number of the filter this flow belongs to.
o Protocol number of the flow.
o First address associated with the flow.
o Port number (0 if not TCP or UDP) associated with the first
address of the flow.
o Second address associated with the flow.
o Port number (0 if not TCP or UDP) associated with the second
address of the flow.
o Time the flow started. The time is represented as the number
of seconds since 00:00 01/01/70 GMT (a UNIX time stamp).
o Time the last packet was seen through the flow.
o Duration of the flow (last time - start time).
o Number of bytes sent from the first address of the flow.
o Number of bytes sent from the second address of the flow.
o Number of packets sent from the first address of the flow.
o Number of packets sent from the second address of the flow.
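The following is an added example, not part of ipfwflow or this manual: a Python parser for the 13-value machine readable format above that also implements the -t time syntax (1m30s, 365-day years) so the records can be checked for the same staleness that ipfwflow -t would time out. The sample records and the field names (serial, addr1, bytes1, and so on) are constructed for the example.

```python
import re

FIELDS = ("serial", "proto", "addr1", "port1", "addr2", "port2", "start", "last",
          "duration", "bytes1", "bytes2", "pkts1", "pkts2")
TEXT_FIELDS = {"addr1", "addr2"}          # everything else is an integer
# A year is always 365 days, as the -t option states.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 365 * 86400}

# Constructed sample records in the machine format (not real ipfwflow output).
SAMPLE_OUTPUT = """\
7 6 192.0.2.10 51234 198.51.100.5 22 934425600 934425780 180 4200 9800 40 55
7 17 192.0.2.10 53821 198.51.100.9 53 934425700 934425700 0 80 0 1 0
7 1 192.0.2.33 0 198.51.100.5 0 934425000 934425010 10 640 640 10 10
"""

def parse_line(line: str) -> dict:
    """Turn one 13-value record into a dict keyed by FIELDS, validating it."""
    vals = line.split()
    if len(vals) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} values, got {len(vals)}: {line!r}")
    flow = {k: (v if k in TEXT_FIELDS else int(v)) for k, v in zip(FIELDS, vals)}
    # The manual defines duration as last time - start time; reject records that disagree.
    if flow["duration"] != flow["last"] - flow["start"]:
        raise ValueError(f"duration mismatch in serial {flow['serial']}")
    # Ports are 0 for anything other than TCP (6) and UDP (17).
    if flow["proto"] not in (6, 17) and (flow["port1"] or flow["port2"]):
        raise ValueError(f"non-zero port on protocol {flow['proto']}")
    return flow

def parse_output(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def parse_when(spec: str) -> int:
    """Convert a -t argument such as '1m30s' to seconds; bare digits are seconds."""
    if spec.isdigit():
        return int(spec)
    parts = re.findall(r"(\d+)([smhdwy])", spec)
    if not parts or "".join(n + u for n, u in parts) != spec:
        raise ValueError(f"bad time specification {spec!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)

def lastuse(flow: dict, now: int) -> int:
    """Seconds since the flow last saw data (the human-format lastuse field)."""
    return now - flow["last"]

def stale_flows(flows: list, now: int, when: str) -> list:
    """Flows that 'ipfwflow -t when' would remove: no packet in the last when seconds."""
    limit = parse_when(when)
    return [f for f in flows if lastuse(f, now) > limit]
```

Running stale_flows(parse_output(SAMPLE_OUTPUT), 934425800, "1m30s") returns the UDP and ICMP records, since only the TCP flow has seen a packet within the last 90 seconds.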
SEE ALSO
ipfw(8)

Aug 12, 1999