.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32 .\" .\" Standard preamble: .\" ======================================================================== .de Sh \" Subsection heading .br .if t .Sp .ne 5 .PP \fB\\$1\fR .PP .. .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. | will give a .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' .\" expand to `' in nroff, nothing in troff, for use with C<>. .tr \(*W-|\(bv\*(Tr .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\} .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} .\" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .hy 0 .if n .na .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . 
ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "IPFWCOUNT 1" .TH IPFWCOUNT 1 "2008-01-12" "perl v5.8.8" "User Contributed Perl Documentation" .SH "NAME" ipfwcount \- Summarise ipfw logs .SH "SYNOPSIS" .IX Header "SYNOPSIS" ipfwcount [\fB\-adinNoq\fR] [\fB\-e\fR \fIexpr\fR] \fB\-k\fR \fIkey\fR[,\fIkey\fR...] [\fB\-t\fR \fItop\fR] [\fIfile\fR...] .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBipfwcount\fR summarises \fIipfw\fR\|(8) logs by counting and sorting the fields. 
The following fields are recognised: .Sp .RS 4 rule action proto type shost sport dhost dport dir iface .RE .PP By default, all input lines are processed \- this can be restricted with the \&\fB\-a\fR, \fB\-d\fR, \fB\-i\fR and \fB\-o\fR options to count allowed, denied, incoming and outgoing packets respectively. .PP The logs can be filtered further with the \fB\-e\fR option \- see \*(L"\s-1EXAMPLES\s0\*(R". .PP At least one sort key must be given using the \fB\-k\fR option. \fBipfwcount\fR will list all the unique values in this field, from the most to the least common. Repeat this option to create multiple lists, or use comma-separated keys to create nested lists. .PP To list only the first \fItop\fR values in each field, use the \fB\-t\fR option. .PP If the \fB\-n\fR option is given, port numbers and \s-1IP\s0 addresses are resolved in the output. With the \fB\-N\fR option, all input lines are resolved before filtering (which may take some time). .PP If no files are specified, \fBipfwcount\fR reads from standard input. 
.SH "OPTIONS" .IX Header "OPTIONS" .IP "\fB\-a\fR" 4 .IX Item "-a" Count allowed packets .IP "\fB\-d\fR" 4 .IX Item "-d" Count denied packets .IP "\fB\-i\fR" 4 .IX Item "-i" Count incoming packets .IP "\fB\-n\fR" 4 .IX Item "-n" Look up host and service names .IP "\fB\-N\fR" 4 .IX Item "-N" Look up names before filtering .IP "\fB\-o\fR" 4 .IX Item "-o" Count outgoing packets .IP "\fB\-q\fR" 4 .IX Item "-q" Don't print headers .IP "\fB\-e\fR \fIexpr\fR" 4 .IX Item "-e expr" Filter expression (Perl) \- see \*(L"\s-1EXAMPLES\s0\*(R" .IP "\fB\-k\fR \fIkey\fR[,\fIkey\fR...]" 4 .IX Item "-k key[,key...]" Sort key(s) .IP "\fB\-t\fR \fItop\fR" 4 .IX Item "-t top" Show only the top \fItop\fR entries .SH "EXAMPLES" .IX Header "EXAMPLES" Show the top 10 denied ports for incoming traffic: .PP .Vb 1 \& ipfwcount -di -k dport -t 10 /var/log/security .Ve .PP Show the hosts attempting to connect to those ports: .PP .Vb 1 \& ipfwcount -di -k dport,shost -t 10 /var/log/security .Ve .PP Sort incoming connections by interface and protocol: .PP .Vb 1 \& ipfwcount -ai -k iface,proto /var/log/security .Ve .PP For more sophisticated filtering, use the \fB\-e\fR option \- it takes a Perl expression that is evaluated with the field names available as variables. .PP Show denied ports above 1024: .PP .Vb 1 \& ipfwcount -di -e 'dport > 1024' -k dport /var/log/security .Ve .PP Show traffic leaving the local network: .PP .Vb 1 \& ipfwcount -ao -e 'dhost !~ /^192\e.168/' -k dhost /var/log/security .Ve .PP Because the expression is evaluated as Perl code, the expression passed to \fB\-e\fR can also modify field values. This 'feature' may occasionally be useful. .PP Show the class C network of denied hosts: .PP .Vb 1 \& ipfwcount -di -e 'shost =~ s/\ed+$/0/' -k shost /var/log/security .Ve .PP Note that Perl uses different comparison operators for numbers and strings \- see \&\fIperlop\fR\|(1). .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIipfw\fR\|(8), \fIperlop\fR\|(1) .SH "AUTHOR" .IX Header "AUTHOR" Robert Archer