pftop filter example
http://www.eee.metu.edu.tr/~canacar/pftop/
Pftop is a small, curses-based utility for real-time display of active states and rule statistics for pf, the packet filter. for OpenBSD.
Current release pftop-0.7, written and maintained by Can E. Acar.
Screenshots:
80 column:
120 column:
For more information read the manual page
Screenshots:
80 column:
pfTop: Up State 1-3/64, View: default, Order: none PR DIR SRC DEST STATE AGE EXP PKTS BYTES icmp Out 192.168.100.32:361 192.168.100.22:361 0:0 9 1 2 96 icmp Out 192.168.100.32:361 192.168.100.23:361 0:0 9 1 2 96 tcp In 192.168.100.7:1029 192.168.100.32:443 4:4 4165 86302 25871 9251K
120 column:
pfTop: Up State 1-3/68, View: default, Order: none PR DIR SRC DEST STATE AGE EXP PKTS BYTES tcp In 192.168.100.1:1029 192.168.100.32:80 ESTABLISHED:ESTABLISHED 01:12:52 23:58:55 25873 9473801 tcp In 192.168.100.9:38474 192.168.100.32:25 ESTABLISHED:ESTABLISHED 00:02:47 24:00:00 193 140803 tcp In 192.168.100.12:1031 192.168.100.32:110 ESTABLISHED:ESTABLISHED 06:27:26 23:55:31 37249 15556515
For more information read the manual page
STATE FILTERING
The expression filter selects which states will be displayed. It is based
on the tcpdump filtering language. The following is based on the tcpdump
manual page, modified for state filtering.
The filter expression consists of one or more primitives. Primitives
usually consist of an id (name or number) preceded by one or more quali-
fiers. There are three different kinds of qualifiers:
type Specify which kind of address component the id name or number
refers to. Possible types are host, net and port. If there is no
type qualifier, host is assumed.
dir Specify a the address component (src, dest, gateway) that id ap-
plies. Possible directions are src, dst, gw, src or dst, src and
dst. If there is no dir qualifier, src or dst or gw is assumed.
proto Restrict the match to a particular protocol. Possible protocols
are: ah, carp, esp, icmp, ip, ip6, pfsync, tcp, and udp. If there
is no protocol qualifier, all protocols consistent with the type
are assumed.
In addition to the above, there are some special primitive keywords that
don't follow the pattern and arithmetic expressions. All of these are
described below.
More complex filter expressions are built up by using the words and, or,
and not to combine primitives.
Allowable primitives are:
dst host host True if the IP destination field of the state is host,
which may be either an address or a name.
gw host host True if the IP gateway field of the state is host.
src host host True if the IP source field of the state is host.
host host True if either the IP source or destination or gateway of
the state is host. If host is a name with multiple IP ad-
dresses, each address will be checked for a match.
dst net net True if the IP destination address of the state has a net-
work number of net. net may be either a name from
/etc/networks or a network number (see networks(5) for de-
tails).
gw net net True if the IP gateway address of the state has a network
number of net.
src net net True if the IP source address of the state has a network
number of net.
net net True if either the IP source, destination or gateway ad-
dress of the state has a network number of net.
Any of the above host or net expressions can be prepended
with the keywords, ip, or ip6.
dst port port True if the packet is IP/TCP or IP/UDP and has a destina-
tion port value of port. The port can be a number or name
number or ambiguous name is used, only the port number is
checked;
port port True if either the source, destination or gateway port of
the state is port.
Any of the above port expressions can be prepended with
the keywords tcp or udp, as in:
tcp src port port
which matches only TCP states whose source port is port.
inbound, in True if the state has an inbound direction.
outbound, out True if the state has an outbound direction.
proto proto True if the IP protocol type of the state is proto. proto
can be a number or name from protocols(5), such as icmp,
udp, or tcp.
rnr num True if the state was generated with the rule number in
the main ruleset.
ah, carp esp, icmp, pfsync, tcp, udp
Abbreviations for: proto p where p is one of the above
protocols.
expr relop expr
True if the relation holds, where relop is one of `>',
`<', `>=', `<=', `=', `!=', and expr is an arithmetic ex-
pression composed of integer constants (expressed in
standard C syntax), the normal binary operators (`+', `-',
`*', `/', `&', `|'), a length operator, and special state
data accessors.
The following expressions can be used to access numerical
fields inside a state: inp, and outp return input and out-
put packet counts. inb, and outb is for input and output
bytes transferred through the state. age is the seconds
since the state is created, and exp is the number of sec-
onds left before the state expires.
Primitives may be combined using a parenthesized group of primitives and
operators. Allowable primitives and operators are:
Negation (``!'' or ``not'')
Concatenation (``&&'' or ``and'')
Alternation (``||'' or ``or'')
Negation has highest precedence. Alternation and concatenation have
equal precedence and associate left to right.
Expression arguments must be passed to pftop as a single argument. Since
the expression usually contains shell metacharacters, it should be placed
in quotes.
Nenhum comentário:
Postar um comentário