IPFCOUNT(1)           User Contributed Perl Documentation          IPFCOUNT(1)
NAME
       ipfcount - Summarise ipf logs
SYNOPSIS
       ipfcount [-binNopq] [-e expr] -k key[,key...] [-t top] [file...]
DESCRIPTION
       ipfcount summarises ipf(8) logs by counting and sorting the fields.
       The following fields are recognised:
           iface group rule action shost sport dhost dport proto flags type
           dir
       By default, all input lines are processed - this can be restricted with
       the -b, -p, -i and -o options to count blocked, passed, incoming and
       outgoing packets respectively.
       The logs can be filtered further with the -e option - see "EXAMPLES".
       At least one sort key must be given using the -k option. ipfcount will
       list all the unique values in this field, from the most to the least
       common.  Repeat this option to create multiple lists, or use comma
       separated keys to create nested lists.
       To list only the first top values in each field, use the -t option.
       If the -n option is given, port numbers and IP addresses are resolved
       in the output. With the -N option, all input lines are resolved before
       filtering (which may take some time).
       If no files are specified, ipfcount reads from standard input.
OPTIONS
       -b  Count blocked packets
       -i  Count incoming packets
       -n  Look up host and service names
       -N  Look up names before filtering
       -o  Count outgoing packets
       -p  Count passed packets
       -q  Don't print headers
       -e expr
           Filter expression - see "EXAMPLES"
       -k key[,key...]
           Sort key(s)
       -t top
           Show only the top top entries
EXAMPLES
       Show the top 10 blocked ports for incoming traffic:
           ipfcount -bi -k dport -t 10 /var/log/local0
       Show the hosts attempting to connect to those ports:
           ipfcount -bi -k dport,shost -t 10 /var/log/local0
       Sort incoming connections by interface and protocol:
           ipfcount -pi -k iface,proto /var/log/local0
       For more sophisticated filtering, use the -e option - it takes a Perl
       expression, using field names as variables.
       (These examples assume that ipmon(8) was invoked without the -n
       option.)
       Show blocked ports above 1024:
           ipfcount -bi -e 'dport > 1024' -k dport /var/log/local0
       Show traffic leaving the local network:
           ipfcount -po -e 'dhost !~ /^192\.168/' -k dhost /var/log/local0
       The expression passed to -e can also modify field values. This
       'feature' may occasionally be useful.
       Show the class C network of blocked hosts:
           ipfcount -bi -e 'shost =~ s/\d+$/0/' -k shost /var/log/local0
       Note that Perl uses different comparison operators for numbers and
       strings - see perlop(1).
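       The selection and nested counting behind "-bi -k dport,shost -t top",
       sketched in Python as an added example (not ipfcount's own code or
       output format). The log line layout in the regular expression and the
       sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed ipmon(8) layout, numeric output (ipmon run without -n):
#   <time> <iface> @<group>:<rule> <action> <shost>,<sport> -> <dhost>,<dport> PR <proto> ... IN|OUT
LINE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<shost>[^,\s]+)(?:,(?P<sport>\S+))? -> "
    r"(?P<dhost>[^,\s]+)(?:,(?P<dport>\S+))? PR (?P<proto>\S+)"
    r".*?(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)\b"
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    "ipmon[312]: 10:00:00.10 em0 @0:4 b 203.0.113.7,40001 -> 192.168.1.10,23 PR tcp len 20 60 -S IN",
    "ipmon[312]: 10:00:01.20 em0 @0:4 b 203.0.113.7,40002 -> 192.168.1.10,23 PR tcp len 20 60 -S IN",
    "ipmon[312]: 10:00:02.30 em0 @0:4 b 198.51.100.9,51515 -> 192.168.1.10,23 PR tcp len 20 60 -S IN",
    "ipmon[312]: 10:00:03.40 em0 @0:4 b 198.51.100.9,51516 -> 192.168.1.10,445 PR tcp len 20 60 -S IN",
    "ipmon[312]: 10:00:04.50 em0 @0:2 p 192.168.1.10,33000 -> 203.0.113.80,443 PR tcp len 20 60 -S OUT",
]

def parse(lines):
    """Yield one dict of named fields per line that matches the assumed layout."""
    for line in lines:
        m = LINE.search(line)
        if m:
            yield m.groupdict()

def nested_top(records, outer, inner, top):
    """Count `outer` values and, within each, `inner` values; most common first."""
    totals, nested = Counter(), defaultdict(Counter)
    for r in records:
        totals[r[outer]] += 1
        nested[r[outer]][r[inner]] += 1
    return [(k, n, nested[k].most_common(top)) for k, n in totals.most_common(top)]

def blocked_incoming(lines, outer, inner, top):
    """Keep blocked ('b') incoming ('IN') packets, then build the nested list."""
    recs = [r for r in parse(lines) if r["action"] == "b" and r["dir"] == "IN"]
    return nested_top(recs, outer, inner, top)

if __name__ == "__main__":
    for port, n, hosts in blocked_incoming(SAMPLE, "dport", "shost", 10):
        print(n, port, hosts)
```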
SEE ALSO
       ipf(8), ipmon(8), perlop(1)
AUTHOR
       Robert Archer <ipfcount@deathbeforedecaf.net>
perl v5.20.3                      2015-10-07                       IPFCOUNT(1)