IPFWCOUNT(1) User Contributed Perl Documentation IPFWCOUNT(1)

NAME
ipfwcount - Summarise ipfw logs
SYNOPSIS
ipfwcount [-adinNoq] [-e expr] -k key[,key...] [-t top] [file...]
DESCRIPTION
ipfwcount summarises ipfw(8) logs by counting and sorting the fields.
The following fields are recognised:
rule action proto type shost sport dhost dport dir iface
By default, all input lines are processed - this can be restricted with
the -a, -d, -i and -o options to count allowed, denied, incoming and
outgoing packets respectively.
The logs can be filtered further with the -e option - see "EXAMPLES".
At least one sort key must be given using the -k option. ipfwcount will
list all the unique values in this field, from the most to the least
common. Repeat this option to create multiple lists, or use comma
separated keys to create nested lists.
To list only the first top values in each field, use the -t option.
If the -n option is given, port numbers and IP addresses are resolved to
service and host names in the output. With the -N option, every input
line is resolved before filtering, so -e expressions match against names
rather than numbers (this needs a lookup per line and may take some time).
If no files are specified, ipfwcount reads from standard input.
OPTIONS
-a Count allowed packets
-d Count denied packets
-i Count incoming packets
-n Lookup host and service names
-N Lookup names before filtering
-o Count outgoing packets
-q Don't print headers
-e expr
Filter expression - see "EXAMPLES"
-k key[,key...]
Sort key(s)
-t top
Show only the top top entries
EXAMPLES
Show the top 10 denied ports for incoming traffic:
ipfwcount -di -k dport -t 10 /var/log/security
Show the hosts attempting to connect to those ports:
ipfwcount -di -k dport,shost -t 10 /var/log/security
Sort incoming connections by interface and protocol:
ipfwcount -ai -k iface,proto /var/log/security
For more sophisticated filtering, use the -e option - it takes a Perl
expression, using field names as variables.
Show denied ports above 1024:
ipfwcount -di -e 'dport > 1024' -k dport /var/log/security
Show traffic leaving the local network:
ipfwcount -ao -e 'dhost !~ /^192\.168/' -k dhost /var/log/security
The expression passed to -e can also modify field values. This
'feature' may occasionally be useful.
Show the class C network of denied hosts:
ipfwcount -di -e 'shost =~ s/\d+$/0/' -k shost /var/log/security
Note that Perl uses different comparison operators for numbers (==, !=,
<, >) and strings (eq, ne, lt, gt) - see perlop(1). A port is a number,
so write 'dport > 1024'; a host is a string, so compare it with eq or
match it with =~ as above.
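Worked example (added here; it is not ipfwcount's own code, which is Perl): a
small Python equivalent of the pipeline the examples above describe - parse
ipfw(8) log lines into the fields listed under DESCRIPTION, apply the -a/-d,
-i/-o and -e filters, then rank and nest by the -k keys with a -t cut-off. It
assumes the ipfw(8) kernel log format "ipfw: <rule> <action> <proto> <src>[:<sport>]
<dst>[:<dport>] <in|out> via <iface>" with IPv4 addresses only, takes "allowed"
to mean action Accept and "denied" to mean Deny, and reads the `type` field as
the ICMP type.code suffix (e.g. ICMP:8.0); the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed ipfw(8) kernel log line as written to /var/log/security (IPv4 only):
#   ipfw: <rule> <action> <proto>[:<type>] <shost>[:<sport>] <dhost>[:<dport>] <in|out> via <iface>
# The ":<type>" suffix is assumed to be the ICMP type.code; such lines carry no ports.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z0-9]+)(?::(?P<type>[\d.]+))? "
    r"(?P<shost>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dhost>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample log (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Jan 12 10:23:45 fw kernel: ipfw: 12300 Deny TCP 203.0.113.5:44321 192.168.1.10:22 in via em0
Jan 12 10:23:46 fw kernel: ipfw: 12300 Deny TCP 203.0.113.5:44322 192.168.1.10:22 in via em0
Jan 12 10:23:47 fw kernel: ipfw: 12300 Deny TCP 198.51.100.9:51000 192.168.1.10:22 in via em0
Jan 12 10:23:48 fw kernel: ipfw: 12300 Deny TCP 198.51.100.9:51001 192.168.1.10:3389 in via em0
Jan 12 10:23:49 fw kernel: ipfw: 12300 Deny UDP 203.0.113.5:5000 192.168.1.10:161 in via em0
Jan 12 10:23:50 fw kernel: ipfw: 12300 Deny ICMP:8.0 203.0.113.7 192.168.1.10 in via em0
Jan 12 10:23:51 fw kernel: ipfw: 65000 Accept TCP 192.168.1.10:40000 198.51.100.1:443 out via em0
Jan 12 10:23:52 fw kernel: ipfw: 65000 Accept UDP 192.168.1.10:53210 198.51.100.1:53 out via em0
Jan 12 10:23:53 fw kernel: ipfw: 12300 Deny TCP 203.0.113.5:44323 192.168.1.10:8080 in via em0
Jan 12 10:23:54 fw kernel: ipfw: 12300 Deny TCP 203.0.113.5:44324 192.168.1.10:8443 in via em0
"""


def parse(lines):
    """Yield one field dict per line matching LOG_RE; non-matching lines are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            for k in ("rule", "sport", "dport"):
                rec[k] = int(rec[k]) if rec[k] is not None else None
            yield rec


def select(records, allowed=None, direction=None, where=None):
    """-a/-d (allowed=True/False), -i/-o (direction="in"/"out"), -e (where predicate)."""
    for rec in records:
        if allowed is True and rec["action"] != "Accept":
            continue
        if allowed is False and rec["action"] != "Deny":
            continue
        if direction is not None and rec["dir"] != direction:
            continue
        if where is not None and not where(rec):
            continue
        yield rec


def summarise(records, keys, top=None):
    """-k key[,key...] -t top: rank values of keys[0] from most to least common (ties
    broken by value so the listing is stable), keep the first `top`, and nest the same
    summary over keys[1:] under each value. Returns [(value, count, children)]."""
    records = list(records)
    first, rest = keys[0], keys[1:]
    groups = defaultdict(list)
    for rec in records:
        groups[rec[first]].append(rec)
    ranked = sorted(groups.items(), key=lambda kv: (-len(kv[1]), str(kv[0])))
    if top is not None:
        ranked = ranked[:top]
    return [(value, len(recs), summarise(recs, rest, top) if rest else [])
            for value, recs in ranked]


def render(summary, indent=0):
    """Flatten a nested summary into indented 'count  value' lines."""
    out = []
    for value, count, children in summary:
        out.append(f"{'  ' * indent}{count:6d}  {value}")
        out.extend(render(children, indent + 1))
    return out


def denied_incoming_by_port_and_host(text, top=10):
    """ipfwcount -di -k dport,shost -t 10"""
    recs = select(parse(text.splitlines()), allowed=False, direction="in")
    return summarise(recs, ("dport", "shost"), top)


def denied_high_ports(text):
    """ipfwcount -di -e 'dport > 1024' -k dport. ICMP lines have no dport; the manual
    does not say how the Perl tool treats that, so the predicate tests it explicitly."""
    recs = select(parse(text.splitlines()), allowed=False, direction="in",
                  where=lambda r: r["dport"] is not None and r["dport"] > 1024)
    return summarise(recs, ("dport",))


def denied_source_networks(text):
    """ipfwcount -di -e 'shost =~ s/\\d+$/0/' -k shost: rewrite the field before
    counting so sources are grouped by /24 rather than by host."""
    recs = list(select(parse(text.splitlines()), allowed=False, direction="in"))
    for rec in recs:
        rec["shost"] = re.sub(r"\d+$", "0", rec["shost"])
    return summarise(recs, ("shost",))


if __name__ == "__main__":
    print("\n".join(render(denied_incoming_by_port_and_host(SAMPLE_LOG, top=3))))
```

Running it prints the top three denied destination ports with the hosts that hit
each one nested underneath, in the shape of the second example above. The -e
predicate is a Python callable rather than an evaluated string, which is why
the field-rewriting form from the last example is done with an explicit loop.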
SEE ALSO
ipfw(8), perlop(1)

AUTHOR
Robert Archer <ipfwcount@deathbeforedecaf.net>
perl v5.20.3 2015-10-07 IPFWCOUNT(1)