IPPL.CONF(5)                  File Formats Manual                  IPPL.CONF(5)

NAME
       ippl.conf - IP Protocols Logger configuration file

DESCRIPTION
       The ippl.conf file is the only configuration file for the ippl
       logger. It defines which protocols to log and which kinds of packets
       to log.

USER RUNNING THREADS
       For security reasons, ippl does not run the protocol logging threads
       as root unless told to. You can specify which user the threads should
       run as with the runas keyword.

PROTOCOLS
       Each protocol is handled by a separate thread. To run a thread, use
       the:

ADDRESS RESOLUTION
       You can enable or disable IP address resolution per protocol. To
       enable address resolution, use:

LOGGING FORMAT
       ippl can log IP protocols in a more or less detailed format. By
       default, it only shows the source address and the ICMP type or the
       destination port. A more detailed format is available, and so is a
       shorter one.

IDENT MECHANISM
       To enable IDENT remote username resolution, use the ident keyword. To
       disable it, use the noident keyword. Note that the information
       returned is *NOT* reliable in general, since it is supplied by the
       remote host itself. By default, ident resolution is off.

TCP CONNECTION TERMINATION
       ippl can detect when a TCP connection is closed. To enable this
       feature, use the logclosing keyword. To disable it, use the
       nologclosing keyword. By default, TCP connection terminations are
       ignored.

LOGGING MECHANISM
       ippl can log messages through syslog (using the LOG_DAEMON facility)
       or write them directly into a file. This is selected with the log-in
       keyword.

RULES
       When a thread runs, it catches every packet of the protocol it logs.
       Since you will usually want to ignore some of those packets, packets
       are selected with Apache-like rules. There are two types of rule: the
       first describes which packets to log, the second describes which
       packets to ignore. The syntax of a rule is as follows:

   Option
       The option keyword overrides the default values for this rule only
       (options is also recognized). Valid options are:

       resolve         enable IP address resolution.
       noresolve       disable IP address resolution.
       portresolve     enable IP service (port name) resolution.
       noportresolve   disable IP service resolution.
       ident           use ident logging (TCP only).
       noident         disable ident logging (TCP only).
       logclosing      log connection termination (TCP only).
       nologclosing    do not log connection termination (TCP only).
       short           use the short logging format.
       normal          use the normal logging format.
       detailed        use the detailed logging format.

   Protocol
       protocol is one of the supported protocols (see the PROTOCOLS
       section).

   Description
       description holds the type of packet and the hosts to which the rule
       applies.

       Type of packet:

       type <number>       Specify an ICMP message type.
       port <number>       Specify a destination TCP or UDP port number.
       port <name>         Specify a destination TCP or UDP port name.
       srcport <number>    Specify a source TCP or UDP port number.
       srcport <name>      Specify a source TCP or UDP port name.

       number is specified like this:

       n         Number n.
       n--       Every number m >= n.
       --n       Every number m <= n.
       l--k      Every number m with l <= m <= k.
       string    If a string is specified, it is either the name of a
                 service (see /etc/services) or an ICMP message.

       Keywords for ICMP messages are:

       echo_reply         0
       dest_unreach       3
       src_quench         4
       redirect           5
       echo_req           8
       router_advert      9
       router_solicit    10
       time_exceeded     11
       param_problem     12
       ts_req            13
       ts_reply          14
       info_req          15
       info_reply        16
       addr_mask_req     17
       addr_mask_reply   18

       Source of the packets:

       from <host>, where host is specified as follows:

       x.x.x.x             IP address of a host
       x.x.x.x/x.x.x.x     IP address followed by a network mask, to
                           specify a subnet
       x.x.x.x/n           IP address followed by the number of leading 1
                           bits in the network mask (the prefix length)
       host.net.domain     host name (wildcards accepted)

       Destination of the packets:

       to <host>, where host is specified as follows:

       x.x.x.x             IP address of the local interface
       host.net.domain     host name of the local interface (*no* wildcards
                           accepted)

       A to clause is useful only if you have multiple interfaces connected
       to your box, or if you use IP aliasing. It is also useful if you want
       to log or ignore broadcasts: to do so, just use your broadcast
       address as the destination IP address. Please note that rules using
       IP addresses are faster to check than rules using host names; a host
       name in a from clause is matched against the reverse DNS name of the
       source address, and that name is under the control of whoever
       administers the source's address space, not of you. If you log UDP,
       it is *strongly* recommended to ignore broadcasts (until an option
       for that is implemented).
EXPIRATION OF DNS CACHE
       The time for which ippl holds cached DNS data without performing any
       new queries can be changed.

FILES
       /etc/ippl.conf          configuration file
       /usr/share/doc/ippl/*   files worth reading if you still have a
                               question

SEE ALSO
       ippl(8)

AUTHORS
       Hugo Haas (hugo@larve.net)
       Etienne Bernard (eb@via.ecp.fr)

Last change: 11 February 2000