ipfm.conf - IP Flow Meter configuration file
ipfm.conf is the ipfm(8) configuration file.
A hash mark (``#'') indicates that the end of the line is a comment and it will
The configuration rules will be interpreted from the end, and the first matching
rule will be used, unless specified here.
ipfm uses local and global variables, so it can manage multiple logs
(different time delay, different hosts, different log filename ...) at the
Global variables will be used for all logs and local variables will only be used
in the log being defined.
- is the device on which ipfm will log packets. IPFM monitors
only one device.
This decides if IPFM will use UTC or local time in its outputs (log filename and
the timestamp inside the file). Default is local.
Note that IPFM works internally with UTC, and that the dates entered in the
config file are UTC (see AFTER Syntax).
This creates a new log entry, where you can define new local variables.
HOSTS TO LOG
ipfm logs only specified hosts.
LOG [[NONE|FROM|TO|BOTH] <host>] [[NOT] WITH <host>]
- NONE : do not log anything from or to this <host>
- FROM : do log packets from this <host>
- TO : do log packets to this <host>
- BOTH : (default) do log packets from and to this <host>
- <host> can be :
- x.x.x.x : an IP.
- x.x.x.x/x.x.x.x : an IP followed by a
- [NOT] WITH <host> : specifies whether the packet is ignored (NOT WITH) or
logged (WITH), depending on the second IP present in the packet.
- Examples :
- LOG 10.10.10.0/255.255.255.0 NOT WITH 10.10.10.1
will log any packets from or to hosts in subnet 10.10.10.0/255.255.255.0,
except packets involving host 10.10.10.1 .
LOG WITH 10.10.10.23
will log any packets involving host 10.10.10.23
will log everything.
OUTPUT TIME DELAY
ipfm outputs its statistics every fixed period, with the ability to fix
an exact time origin and offset, in Coordinated Universal Time (UTC).
DUMP EVERY <time> [AFTER <time>]
- <time> is composed of :
Default DUMP time is 24 hours
Default AFTER time is 0 seconds
- DUMP EVERY 30 minutes
will dump the stats every 30 minutes at x:00 and x:30.
DUMP EVERY 1 hour AFTER 7 minutes
will dump the stats every hour, at 0:07, 1:07, 2:07, and so on, regardless
of the time at which ipfm was launched.
DUMP EVERY 1 day AFTER 14 hours
will dump data every day, at 14:00:00 UTC (in France, during the summer, this
is 16:00:00 +0200 local time)
You may want to clear your statistics sometimes, or after each dump.
CLEAR [ALWAYS | NEVER | EVERY <time> [AFTER <time>]]
- <time> is composed of :
Default CLEAR mode is ALWAYS. Default AFTER time is 0 seconds. Note that
both time values MUST be a multiple of the DUMP delay. Also, this line
MUST come after the DUMP line.
- CLEAR ALWAYS
will clear the stats after every DUMP.
CLEAR NEVER
will never clear the stats, which means you are doing incremental
CLEAR EVERY 30 minutes
will clear the stats every 30 minutes at x:00 and x:30. Note that if your
DUMP line had an AFTER value such as 3 minutes, this rule will clear the
stats at x:03 and x:33.
CLEAR EVERY 1 hour AFTER 10 minutes
will clear the stats every hour, at 0:10, 1:10, 2:10, and so on. Note that
if your DUMP line had an AFTER value such as 3 minutes, this rule will
clear the stats at 0:13, 1:13, 2:13 and so on.
At every delay, ipfm writes its output into a file whose name is specified
by the rule FILENAME
- is a quoted string (e.g. "/path/to/filename") that
is parsed using strftime(3) syntax.
- Default FILENAME is /var/log/ipfm/%d-%b.%H-%M
- NOTE : The file will be overwritten without any check.
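Whether a dump silently overwrites an earlier one depends on how the DUMP period interacts with the strftime(3) pattern in FILENAME. The following added example (not part of ipfm or its documentation) expands a pattern at each scheduled dump instant and returns the names that would be written more than once. It assumes UTC timestamps, dump instants counted from the Unix epoch, only the time units that appear in this page's examples, and a constructed second pattern.

```python
import re
from datetime import datetime, timedelta, timezone

# Units limited to those used in this page's examples (assumption: the full
# <time> grammar is not reproduced on the page).
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_time(text):
    """Convert e.g. '30 minutes' to seconds."""
    m = re.fullmatch(r"(\d+)\s+(second|minute|hour|day)s?", text.strip().lower())
    if not m:
        raise ValueError(f"unsupported <time>: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_dump(line):
    """Parse 'DUMP EVERY <time> [AFTER <time>]' into (period, offset) seconds."""
    m = re.fullmatch(r"DUMP\s+EVERY\s+(.+?)(?:\s+AFTER\s+(.+))?", line.strip())
    if not m:
        raise ValueError(f"not a DUMP rule: {line!r}")
    period = parse_time(m.group(1))
    offset = parse_time(m.group(2)) if m.group(2) else 0  # default AFTER is 0 s
    if period == 0:
        raise ValueError("DUMP period must be positive")
    return period, offset

def dump_instants(period, offset, start, days):
    """UTC dump instants in [start, start + days). Assumption: periods are
    counted from the Unix epoch, which reproduces the page's x:00/x:30 and
    14:00:00 UTC examples."""
    t = int(start.timestamp())
    t += (offset - t) % period  # first scheduled instant >= start
    end = int((start + timedelta(days=days)).timestamp())
    while t < end:
        yield datetime.fromtimestamp(t, tz=timezone.utc)
        t += period

def overwritten_files(dump_line, pattern, start, days=2):
    """Map each expanded FILENAME hit by more than one dump to those dumps."""
    period, offset = parse_dump(dump_line)
    hits = {}
    for when in dump_instants(period, offset, start, days):
        hits.setdefault(when.strftime(pattern), []).append(when)
    return {name: ts for name, ts in hits.items() if len(ts) > 1}

if __name__ == "__main__":
    start = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed start time
    for rule, pat in [("DUMP EVERY 30 minutes", "/var/log/ipfm/%d-%b.%H-%M"),
                      ("DUMP EVERY 1 hour AFTER 7 minutes", "/var/log/ipfm/%d-%b")]:
        for name, ts in overwritten_files(rule, pat, start).items():
            print(f"{rule!r}: {name} written {len(ts)} times")
```

With the default pattern and 30-minute dumps no name repeats within the two-day window, while the day-granular pattern collapses 24 hourly dumps into one file per day.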
You can activate or deactivate reverse DNS in the output file.
Activating reverse DNS can considerably delay the production of the
log file, due to DNS timeouts.
- Default is NORESOLVE
SORT OUTPUT FILE
ipfm can sort the output file by IN, OUT or TOTAL.
- Default is to sort nothing. Please note that this option
could slightly delay the production of the log file.
SET PROMISCUOUS MODE
You can choose to log all packets on the network (default) or only packets whose
destination is your network device.
This option could also be useful if you wish to set the promiscuous mode
yourself (ifconfig eth0 [-]promisc), as the promisc mode is very badly handled
Please note that under Linux, if you run a program that sets the promiscuous
mode (for example tcpdump), ipfm will also see its network interface
set into promiscuous mode.
- Default is PROMISC
You can choose to append the output to an existing logfile or to replace the old
file with a new one.
- Default is REPLACE
Robert CHERAMY <email@example.com>
Andres KRAPF <firstname.lastname@example.org>