       ipfm.conf - IP Flow Meter configuration file


       ipfm.conf is the ipfm(8) configuration file.

       A hash mark ("#") indicates that the rest of the line is a comment and
       will be ignored.

       The configuration rules will be interpreted from the end, and the first
       matching rule will be used, unless otherwise specified here.

       IPFM  uses  local  and global variables, so it can manage multiple logs
       (different time delay, different hosts, different log filename ...)  at
       the same time.

       Global  variables  will  be  used for all logs and local variables will
       only be used in the log being defined.


       Syntax : DEVICE <device-name>

              <device-name> is the device on which ipfm will log packets.
              IPFM monitors only one device.

   Time Coordinates
       Syntax : [UTC|local]

       This  decides  if  IPFM  will use UTC or local time in its outputs (log
       filename and the timestamp inside the file). Default is local.

       Note that IPFM works internally with UTC, and that the dates entered in
       the config file are UTC (see AFTER Syntax).

       Syntax : NEWLOG

       This creates a new log entry, where you can define new local variables.


       ipfm logs only specified hosts.

       Syntax: LOG [[NONE|FROM|TO|BOTH] <host>] [[NOT] WITH <host>]

       NONE   do not log anything from or to this <host>

       FROM   do log packets from this <host>

       TO     do log packets to this <host>

       BOTH   (default) do log packets from and to this <host>

       <host> can be :
              x.x.x.x           : an IP.
              x.x.x.x/x.x.x.x   : an IP followed by a subnet mask.

       WITH   specifies whether the packet is ignored (NOT WITH) or logged
              (WITH), depending on the second IP present in the packet.

       Examples :
              LOG NOT WITH
               will  log  any   packets   from   or   to   hosts   in   subnet
    ,    except   packets   involving   host

              LOG WITH
               will log any packets in relation with host

               will log everything.

       ipfm outputs its statistics every fixed period, with the ability to fix
       an exact time origin and offset, in Coordinated Universal Time (UTC).

       Syntax: DUMP EVERY <time> [AFTER <time>]

       <time> is composed of :
               <number> second(s)
               <number> minute(s)
               <number> hour(s)
               <number> day(s)

              Default DUMP time is 24 hours

              Default AFTER time is 0 seconds

              DUMP EVERY 30 minutes
               will dump the stats every 30 minutes at x:00 and x:30.

              DUMP EVERY 1 hour AFTER 7 minutes
               will dump the stats every hour, at 0:07, 1:07, 2:07, and so on,
              regardless of the time at which ipfm was launched.

              DUMP EVERY 1 day AFTER 14 hours
               will dump data every day at 14:00:00 UTC (in French local time
              during the summer, that is 16:00:00 +0200)

       You may want to clear your statistics sometimes, or after each dump.

       Syntax : CLEAR [ ALWAYS | NEVER | EVERY <time> [AFTER <time>] ]

       <time> is composed of :
               <number> second(s)
               <number> minute(s)
               <number> hour(s)
               <number> day(s)

              Default  CLEAR  mode is ALWAYS. Default AFTER time is 0 seconds.
              Note that both time values MUST be multiples of the DUMP delay.
              Also, this line MUST come after the DUMP line.

              CLEAR ALWAYS
               will clear the stats after every DUMP.

              CLEAR NEVER
               will   never  clear  the  stats,  which  means  you  are  doing
              incremental statistics.

              CLEAR EVERY 30 minutes
               will clear the stats every 30 minutes at x:00  and  x:30.  Note
              that  if  your  DUMP  line had an AFTER value such as 3 minutes,
              this rule will clear the stats at x:03 and x:33.

              CLEAR EVERY 1 hour AFTER 10 minutes
               will clear the stats every hour, at 0:10, 1:10,  2:10,  and  so
              on.  Note  that  if  your DUMP line had an AFTER value such as 3
              minutes, this rule will clear the stats at 0:13, 1:13, 2:13  and
              so on.
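
The CLEAR constraints above, checked mechanically. This is an added example, not part of ipfm or of the original page; it assumes each <time> is a single "<number> <unit>" term as in the page's examples, and the function names and sample configurations are constructed for illustration.

```python
import re

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
TIME = r"(\d+)\s+(second|minute|hour|day)s?"
# Assumption: each <time> is one "<number> <unit>" term, as in the page's examples.
RULE = re.compile(rf"(DUMP|CLEAR)\s+EVERY\s+{TIME}(?:\s+AFTER\s+{TIME})?$")

def to_seconds(number, unit):
    """Convert a matched <time>; an absent AFTER clause counts as 0 seconds."""
    return int(number) * UNIT_SECONDS[unit] if number else 0

def lint_clear(config_text):
    """Check one log definition's CLEAR EVERY line against its DUMP line.

    Returns (problems, schedule); schedule is (clear_every_s, offset_s) with
    offset_s = DUMP AFTER + CLEAR AFTER, or None when there is no CLEAR EVERY.
    """
    rules = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())   # drop '#' comments
        if m:
            rules[m[1]] = (lineno, to_seconds(m[2], m[3]), to_seconds(m[4], m[5]))
    if "CLEAR" not in rules:
        return [], None
    d_line, d_every, d_after = rules.get("DUMP", (0, 86400, 0))  # default: 24 hours
    c_line, c_every, c_after = rules["CLEAR"]
    problems = []
    if c_line < d_line:
        problems.append(f"line {c_line}: CLEAR must come after the DUMP line")
    for label, value in (("EVERY", c_every), ("AFTER", c_after)):
        if d_every == 0 or value % d_every:
            problems.append(f"line {c_line}: CLEAR {label} {value}s is not a "
                            f"multiple of the DUMP delay {d_every}s")
    return problems, (c_every, d_after + c_after)

# Constructed sample configurations (not from the ipfm distribution).
GOOD = """DUMP EVERY 10 minutes AFTER 3 minutes
CLEAR EVERY 1 hour AFTER 10 minutes   # clears at 0:13, 1:13, ...
"""
BAD = """CLEAR EVERY 45 minutes
DUMP EVERY 30 minutes
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_clear(text))
```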

       After each delay, ipfm writes its output into a file whose name is
       specified by the FILENAME rule.

       Syntax: FILENAME <filemask>

              <filemask> is a quoted string (e.g. "/path/to/filename") that
              is parsed using strftime(3) syntax.

       Default FILENAME is /var/log/ipfm/%d-%b.%H-%M
              NOTE : The file will be overwritten without any check.
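
Because the file is overwritten without any check, a FILENAME mask that is coarser than the DUMP schedule silently loses data. The sketch below is an added example, not part of ipfm or of the original page: it models the DUMP EVERY/AFTER schedule described earlier as aligned to the UTC clock (an assumption drawn from the page's examples), assumes UTC time coordinates, and lists the filenames that more than one dump would write; the function names, the non-default mask and the time windows are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def dump_times(every_s, after_s, start, end):
    """UTC instants in [start, end) at which a DUMP fires.

    Assumption modelling the documented behaviour: dumps sit on the UTC
    clock where (unix_time - after_s) is a multiple of every_s, regardless
    of when ipfm was launched.
    """
    t = int(start.timestamp())
    first = t + (after_s - t) % every_s        # first aligned instant >= start
    return [datetime.fromtimestamp(s, timezone.utc)
            for s in range(first, int(end.timestamp()), every_s)]

def overwritten_files(filemask, every_s, after_s, start, end):
    """Map each filename produced by more than one dump to those dump times.

    In REPLACE mode (the default) each later dump destroys the earlier file.
    """
    seen = defaultdict(list)
    for when in dump_times(every_s, after_s, start, end):
        seen[when.strftime(filemask)].append(when)
    return {name: times for name, times in seen.items() if len(times) > 1}

# Constructed observation window; the hour-granular mask below is hypothetical.
START = datetime(2000, 10, 26, tzinfo=timezone.utc)
DEFAULT_MASK = "/var/log/ipfm/%d-%b.%H-%M"

if __name__ == "__main__":
    day, year = START + timedelta(days=1), START + timedelta(days=366)
    # DUMP EVERY 30 minutes with an hour-granular mask: two dumps share each name.
    print(len(overwritten_files("/var/log/ipfm/%Y-%m-%d.%H", 1800, 0, START, day)))
    # The default mask has no year: a daily dump reuses last year's name.
    print(sorted(overwritten_files(DEFAULT_MASK, 86400, 0, START, year)))
```

Running the same check against a planned mask and DUMP line before deployment shows whether the chosen retention period fits inside the mask's repeat period.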

       You can activate or deactivate reverse DNS in the output file.

       WARNING : activating reverse DNS can considerably delay the production
       of the log file, due to DNS timeouts.

       Syntax : [RESOLVE|NORESOLVE]

       Default is NORESOLVE

       ipfm can sort output file depending on IN, OUT or TOTAL.

       Syntax : SORT IN|OUT|TOTAL

       Default is to sort nothing. Please note that this option could delay
       the production of the log file.

       You can choose to log all packets on the network (default) or only
       packets whose destination is your network device.

       This  option  could  also  be useful if you wish to set the promiscuous
       mode yourself (ifconfig eth0 [-]promisc), as the promisc mode  is  very
       badly handled under Linux.

       Please  note  that  under  Linux,  if  you  run a program that sets the
       promiscuous mode (for example tcpdump), ipfm will also see its  network
       interface set into promiscuous mode.

       Syntax : [NO]PROMISC

       Default is PROMISC

       You  can  choose  to  append  the  output  to an existing logfile or to
       replace the old file by a new one.

       Syntax : APPEND|REPLACE

       Default is REPLACE


       strftime(3), ipfm(8)


        Robert CHERAMY
        Andres KRAPF

                         Last change: 26 October 2000