<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
<HTML><HEAD><TITLE>Filters</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.64">
<LINK REL="HOME" TITLE="IPTraf User's Manual" HREF="manual.html">
<LINK REL="PREVIOUS" TITLE="Additional Information" HREF="morelanmoninfo.html">
<LINK REL="NEXT" TITLE="UDP Filters" HREF="udpfilters.html">
</HEAD>
<BODY CLASS="CHAPTER" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER"><TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">IPTraf User's Manual</TH></TR>
<TR><TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="morelanmoninfo.html">&lt;&lt;&lt; Previous</A></TD><TD WIDTH="80%" ALIGN="center" VALIGN="bottom"></TD><TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="udpfilters.html">Next &gt;&gt;&gt;</A></TD></TR>
</TABLE><HR ALIGN="LEFT" WIDTH="100%"></DIV>
<DIV CLASS="CHAPTER"><H1><A NAME="FILTERS">Filters</A></H1>
<P> Filters are used to control the information displayed by the IP traffic monitor, general and detailed interface statistics, and TCP/UDP statistical breakdown. You may want to view statistics only on particular traffic, so you must restrict the information displayed. The filters also apply to logging activity.</P>
<DIV CLASS="NOTE"><P></P><TABLE CLASS="NOTE" WIDTH="100%" BORDER="0">
<TR><TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="./stylesheet-images/note.gif" HSPACE="5" ALT="Note"></TD><TH ALIGN="LEFT" VALIGN="CENTER"><B>Note</B></TH></TR>
<TR><TD> </TD><TD ALIGN="LEFT" VALIGN="TOP"><P> The filters affect the IP traffic monitor, the general and detailed interface statistics, and the TCP/UDP service monitor. The packet size breakdown and LAN station monitor are not affected. </P></TD></TR>
</TABLE></DIV>
<P> The IPTraf filter management system is accessible through the <I CLASS="EMPHASIS">Filters...</I> submenu.</P>
<DIV CLASS="FIGURE"><A NAME="AEN1245"></A><P><IMG SRC="iptraf-filtermenu.png"></P><P><B>Figure 1. 
The Filters submenu</B></P></DIV>
<DIV CLASS="SECT1"><H1 CLASS="SECT1"><A NAME="TCPFILTERS">TCP Filters</A></H1>
<P> The <I CLASS="EMPHASIS">Filters/TCP...</I> main menu option allows you to define a set of parameters that determine what TCP traffic to pass to the monitors. Selecting this option pops up another menu with the tasks used to define and apply custom TCP filters.</P>
<DIV CLASS="FIGURE"><A NAME="AEN1252"></A><P><IMG SRC="iptraf-tcpfltmenu.png"></P><P><B>Figure 2. The TCP filter menu</B></P></DIV>
<DIV CLASS="SECT2"><H2 CLASS="SECT2"><A NAME="AEN1255">Defining a New Filter</A></H2>
<P> A freshly installed program will have no filters defined, so before anything else, you will have to define a filter. You can do this by selecting the <I CLASS="EMPHASIS">Define new filter...</I> option.</P>
<P> Selecting this option displays a box asking you to enter a short description of the filter you are going to define. Just enter any text that clearly identifies the nature of the filter.</P>
<DIV CLASS="FIGURE"><A NAME="AEN1260"></A><P><IMG SRC="iptraf-tcpflt-dlg1.png"></P><P><B>Figure 3. The TCP filter name dialog</B></P></DIV>
<P> Press Enter when you're done with that box. As an alternative, you can also press Ctrl+X to cancel the operation. Following that will be another dialog box asking you for the source and target IP addresses, wildcard masks, and service ports.</P>
<P> You can enter addresses of individual hosts, networks, or a catch-all address. The nature of the address will be determined by the wildcard mask.</P>
<P> You'll notice two sets of fields. You fill these out with the information about your source and targets. Strictly speaking, because packets alone don't provide information about which side initiated the connection (except for SYN packets), you may think of these as "endpoint" fields rather than as strict source/destination fields. 
That means you can enter information about the "from" side in the first set of fields, and the "to" side in the second set, or vice versa. The order doesn't matter: each filter entry also matches packets flowing in the reverse direction.</P>
<P> Fill out the IP address of the hosts or networks in the first field marked <TT CLASS="COMPUTEROUTPUT">Host name/IP Address</TT>. Enter it in standard dotted-decimal notation. When done, press Tab to move to the Wildcard mask field. The wildcard mask is similar, but not identical, to a standard IP subnet mask. The wildcard mask is used to determine which bits to ignore when processing the filter. In most cases, it works much like a subnet mask. Place ones (1) under the bits you want the filter to recognize, and keep zeros (0) under the bits you want the filter to ignore. For example:</P>
<P>To recognize the host 207.0.115.44</P>
<DIV CLASS="INFORMALTABLE"><A NAME="AEN1269"></A><P></P>
<TABLE BORDER="0" WIDTH="100%" BGCOLOR="#E0E0E0" CELLSPACING="0" CELLPADDING="4" CLASS="CALSTABLE"><TBODY>
<TR><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP">IP address</TD><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">207.0.115.44</TT></TD></TR>
<TR><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP">Wildcard mask</TD><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">255.255.255.255</TT></TD></TR>
</TBODY></TABLE><P></P></DIV>
<P>To recognize all hosts belonging to network 202.47.132.<TT CLASS="REPLACEABLE"><I>x</I></TT></P>
<DIV CLASS="INFORMALTABLE"><A NAME="AEN1284"></A><P></P>
<TABLE BORDER="0" WIDTH="100%" BGCOLOR="#E0E0E0" CELLSPACING="0" CELLPADDING="4" CLASS="CALSTABLE"><TBODY>
<TR><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP">IP address</TD><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">202.47.132.0</TT></TD></TR>
<TR><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP">Wildcard mask</TD><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">255.255.255.0</TT></TD></TR>
</TBODY></TABLE><P></P></DIV>
<P>To recognize all hosts with any 
address:</P>
<DIV CLASS="INFORMALTABLE"><A NAME="AEN1298"></A><P></P>
<TABLE BORDER="0" WIDTH="100%" BGCOLOR="#E0E0E0" CELLSPACING="0" CELLPADDING="4" CLASS="CALSTABLE"><TBODY>
<TR><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP">IP address</TD><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0.0.0.0</TT></TD></TR>
<TR><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP">Wildcard mask</TD><TD WIDTH="50%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0.0.0.0</TT></TD></TR>
</TBODY></TABLE><P></P></DIV>
<P> The IP address/wildcard mask mechanism of the display filter doesn't recognize IP address class. It uses a simple bit-pattern matching algorithm.</P>
<P> The wildcard mask also does not have to end on a byte boundary; you may mask right into a byte itself. For example, 255.255.255.224 masks 27 bits (255 is 11111111, 224 is 11100000 in binary).</P>
<P> Leaving the wildcard mask fields blank or storing invalid data in them causes the filter to recognize the entries as 255.255.255.255.</P>
<P> IPTraf also accepts host names in place of the IP addresses. IPTraf will resolve the host name when the filter is loaded. When the filter is interpreted, the wildcard mask will also be applied. This can be useful in cases where a single host name may resolve to several IP addresses.</P>
<DIV CLASS="TIP"><P></P><TABLE CLASS="TIP" WIDTH="100%" BORDER="0">
<TR><TD WIDTH="25" ALIGN="CENTER" VALIGN="TOP"><IMG SRC="./stylesheet-images/tip.gif" HSPACE="5" ALT="Tip"></TD><TH ALIGN="LEFT" VALIGN="CENTER"><B>Tip</B></TH></TR>
<TR><TD> </TD><TD ALIGN="LEFT" VALIGN="TOP"><P> See the <I CLASS="EMPHASIS">Linux Network Administrator's Guide</I> if you need more information on IP addresses and subnet masking.</P></TD></TR>
</TABLE></DIV>
<P> The <TT CLASS="COMPUTEROUTPUT">Port</TT> fields should contain a port number of the service you may be interested in. Leave it at 0 to let the filter ignore it. 
You will most likely be interested in target ports rather than source ports (which are usually unpredictable anyway, perhaps with the exception of FTP data).</P>
<P> Fill out the second set of fields with the parameters of the opposite end of the connection. As previously mentioned, you may place either set of parameters in either set of fields. By default, the second set of parameters is preset to 0.0.0.0, 0.0.0.0, 0. Just Backspace or Delete over them and replace them if needed.</P>
<P> The last field is marked <TT CLASS="COMPUTEROUTPUT">Include/Exclude</TT>. This field allows you to decide whether to include or exclude matching packets from the display. Setting this field to <TT CLASS="COMPUTEROUTPUT">I</TT> causes the filter to display matching entries, while setting it to <TT CLASS="COMPUTEROUTPUT">E</TT> causes the filter to suppress the display of matching entries. This field is set to <TT CLASS="COMPUTEROUTPUT">I</TT> by default.</P>
<P> Press Enter to accept all parameters when done. The parameters will be accepted and you'll be presented with another blank form. You can enter as many sets of parameters as you wish. Press Ctrl+X at a blank form when done.</P>
<DIV CLASS="FIGURE"><A NAME="AEN1328"></A><P><IMG SRC="iptraf-tcpflt-dlg2.png"></P><P><B>Figure 4. 
The TCP filter parameters dialog</B></P></DIV>
<DIV CLASS="SECT3"><H3 CLASS="SECT3"><A NAME="AEN1331">Examples</A></H3>
<P>To see all traffic to/from host 202.47.132.1 from/to 207.0.115.44, regardless of TCP port </P>
<DIV CLASS="INFORMALTABLE"><A NAME="AEN1334"></A><P></P>
<TABLE BORDER="0" WIDTH="100%" BGCOLOR="#E0E0E0" CELLSPACING="0" CELLPADDING="4" CLASS="CALSTABLE"><TBODY>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Host name/IP Address</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">202.47.132.2</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">207.0.115.44</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Wildcard mask</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">255.255.255.255</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">255.255.255.255</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Port</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Include/Exclude</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">I</TT></TD><TD> </TD></TR>
</TBODY></TABLE><P></P></DIV>
<P>To see all traffic from/to host 207.0.115.44 to/from all hosts on network 202.47.132.x</P>
<DIV CLASS="INFORMALTABLE"><A NAME="AEN1363"></A><P></P>
<TABLE BORDER="0" WIDTH="100%" BGCOLOR="#E0E0E0" CELLSPACING="0" CELLPADDING="4" CLASS="CALSTABLE"><TBODY>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Host name/IP Address</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">207.0.115.44</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">202.47.132.0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Wildcard 
mask</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">255.255.255.255</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">255.255.255.0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Port</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Include/Exclude</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">I</TT></TD><TD> </TD></TR>
</TBODY></TABLE><P></P></DIV>
<P> To see all Web traffic, regardless of source or destination</P>
<DIV CLASS="INFORMALTABLE"><A NAME="AEN1392"></A><P></P>
<TABLE BORDER="0" WIDTH="100%" BGCOLOR="#E0E0E0" CELLSPACING="0" CELLPADDING="4" CLASS="CALSTABLE"><TBODY>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Host name/IP Address</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0.0.0.0</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0.0.0.0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Wildcard mask</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0.0.0.0</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0.0.0.0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Port</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">80</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Include/Exclude</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">I</TT></TD><TD> </TD></TR>
</TBODY></TABLE><P></P></DIV>
<P> To see all mail (SMTP) traffic to a single host (202.47.132.2) from anywhere </P>
<DIV CLASS="INFORMALTABLE"><A NAME="AEN1421"></A><P></P>
<TABLE BORDER="0" WIDTH="100%" BGCOLOR="#E0E0E0" CELLSPACING="0" CELLPADDING="4" CLASS="CALSTABLE"><TBODY>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Host name/IP 
Address</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">202.47.132.2</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0.0.0.0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Wildcard mask</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">255.255.255.255</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0.0.0.0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Port</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">25</TT></TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">0</TT></TD></TR>
<TR><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP">Include/Exclude</TD><TD WIDTH="33%" ALIGN="LEFT" VALIGN="TOP"><TT CLASS="COMPUTEROUTPUT">I</TT></TD><TD> </TD></TR>
</TBODY></TABLE><P></P></DIV>
<P> To see traffic to/from host sunsite.unc.edu from/to cebu.mozcom.com</P>
<DIV CLASS="INFORMALTABLE"><A NAME="AEN1450"></A><P></P>
<TABLE BORDER="0" WIDTH="100%" BGCOLOR="#E0E0E0" CELLSPACING="0" CELLPADDING="4" CLASS="CALSTABLE"><TBODY>
<TR><TD WIDTH="33%" ALIGN="LEFT"
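
The matching rules described under "Defining a New Filter" (mask bits set to 1 are compared, a blank or invalid mask is read as 255.255.255.255, port 0 is ignored, and an entry matches in both directions), written out as an added example that is not IPTraf's own code. The struct and function names are hypothetical, host names are not resolved, and only a single entry is evaluated, so it can be used to check what one entry would show or hide before relying on filtered logs.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* One side of a filter entry as typed into the dialog (hypothetical struct). */
struct endpoint { const char *addr; const char *mask; unsigned port; };
struct entry { struct endpoint a, b; char action; /* 'I' or 'E' */ };

/* Dotted-decimal text to a host-order integer; returns 0 on blank or invalid text. */
static int parse_ip(const char *s, uint32_t *out)
{
    struct in_addr in;
    if (s == NULL || inet_pton(AF_INET, s, &in) != 1)
        return 0;
    *out = ntohl(in.s_addr);
    return 1;
}

/* Mask bit 1 = compare this bit, 0 = ignore it; port 0 = any port. */
static int side_matches(const struct endpoint *e, const char *ip, unsigned port)
{
    uint32_t want, mask, have;
    if (!parse_ip(e->addr, &want) || !parse_ip(ip, &have))
        return 0;
    if (!parse_ip(e->mask, &mask))
        mask = 0xFFFFFFFFu; /* blank or invalid mask is read as 255.255.255.255 */
    return ((want ^ have) & mask) == 0 && (e->port == 0 || e->port == port);
}

/* Returns 'I' or 'E' if the packet matches the entry in either direction, 0 if not. */
char entry_verdict(const struct entry *f, const char *src, unsigned sport,
                   const char *dst, unsigned dport)
{
    int fwd = side_matches(&f->a, src, sport) && side_matches(&f->b, dst, dport);
    int rev = side_matches(&f->a, dst, dport) && side_matches(&f->b, src, sport);
    return (fwd || rev) ? f->action : 0;
}

int main(void)
{
    /* The page's SMTP entry; the peer address and ports below are constructed. */
    struct entry smtp = { {"202.47.132.2", "255.255.255.255", 25},
                          {"0.0.0.0", "0.0.0.0", 0}, 'I' };
    printf("%c\n", entry_verdict(&smtp, "198.51.100.7", 40000, "202.47.132.2", 25));
    printf("%d\n", entry_verdict(&smtp, "198.51.100.7", 40000, "202.47.132.2", 80));
    return 0;
}
```

A return value of 0 means the entry says nothing about the packet; how IPTraf treats packets that match no entry is not covered on this page.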