Command Syntax in Detail

-h

Purpose

Shows command usage

Example

packetmon -h


-e expr

Purpose

Filters packets according to the given INSPECT expression (expr)

Example

packetmon -e "tcpport(23), accept;"

Default

If the -e option is not given, all packets are captured. Omitting -e is the same as running: packetmon -e "accept;"

Note: The -e option cannot be used with the -f option.

See also the -t option.


-f file

Purpose

This option filters packets according to INSPECT expressions in a given file. To use pre-defined INSPECT macros, the given file must include the '#include "fwmonitor.def"' directive.

Note: The -f option cannot be used with the -e option.

Example

packetmon -f inspect.dat

inspect.dat contents:

#include "fwmonitor.def"

tcpport(23), accept;


-f

Purpose

This option filters packets according to INSPECT expressions given in the standard input. To use pre-defined INSPECT macros, the input must include the directive:

#include "fwmonitor.def"

To stop command input and start packet inspection based on the given input, enter Ctrl-Z+<Enter> at a new line.

Note: The -f option cannot be used with the -e option.

Example

packetmon -f -

Standard input contents:

#include "fwmonitor.def"

tcpport(23), accept;

Ctrl-Z+<Enter>


-t

Purpose

The fwmonitor.def file includes all the predefined INSPECT macros you can use with the -e option. The fwmonitor.def file is included automatically when you use the -e option.

If you want to define new macros with the same name as those defined in fwmonitor.def, use the -t option to exclude fwmonitor.def, and include your own definition file.


-l len

Purpose

Limits the packet capture length to the given len bytes.

Note: len is the number of bytes to capture, counted from the start of the IP header. Regardless of the len value, the MAC header is always captured.

Example

packetmon -l 20

Default

If the -l option is not given, all packet data is captured

Comment

  • This option is useful if you have to debug highly sensitive communication data. The option lets you capture only the headers of a packet (e.g. the IP and TCP headers) while omitting the sensitive payload. You can debug the communication without seeing the actual data transmitted.

  • On computers experiencing a heavy load, you can use this option to reduce the file size by omitting the payload. The packetmon utility uses a buffer to transfer the packets from Kernel to user space. Reducing the packet length slows the rate at which the buffer fills.


-m mask

Purpose

By default packetmon captures packets before and after firewall inspection. The -m option lets you specify the capture points:

  • i

    Inbound packets before firewall inspection.

  • I

    Inbound packets after firewall inspection.

  • o

    Outbound packets before firewall inspection.

  • O

    Outbound packets after firewall inspection.

The mask can be any combination of the above.

Example

packetmon -m IO

Default

Not specifying the -m option is the same as running: packetmon -m iIoO


-x offset [, len]

Purpose

The -x option lets you print a packet's raw data. The value is an offset from the beginning of the IP header.

You can also use the len option to limit the data printed to the standard output (screen or file). If len is specified, data is printed from the offset for len number of bytes. If len is not specified, data is printed from the given offset until the end of the packet.

Note: Using the -l option can change the behavior of the -x offset option. Because -l truncates the captured data, less data is printed to the screen.

Examples

packetmon -x 20

packetmon -x 0,28

Default

Not specifying the -x option prevents a packet's raw data from being printed to the screen.
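The -l and -x options both count bytes from the start of the IP header, so choosing good values means knowing where the headers end. The following added example (not part of the packetmon documentation) parses a constructed IPv4/TCP packet to compute the header-only length you would pass to -l, and models what -x offset[,len] would show, with and without a -l cap. The packet contents, the function names and the behaviour modelled for -x are assumptions for illustration; the only facts taken from the page are that both offsets are relative to the IP header and that -l truncates what -x can print.

```python
import struct
from typing import Optional


def build_sample_packet() -> bytes:
    """Constructed sample: IPv4 header (20 bytes, no options) + TCP header
    (20 bytes, no options) + a 12-byte payload standing in for sensitive data."""
    payload = b"user: secret"  # constructed payload, not real traffic
    total_len = 20 + 20 + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (5 * 4 = 20 header bytes)
        0x00,                 # DSCP / ECN
        total_len,
        0x1234,               # identification (arbitrary)
        0x4000,               # flags: DF, fragment offset 0
        64,                   # TTL
        6,                    # protocol: TCP
        0,                    # checksum left as zero; not validated here
        bytes([192, 0, 2, 10]),   # source (documentation range)
        bytes([192, 0, 2, 20]),   # destination (documentation range)
    )
    tcp = struct.pack(
        "!HHIIBBHHH",
        40000, 23,            # source port, destination port (telnet, as in the -e example)
        1000, 2000,           # sequence, acknowledgement
        5 << 4,               # data offset 5 (5 * 4 = 20 header bytes), reserved bits 0
        0x18,                 # flags: PSH, ACK
        65535, 0, 0,          # window, checksum (zero), urgent pointer
    )
    return ip + tcp + payload


def ip_header_len(pkt: bytes) -> int:
    """Length of the IPv4 header in bytes, taken from the IHL nibble."""
    if not pkt or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    return (pkt[0] & 0x0F) * 4


def headers_only_len(pkt: bytes) -> int:
    """Bytes from the start of the IP header that cover the IP header plus the
    transport header. Passing this value to -l captures headers but no payload.
    TCP uses its data-offset nibble, UDP has a fixed 8-byte header, and any
    other protocol falls back to the IP header alone."""
    ihl = ip_header_len(pkt)
    proto = pkt[9]
    if proto == 6:    # TCP: data offset is the upper nibble of TCP header byte 12
        return ihl + (pkt[ihl + 12] >> 4) * 4
    if proto == 17:   # UDP
        return ihl + 8
    return ihl


def slice_like_x(pkt: bytes, offset: int, length: Optional[int] = None,
                 cap: Optional[int] = None) -> bytes:
    """Assumed model of -x offset[,len]: return bytes from `offset` (relative to
    the IP header) for `length` bytes, or to the end of the packet when `length`
    is None. `cap` models a -l limit, which is applied before the -x slice."""
    data = pkt if cap is None else pkt[:cap]
    if length is None:
        return data[offset:]
    return data[offset:offset + length]


if __name__ == "__main__":
    pkt = build_sample_packet()
    print("IP header length:", ip_header_len(pkt))          # 20
    print("suggested -l value:", headers_only_len(pkt))     # 40
    print("-x 40 without -l:", slice_like_x(pkt, 40))       # the payload
    print("-x 40 with -l 40:", slice_like_x(pkt, 40, cap=40))  # nothing left to print
```

The point the two functions make together: `packetmon -l 40` with this packet keeps the IP and TCP headers and drops the payload, and any later `-x 40` shows nothing because the bytes were never captured. Packets with IP or TCP options have larger headers, which is why the length is computed from the IHL and data-offset fields rather than hard-coded.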


-o file

Purpose

The -o option saves raw packet data to a file. The file format is the one used by tools such as snoop (RFC 1761), so the file can be examined with Wireshark, snoop, tcpdump, or similar tools.

Example

packetmon -o capture.cap
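For a quick offline sanity check of a capture file, or to process one in a script where no packet analyser is available, the RFC 1761 snoop format is simple enough to read directly. The following added example (not part of the packetmon documentation or its code) writes a constructed snoop v2 file in memory and reads it back, validating the magic, version and record lengths as it goes. The frames and timestamps are made up; the file header and record layout (big-endian fields, data padded to a 4-byte boundary) follow RFC 1761. A record whose included length is shorter than its original length is a truncated packet, which is what a capture taken with -l produces.

```python
import struct
from typing import Dict, List, Optional, Tuple

SNOOP_MAGIC = b"snoop\x00\x00\x00"
SNOOP_VERSION = 2
DL_ETHERNET = 4                      # datalink type value for Ethernet in RFC 1761

_FILE_HDR = struct.Struct("!8sII")   # magic, version, datalink type
_REC_HDR = struct.Struct("!IIIIII")  # original len, included len, record len,
                                     # cumulative drops, seconds, microseconds

# One capture record to write: (seconds, microseconds, frame bytes, original length
# or None when the frame was captured whole).
Record = Tuple[int, int, bytes, Optional[int]]


def write_snoop(records: List[Record], datalink: int = DL_ETHERNET) -> bytes:
    """Serialise records into a snoop v2 file image."""
    out = bytearray(_FILE_HDR.pack(SNOOP_MAGIC, SNOOP_VERSION, datalink))
    drops = 0
    for sec, usec, frame, orig_len in records:
        incl_len = len(frame)
        orig_len = incl_len if orig_len is None else orig_len
        if orig_len < incl_len:
            raise ValueError("original length cannot be smaller than included length")
        pad = (-incl_len) % 4                      # data is padded to a 4-byte boundary
        rec_len = _REC_HDR.size + incl_len + pad
        out += _REC_HDR.pack(orig_len, incl_len, rec_len, drops, sec, usec)
        out += frame + b"\x00" * pad
    return bytes(out)


def read_snoop(blob: bytes) -> Tuple[int, List[Dict]]:
    """Parse a snoop v2 file image; returns (datalink type, list of packet dicts).
    Malformed input raises ValueError instead of being silently misread."""
    if len(blob) < _FILE_HDR.size:
        raise ValueError("file too short for a snoop header")
    magic, version, datalink = _FILE_HDR.unpack_from(blob, 0)
    if magic != SNOOP_MAGIC:
        raise ValueError("bad magic: not a snoop file")
    if version != SNOOP_VERSION:
        raise ValueError(f"unsupported snoop version {version}")

    packets = []
    pos = _FILE_HDR.size
    while pos < len(blob):
        if len(blob) - pos < _REC_HDR.size:
            raise ValueError(f"truncated record header at offset {pos}")
        orig_len, incl_len, rec_len, drops, sec, usec = _REC_HDR.unpack_from(blob, pos)
        # The record length must cover its header and data, and must stay within the file.
        if rec_len < _REC_HDR.size + incl_len or pos + rec_len > len(blob):
            raise ValueError(f"corrupt record length at offset {pos}")
        if incl_len > orig_len:
            raise ValueError(f"included length exceeds original length at offset {pos}")
        start = pos + _REC_HDR.size
        packets.append({
            "timestamp": sec + usec / 1_000_000,
            "drops": drops,
            "original_len": orig_len,
            "data": blob[start:start + incl_len],
            "truncated": incl_len < orig_len,     # e.g. a capture taken with -l
        })
        pos += rec_len
    return datalink, packets


def sample_file() -> bytes:
    """Constructed two-record capture: one whole 34-byte frame, one frame cut to 60
    of an original 1514 bytes."""
    whole = b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 19
    cut = b"\xff" * 60
    return write_snoop([(1_700_000_000, 250_000, whole, None),
                        (1_700_000_001, 0, cut, 1514)])


if __name__ == "__main__":
    dl, pkts = read_snoop(sample_file())
    print("datalink:", dl)
    for p in pkts:
        print(f"{p['timestamp']:.6f} len={len(p['data'])}/{p['original_len']} "
              f"truncated={p['truncated']}")
```

To read a real capture written with `packetmon -o capture.cap`, pass the file's bytes to `read_snoop` (for example `read_snoop(open("capture.cap", "rb").read())`); the datalink value tells you how to interpret the start of each frame, and the `truncated` flag tells you which records were cut short before you try to parse a transport header that may not be there.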


-ci count / -co count

Purpose

These options limit the number of packets captured. This is useful when you need to troubleshoot a firewall handling large amounts of traffic.

  • -ci

    Defines how many inbound packets to capture

  • -co

    Defines how many outbound packets to capture

Examples

packetmon -ci 5

packetmon -ci 3 -co 10


-I

Purpose

To avoid long interface names, this option prints the index of the interface on which the packet was received or sent. After the packet capture is stopped, a list of all interfaces (index and names) is printed.

Example

packetmon -I

Default

If the option is not specified, the interface name is printed.


-d

Purpose

This option shows packets dropped by the firewall. Use this option when you need to locate a packet missing from the output.

Example

packetmon -d

Default

Without this option, packetmon shows packets before they pass through the FW engine (i/o) and packets accepted by the FW engine (I/O). Packets that are dropped are not shown.


-r

Purpose

If a packet is dropped or accepted because of a rule, this option prints the name and the ID of the rule.

Example

packetmon -r


-T

Purpose

This option prints the time stamp for each packet.

Example

packetmon -T


-i

Purpose

Use this option to make sure that captured data for each packet is written immediately to the standard output (screen or file). This is useful if you want to kill a running packetmon capture process or be sure that all data is written to a file.

Example

packetmon -i > output.log