SunScreen 3.2 Administrator's Overview

Logged Network Packet Enhancements

SunScreen logs contain network traffic that arrives on multiple link-layer interfaces, interleaved in time. For this reason, it is important to record the interface on which each packet was received. The interface is recorded by the name of its Solaris device (for example, le0 or elx0).


Note -

For snoop, the interface being monitored is specified as a command-line option. This information is not retained in a snoop-produced capture file.


Additionally, you can configure a Screen to log network traffic for a variety of reasons: packets that passed successfully, packets that failed to match any rule, packets that arrived after their session state expired, and so on. The reason is recorded as an unsigned integer, commonly referred to as the why code. (See Appendix D, Error Messages for a complete table of these reasons.)

logdump displays these extended items and allows filtering on them, as shown in the table below.

Table 11-3 Examples: Extended Items for logdump

Extended Items for logdump / Description

logiface interface
    Restricts output based on an interface, using the logiface operator. It takes as its argument the name (or name prefix) of the desired interface. The name is compared in a case-insensitive manner. For example, to restrict log events to network traffic arriving on any qe network device, type ssadm -r Screen log get | ssadm logdump -i- logiface qe.

logwhy #
    Restricts output based on the reason a packet was logged. The logwhy operator takes as its argument a number representing a reason code, as described above. For example, to restrict log events to network traffic that was passed and logged, type ssadm -r Screen log get | ssadm logdump -i- logwhy 1.
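The following is an added illustration of the two filter semantics described above (case-insensitive name-prefix match for logiface, exact unsigned-integer match for logwhy), not SunScreen's own logdump code. The LogEvent record shape and the sample events are constructed for the example; SunScreen's actual log record format is not shown on this page, and why code 1 ("passed and logged") is the only code whose meaning is taken from the text.

```python
from dataclasses import dataclass

# Hypothetical record shape; SunScreen's real log format is not shown on this page.
@dataclass(frozen=True)
class LogEvent:
    iface: str  # Solaris device name on which the packet arrived, e.g. "qe0"
    why: int    # unsigned "why code" giving the reason the packet was logged
    src: str
    dst: str

def match_logiface(iface: str, wanted: str) -> bool:
    """logiface semantics: case-insensitive match on the name or a name prefix."""
    return iface.lower().startswith(wanted.lower())

def match_logwhy(why: int, wanted: int) -> bool:
    """logwhy semantics: exact match on the unsigned reason code."""
    if wanted < 0:
        raise ValueError("why code is an unsigned integer")
    return why == wanted

def filter_events(events, logiface=None, logwhy=None):
    """Apply either or both operators, as 'logdump ... logiface X logwhy N' would."""
    out = []
    for ev in events:
        if logiface is not None and not match_logiface(ev.iface, logiface):
            continue
        if logwhy is not None and not match_logwhy(ev.why, logwhy):
            continue
        out.append(ev)
    return out

def count_by_iface_and_why(events):
    """Tally events per (interface, why code) to see which interface produces
    the most entries that were logged for a reason other than 'passed' (why 1)."""
    counts = {}
    for ev in events:
        key = (ev.iface, ev.why)
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample events, not real SunScreen output. Why code 1 is the
# "passed and logged" value from the text; 7 is a placeholder with no meaning assigned.
SAMPLE = [
    LogEvent("qe0", 1, "10.0.0.5", "10.0.1.9"),
    LogEvent("QE1", 1, "10.0.0.6", "10.0.1.9"),
    LogEvent("qe0", 7, "10.0.0.7", "10.0.1.9"),
    LogEvent("hme0", 1, "192.168.1.2", "10.0.1.9"),
    LogEvent("le0", 7, "192.168.1.3", "10.0.1.9"),
]

if __name__ == "__main__":
    for ev in filter_events(SAMPLE, logiface="qe", logwhy=1):
        print(ev)
```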