Manual Reference Pages  -  IPFCOUNT (1)



NAME

ipfcount - Summarise ipf logs



SYNOPSIS

ipfcount [-binNopq] [-e expr] -k key[,key...] [-t top] [file...]


DESCRIPTION

ipfcount summarises ipf(8) logs by counting and sorting the fields. The following fields are recognised:

iface group rule action shost sport dhost dport proto flags type dir

By default, all input lines are processed - this can be restricted with the -b, -p, -i and -o options to count blocked, passed, incoming and outgoing packets respectively.

The logs can be filtered further with the -e option - see EXAMPLES.

At least one sort key must be given using the -k option. ipfcount will list all the unique values in this field, from the most to the least common. Repeat this option to create multiple lists, or use comma separated keys to create nested lists.

To list only the first top values in each field, use the -t option.

If the -n option is given, port numbers and IP addresses are resolved in the output. With the -N option, all input lines are resolved before filtering (which may take some time).

If no files are specified, ipfcount reads from standard input.


OPTIONS

-b                Count blocked packets
-i                Count incoming packets
-n                Lookup host and service names
-N                Lookup names before filtering
-o                Count outgoing packets
-p                Count passed packets
-q                Don’t print headers
-e expr           Filter expression - see EXAMPLES
-k key[,key...]   Sort key(s)
-t top            Show only the top top entries


EXAMPLES

Show the top 10 blocked ports for incoming traffic:

    ipfcount -bi -k dport -t 10 /var/log/local0

Show the hosts attempting to connect to those ports:

    ipfcount -bi -k dport,shost -t 10 /var/log/local0

Sort incoming connections by interface and protocol:

    ipfcount -pi -k iface,proto /var/log/local0

For more sophisticated filtering, use the -e option - it takes a Perl expression, using field names as variables.

(These examples assume that ipmon(8) was invoked without the -n option.)

Show blocked ports above 1024:

    ipfcount -bi -e 'dport > 1024' -k dport /var/log/local0

Show traffic leaving the local network:

    ipfcount -po -e 'dhost !~ /^192\.168/' -k dhost /var/log/local0

The expression passed to -e can also modify field values. This ’feature’ may occasionally be useful.

Show the class C network of blocked hosts:

    ipfcount -bi -e 'shost =~ s/\d+$/0/' -k shost /var/log/local0

Note that Perl uses different comparison operators for numbers and strings - see perlop(1).
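
How the nested `-k dport,shost` listing, the `-t` limit and a numeric `-e` filter fit together, sketched in Python as an added example (this is not ipfcount's own Perl code). The log layout in the regex and the sample lines are assumptions constructed for illustration, and `parse`, `summarise`, `blocked_in` and `high_port` are hypothetical names.

```python
import re
from collections import Counter

# Assumed ipmon(8) syslog layout with numeric addresses and ports:
#   <time> <iface> @<group>:<rule> <action> <shost>,<sport> -> <dhost>,<dport> PR <proto> ... IN|OUT
LINE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<shost>[^,\s]+)(?:,(?P<sport>\S+))? -> "
    r"(?P<dhost>[^,\s]+)(?:,(?P<dport>\S+))? PR (?P<proto>\S+)"
    r".*\b(?P<dir>IN|OUT)\b"
)

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = """\
Mar 17 10:00:01 fw ipmon[211]: 10:00:01.100000 em0 @0:5 b 203.0.113.5,40001 -> 192.168.1.10,23 PR tcp len 20 60 -S IN
Mar 17 10:00:02 fw ipmon[211]: 10:00:02.100000 em0 @0:5 b 203.0.113.5,40002 -> 192.168.1.10,23 PR tcp len 20 60 -S IN
Mar 17 10:00:03 fw ipmon[211]: 10:00:03.100000 em0 @0:5 b 198.51.100.7,51000 -> 192.168.1.10,23 PR tcp len 20 60 -S IN
Mar 17 10:00:04 fw ipmon[211]: 10:00:04.100000 em0 @0:5 b 198.51.100.7,51001 -> 192.168.1.10,8080 PR tcp len 20 60 -S IN
Mar 17 10:00:05 fw ipmon[211]: 10:00:05.100000 em0 @0:5 b 198.51.100.7,51002 -> 192.168.1.10,8080 PR tcp len 20 60 -S IN
Mar 17 10:00:06 fw ipmon[211]: 10:00:06.100000 em0 @0:2 p 192.168.1.10,33000 -> 192.0.2.20,443 PR tcp len 20 60 -S OUT
Mar 17 10:00:07 fw ipmon[211]: 10:00:07.100000 em0 @0:3 p 203.0.113.9,3333 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
"""

def parse(text):
    """Yield one dict of named fields per line that matches the assumed layout."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            yield m.groupdict()

def summarise(records, keys, top=None, keep=lambda r: True):
    """Count values of keys[0], most common first, nesting the remaining keys."""
    if not keys:
        return []
    records = [r for r in records if keep(r)]
    ranked = Counter(r[keys[0]] for r in records).most_common(top)
    return [(v, n, summarise([r for r in records if r[keys[0]] == v], keys[1:], top))
            for v, n in ranked]

def blocked_in(r):
    """Equivalent of -bi: blocked packets in the incoming direction."""
    return r["action"] == "b" and r["dir"] == "IN"

def high_port(r):
    """Like -bi -e 'dport > 1024': fields are strings, so convert before comparing."""
    return blocked_in(r) and (r["dport"] or "").isdigit() and int(r["dport"]) > 1024

if __name__ == "__main__":
    print(summarise(list(parse(SAMPLE)), ["dport", "shost"], top=10, keep=blocked_in))
```

Comparing the port as a string instead of a number would also match port 23, which is the pitfall the note on Perl's comparison operators refers to.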


SEE ALSO

ipf(8), ipmon(8), perlop(1)


AUTHOR

Robert Archer

perl v5.20.3 IPFCOUNT (1) 2016-03-17
