IPFTEST(1) OpenBSD Reference Manual IPFTEST(1)
NAME
ipftest - test packet filter rules with arbitrary input
SYNOPSIS
ipftest [-vbdPSTEHX] [-I interface] -r filename [-i filename]
DESCRIPTION
With ipftest, operators can see the effects of an ipf filter ruleset on
test packets, rather than having to observe the effects of the ruleset on
live traffic. This can reduce the disruptions experienced during the
development and refinement of secure IP environments.

ipftest reads test packets from stdin or the file specified by the -i
option, applies the ruleset specified by the -r option to each, and
generates information about the effect of the ruleset on each packet to
stdout.

Captured or handcrafted packets to be tested can be supplied in a variety
of formats. See the options -P, -S, -T, -H and -E for details. In
addition the -X option gives ipftest the ability to use its own text
description format to generate ``fake'' packets. The format used is:

    in|out on if [tcp|udp|icmp] srchost [, port] dsthost [, port] [-FSRPAU]

This allows for input or output ICMP, TCP, or UDP packets to be generated
for any interface. For TCP or UDP it allows the specification of source
and destination ports. For TCP it allows the specification of TCP flags.
Some examples are:

    # a UDP packet coming in on le0
    in on le0 udp 10.1.1.1,2210 10.2.1.5,23
    # an IP packet coming in on le0 from localhost - hmm :)
    in on le0 localhost 10.4.12.1
    # a TCP packet going out of le0 with the SYN flag set.
    out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S

The following options are available:

-v      Verbose mode. This provides more information about which
        parts of rule matching the packet passes and fails.

-d      Turn on filter rule debugging. Currently, this only shows
        what caused the rule to not match in the IP header checking
        (addresses/netmasks, etc).

-b      Cause the output to be a one word description of the result
        of passing the packet through the filter: pass, block or
        nomatch. This is used in the regression testing.

-I interface
        Set the interface name (used in rule matching) to be the name
        supplied. This is useful with the -P, -S and -E options,
        where it is not otherwise possible to associate a packet with
        an interface. Normal ``text packets'' can override this
        setting.

-P      The input file is in the binary format produced using libpcap
        (i.e., tcpdump version 3). Packets are read from this file
        as being input (for rule purposes). An interface may be
        specified using -I.

-S      The input file is in ``snoop'' format (see RFC 1761). Packets
        are read from this file and used as input from any interface.
        This is perhaps the most useful input type, currently.

-T      The input file is text output from tcpdump. The text formats
        which are currently supported are those which result from the
        following tcpdump option combinations:

            tcpdump -n
            tcpdump -nq
            tcpdump -nqt
            tcpdump -nqtt
            tcpdump -nqte

-H      The input file is hex digits, representing the binary makeup
        of the packets. No length correction is made if an incorrect
        length is put in the IP header.

-X      The input file is composed of text descriptions of IP packets.

-E      The input file is text output from etherfind. The text
        formats which are currently supported are those which result
        from the following etherfind option combinations:

            etherfind -n
            etherfind -n -t

-i filename
        Specify the filename from which to take input. Default is
        stdin.

-r filename
        Specify the filename from which to read filter rules.

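The regression use of -b described above, as an added shell example (not part of the original manual page or of the ipf distribution). The ruleset and the expected verdicts are constructed, write_samples and check_ruleset are hypothetical helper names, and the script assumes ipftest -b prints one word per packet, one per line.

```shell
#!/bin/sh
# Added example. Assumes `ipftest -b` prints one verdict word per packet,
# one per line: pass, block or nomatch.

# write_samples DIR: constructed ruleset, the page's three -X packets, and
# the verdicts this ruleset is expected to give them.
write_samples() {
    cat > "$1/rules" <<'EOF'
block in on le0 proto udp from any to any port = 23
pass out on le0 proto tcp from any to any port = 23 flags S
EOF
    cat > "$1/packets" <<'EOF'
# a UDP packet coming in on le0
in on le0 udp 10.1.1.1,2210 10.2.1.5,23
# an IP packet coming in on le0 from localhost
in on le0 localhost 10.4.12.1
# a TCP packet going out of le0 with the SYN flag set
out on le0 tcp 10.4.12.1,2245 10.1.1.1,23 S
EOF
    printf '%s\n' block nomatch pass > "$1/expected"
}

# check_ruleset RULES PACKETS EXPECTED
# Returns 0 if every verdict matches, 1 on a mismatch, 2 if the number of
# verdicts differs from the number of expected lines.
check_ruleset() {
    rules=$1; packets=$2; expected=$3
    tmp=$(mktemp -d) || return 2
    # Drop comment and blank lines so description N lines up with verdict N.
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$packets" > "$tmp/descs" || :
    ipftest -b -X -r "$rules" -i "$packets" > "$tmp/actual" || :
    n_want=$(( $(wc -l < "$expected") )); n_got=$(( $(wc -l < "$tmp/actual") ))
    if [ "$n_want" -ne "$n_got" ]; then
        echo "expected $n_want verdicts, ipftest printed $n_got" >&2
        rm -rf "$tmp"; return 2
    fi
    rc=0
    while read -r want <&3 && read -r got <&4 && read -r desc <&5; do
        [ "$want" = "$got" ] && continue
        echo "MISMATCH want=$want got=$got packet: $desc" >&2
        rc=1
    done 3< "$expected" 4< "$tmp/actual" 5< "$tmp/descs"
    rm -rf "$tmp"
    return "$rc"
}
# Usage: d=$(mktemp -d); write_samples "$d"
#        check_ruleset "$d/rules" "$d/packets" "$d/expected"
```

Running the check after every ruleset edit shows a changed verdict for a known packet before the rules are loaded on a live filter.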
SEE ALSO
snoop(1m), ipf(5), ipf(8), tcpdump(8), etherfind(8c)
BUGS
Not all of the input formats are capable of introducing a wide enough va-
riety of packets to be useful in testing.
OpenBSD 2.6                      May 23, 1999
Source: OpenBSD 2.6 man pages. Copyright: Portions are copyrighted by BERKELEY SOFTWARE DESIGN, INC., The Regents of the University of California, Massachusetts Institute of Technology, Free Software Foundation, FreeBSD Inc., and others.