
ksnuffle-2.2-6mdk.i586.rpm

<HTML>
  <HEAD>
    <TITLE>KSnuffle: Event Commands</TITLE>
  </HEAD>
  <BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#AA0000">
    <A HREF="http://www.kde.org/"><IMG SRC="logotp3.gif" ALT="The K Desktop Environment" BORDER=0 ></A>
    <FONT FACE="Helvetica">
    <BR>
    <HR noshade>
    <DIV ALIGN=right>
      <A HREF="index-4.6.html">Next</A>
      <A HREF="index-4.4.html">Previous</A>
      <A HREF="index.html#toc4">Table of Contents</A>
    </DIV>
    <BR>&nbsp;
    <H3>
      <A NAME="ss4.5"></A>4.5 Event Commands
    </H3>
    <P>
      KSnuffle provides events which can trigger the execution of
      commands. Associated with each <I>sniffer</I> are up to 6 events.
      These are displayed on the <I>Event Commands </I>page.
    </P>
    <P>
      <A HREF="events.html" target="Event Commands">Click for full size
      image</A><IMG SRC="events_s.png">
    </P>
    <P>
      Each event is a packet filter, and is constructed in the same way
      as the <A HREF="index-4.3.html">main packet filter</A>. Note,
      however, that unlike triggers, events are only applied to packets
      which have been passed by the main filter and the start and stop
      triggers. Associated with an event is a command which is executed
      whenever the event matches a packet. The command text is substituted
      as listed below, and is then executed asynchronously in a sub-shell.
    </P>
    <CENTER>
      <TABLE BORDER>
	<TR>
	  <TD>%Sa</TD>
	  <TD>IP address of packet source</TD>
	</TR>
	<TR>
	  <TD>%Sn</TD>
	  <TD>Host name of packet source or IP address if not known</TD>
	</TR>
	<TR>
	  <TD>%Sp</TD>
	  <TD>Packet source port</TD>
	</TR>
	<TR>
	  <TD>%Ss</TD>
	  <TD>Packet source service name or port if not known</TD>
	</TR>
	<TR>
	  <TD>%Da</TD>
	  <TD>IP address of packet destination</TD>
	</TR>
	<TR>
	  <TD>%Dn</TD>
	  <TD>Host name of packet destination or IP address if not known</TD>
	</TR>
	<TR>
	  <TD>%Dp</TD>
	  <TD>Packet destination port</TD>
	</TR>
	<TR>
	  <TD>%i</TD>
	  <TD>Decoded packet information field</TD>
	</TR>
	<TR>
	  <TD>%s</TD>
	  <TD>Decoded packet size field</TD>
	</TR>
	<TR>
	  <TD>%Ds</TD>
	  <TD>Packet destination service name or port if not known</TD>
	</TR>
	<TR>
	  <TD>%[...]</TD>
	  <TD>... is used as a format string to <I>strftime(3)</I> and
	      applied to the packet time</TD>
	</TR>
	<TR>
	  <TD>%t</TD>
	  <TD>Microsecond part of packet time</TD>
	</TR>
      </TABLE>
    </CENTER>
    <P>
      Care should be exercised in the use of this facility, to prevent
      a potentially huge number of events. For instance, an event which
      eMails <I>root</I> each time a packet is sent to the <I>telnet</I>
      port on a particular machine is probably not sensible, as an eMail will
      be generated for <B>every</B> such packet. Better would be to
      execute the command only on a TCP/IP <I>open</I> packet; see the
      <A HREF="man:tcpdump(8)">tcpdump(8)</A> manual page for details.
    </P>
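    <P>
      The substitution table and the caution above, worked through in Python
      code added for this page (it is not part of KSnuffle, whose event commands
      are expanded as text and run by a sub-shell, as described): the command
      template is split into words <B>before</B> the %-codes are expanded, so a
      host name or decoded information field taken from the wire always stays a
      single argument and is never reparsed as shell syntax; a per-flow throttle
      shows one way to stop a chatty event from firing for every packet. The
      packet record, the six-digit zero padding of <I>%t</I> and the throttle key
      (source address, destination address, destination port) are assumptions of
      this example.
    </P>

```python
import shlex
import subprocess
import time
from datetime import datetime

# Constructed packet record standing in for KSnuffle's decoded packet fields
# (assumption: field names mirror the %-codes of the substitution table).
SAMPLE_PACKET = {
    "Sa": "192.0.2.10", "Sn": "client.example.test", "Sp": 51234, "Ss": "51234",
    "Da": "192.0.2.20", "Dn": "mail.example.test", "Dp": 23, "Ds": "telnet",
    "i": "S 12345:12345(0) win 5840", "s": "60",
    "time": datetime(2002, 3, 14, 12, 30, 45), "usec": 123456,
}


def substitute(template: str, pkt: dict) -> str:
    """Expand the %-codes of one template word for one packet.

    Handles %Sa %Sn %Sp %Ss %Da %Dn %Dp %Ds, %i, %s, %t, %[...] (strftime on
    the packet time) and %% for a literal percent sign.  %t is zero-padded to
    six digits here (assumption; the manual only says 'microsecond part').
    """
    out, i, n = [], 0, len(template)
    while i < n:
        c = template[i]
        if c != "%":
            out.append(c)
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("dangling % at end of template")
        nxt = template[i + 1]
        if nxt == "%":
            out.append("%")
            i += 2
        elif nxt == "[":
            end = template.find("]", i + 2)
            if end < 0:
                raise ValueError("unterminated %[...] in template")
            out.append(pkt["time"].strftime(template[i + 2:end]))
            i = end + 1
        elif nxt in "SD" and i + 2 < n and template[i + 2] in "anps":
            out.append(str(pkt[nxt + template[i + 2]]))
            i += 3
        elif nxt in "is":
            out.append(str(pkt[nxt]))
            i += 2
        elif nxt == "t":
            out.append("%06d" % pkt["usec"])
            i += 2
        else:
            raise ValueError("unknown substitution %%%s" % nxt)
    return "".join(out)


def build_argv(template: str, pkt: dict) -> list:
    """Tokenise the template first, then substitute inside each token.

    A value containing ';', '$(...)' or spaces therefore ends up as exactly one
    argv element instead of being re-read by a shell, which is what would happen
    if the fully substituted string were handed to 'sh -c'.
    """
    return [substitute(word, pkt) for word in shlex.split(template)]


class EventThrottle:
    """Allow a given event key to fire at most once per window_s seconds."""

    def __init__(self, window_s: float):
        self.window_s = window_s
        self._last = {}

    def should_fire(self, key, now=None) -> bool:
        if now is None:
            now = time.monotonic()
        last = self._last.get(key)
        if last is not None and now - last < self.window_s:
            return False
        self._last[key] = now
        return True


def launch(argv: list) -> subprocess.Popen:
    """Start the event command asynchronously, without a shell."""
    return subprocess.Popen(argv)


if __name__ == "__main__":
    throttle = EventThrottle(window_s=60)
    key = (SAMPLE_PACKET["Sa"], SAMPLE_PACKET["Da"], SAMPLE_PACKET["Dp"])
    if throttle.should_fire(key):
        print(build_argv('mail -s "telnet from %Sn (%Sa) at %[%H:%M:%S].%t" root',
                         SAMPLE_PACKET))
```

    <P>
      The argv list can be started with <I>launch()</I>; the main guard only
      prints it so the example runs without sending mail.
    </P>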
    <P>
      <A HREF="index-4.6.html">Next</A>
      <A HREF="index-4.4.html">Previous</A>
      <A HREF="index.html#toc4">Table of Contents</A>
    </P>
    <P>
      <HR size="3" noshade>
    </P>
  </BODY>
</HTML>