<HTML> <HEAD> <TITLE>KSnuffle: Event Commands</TITLE> </HEAD> <BODY TEXT="#000000" BGCOLOR="#FFFFFF" LINK="#AA0000"> <A HREF="http://www.kde.org/"><IMG SRC="logotp3.gif" ALT="The K Desktop Environment" BORDER=0 ></A> <FONT FACE="Helvetica"> <BR> <HR noshade> <DIV ALIGN=right> <A HREF="index-4.6.html">Next</A> <A HREF="index-4.4.html">Previous</A> <A HREF="index.html#toc4">Table of Contents</A> </DIV> <BR> <H3> <A NAME="ss4.5"></A>4.5 Event Commands </H3> <P> KSnuffle provides events which can trigger the execution of commands. Associated with each <I>sniffer</I> are up to 6 events. These are displayed on the <I>Event Commands </I>page. </P> <P> <A HREF="events.html" target="Event Commands">Click for full size image</A><IMG SRC="events_s.png"> </P> <P> Each event is a packet filter, and is constructed in the same way as the <A HREF="index-4.3.html">main packet filter</A>. Note, however, that unlike triggers, events are only applied to packets which have been passed by the main filter and the start and stop triggers. Associated with an event is a command which is executed whenever the event matches a packet. The command text is substituted as listed below, and is then executed asynchronously in a sub-shell. </P> <CENTER> <TABLE BORDER> <TR> <TD>%Sa</TD> <TD>IP address of packet source</TD> </TR> <TR> <TD>%Sn</TD> <TD>Host name of packet source or IP address if not known</TD> </TR> <TR> <TD>%Sp</TD> <TD>Packet source port</TD> </TR> <TR> <TD>%Ss</TD> <TD>Packet source service name or port if not known</TD> </TR> <TR> <TD>%Da</TD> <TD>IP address of packet destination</TD> </TR> <TR> <TD>%Dn</TD> <TD>Host name of packet destination or IP address if not known</TD> </TR> <TR> <TD>%Dp</TD> <TD>Packet destination port</TD> </TR> <TR> <TD>%i</TD> <TD>Decoded packet information field</TD> </TR> <TR> <TD>%s</TD> <TD>Decoded packet size field</TD> </TR> <TR> <TD>%Ds</TD> <TD>Packet destination service name or port if not known</TD> </TR> <TR> <TD>%[...]</TD> <TD>... 
is used as a format string to <I>strftime(3)</I> and applied to the packet time</TD> </TR> <TR> <TD>%t</TD> <TD>Microsecond part of packet time</TD> </TR> </TABLE> </CENTER> <P> Care should be exercised in the use of this facility, to avoid triggering a potentially huge number of events. For instance, an event which eMails <I>root</I> each time a packet is sent to the <I>telnet</I> port on a particular machine is probably not sensible, as an eMail will be generated for <B>every</B> such packet. It would be better to execute the command only on a TCP/IP <I>open</I> packet; see the <A HREF="man:tcpdump(8)">tcpdump(8)</A> manual page for details. </P> <P> <HR size="3" noshade> </P> </BODY> </HTML>
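The substitution table for event commands, as an added example in Python (not KSnuffle's own code): a small expander for the listed tokens. The packet field names, the use of UTC for %[...], the unpadded %t value and the shell quoting of every substituted value are assumptions of this example; the page does not say how KSnuffle treats shell metacharacters in network-derived fields such as %i or %Sn before the command reaches the sub-shell.

```python
import re
import shlex
import time

# Token -> packet field, following the substitution table (field names are hypothetical).
FIELDS = {
    "Sa": "src_addr", "Sn": "src_name", "Sp": "src_port", "Ss": "src_service",
    "Da": "dst_addr", "Dn": "dst_name", "Dp": "dst_port", "Ds": "dst_service",
    "i": "info", "s": "size",
}

# %[fmt] is tried first, then the two-letter source/destination tokens, then %i, %s, %t.
TOKEN = re.compile(r"%(?:\[([^\]]*)\]|([SD][anps]|[ist]))")


def expand(template, pkt):
    """Expand event-command tokens, shell-quoting each substituted value."""
    def substitute(match):
        fmt, name = match.group(1), match.group(2)
        if fmt is not None:
            # %[...]: the bracket content is a strftime(3) format for the packet time.
            value = time.strftime(fmt, time.gmtime(pkt["sec"]))
        elif name == "t":
            value = str(pkt["usec"])
        else:
            value = str(pkt[FIELDS[name]])
        # Host names and decoded info originate on the network, so they are
        # quoted before being placed in text that a shell will parse.
        return shlex.quote(value)
    return TOKEN.sub(substitute, template)


# Constructed sample packet (not captured traffic).
SAMPLE = {
    "sec": 1000000000, "usec": 123456,
    "src_addr": "10.0.0.5", "src_name": "host.example",
    "src_port": 40000, "src_service": "40000",
    "dst_addr": "192.0.2.10", "dst_name": "192.0.2.10",
    "dst_port": 23, "dst_service": "telnet",
    "info": "SYN; echo injected", "size": 60,
}

if __name__ == "__main__":
    print(expand("logger -t ksnuffle %Sn:%Sp to %Da:%Ds at %[%H:%M:%S].%t %i", SAMPLE))
```

Unknown sequences such as `%x` are left in the command text unchanged.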