{
    "mode": "info",
    "parameter": "XTABLES-MONITOR",
    "section": "",
    "url": "https://www.chedong.com/phpMan.php/info/XTABLES-MONITOR/json",
    "generated": "2026-07-05T11:50:06Z",
    "synopsis": "xtables-monitor [-t] [-e] [-4||-6]",
    "sections": {
        "NAME": {
            "content": "xtables-monitor -- show changes to rule set and trace-events\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "xtables-monitor [-t] [-e] [-4||-6]\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "xtables-monitor is used to monitor changes to the ruleset or to show rule evaluation events for packets tagged using the TRACE target. xtables-monitor will run until the user aborts execution, typically by using CTRL-C.\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "",
            "subsections": [
                {
                    "name": "-e, --event",
                    "content": "Watch for updates to the rule set.\nUpdates include creation of new tables, chains and rules and the\nname of the program that caused the rule update.\n",
                    "flag": "-e",
                    "long": "--event"
                },
                {
                    "name": "-t, --trace",
                    "content": "Watch for trace events generated by packets that have been tagged using the TRACE target.\n",
                    "flag": "-t",
                    "long": "--trace"
                },
                {
                    "name": "-4",
                    "content": "Restrict output to IPv4.\n",
                    "flag": "-4",
                    "long": null
                },
                {
                    "name": "-6",
                    "content": "Restrict output to IPv6.\n",
                    "flag": "-6",
                    "long": null
                }
            ]
        },
        "EXAMPLE OUTPUT": {
            "content": "xtables-monitor --trace\n\n1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE\n2 PACKET: 0 fc475095 IN=lo LL=0x3040000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349 DF\n3 TRACE: 2 fc475095 raw:PREROUTING:return:\n4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT\n5 TRACE: 2 fc475095 filter:INPUT:return:\n6 TRACE: 2 fc475095 filter:INPUT:policy:DROP\n7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE\n\nThe leading numbers are references used by the explanation below; they are not part of the tool's output. The first line shows a packet entering rule set evaluation. The address family is shown (2, i.e. AF_INET, in this case), then a packet identifier that allows messages coming from rule set evaluation of this packet to be correlated. After this, the rule that was matched by the packet is shown. This is the TRACE rule that turns on tracing events for this packet.\n\nThe second line dumps information about the packet. The incoming interface and packet headers such as source and destination addresses are shown.\n\nThe third line shows that the packet completed traversal of the raw table PREROUTING chain and is returning, followed by use of the chain policy to make the accept/drop decision (the example shows accept being applied). The fifth line shows that the packet leaves the filter INPUT chain, i.e., no rule in the filter table's INPUT chain matched the packet. It then gets dropped by the policy of the INPUT chain, as shown by line six. The last line shows another packet arriving; the packet id is different.\n\nWhen using the TRACE target, it is usually a good idea to only select packets that are relevant, and to rate-limit them, for example via\n\niptables -t raw -A PREROUTING -p tcp --dport 80 --syn -m limit --limit 1/s -j TRACE\n\nxtables-monitor --event\n\n1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444\n2 EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0\n3 EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0\n4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0\n5 EVENT: -4 -t filter -N TCP\n6 EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT\n7 EVENT: -4 -t filter -A TCP -p tcp -m multiport --dports 80,443 -j ACCEPT\n8 EVENT: -4 -t filter -A INPUT -p tcp -j TCP\n9 EVENT: -4 -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore\n\nThis example shows event monitoring. Line one shows creation of a table (filter in this case), followed by three base hooks INPUT, FORWARD and OUTPUT. The iptables-nftables tools all create tables and base chains automatically when needed, so this is expected when a table was not yet initialized or when it is re-created from scratch by iptables-nftables-restore. Line five shows a new user-defined chain (TCP) being added, followed by the addition of a few rules. The last line shows that a new ruleset generation has become active, i.e., the rule set changes are now in effect. This also lists the process id and the program's name.\n",
            "subsections": []
        },
        "LIMITATIONS": {
            "content": "xtables-monitor only works with rules added using iptables-nftables; rules added using iptables-legacy cannot be monitored. Run iptables -V to see which variant is in use: it reports (nf_tables) or (legacy).\n",
            "subsections": []
        },
        "BUGS": {
            "content": "Bugs should be reported either by sending email to netfilter-devel@vger.kernel.org or by filing a report on https://bugzilla.netfilter.org/.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "iptables(8), xtables(8), nft(8)\n\niptables 1.8.7                                              XTABLES-MONITOR(8)",
            "subsections": []
        }
    },
    "summary": "xtables-monitor -- show changes to rule set and trace-events",
    "flags": [
        {
            "flag": "-e",
            "long": "--event",
            "arg": null,
            "description": "Watch for updates to the rule set. Updates include creation of new tables, chains and rules and the name of the program that caused the rule update."
        },
        {
            "flag": "-t",
            "long": "--trace",
            "arg": null,
            "description": "Watch for trace events generated by packets that have been tagged using the TRACE target."
        },
        {
            "flag": "-4",
            "long": null,
            "arg": null,
            "description": "Restrict output to IPv4."
        },
        {
            "flag": "-6",
            "long": null,
            "arg": null,
            "description": "Restrict output to IPv6."
        }
    ],
    "examples": [],
    "see_also": [
        {
            "name": "iptables",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/iptables/8/json"
        },
        {
            "name": "xtables",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/xtables/8/json"
        },
        {
            "name": "nft",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/nft/8/json"
        }
    ]
}
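Added example (not part of xtables-monitor or the iptables project): a small parser for the two output formats shown in the EXAMPLE OUTPUT section. It groups --trace lines by packet id and reports each packet's last chain-level decision, and it groups --event lines into the ruleset generation that the following NEWGEN line commits, together with the PID and program name. The sample lines are constructed to follow the man page's line format without its leading reference numbers; the second packet's ACCEPT rule (handle 0x7) is an assumption added for illustration, and the address-family mapping assumes the Linux values AF_INET=2 and AF_INET6=10.

```python
"""Correlate xtables-monitor --trace output per packet id and group --event
output by ruleset generation.  Added example, not part of xtables-monitor or
the iptables project; the sample lines below are constructed to follow the
line format shown in the man page's EXAMPLE OUTPUT section (without the man
page's leading reference numbers)."""
import re
from collections import OrderedDict

# Constructed sample: two ICMP packets.  The first is dropped by the filter
# INPUT policy as in the man page; the second hits an assumed ACCEPT rule
# (handle 0x7) that the man page does not show.
SAMPLE_TRACE = """\
 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
 PACKET: 0 fc475095 IN=lo LL=0x3040000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349 DF
 TRACE: 2 fc475095 raw:PREROUTING:return:
 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
 TRACE: 2 fc475095 filter:INPUT:return:
 TRACE: 2 fc475095 filter:INPUT:policy:DROP
 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
 PACKET: 0 0df9d3d8 IN=lo LL=0x3040000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38350 DF
 TRACE: 2 0df9d3d8 raw:PREROUTING:return:
 TRACE: 2 0df9d3d8 raw:PREROUTING:policy:ACCEPT
 TRACE: 2 0df9d3d8 filter:INPUT:rule:0x7:ACCEPT -4 -t filter -A INPUT -p icmp -j ACCEPT
"""

# Constructed sample, abbreviated from the man page's --event listing.
SAMPLE_EVENTS = """\
 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444
 EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0
 EVENT: -4 -t filter -N TCP
 EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
 EVENT: -4 -t filter -A INPUT -p tcp -j TCP
 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore
"""

TRACE_RE = re.compile(r"^\s*TRACE:\s+(?P<family>\d+)\s+(?P<pkt>[0-9a-f]+)\s+(?P<where>\S+)(?:\s+(?P<rule>.*))?$")
PACKET_RE = re.compile(r"^\s*PACKET:\s+\d+\s+(?P<pkt>[0-9a-f]+)\s+(?P<fields>.*)$")
EVENT_RE = re.compile(r"^\s*EVENT:\s+(?P<body>.*)$")
NEWGEN_RE = re.compile(r"^\s*NEWGEN:\s+GENID=(?P<gen>\d+)\s+PID=(?P<pid>\d+)\s+NAME=(?P<name>\S+)")

# The number after "TRACE:" is the address family (assumed Linux values: AF_INET=2, AF_INET6=10).
FAMILY = {2: "ipv4", 10: "ipv6"}
# Verdicts that end evaluation of the current chain; CONTINUE (non-terminating target) is not one.
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def _new_record():
    return {"family": None, "packet": {}, "hops": [], "verdict": None}


def parse_trace(text):
    """Group TRACE/PACKET lines by packet id, keeping the evaluation hops in
    order and the last chain-level decision (policy or terminating rule)."""
    packets = OrderedDict()
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            rec = packets.setdefault(m["pkt"], _new_record())
            rec["family"] = FAMILY.get(int(m["family"]), m["family"])
            table, chain, kind = m["where"].split(":")[:3]
            # rule:<handle>:<verdict>, policy:<verdict>, return:<empty>
            verdict = m["where"].split(":")[-1] if kind in ("rule", "policy") else ""
            rec["hops"].append((table, chain, kind, verdict, m["rule"] or ""))
            if kind == "policy" or (kind == "rule" and verdict in TERMINAL):
                rec["verdict"] = f"{table}:{chain}:{kind}:{verdict}"
            continue
        m = PACKET_RE.match(line)
        if m:
            rec = packets.setdefault(m["pkt"], _new_record())
            # key=value tokens; bare flags such as DF carry no value and are skipped
            rec["packet"] = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return packets


def parse_events(text):
    """Group EVENT lines into generations; a NEWGEN line commits the pending
    events and names the process that made the change."""
    generations, pending = [], []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            pending.append(m["body"])
            continue
        m = NEWGEN_RE.match(line)
        if m:
            rules = [e for e in pending if e.startswith(("-4 ", "-6 "))]
            generations.append({"genid": int(m["gen"]), "pid": int(m["pid"]), "name": m["name"],
                                "rule_changes": rules,
                                "other": [e for e in pending if e not in rules]})
            pending = []
    return generations, pending  # pending: events not yet committed by a NEWGEN


def summarise(packets):
    """One (id, family, src, dst, last decision) tuple per traced packet."""
    return [(pid, r["family"], r["packet"].get("SRC"), r["packet"].get("DST"), r["verdict"])
            for pid, r in packets.items()]


if __name__ == "__main__":
    for row in summarise(parse_trace(SAMPLE_TRACE)):
        print("packet %s %s %s -> %s: %s" % row)
    for gen in parse_events(SAMPLE_EVENTS)[0]:
        print(f"generation {gen['genid']} by {gen['name']} (pid {gen['pid']}): "
              f"{len(gen['rule_changes'])} rule changes")
```

In live use, pipe `xtables-monitor --trace` or `xtables-monitor --event` into the two parsers line by line. Note that a chain-level ACCEPT (for example the raw PREROUTING policy) is not the end of evaluation, so the reported decision is the last one seen for the packet, and events received before a NEWGEN line are returned separately as not yet committed.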