{
    "mode": "man",
    "parameter": "xtables-monitor",
    "section": "8",
    "url": "https://www.chedong.com/phpMan.php/man/xtables-monitor/8/json",
    "generated": "2026-06-11T02:25:28Z",
    "synopsis": "xtables-monitor [-t] [-e] [-4|-6]",
    "sections": {
        "NAME": {
            "content": "xtables-monitor — show changes to rule set and trace-events\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "xtables-monitor [-t] [-e] [-4|-6]\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "xtables-monitor is used to monitor changes to the ruleset or to show rule evaluation events for packets tagged using the TRACE target. xtables-monitor will run until the user aborts execution, typically by using CTRL-C.\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "",
            "subsections": [
                {
                    "name": "-e --event",
                    "content": "Watch for updates to the rule set.\nUpdates include creation of new tables, chains and rules and the name of the program that caused the rule update.\n",
                    "flag": "-e",
                    "long": "--event"
                },
                {
                    "name": "-t --trace",
                    "content": "Watch for trace events generated by packets that have been tagged using the TRACE target.\n",
                    "flag": "-t",
                    "long": "--trace"
                },
                {
                    "name": "-4",
                    "content": "Show only IPv4 events.\n",
                    "flag": "-4"
                },
                {
                    "name": "-6",
                    "content": "Show only IPv6 events.\n",
                    "flag": "-6"
                }
            ]
        },
        "EXAMPLE OUTPUT": {
            "content": "",
            "subsections": [
                {
                    "name": "xtables-monitor --trace",
                    "content": "1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE\n2 PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349 DF\n3 TRACE: 2 fc475095 raw:PREROUTING:return:\n4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT\n5 TRACE: 2 fc475095 filter:INPUT:return:\n6 TRACE: 2 fc475095 filter:INPUT:policy:DROP\n7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE\n\nThe first line shows a packet entering rule set evaluation. The protocol family number is shown first (2, i.e. AF_INET, in this case), then a packet identifier that allows correlating all messages produced while evaluating this packet. After this, the rule matched by the packet is shown. This is the TRACE rule that turns on trace events for this packet.\n\nThe second line dumps information about the packet. The incoming interface and packet headers such as source and destination addresses are shown.\n\nThe third line shows that the packet completed traversal of the raw table PREROUTING chain and is returning; the fourth line shows the chain policy being used to make the accept/drop decision (ACCEPT in the example). The fifth line shows that the packet leaves the filter table INPUT chain, i.e., no rule in that chain matched the packet. It then got DROPPED by the policy of the filter INPUT chain, as shown by line six. The last line shows another packet arriving: the packet id is different.\n\nEvery traced packet produces several events for each chain it traverses, so a TRACE rule without a tight match and a rate limit can flood the monitor on a busy host. When using the TRACE target, it is therefore usually a good idea to only select packets that are relevant, for example via\niptables -t raw -A PREROUTING -p tcp --dport 80 --syn -m limit --limit 1/s -j TRACE\n"
                },
                {
                    "name": "xtables-monitor --event",
                    "content": "1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444\n2 EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0\n3 EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0\n4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0\n5 EVENT: -4 -t filter -N TCP\n6 EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT\n7 EVENT: -4 -t filter -A TCP -p tcp -m multiport --dports 80,443 -j ACCEPT\n8 EVENT: -4 -t filter -A INPUT -p tcp -j TCP\n9 EVENT: -4 -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore\n\nThis example shows event monitoring. Line one shows creation of a table (filter in this case), followed by its three base chains INPUT, FORWARD and OUTPUT. The iptables-nftables tools create tables and base chains automatically when needed, so this is expected when a table was not yet initialized or when it is re-created from scratch by iptables-nftables-restore. Line five shows a new user-defined chain (TCP) being added, followed by the addition of a few rules. The last line shows that a new rule set generation has become active, i.e., the rule set changes are now in effect. This line also lists the process id and the name of the program that committed the change, which is what makes the event stream useful for attributing an unexpected rule set modification to the process that made it.\n"
                }
            ]
        },
        "LIMITATIONS": {
            "content": "xtables-monitor only works with rules added using iptables-nftables; rules added using iptables-legacy cannot be monitored. To check which backend the iptables command on a host uses, run iptables -V: it reports (nf_tables) for the nftables backend and (legacy) for the legacy one. Likewise, a TRACE rule installed with iptables-legacy logs to the kernel log rather than producing events that xtables-monitor can show.\n",
            "subsections": []
        },
        "BUGS": {
            "content": "Should be reported either by sending email to netfilter-devel@vger.kernel.org or by filing a report on https://bugzilla.netfilter.org/.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "iptables(8), xtables(8), nft(8)\n\niptables 1.8.7    XTABLES-MONITOR(8)",
            "subsections": []
        }
    },
    "summary": "xtables-monitor — show changes to rule set and trace-events",
    "flags": [
        {
            "flag": "-e",
            "long": "--event",
            "arg": null,
            "description": "Watch for updates to the rule set. Updates include creation of new tables, chains and rules and the name of the program that caused the rule update."
        },
        {
            "flag": "-t",
            "long": "--trace",
            "arg": null,
            "description": "Watch for trace events generated by packets that have been tagged using the TRACE target."
        },
        {
            "flag": "-4",
            "long": null,
            "arg": null,
            "description": "Show only IPv4 events."
        },
        {
            "flag": "-6",
            "long": null,
            "arg": null,
            "description": "Show only IPv6 events."
        }
    ],
    "examples": [],
    "see_also": [
        {
            "name": "iptables",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/iptables/8/json"
        },
        {
            "name": "xtables",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/xtables/8/json"
        },
        {
            "name": "nft",
            "section": "8",
            "url": "https://www.chedong.com/phpMan.php/man/nft/8/json"
        }
    ]
}
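The two EXAMPLE OUTPUT subsections above describe the record formats of `xtables-monitor --trace` and `xtables-monitor --event` but leave the reader to correlate the lines by hand. The following Python script is an added example, not code from the xtables-monitor man page or the iptables project: it parses both formats offline, groups trace records by packet id to recover each packet's path and last verdict, and splits event records into the generations closed by each NEWGEN line so that a rule set change can be attributed to the committing process. The sample inputs are constructed from the man page's own example output (with the wrapped lines rejoined); the `EXPECTED_EDITORS` allowlist is an assumption about which programs are expected to manage the firewall on a given host.

```python
"""Analyzer for xtables-monitor output.  Added example, not code from the man page or the
iptables project: reconstructs each traced packet's path from --trace records and attributes
every committed rule-set generation in --event records to the process named by NEWGEN."""
import re

# Constructed sample: the man page's --trace example, one record per line.
TRACE_SAMPLE = """\
TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349 DF
TRACE: 2 fc475095 raw:PREROUTING:return:
TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
TRACE: 2 fc475095 filter:INPUT:return:
TRACE: 2 fc475095 filter:INPUT:policy:DROP
TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
"""

# Constructed sample: the man page's --event example.
EVENT_SAMPLE = """\
EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444
EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0
EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0
EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0
EVENT: -4 -t filter -N TCP
EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
EVENT: -4 -t filter -A TCP -p tcp -m multiport --dports 80,443 -j ACCEPT
EVENT: -4 -t filter -A INPUT -p tcp -j TCP
EVENT: -4 -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore
"""

# TRACE: <family> <packet id> <table>:<chain>:<kind>[:<detail>]  and  PACKET: <n> <packet id> <headers>
TRACE_RE = re.compile(r"^TRACE:\s+(\d+)\s+([0-9a-f]+)\s+([^:\s]+):([^:\s]+):(\w+):?(.*)$")
PACKET_RE = re.compile(r"^PACKET:\s+\d+\s+([0-9a-f]+)\s+(.*)$")
NEWGEN_RE = re.compile(r"^NEWGEN:\s+GENID=(\d+)\s+PID=(\d+)\s+NAME=(\S+)")
TERMINAL_VERDICTS = {"ACCEPT", "DROP"}  # rule verdicts that end evaluation in the current hook


def parse_trace(text):
    """Group trace records by packet id (order of first appearance):
    {id: {"family": int, "packet": header or None, "path": [(table, chain, kind, detail)]}}."""
    packets = {}
    for line in text.splitlines():
        m = TRACE_RE.match(line)
        if m:
            family, pid, table, chain, kind, detail = m.groups()
            entry = packets.setdefault(pid, {"family": int(family), "packet": None, "path": []})
            entry["path"].append((table, chain, kind, detail.strip()))
            continue
        m = PACKET_RE.match(line)
        if m:
            pid, header = m.groups()
            packets.setdefault(pid, {"family": None, "packet": None, "path": []})["packet"] = header
    return packets


def last_verdict(entry):
    """(verdict, table, chain) of the last decision recorded for a packet: a chain policy, or a
    matched rule with a terminal verdict.  Rule detail reads "0x3:CONTINUE -4 -t raw ..." (handle,
    verdict, rule text).  None while the trace is incomplete, as for the sample's second packet."""
    for table, chain, kind, detail in reversed(entry["path"]):
        if kind == "policy":
            return (detail, table, chain)
        if kind == "rule" and ":" in detail:
            verdict = (detail.split(":", 1)[1].split() or [""])[0]
            if verdict in TERMINAL_VERDICTS:
                return (verdict, table, chain)
    return None


def parse_events(text):
    """Split --event output into committed generations: each NEWGEN record closes the generation
    made of the EVENT lines seen since the previous NEWGEN and names the committing process."""
    generations, pending = [], []
    for line in text.splitlines():
        if line.startswith("EVENT:"):
            pending.append(line[len("EVENT:"):].strip())
            continue
        m = NEWGEN_RE.match(line)
        if m:
            genid, pid, name = m.groups()
            generations.append({"genid": int(genid), "pid": int(pid), "name": name, "changes": pending})
            pending = []
    return generations


# Assumption for this example: the programs expected to modify the rule set on this host.
EXPECTED_EDITORS = {"iptables-nftables-restore", "iptables-nft-restore", "iptables-nft"}


def unexpected_changes(generations, allowed=EXPECTED_EDITORS):
    """Generations committed by a program outside the allowlist."""
    return [g for g in generations if g["name"] not in allowed]


if __name__ == "__main__":
    for pid, entry in parse_trace(TRACE_SAMPLE).items():
        print(pid, entry["packet"], "->", last_verdict(entry))
    gens = parse_events(EVENT_SAMPLE)
    print([(g["genid"], g["name"], g["pid"], len(g["changes"])) for g in gens], unexpected_changes(gens))
```

On a live host the same functions can be fed `xtables-monitor --trace` or `xtables-monitor --event` line by line; the trace side answers "which chain and policy dropped this packet", and the event side turns the NEWGEN record's PID and program name into an alert whenever a rule set generation is committed by something other than the expected firewall tooling.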