The Events window
The Events window is where you can see all the events that the daemon has registered.
It's divided into tabs, where you can search for events by type: nodes, rules, hosts, applications, etc.
This is the main log of all the connections that the daemon has intercepted. You can filter connections by the action applied or by a word, limit the number of entries displayed, and sort connections by column.

Note: When you double click on a row, it will open the detail view of the item clicked.
For example: double click on a Node to open all the connections of that node:


Note: The size of the columns is saved when closing the GUI, and restored when you open it again.
Here you can see all the rules you have defined. Double clicking on a rule will open the details for that view.
You can also perform operations over the rules, one by one or in batch, by right-clicking over a rule:

The rules tab not only lists the application rules, but also the system firewall rules (that is, regular netfilter rules):
Double click on a rule to edit it, or right-click on it to view more options:
This view lists all the connections of a node. It's similar to netstat or ss.
Double click on a row to view the details of the item.
The search text box allows you to filter the data of the current view:
By default it'll search the text in all columns of the view.
If you type one of the keywords (conn., rule., node.) you can build complex queries:
You can type . to show the list of available fields.
Syntax:

| Field | Description |
|---|---|
| conn.time | Creation time |
| conn.srcip | Source IP |
| conn.srcport | Source port |
| conn.dstip | Destination IP |
| conn.dstport | Destination port |
| conn.dsthost | Destination host |
| conn.uid | UID of the connection |
| conn.pid | PID of the connection |
| conn.process | Absolute path of the process |
| conn.process_args | Command line (what the user typed) |
| conn.process_cwd | Current Working Directory of the process |
| conn.rule | The rule that was applied on this connection |
| conn.node | The node where the connection was originated |
| node.addr | alias of conn.node |
| rule.name | alias of conn.rule |
| rule.action | The action that was applied on the connection |

| Operand | Description |
|---|---|
| = | Matches the item exactly |
| >= | Matches an item equal or greater than the value |
| <= | Matches an item equal or less than the value |
| ~ | Searches for strings with the value typed: github.com -> *github.com* |
| >~ | Searches for right side of the string: github.com -> github.com* |
| <~ | Searches for left side of the string: github.com -> *github.com |
| and | Combines expressions: conn.dstport=53 and conn.dsthost<~github.com |
| or | Combines expressions: conn.dstport=53 or conn.dsthost<~github.com |
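
The operand semantics from the two tables above, modelled in Python over a handful of constructed events. This is an added example, not OpenSnitch's own search code; case-sensitive matching, numeric comparison for >= and <=, and `and` binding tighter than `or` are assumptions.

```python
import re

# Constructed sample events; keys are the field names from the table above.
EVENTS = [
    {"conn.dsthost": "api.github.com", "conn.dstport": "443", "rule.action": "allow"},
    {"conn.dsthost": "github.com", "conn.dstport": "443", "rule.action": "allow"},
    {"conn.dsthost": "github.com.cdn.example", "conn.dstport": "443", "rule.action": "deny"},
    {"conn.dsthost": "notgithub.com", "conn.dstport": "8443", "rule.action": "deny"},
    {"conn.dsthost": "resolver.example", "conn.dstport": "53", "rule.action": "allow"},
]
ALIASES = {"node.addr": "conn.node", "rule.name": "conn.rule"}  # from the field table
TERM = re.compile(r"\s*([a-z_.]+)\s*(>=|<=|>~|<~|=|~)\s*(.*?)\s*")


def _ordered(have, want, op):
    """>= and <=: compare as numbers when both sides parse (assumption), else as text."""
    try:
        have, want = float(have), float(want)
    except ValueError:
        pass
    return have >= want if op == ">=" else have <= want


def match_term(term, event):
    m = TERM.fullmatch(term)
    if m is None:
        raise ValueError(f"not a field/operand/value expression: {term!r}")
    field, op, want = m.groups()
    have = str(event.get(ALIASES.get(field, field), ""))
    if op == "=":
        return have == want               # exact match
    if op == "~":
        return want in have               # *value*
    if op == ">~":
        return have.startswith(want)      # value*
    if op == "<~":
        return have.endswith(want)        # *value
    return _ordered(have, want, op)


def search(query, events=EVENTS):
    """Return destination hosts of matching events; 'and' binds tighter than 'or' (assumption)."""
    hits = []
    for ev in events:
        if any(all(match_term(t, ev) for t in re.split(r"\s+and\s+", branch))
               for branch in re.split(r"\s+or\s+", query)):
            hits.append(ev["conn.dsthost"])
    return hits
```

With this data, `~` and `>~` also match github.com.cdn.example and `<~` also matches notgithub.com; only `=` pins the exact host.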