
Re: offtopic : disecting an iptables log message




A long time ago, in a galaxy far, far away, someone said...

> Here's an example:
> 
> Oct 1 18:30:09 stimpy kernel: Firewall:IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:80:5a:e6:33:00:08:00 SRC=24.216.244.211
> DST=24.216.244.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=17211
> PROTO=UDP SPT=137 DPT=137 LEN=58
> 
> I'm reading that as:
> 
> -coming IN to my eth0
> -going OUT my MAC address because it doesn't belong to my ip

The OUT= field is blank - from the networking POV the packet isn't being
pushed back out.

The MAC= field is read as dst-mac:src-mac:08:00.

I don't know what the last 2 bytes mean.

> -SRC is the source ip
> -DST is the destination ip, but the last .255 makes me wonder if this isn't
> being broadcast to everyone on the network

It's being broadcast to everyone on your IP subnet.  Incidentally, it's a
Windows networking broadcast (probably a name announcement).

> -LEN is the length? but of what?

Length of the entire packet, probably.

> -TOS ??

Type of service - specifies whether the packet should have minimum latency
or maximum throughput and stuff like that.

> -PREC ??

No idea

> -TTL ??

Time To Live - how many maximum router hops the packet is specified to go
through

> -ID ??

If you look, each ID number is different.  I recently had some funny stuff
going on against my firewalling code (lots of connection attempts, from
the same UDP port to the same UDP port from the same computer) and the
number incremented each time.

I'm guessing it's part of the connection tracking capabilities of
iptables.

> -PROTO is using the UDP protocol
> -SPT i assume is source port 137 from 'their' machine
> -DPT i assume is the destination port on DST (which isn't me)
> -LEN 2nd length??

Length of the UDP part of the packet.

> Is there a FAQ somewhere that can help me break this stuff down so I
> can pore over the logs and understand what I'm looking at.

I'm not aware of any such faq but you do learn some of this stuff pretty
fast when dealing with Ciscos :)  Try one of their entry-level
certification books.

-- 
----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
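As an added illustration (not part of the original thread), here is a small Python parser that splits a log line of the shape quoted above into its fields, applying the reading given in the reply: the MAC= field is dst-mac:src-mac:ethertype (08:00 is the EtherType for IPv4), the first LEN is the IP packet length and the second LEN is the UDP part. The sample line is constructed to match the quoted message; the field names used in the returned dict are this example's own choice.

```python
import re

# Constructed sample line, same shape as the log message quoted in the thread.
SAMPLE = ("Oct 1 18:30:09 stimpy kernel: Firewall:IN=eth0 OUT= "
          "MAC=ff:ff:ff:ff:ff:ff:00:80:5a:e6:33:00:08:00 SRC=24.216.244.211 "
          "DST=24.216.244.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=17211 "
          "PROTO=UDP SPT=137 DPT=137 LEN=58")

# Matches KEY=VALUE tokens; VALUE may be empty (e.g. "OUT=").
_TOKEN = re.compile(r"(\w+)=(\S*)")


def parse_iptables_log(line):
    """Split an iptables log line into a dict of its fields.

    The duplicated LEN key is disambiguated: the first LEN is the total IP
    packet length (kept as LEN); the second one, which follows PROTO/SPT/DPT,
    is the transport-layer (here UDP) length and is stored as L4_LEN.
    """
    fields = {}
    start = line.find("IN=")
    if start < 0:
        raise ValueError("not an iptables log line")
    # Everything before IN= is syslog timestamp/host plus the --log-prefix.
    fields["prefix"] = line[:start].strip()
    for key, value in _TOKEN.findall(line[start:]):
        if key == "LEN" and "LEN" in fields:
            key = "L4_LEN"
        fields[key] = value
    mac = fields.get("MAC")
    if mac:
        octets = mac.split(":")
        # 6 bytes destination MAC, 6 bytes source MAC, 2 bytes EtherType.
        fields["DST_MAC"] = ":".join(octets[0:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:14])  # "0800" = IPv4
    for key in ("LEN", "L4_LEN", "TTL", "ID", "SPT", "DPT"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def is_netbios_broadcast(fields):
    """True for the pattern discussed in the thread: a UDP datagram to port
    137 carried in an Ethernet frame with the all-ones broadcast MAC."""
    return (fields.get("PROTO") == "UDP"
            and fields.get("DPT") == 137
            and fields.get("DST_MAC") == "ff:ff:ff:ff:ff:ff")
```

Running `parse_iptables_log(SAMPLE)` on the sample yields an empty `OUT`, `DST_MAC` of `ff:ff:ff:ff:ff:ff`, `LEN` 78 and `L4_LEN` 58, matching the reading given in the reply.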
