
Re: offtopic : dissecting an iptables log message



On Sun, Oct 01, 2000 at 06:42:11PM -0500, William Jensen wrote:
> Here's an example:
> 
> Oct  1 18:30:09 stimpy kernel: Firewall:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:5a:e6:33:00:08:00 SRC=24.216.244.211 DST=24.216.244.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=17211 PROTO=UDP SPT=137 DPT=137 LEN=58
> 
> I'm reading that as:
> 
> -coming IN to my eth0
> -going OUT my MAC address because it doesn't belong to my ip
> -SRC is the source ip
> -DST is the destination ip, but the last .255 makes me wonder if this isn't
> being broadcast to everyone on the network
> -LEN is the length? but of what?
> -TOS ??
> -PREC ??
> -TTL ??
> -ID ??
> -PROTO is using the UDP protocol
> -SPT i assume is source port 137 from 'their' machine
> -DPT i assume is the destination port on DST (which isn't me)
> -LEN 2nd length??
> 
> Is there a FAQ somewhere that can help me break this stuff down so I can pore
> over the logs and understand what I'm looking at?

# locate ipchains
/usr/share/doc/netbase/ipchains-HOWTO.txt.gz
/usr/share/doc/netbase/ipchains-quickref.ps.gz
/usr/share/man/man8/ipchains-save.8.gz
/usr/share/man/man8/ipchains.8.gz
/usr/share/man/man8/ipchains-restore.8.gz
/var/log/ipchains
/sbin/ipchains-restore
/sbin/ipchains
/sbin/ipchains-save

so:

1)	man ipchains
	man ipchains-save  -restore
2)	zmore /usr/share/doc/netbase/ipchains-HOW*
3)	print !$:h/ipchains-quick* (or convert to pdf)

check out the HOWTO under /usr/share/doc/netbase and
try the postscript quickref file there, too.
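The line quoted at the top of the thread is the output of the netfilter LOG target, and each `KEY=VALUE` token has a fixed meaning: the first LEN is the IP total length, TOS and PREC are the type-of-service and precedence bits, TTL is the remaining hop count, ID is the IP identification field, and the second LEN (printed for UDP) is the UDP datagram length. The following Python parser is an added example written for this page, not code from either poster; it splits the syslog header from the LOG fields, decodes the 14-byte MAC field into destination MAC, source MAC and EtherType, and produces a short explanation of what the sample line shows. The sample line is the one quoted above; the field descriptions in `FIELD_HELP` are the general meanings of the LOG target's output, not anything specific to the poster's setup.

```python
import re

# Sample input: the log line quoted in the thread, embedded here so the
# example runs offline.
SAMPLE_LINE = ("Oct  1 18:30:09 stimpy kernel: Firewall:IN=eth0 OUT= "
               "MAC=ff:ff:ff:ff:ff:ff:00:80:5a:e6:33:00:08:00 "
               "SRC=24.216.244.211 DST=24.216.244.255 LEN=78 TOS=0x00 PREC=0x00 "
               "TTL=128 ID=17211 PROTO=UDP SPT=137 DPT=137 LEN=58")

# What each field printed by the netfilter LOG target means.
FIELD_HELP = {
    "IN":      "interface the packet arrived on (empty for locally generated packets)",
    "OUT":     "interface the packet would leave on (empty when it is not being forwarded)",
    "MAC":     "link-layer header: destination MAC, source MAC, then EtherType",
    "SRC":     "source IP address",
    "DST":     "destination IP address",
    "LEN":     "IP total length in bytes (IP header plus payload)",
    "TOS":     "IP type-of-service bits",
    "PREC":    "IP precedence bits",
    "TTL":     "time to live (remaining hop count)",
    "ID":      "IP identification field (used to reassemble fragments)",
    "PROTO":   "transport protocol",
    "SPT":     "source port",
    "DPT":     "destination port",
    "UDP_LEN": "UDP length in bytes (UDP header plus payload); the second LEN on the line",
}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<body>.*)$")
TOKEN_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")


def parse_log_line(line):
    """Return a dict of syslog header fields plus the LOG target's KEY=VALUE tokens."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog kernel line")
    body = m.group("body")
    first = TOKEN_RE.search(body)
    if not first or first.group("key") != "IN":
        raise ValueError("no netfilter LOG fields found")
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "prefix": body[:first.start()]}   # the --log-prefix text, e.g. "Firewall:"
    for tok in TOKEN_RE.finditer(body, first.start()):
        key, val = tok.group("key"), tok.group("val")
        if key == "LEN" and "LEN" in rec:
            key = "UDP_LEN"   # second LEN is the transport-layer length, not the IP length
        rec[key] = val
    return rec


def split_mac_field(mac):
    """Decode the 14 colon-separated bytes of MAC= into dst MAC, src MAC and EtherType."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC field length")
    return {"dst_mac": ":".join(octets[:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:])}


def ip_header_bytes(rec):
    """IP total length minus UDP length leaves the IP header size (20 = no options)."""
    return int(rec["LEN"]) - int(rec["UDP_LEN"])


def explain(rec):
    """Plain-language observations about a parsed line, for reading the logs by hand."""
    notes = []
    if rec.get("IN") and rec.get("OUT") == "":
        notes.append("IN set and OUT empty: the packet arrived on %s and was not being "
                     "forwarded out another interface" % rec["IN"])
    mac = split_mac_field(rec["MAC"])
    if mac["dst_mac"] == "ff:ff:ff:ff:ff:ff":
        notes.append("destination MAC is the Ethernet broadcast address, so every host on "
                     "the segment received this frame; the sender was %s" % mac["src_mac"])
    if rec["DST"].endswith(".255"):
        notes.append("destination IP ends in .255, consistent with a subnet broadcast "
                     "(confirm against the interface netmask)")
    if rec.get("PROTO") == "UDP" and rec.get("DPT") == "137":
        notes.append("UDP/137 is NetBIOS Name Service; Windows hosts broadcast name "
                     "queries and registrations on the local subnet")
    if "UDP_LEN" in rec:
        notes.append("IP length %s minus UDP length %s = %d bytes of IP header"
                     % (rec["LEN"], rec["UDP_LEN"], ip_header_bytes(rec)))
    return notes


if __name__ == "__main__":
    parsed = parse_log_line(SAMPLE_LINE)
    for key, val in parsed.items():
        print("%-9s %-40s %s" % (key, val, FIELD_HELP.get(key, "")))
    for note in explain(parsed):
        print("-", note)
```

Running the block prints each field beside its meaning and then the observations; for the quoted line that is a NetBIOS name-service broadcast from 24.216.244.211 to the subnet broadcast address, with 20 bytes of IP header (78 - 58), which is why the two LEN values differ.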


