
Re: Format of ipchains packet log entries?



From http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html :


The kernel logs this information looking like:

       Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025
         L=34 S=0x00 I=18 F=0x0000 T=254

This log message is designed to be terse, and contain technical
information useful only to networking gurus, but it can be useful to the
rest of us. It breaks down like so:

    1. `input' is the chain which contained the rule which matched the
       packet, causing the log message.
    2. `DENY' is what the rule said to do to the packet. If this is `-'
       then the rule didn't affect the packet at all (an accounting rule).
    3. `eth0' is the interface name. Because this was the input chain, it
       means that the packet came in `eth0'.
    4. `PROTO=17' means that the packet was protocol 17. A list of protocol
       numbers is given in `/etc/protocols'. The most common are 1 (ICMP),
       6 (TCP) and 17 (UDP).
    5. `192.168.2.1' means that the packet's source IP address was
       192.168.2.1.
    6. `:53' means that the source port was port 53. Looking in
       `/etc/services' shows that this is the `domain' port (ie. this is
       probably a DNS reply). For UDP and TCP, this number is the source
       port. For ICMP, it's the ICMP type. For others, it will be 65535.
    7. `192.168.1.1' is the destination IP address.
    8. `:1025' means that the destination port was 1025. For UDP and TCP,
       this number is the destination port. For ICMP, it's the ICMP code.
       For others, it will be 65535.
    9. `L=34' means that packet was a total of 34 bytes long.
   10. `S=0x00' means the Type of Service field (divide by 4 to get the
       Type of Service as used by ipchains).
   11. `I=18' is the IP ID.
   12. `F=0x0000' is the 16-bit fragment offset plus flags. A value
       starting with `0x4' or `0x5' means that the Don't Fragment bit is
       set. `0x2' or `0x3' means the `More Fragments' bit is set; expect
       more fragments after this. The rest of the number is the offset of
       this fragment, divided by 8.
   13. `T=254' is the Time To Live of the packet. One is subtracted from
       this value for every hop, and it usually starts at 15 or 255.
   14. `(#5)' there may be a final number in brackets on more recent
       kernels (perhaps after 2.2.9). This is the rule number which caused
       the packet log.


Sorry about the bad formatting, that's how it got pasted when I copied it
out of Netscape and I didn't feel like cleaning it up.  :)


On Tue, 18 Jan 2000, Ralf G. R. Bergs wrote:

> Hi there,
> 
> is there any documentation available about the format that ipchains uses to 
> log rules that have "-l" set?
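As an added example (not part of the original mail or the HOWTO), here is a small Python parser for the `Packet log:' line format quoted above, decoding the protocol-dependent port fields, the DF/MF flag bits in F=, and the optional trailing rule number; the two sample lines are constructed, the first being the HOWTO's own example.

```python
import re
# One ipchains "Packet log:" line as documented in the IPCHAINS-HOWTO; the
# trailing "(#N)" rule number is optional (only newer 2.2 kernels print it).
_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # the common entries from /etc/protocols

# Constructed sample lines (syslog prefix stripped); the first is the HOWTO's example.
SAMPLE_LINES = [
    "Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254",
    "Packet log: input REJECT ppp0 PROTO=1 10.0.0.9:8 192.168.1.1:0 L=84 S=0x00 I=1234 F=0x4000 T=64 (#5)",
]

def parse_packet_log(line):
    """Parse one ipchains packet log line into a dict; return None if it does not match."""
    m = _LOG_RE.search(line)
    if m is None:
        return None
    proto = int(m["proto"])
    frag = int(m["frag"], 16)  # 16 bits: 3 flag bits + 13-bit offset in 8-byte units
    sport, dport = int(m["sport"]), int(m["dport"])
    rec = {
        "chain": m["chain"],
        "target": m["target"],
        "accounting_only": m["target"] == "-",  # `-' means the rule only counted the packet
        "iface": m["iface"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, "other"),
        "src": m["src"],
        "dst": m["dst"],
        "length": int(m["length"]),
        "tos": int(m["tos"], 16),
        "ip_id": int(m["ipid"]),
        "dont_fragment": bool(frag & 0x4000),  # leading nibble 0x4/0x5 in the HOWTO's terms
        "more_fragments": bool(frag & 0x2000),  # leading nibble 0x2/0x3
        "frag_offset_bytes": (frag & 0x1FFF) * 8,
        "ttl": int(m["ttl"]),
        "rule": int(m["rule"]) if m["rule"] else None,
    }
    # The two port fields change meaning with the protocol (HOWTO items 6 and 8).
    if proto in (6, 17):
        rec["sport"], rec["dport"] = sport, dport
    elif proto == 1:
        rec["icmp_type"], rec["icmp_code"] = sport, dport
    return rec
```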

