[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: offtopic : disecting an iptables log message

Hash: SHA1

A long time ago, in a galaxy far, far way, someone said...

> Here's an example:
> Oct 1 18:30:09 stimpy kernel: Firewall:IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:80:5a:e6:33:00:08:00 SRC=
> DST= LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=17211
> PROTO=UDP SPT=137 DPT=137 LEN=58
> I'm reading that as:
> -coming IN to my eth0
> -going OUT my MAC address because it doesn't belong to my ip

The OUT= field is blank - from the networking POV the packet isn't being
pushed back out.

The MAC= field is read as dst-mac:src-mac:08:00.

I don't know that the last 2 bytes mean.

> -SRC is the source ip
> -DST is the destination ip, but the last .255 makes me wonder if this isn't
> being broadcast to everyone on the network

It's being broadcast to everyone on your IP subnet.  Incidentally it's a
Windows networking broadcast (probably name announcement)

> -LEN is the lenght? but of what?

Length of the entire packet probably

> -TOS ??

Type of service - specifies whether the packet should have minimum latency
or maximum throughput and stuff like that.

> -PREC ??

No idea

> -TTL ??

Time To Live - how many maximum router hops the packet is specified to go

> -ID ??

If you look each ID number is different.  I recently had some funny stuff
going on against my firewalling code (lots of connection attempts, from
the same UDP port to the same UDP port from the same computer) and the
number incremented each time.

I'm guessing it's part of the connection tracking capabilities of

> -PROTO is using the UDP protocol
> -SPT i assume is source port 137 from 'their' machine
> -DPT i assume is the destination port on DST (which isn't me)
> -LEN 2nd lenght??

Length of the UDP part of the packet.

> Is there a faq somewhere that can help me break this stuff down so I
> can pour over the logs and understand what I'm looking at.

I'm not aware of any such faq but you do learn some of this stuff pretty
fast when dealing with Ciscos :)  Try one of their entry-level
certification books.

- -- 
- ----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org


Reply to: