
Re: iptables syslog mumbojumbo key?



On Wed, Jul 03, 2002 at 11:13:36AM +0200, Adrian 'Dagurashibanipal' von Bidder wrote:
| On Wed, 2002-07-03 at 07:49, Dan Jacobson wrote:
| > So where is the page that tells us what all the iptables mumbojumbo in
| > syslog means?
| > MAC= SRC=168.95.4.122 DST=61.227.44.161 LEN=90 TOS=0x00 PREC=0x00
| > TTL=249 ID=60171 DF PROTO=TCP SPT=25 DPT=61157 WINDOW=10136 RES=0x00
| > ACK PSH FIN URGP=0
| 
| Dunno about any docs - but you can figure out much of it if you're
| familiar with IP and TCP packets. Here's what I know or guess:

Ditto.

| MAC: (ethernet) MAC address of source and dest (but this has an unusual
| format, dunno why: 00:50:ba:7b:4a:1f:00:30:19:73:09:54:08:00 - not sure
| how to decode this. source and destination MAC are in there, for sure,
| but there are 2 bytes more.

An ethernet MAC address is given in hex, and looks like
00:A0:CC:35:09:AA.  The first few bytes are the vendor's id, the rest
is "unique" (though I suspect the universe of unique numbers has run
out, just hope you don't get a duplicate on the same ethernet
segment).
 
| LEN: length of the packet. Not sure, but I think this'd be the length of
| the IP packet.

I too think this is the length of the IP packet since iptables is
(mostly) an IP-level tool, but I don't know if it includes the IP
headers or not.

| TOS: TOS field of the IP packet. Unused on most networks, btw, so
| anything but 0 would be strange.

Unless you use the ECN extension in which case bits 6 and 7 could be
set.
 
| PREC: ???

Precedence maybe?  Not really sure.
 
| TTL: Time to Live (hop count) of the IP packet

It became a "hop count" because early router implementations failed to
implement the time counter part of the spec.  It was supposed to be
decremented each second _and_ for each hop, thus giving an absolute
maximum life of 4.25 minutes (8 bits, 255 as the initial value).  Now the
maximum life is indefinite, depending on how long some router holds on
to it.
 
| WINDOW: not sure. Must be related to the TCP windowing algorithm.

I think so.  TCP uses a sliding-window protocol ("Go-Back-N" with
cumulative ACKs) to improve performance over a simple "send-and-wait"
protocol and also to eliminate the potential for a fast sender to
flood a slow receiver.

HTH,
-D

-- 

The light of the righteous shines brightly,
but the lamp of the wicked is snuffed out.
        Proverbs 13:9
 
http://dman.ddts.net/~dman/

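Editor's note: the thread above works out the LOG target's field names by eye. As an added example (not part of the original mail, and not anything from the iptables project), the Python below parses lines in that format into a structure and decodes the one field the posters could not: on Ethernet the kernel dumps the entire 14-byte link-layer header into MAC=, i.e. destination MAC (6 bytes), source MAC (6 bytes) and the 2-byte EtherType, which is where the "2 bytes more" come from (08:00 is IPv4). It also recombines TOS and PREC, which the LOG target prints as the IP TOS byte masked with 0x1e and 0xe0 respectively, and collects the bare DF/MF and TCP flag tokens. The two sample lines are constructed for the example: the first repeats the field sequence Dan posted, the second is an invented SYN carrying the MAC string Adrian quoted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, not real captures.  The first repeats the field
# sequence posted in the thread (empty MAC= as in the mail, which the LOG
# target prints for an input packet with no usable link-layer header, e.g.
# on a PPP link); the second is an invented SYN that carries the MAC string
# quoted in the thread so the decoder has something to take apart.
SAMPLE_LINES = [
    "MAC= SRC=168.95.4.122 DST=61.227.44.161 LEN=90 TOS=0x00 PREC=0x00 "
    "TTL=249 ID=60171 DF PROTO=TCP SPT=25 DPT=61157 WINDOW=10136 RES=0x00 "
    "ACK PSH FIN URGP=0",
    "IN=eth0 OUT= MAC=00:50:ba:7b:4a:1f:00:30:19:73:09:54:08:00 "
    "SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# Bare tokens the LOG target emits without '=': IP flags and TCP flags.
FLAG_TOKENS = {"DF", "MF", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
KV_RE = re.compile(r"^([A-Z]+)=(.*)$")


@dataclass
class IptablesLogEntry:
    fields: Dict[str, str]          # KEY=value pairs exactly as printed
    flags: List[str]                # bare DF/MF and TCP flag tokens, in order
    dst_mac: Optional[str] = None   # decoded from MAC= when it is a 14-byte Ethernet header
    src_mac: Optional[str] = None
    ethertype: Optional[int] = None

    def tos_byte(self) -> int:
        """Recombine the IP TOS byte: LOG prints TOS as tos & 0x1e and PREC as tos & 0xe0,
        so the two low ECN bits are not visible in this format."""
        return int(self.fields.get("TOS", "0"), 16) | int(self.fields.get("PREC", "0"), 16)

    def precedence(self) -> int:
        """IP precedence is the top three bits of the TOS byte (0 = routine)."""
        return self.tos_byte() >> 5

    def tcp_flags(self) -> List[str]:
        return [f for f in self.flags if f not in ("DF", "MF")]

    def ethertype_name(self) -> Optional[str]:
        if self.ethertype is None:
            return None
        return ETHERTYPES.get(self.ethertype, "0x%04x" % self.ethertype)


def decode_mac_field(mac: str) -> Tuple[Optional[str], Optional[str], Optional[int]]:
    """Split MAC=.  On Ethernet the kernel dumps the whole 14-byte link header:
    dst MAC (6), src MAC (6), EtherType (2).  Anything else (empty field, or a
    link layer with a different header length) is left undecoded."""
    octets = mac.split(":") if mac else []
    if len(octets) != 14:
        return None, None, None
    dst = ":".join(octets[0:6])
    src = ":".join(octets[6:12])
    ethertype = int(octets[12] + octets[13], 16)
    return dst, src, ethertype


def parse_iptables_log(line: str) -> IptablesLogEntry:
    """Tokenise one LOG line; syslog prefix and --log-prefix text are skipped."""
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for token in line.split():
        m = KV_RE.match(token)
        if m:
            fields[m.group(1)] = m.group(2)      # value may be empty (OUT=, MAC=)
        elif token in FLAG_TOKENS:
            flags.append(token)
    dst, src, etype = decode_mac_field(fields.get("MAC", ""))
    return IptablesLogEntry(fields, flags, dst, src, etype)


def is_unsolicited_syn(entry: IptablesLogEntry) -> bool:
    """True for a TCP packet with SYN but not ACK: a new inbound connection
    attempt, as opposed to e.g. the posted ACK PSH FIN from SPT=25, which is
    the tail of an established conversation with a mail server."""
    if entry.fields.get("PROTO") != "TCP":
        return False
    f = set(entry.tcp_flags())
    return "SYN" in f and "ACK" not in f


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_iptables_log(line)
        print(e.fields.get("SRC"), "->", e.fields.get("DST"),
              "len", e.fields.get("LEN"), "proto", e.fields.get("PROTO"),
              "tcp flags", e.tcp_flags(), "prec", e.precedence(),
              "unsolicited SYN:", is_unsolicited_syn(e))
        if e.dst_mac:
            print("  dst MAC", e.dst_mac, "src MAC", e.src_mac, "type", e.ethertype_name())
```

Feed it `grep kernel: /var/log/syslog` output line by line; tokens that are neither `KEY=value` nor a known flag are ignored, so the syslog timestamp and any `--log-prefix` string do no harm. The MAC decoder deliberately gives up on anything that is not exactly 14 octets rather than guess at other link layers.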