Re: iptables syslog mumbojumbo key?

To: debian-user@lists.debian.org
Subject: Re: iptables syslog mumbojumbo key?
From: Vineet Kumar <debian-user@virtual.doorstop.net>
Date: Mon, 8 Jul 2002 02:33:45 -0700
Message-id: <[🔎] 20020708093345.GB1059@doorstop.net>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] 1025687616.30652.49.camel@atlas>
References: <[🔎] 87n0t91hu7.fsf@jidanni.org> <[🔎] 1025687616.30652.49.camel@atlas>

* Adrian 'Dagurashibanipal' von Bidder (avbidder@fortytwo.ch) [020703 02:13]:
> On Wed, 2002-07-03 at 07:49, Dan Jacobson wrote:
> > So where is the page that tells us what all the iptables mumbojumbo in
> > syslog means?
> > MAC= SRC=168.95.4.122 DST=61.227.44.161 LEN=90 TOS=0x00 PREC=0x00
> > TTL=249 ID=60171 DF PROTO=TCP SPT=25 DPT=61157 WINDOW=10136 RES=0x00
> > ACK PSH FIN URGP=0
> 
> Dunno about any docs - but you can figure out much of it if you're
> familiar with IP and TCP packets. Here's what I know or guess:
> 
> MAC: (ethernet) MAC address of source and dest (but this has an unusual
> format, dunno why: 00:50:ba:7b:4a:1f:00:30:19:73:09:54:08:00 - not sure
> how to decode this. source and destination MAC are in there, for sure,
> but there are 2 bytes more.
> 
> SRC, DST: source, dest IP address
> 
> LEN: length of the packet. Not sure, but I think this'd be the length of
> the IP packet.
> 
> TOS: TOS field of the IP packet. Unused on most networks, btw, so
> anything but 0 would be strange.
> 
> PREC: ???

Precedence. It's also a routing optimization thing, afaik.

> 
> TTL: Time to Live (hop count) of the IP Package
> 
> ID, DF?

IP Packet ID number, followed by IP flags. DF is the "don't fragment"
bit, set when using P-MTU discovery. Others you might see are CE and MF.
CE means "congestion experienced", used in ECN. MF means "more
fragments", indicating that this is packet is part of a fragmented
packet.

> 
> PROTO: the protocol fiel of the IP header. Usually TCP, UDP or ICMP.
> 
> SPT, DPT: source and destination TCP (or UDP) port.
> 
> WINDOW: not sure. Must be related to the TCP windowing algorithm.
> 
> RES: ?

TCP's reserved bits. ECN would show up here.

> 
> ACK, PSH, FIN: read what the various TCP flags are. SYN also may appear
> here.

and RST.

> 
> URGP: TCP may transport 'urgent' (out of band) data, this is indicated
> with the URGP

HTH.

good times,
Vineet

-- 
http://www.doorstop.net/
-- 
"Computer Science is no more about computers
than astronomy is about telescopes." -E.W. Dijkstra

Attachment: pgpM6nLpGRXKk.pgp
Description: PGP signature

Reply to:

References:
- iptables syslog mumbojumbo key?
  - From: Dan Jacobson <jidanni@dman.ddts.net>
- Re: iptables syslog mumbojumbo key?
  - From: Adrian 'Dagurashibanipal' von Bidder <avbidder@fortytwo.ch>

Prev by Date: Email conversion
Next by Date: RE: Ethernet controller
Previous by thread: Re: iptables syslog mumbojumbo key?
Next by thread: Exim and amavis
Index(es):
- Date
- Thread