 From:  Fred Wright <fw at well dot com>
 To:  Pat Ellison <pat at zbit dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] M0N0Wall Syslog Client
 Date:  Thu, 19 Aug 2004 14:46:45 -0700 (PDT)
On Thu, 19 Aug 2004, Pat Ellison wrote:

> Also if anybody would be gracious enough to send me any weird lines that
> they get that are
> out of the norm such as this one I came across.
> 
> 09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56
> icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61
> IN
> 
> 
> 09:26:54.775565 rl0 @0:15 b 68.248.200.13,63021 -> 9.3.18.20,13802 PR tcp
> len 20 40 -AR IN
> |-Time---------| IF  ?    ?   Src        , Port      Dest   , Port ?  Prot ?
> ?  ?  ?   ?

These things get messy with line wrap. :-)

> -S   ? Are these TCP packet flags?  Ack Syn etc?
> -AF  ?
> -AFP ?
> -AP  ?

Yes.

The items in the above example are, in order:

Time
Interface
Rule (group:number) *
Disposition (b = blocked, p = passed)
Source IP,port
Destination IP,port
"PR" is constant, meaning "protocol"
IP protocol (e.g. tcp, udp, etc.)
"len" is constant, meaning "length"
IP header length
Total packet length (including header)
For TCP only, TCP flags (Syn, Ack, Psh, Fin, Rst, Urg)
Direction (IN or OUT) **

* The group and number match the values displayed by "ipfstat -hnio",
though the formatting is less convenient in the latter.

** In m0n0wall, this is usually "IN", since m0n0wall's rules do most
filtering on the incoming sides of the interfaces.  E.g. outbound traffic
from LAN->WAN is actually filtered as it comes in on LAN.

					Fred Wright
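A small parser for the field layout Fred lists above, added here as an example; it is not code from this thread, from m0n0wall or from ipfilter. The regular expression is my own reconstruction from that field list and the two quoted log lines, the mapping of flag letters S/A/P/F/R/U to SYN/ACK/PSH/FIN/RST/URG is assumed from the flag names given in the mail, and the unwrap() step rejoins lines that a mail client wrapped (the problem Fred mentions) before parsing them.

```python
"""Parser for the ipfilter (ipmon) log lines discussed in this thread.

Added example: the field order follows the list in Fred Wright's mail; the
regular expression is my reconstruction from that list and the two quoted
sample lines, not anything shipped with m0n0wall or ipfilter.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Field order, per the mail: time, interface, @group:rule, disposition
# (b = blocked, p = passed), src[,port] -> dst[,port], PR proto,
# len <ip header length> <total length>, [TCP flags], [ICMP detail], IN|OUT.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<disp>[bp])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>[a-z]+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>[SAFPRU]+))?"          # TCP only, e.g. -AR, -S, -AFP
    r"(?:\s+(?P<detail>icmp\s+.+?))?"          # ICMP error: the embedded packet
    r"\s+(?P<dir>IN|OUT)\s*$"
)

# Flag letters as named in the mail (assumed single-letter ipmon encoding).
TCP_FLAGS = {"S": "SYN", "A": "ACK", "P": "PSH", "F": "FIN", "R": "RST", "U": "URG"}


@dataclass
class IpfRecord:
    time: str
    iface: str
    group: int
    rule: int
    blocked: bool
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    hdr_len: int
    pkt_len: int
    flags: Tuple[str, ...]
    detail: Optional[str]
    direction: str


def unwrap(text: str) -> List[str]:
    """Re-join log lines that a mail client wrapped: any non-empty line that
    does not start with a timestamp is a continuation of the previous one."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.match(r"\d{2}:\d{2}:\d{2}\.\d+", line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out


def parse_line(line: str) -> IpfRecord:
    """Parse one (unwrapped) ipmon line into a record; raise on unknown layout."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ipmon line: {line!r}")
    g = m.groupdict()
    return IpfRecord(
        time=g["time"], iface=g["iface"],
        group=int(g["group"]), rule=int(g["rule"]),
        blocked=(g["disp"] == "b"),
        src=g["src"], sport=int(g["sport"]) if g["sport"] else None,
        dst=g["dst"], dport=int(g["dport"]) if g["dport"] else None,
        proto=g["proto"], hdr_len=int(g["hlen"]), pkt_len=int(g["plen"]),
        flags=tuple(TCP_FLAGS.get(c, c) for c in (g["flags"] or "")),
        detail=g["detail"], direction=g["dir"],
    )


def blocked_by_rule(records: List[IpfRecord]) -> Dict[str, int]:
    """Count blocked packets per @group:rule, the key to cross-check against
    'ipfstat -hnio' as the mail describes."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.blocked:
            key = f"@{r.group}:{r.rule}"
            counts[key] = counts.get(key, 0) + 1
    return counts


# Sample input: the two lines quoted in the thread, as the mail wrapped them.
SAMPLE = """\
09:16:50.302903 rl0 @0:17 b 217.81.173.76 -> 9.3.18.20 PR icmp len 20 56
icmp unreach/port for 9.3.18.20,13794 - 192.168.0.34,4675 PR udp len 20 61
IN

09:26:54.775565 rl0 @0:15 b 68.248.200.13,63021 -> 9.3.18.20,13802 PR tcp
len 20 40 -AR IN
"""

if __name__ == "__main__":
    recs = [parse_line(l) for l in unwrap(SAMPLE)]
    for r in recs:
        print(r)
    print(blocked_by_rule(recs))
```

The ICMP line carries a second "PR udp len 20 61" describing the datagram that triggered the unreachable message; the parser keeps that tail whole in `detail` rather than trying to decode the embedded packet, so a record's `src`/`dst`/`proto` always refer to the outer packet the rule matched.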