A long time ago, in a galaxy far, far away, someone said...
> Here's an example:
>
> Oct 1 18:30:09 stimpy kernel: Firewall:IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:80:5a:e6:33:00:08:00 SRC=24.216.244.211
> DST=24.216.244.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=17211
> PROTO=UDP SPT=137 DPT=137 LEN=58
>
> I'm reading that as:
>
> -coming IN to my eth0
> -going OUT my MAC address because it doesn't belong to my ip

The OUT= field is blank - from the networking POV the packet isn't being
pushed back out. The MAC= field is read as dst-mac:src-mac:08:00. I don't
know what the last 2 bytes mean.

> -SRC is the source ip
> -DST is the destination ip, but the last .255 makes me wonder if this isn't
> being broadcast to everyone on the network

It's being broadcast to everyone on your IP subnet. Incidentally it's a
Windows networking broadcast (probably name announcement).

> -LEN is the length? but of what?

Length of the entire packet probably.

> -TOS ??

Type of service - specifies whether the packet should have minimum latency
or maximum throughput and stuff like that.

> -PREC ??

No idea.

> -TTL ??

Time To Live - how many maximum router hops the packet is specified to go
through.

> -ID ??

If you look each ID number is different. I recently had some funny stuff
going on against my firewalling code (lots of connection attempts, from the
same UDP port to the same UDP port from the same computer) and the number
incremented each time. I'm guessing it's part of the connection tracking
capabilities of iptables.

> -PROTO is using the UDP protocol
> -SPT i assume is source port 137 from 'their' machine
> -DPT i assume is the destination port on DST (which isn't me)
> -LEN 2nd length??

Length of the UDP part of the packet.

> Is there a faq somewhere that can help me break this stuff down so I
> can pore over the logs and understand what I'm looking at.

I'm not aware of any such faq but you do learn some of this stuff pretty
fast when dealing with Ciscos :) Try one of their entry-level certification
books.
--
----------------------------------------------------------------------
Phil Brutsche                                        [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
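The field-by-field reading of the quoted log line, as an added parser that is not part of the original thread. It splits MAC= the way the reply describes (destination MAC, source MAC, then the 2-byte EtherType, where 08:00 is IPv4), keeps the first LEN= as the IP total length and the second as the UDP length, and tests for broadcast on the layer-2 address rather than on a .255 host part; the class and function names and the re-joined sample line are assumptions made here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample: the log line quoted in the message above, re-joined onto one line.
SAMPLE_LINE = ("Oct 1 18:30:09 stimpy kernel: Firewall:IN=eth0 OUT= "
               "MAC=ff:ff:ff:ff:ff:ff:00:80:5a:e6:33:00:08:00 SRC=24.216.244.211 "
               "DST=24.216.244.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=17211 "
               "PROTO=UDP SPT=137 DPT=137 LEN=58")

HEADER_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (.*?)IN=")
TOKEN_RE = re.compile(r"([A-Z]+)=(\S*)")   # OUT= is legitimately empty for inbound packets
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass
class LogEntry:                            # hypothetical name, defined only for this example
    timestamp: str
    host: str
    prefix: str                            # text before IN=, here "Firewall:"
    fields: Dict[str, str] = field(default_factory=dict)  # first occurrence of each key
    udp_len: Optional[int] = None          # the second LEN= that follows SPT/DPT on UDP lines
    dst_mac: Optional[str] = None          # MAC= is dst-mac:src-mac:ethertype (14 bytes)
    src_mac: Optional[str] = None
    ethertype: Optional[str] = None        # "08:00" is the EtherType for IPv4

    @property
    def is_broadcast(self) -> bool:
        # The layer-2 broadcast address is the reliable test; a .255 host part alone
        # only means broadcast if the subnet mask happens to be /24.
        return self.dst_mac == BROADCAST_MAC

def parse_iptables_log(line: str) -> LogEntry:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a kernel firewall log line")
    entry = LogEntry(m.group(1), m.group(2), m.group(3).strip())
    for key, value in TOKEN_RE.findall(line[m.end(3):]):
        if key == "LEN" and "LEN" in entry.fields and entry.fields.get("PROTO") == "UDP":
            entry.udp_len = int(value)     # IP total length already stored; this is the UDP length
        else:
            entry.fields.setdefault(key, value)
    octets = entry.fields.get("MAC", "").split(":")
    if len(octets) == 14:
        entry.dst_mac = ":".join(octets[:6])
        entry.src_mac = ":".join(octets[6:12])
        entry.ethertype = ":".join(octets[12:])
    return entry
```

Run `parse_iptables_log(SAMPLE_LINE)` to get the sample decoded; on the quoted line it yields IP length 78, UDP length 58 and a layer-2 broadcast to port 137 from 24.216.244.211.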