On Mon, May 22, 2000 at 01:12:34PM -0700, Sam Bayne said:
<snip>
> PROTO=17 -- The IP Protocol ID, in this case UDP. This field is how
> you tell if a given packet is UDP, TCP, ICMP, whatever. I
> deduced that this was UDP based on other info in the log
> entry, but also found corroboration in O'Reilly & Assoc's
> Internet Core Protocols, by Eric A. Hall. Great book for
> serious network geeks. For the definitive answer, you should
> read the relevant RFC, (available several places around the
> internet) but I'll be the first to admit that the language
> of most RFCs glazes the eyes of most hardened network
> administrators.
You can simply check the file /etc/protocols and most of the major
protocols and their Protocol ID are there.
Here's something from the IPCHAINS-HOWTO
Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025
L=34 S=0x00 I=18 F=0x0000 T=254
`L=34' means that packet was a total of 34 bytes long.
`S=0x00' means the Type of Service field (divide by 4 to get the
Type of Service as used by ipchains).
`I=18' is the IP ID.
`F=0x0000' is the 16-bit fragment offset plus flags. A value
starting with `0x4' or `0x5' means that the Don't Fragment bit is
set. `0x2' or `0x3' means the `More Fragments' bit is set; expect
more fragments after this. The rest of the number is the offset of
this fragment, divided by 8.
`T=254' is the Time To Live of the packet. One is subtracted from
this value for every hop, and it usually starts at 15 or 255.
HTH,
G-3
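As an added illustration (not part of the message above, nor code from the IPCHAINS-HOWTO), here is a small Python parser that takes an ipchains "Packet log:" line of the shape quoted above and decodes the fields the HOWTO excerpt explains: the PROTO number (looked up in /etc/protocols when that file exists, otherwise in a small built-in table), L, S (raw and divided by 4 as ipchains uses it), I, the F= field split into Don't Fragment, More Fragments and the byte offset, and T. The two log lines embedded in it are constructed samples; the regular expression and the helper names are this example's own, not anything from ipchains.

```python
import os
import re

# Constructed sample lines. The first mirrors the shape of the line quoted from
# the IPCHAINS-HOWTO; the second is a made-up TCP fragment with MF set.
SAMPLE_LOG = ("Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 "
              "192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254")
SAMPLE_FRAGMENT = ("Packet log: input DENY eth0 PROTO=6 10.0.0.5:40000 "
                   "10.0.0.9:80 L=60 S=0x10 I=4242 F=0x2003 T=64")

# Fallback subset of /etc/protocols, used only when the real file is absent.
BUILTIN_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)


def load_protocol_table(path="/etc/protocols"):
    """Map protocol number -> name from /etc/protocols, as the message suggests.

    Lines look like "udp 17 UDP # user datagram protocol". If the file is
    missing (e.g. on a non-Unix host) the built-in subset is returned.
    """
    if not os.path.exists(path):
        return dict(BUILTIN_PROTOCOLS)
    table = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            parts = line.split()
            if len(parts) >= 2 and parts[1].isdigit():
                table.setdefault(int(parts[1]), parts[0])
    return table or dict(BUILTIN_PROTOCOLS)


def decode_fragment_field(frag):
    """Split the 16-bit F= value into DF, MF and the fragment offset in bytes.

    Bit 0x4000 is Don't Fragment (leading hex digit 4 or 5 in the HOWTO's
    description), bit 0x2000 is More Fragments (leading digit 2 or 3), and the
    low 13 bits are the offset in units of 8 bytes.
    """
    return {
        "df": bool(frag & 0x4000),
        "mf": bool(frag & 0x2000),
        "offset_bytes": (frag & 0x1FFF) * 8,
    }


def parse_ipchains_log(line, protocols=None):
    """Parse one ipchains 'Packet log:' line into a dict of decoded fields."""
    protocols = protocols if protocols is not None else BUILTIN_PROTOCOLS
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line: %r" % line)
    d = m.groupdict()
    proto = int(d["proto"])
    tos_raw = int(d["tos"], 16)
    rec = {
        "chain": d["chain"], "target": d["target"], "iface": d["iface"],
        "proto": proto,
        "proto_name": protocols.get(proto, "unknown(%d)" % proto),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]),          # L= total packet length, bytes
        "tos_raw": tos_raw,                  # S= Type of Service byte
        "tos_ipchains": tos_raw // 4,        # as the HOWTO says: divide by 4
        "ipid": int(d["ipid"]),              # I= IP identification
        "ttl": int(d["ttl"]),                # T= Time To Live
    }
    rec.update(decode_fragment_field(int(d["frag"], 16)))
    # A non-first fragment carries no transport header, so the ports logged
    # for it are not meaningful; flag that for anyone reading the record.
    rec["ports_valid"] = rec["offset_bytes"] == 0
    return rec


if __name__ == "__main__":
    table = load_protocol_table()
    for sample in (SAMPLE_LOG, SAMPLE_FRAGMENT):
        rec = parse_ipchains_log(sample, table)
        print("%s %s -> %s:%d  len=%d ttl=%d DF=%s MF=%s off=%d" % (
            rec["target"], rec["proto_name"], rec["dst"], rec["dport"],
            rec["length"], rec["ttl"], rec["df"], rec["mf"],
            rec["offset_bytes"]))
```

Run it directly to see both constructed samples decoded; the `ports_valid` flag is worth keeping in any log-review script, because ipchains prints whatever bytes sit where the ports would be even on a later fragment that has no UDP/TCP header.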