[buug] Reading ipchains logs
Rick Moen
rick at linuxmafia.com
Wed Jul 23 12:33:09 PDT 2003
Quoting Bill Honeycutt (wfhoney at pacbell.net):
> These entries popped up in /var/log/messages today.
>
> ------------- start of log snippet -------------
> Jul 7 02:51:01 radhost kernel: Packet log: input REJECT eth0 PROTO=6
> 211.167.233.24:4080 10.1.0.2:80 L=48 S=0x00 I=11967 F=0x4000 T=113 SYN
> (#58)
> Jul 7 02:51:08 radhost kernel: Packet log: input REJECT eth0 PROTO=6
> 211.167.233.24:4080 10.1.0.2:80 L=48 S=0x00 I=12550 F=0x4000 T=113 SYN
> (#58)
> ------------- end of log snippet -------------
>
> It begged the question, "What is 'I=11967 F=0x4000 T=113'?"
>
> Any suggestions on where to find ipchains log information would be
> appreciated.
input: Name of the chain containing the rule that matched this packet.
REJECT: What that rule said to do.
eth0: Interface name.
PROTO: protocol family per /etc/protocols. In this case, TCP.
211.167.233.24: Source IP.
4080: Source port.
10.1.0.2: Destination IP.
80: Destination port.
L: Packet length in bytes. In this case, 48 bytes.
S: Type of service x 4. In this case, service 0.
I: IP ID. In this case, 11967. Basically just sequence #, I think.
F: Fragment offset. The 0x4 prefix means "Don't fragment" (as would 0x5).
T: Time to live
SYN: Flag value.
#58: Rule number that generated this log entry.
Oh, just found this handy quick reference:
http://logi.cc/linux/ipchains-log-format.html
--
Cheers,
Rick Moen
rick at linuxmafia.com

"Transported to a surreal landscape, a young girl kills the first woman she meets, and then teams up with three complete strangers to kill again." -- Rick Polito's That TV Guy column, describing the movie _The Wizard of Oz_
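The field-by-field breakdown above is enough to write a parser. The following is an added example (not code from the original post or from the ipchains project) that parses "Packet log:" lines into their fields, decodes the F word into its DF / MF bits and fragment offset, maps the protocol number through a small hand-written subset of /etc/protocols, and tallies rejected connection attempts per source. The sample input is constructed: the two entries quoted in the post with each kernel line re-joined onto a single line, plus one made-up UDP DENY entry (the 192.0.2.9 address is from the documentation range) to exercise the no-SYN, no-DF path. PROTO_NAMES, PacketLogEntry, parse_line, parse_log and summarize are names chosen for this example.

```python
"""Parser for ipchains "Packet log:" syslog lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two entries from the post, re-joined onto
# one line each, plus one made-up UDP DENY line (192.0.2.9 is documentation
# address space) so the parser sees a line without SYN and without DF.
SAMPLE_LOG = """\
Jul  7 02:51:01 radhost kernel: Packet log: input REJECT eth0 PROTO=6 211.167.233.24:4080 10.1.0.2:80 L=48 S=0x00 I=11967 F=0x4000 T=113 SYN (#58)
Jul  7 02:51:08 radhost kernel: Packet log: input REJECT eth0 PROTO=6 211.167.233.24:4080 10.1.0.2:80 L=48 S=0x00 I=12550 F=0x4000 T=113 SYN (#58)
Jul  7 03:10:44 radhost kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.9:1234 10.1.0.2:53 L=60 S=0x00 I=4 F=0x0000 T=64 (#41)
"""

# Hand-written subset of /etc/protocols (assumption: enough for this demo);
# anything else is reported by number.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# One regex for the whole line: syslog prefix, then the ipchains fields in
# the order the post lists them.  The SYN token is optional; the rule number
# is always last, in parentheses after a '#'.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) "
    r"(?:(?P<syn>SYN) )?\(#(?P<rule>\d+)\)\s*$"
)


@dataclass
class PacketLogEntry:
    timestamp: str
    host: str
    chain: str      # chain whose rule matched (input / output / forward / user chain)
    action: str     # what the rule did: REJECT, DENY, ACCEPT, ...
    iface: str
    proto: int
    src: str
    sport: int      # for ICMP the two "port" numbers are type and code
    dst: str
    dport: int
    length: int     # L=, total IP packet length in bytes
    tos: int        # S=, the IP type-of-service byte
    ip_id: int      # I=, the IP identification field
    frag_word: int  # F=, the 16-bit IP flags + fragment-offset word
    ttl: int        # T=, time to live
    syn: bool       # True when the line carries the SYN token
    rule: int       # rule number that produced the log entry

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))

    # Bit layout of the F word: 0x8000 reserved, 0x4000 DF, 0x2000 MF,
    # low 13 bits = fragment offset in 8-byte units.
    @property
    def dont_fragment(self) -> bool:
        return bool(self.frag_word & 0x4000)

    @property
    def more_fragments(self) -> bool:
        return bool(self.frag_word & 0x2000)

    @property
    def fragment_offset(self) -> int:
        return (self.frag_word & 0x1FFF) * 8   # offset in bytes


def parse_line(line: str) -> Optional[PacketLogEntry]:
    """Return a PacketLogEntry for an ipchains log line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return PacketLogEntry(
        timestamp=m["ts"], host=m["host"], chain=m["chain"], action=m["action"],
        iface=m["iface"], proto=int(m["proto"]),
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        length=int(m["length"]), tos=int(m["tos"], 16), ip_id=int(m["ipid"]),
        frag_word=int(m["frag"], 16), ttl=int(m["ttl"]),
        syn=m["syn"] is not None, rule=int(m["rule"]),
    )


def parse_log(text: str) -> List[PacketLogEntry]:
    """Parse every ipchains line in a syslog excerpt, silently skipping other lines."""
    entries = [parse_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def summarize(entries: List[PacketLogEntry]) -> Dict[Tuple[str, str, int, str], int]:
    """Count hits per (source IP, destination IP, destination port, action)."""
    return Counter((e.src, e.dst, e.dport, e.action) for e in entries)


def describe(e: PacketLogEntry) -> str:
    flags = "DF" if e.dont_fragment else ("MF" if e.more_fragments else "-")
    return (f"{e.timestamp} {e.chain}/{e.action} {e.iface} {e.proto_name} "
            f"{e.src}:{e.sport} -> {e.dst}:{e.dport} len={e.length} tos=0x{e.tos:02x} "
            f"id={e.ip_id} frag={flags}+{e.fragment_offset} ttl={e.ttl} "
            f"{'SYN ' if e.syn else ''}rule=#{e.rule}")


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry in parsed:
        print(describe(entry))
    for key, n in summarize(parsed).items():
        print(f"{n:3d}  {key}")
```

Run against a real /var/log/messages the summary shows at a glance which sources keep retrying (the two quoted lines are the same host resending its SYN seven seconds later, with a new IP ID each time), and the decoded F word makes the "0x4 prefix means Don't fragment" remark concrete: 0x4000 is the DF bit with a zero fragment offset.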