[buug] Reading ipchains logs

Rick Moen rick at linuxmafia.com
Wed Jul 23 12:33:09 PDT 2003

Quoting Bill Honeycutt (wfhoney at pacbell.net):

> These entries popped up in /var/log/messages today.
> ------------- start of log snippet -------------
> Jul  7 02:51:01 radhost kernel: Packet log: input REJECT eth0 PROTO=6
> L=48 S=0x00 I=11967 F=0x4000 T=113 SYN
> (#58)
> Jul  7 02:51:08 radhost kernel: Packet log: input REJECT eth0 PROTO=6
> L=48 S=0x00 I=12550 F=0x4000 T=113 SYN
> (#58)
> ------------- end of log snippet -------------
> It begged the question, "What is 'I=11967 F=0x4000 T=113'?"
> Any suggestions on where to find ipchains log information would be 
> appreciated.

input:  Name of the chian containing the rule that matched this packet.
REJECT:  What that rule said to do.
eth0:  Interface name.
PROTO:  protocol family per /etc/protocol.  In this case, TCP.  Source IP.
4080:  Source port.  Destination IP.
80:  Destination port.
L:  Packet length in bytes.  In this case, 48 bytes.
S:  Type of service x 4.  In this case, service 0.
I:  IP ID.  In this case, 11967.  Basically just sequence #, I think.
F:  Fragment offset.  The 0x4 prefix means "Don't fragment" (as would 0x5).
T:  Time to love
SYN:  Flag value.
#58:  Rule number that generated this log entry.

Oh, just found this handy quick reference:

Cheers,      "Transported to a surreal landscape, a young girl kills the first
Rick Moen     woman she meets, and then teams up with three complete strangers
rick at linuxmafia.com       to kill again."  -- Rick Polito's That TV Guy column,
              describing the movie _The Wizard of Oz_

More information about the buug mailing list