[SLUG] Easier Reading of Linux Firewall Logs

From: Glenn Meyer (me@glennmeyer.com)
Date: Mon Dec 24 2001 - 10:42:30 EST


I am trying to build a simple Perl script to make my firewall logs easier to
read. In doing so, I realized that I really don't understand the information
in the log very well. I am hoping someone can point me to a reference or
perhaps give a simple explanation of either what I am seeing or what I need
to watch out for.

For example...
I am using IPTables on RH7.1 kernel 2.4.3-12 and block/log all
incoming/outside-initiated connections except ports 22, 25, and 80. I am
seeing log data like this...

Dec 23 04:07:03 fire kernel: IN=eth0 OUT=
MAC=00:a0:cc:51:a5:c9:08:00:3e:13:19:ab:08:00 SRC=24.92.216.37
DST=24.92.194.245 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=23966 DF PROTO=TCP
SPT=21560 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0

Dec 23 06:56:46 fire kernel: IN=eth0 OUT=
MAC=00:a0:cc:51:a5:c9:08:00:3e:13:19:ab:08:00 SRC=65.32.1.66
DST=24.92.194.245 LEN=329 TOS=0x00 PREC=0x00 TTL=251 ID=61735 DF PROTO=UDP
SPT=67 DPT=68 LEN=309

We can skip the Date, Time, Hostname (fire), Source (kernel), IN=eth0, OUT=
... I understand those all right.

MAC=00:a0:cc:51:a5:c9:08:00:3e:13:19:ab:08:00 is always the same and the
first 12 digits do match my card's MAC - but what are all of the trailing
digits (16 of them)?

SRC=Source IP Address. DST=My IP Address. SPT=Source Port. DPT=Destination
Port. PROTO=TCP, UDP or ICMP. Those I understand.

Here are the parts I DON'T understand...
LEN=somenumber - assume it is packet length?? Changes.
TOS=0x00 - not a clue - almost always the same - rarely changes
PREC=0x00 - not a clue - almost always the same - rarely changes
TTL=251 - I'm assuming this is a Time to Live number, but how is it helpful?
ID=61735 - not a clue - looks like it is never the same.

Thanks for your info. Learning more every day.
Glenn.
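The parser below is an added example for this thread (written in Python rather than the Perl the poster mentions; it is not code from the original post). It splits a netfilter LOG record into its fields and decodes the ones asked about: the MAC field is the 14-byte Ethernet header as it arrived, destination MAC (the local card), source MAC (the upstream router) and ethertype (08:00 = IPv4), which is why 12 hex digits match the card and 16 more follow; the first LEN is the IP total length in bytes and the second one, printed after PROTO=UDP, is the UDP length (header plus payload); TOS and PREC are the type-of-service and precedence bits of the IP TOS byte; ID is the IP identification field used to match fragments, so it differs per packet; TTL is what is left of the sender's initial hop count, so comparing it with common initial values (64, 128, 255) gives a rough hop distance. The two sample records are the poster's own, rejoined onto one line each; the port-name table and the initial-TTL list are the example's assumptions, not part of the LOG format.

```python
"""Parse netfilter LOG target records ("kernel: IN=... OUT=..." lines in
/var/log/messages) into dicts and render a one-line summary per packet.
Added example for this thread; not code from the original post."""
import re

# The two records from the post, rejoined onto one line each (syslog writes
# one record per line; the mail client wrapped them).
SAMPLE_LOG = [
    "Dec 23 04:07:03 fire kernel: IN=eth0 OUT= "
    "MAC=00:a0:cc:51:a5:c9:08:00:3e:13:19:ab:08:00 SRC=24.92.216.37 "
    "DST=24.92.194.245 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=23966 DF PROTO=TCP "
    "SPT=21560 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Dec 23 06:56:46 fire kernel: IN=eth0 OUT= "
    "MAC=00:a0:cc:51:a5:c9:08:00:3e:13:19:ab:08:00 SRC=65.32.1.66 "
    "DST=24.92.194.245 LEN=329 TOS=0x00 PREC=0x00 TTL=251 ID=61735 DF PROTO=UDP "
    "SPT=67 DPT=68 LEN=309",
]

# "Mon DD HH:MM:SS host kernel: [optional uptime stamp] <fields>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\]\s*)?(?P<fields>.*)$"
)
DEC_FIELDS = {"TTL", "ID", "SPT", "DPT", "WINDOW", "URGP", "TYPE", "CODE", "SEQ", "ACK"}
HEX_FIELDS = {"TOS", "PREC", "RES"}
# Bare tokens the LOG target prints for set TCP flag bits.
TCP_FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
# Assumed common initial TTLs (Linux/BSD 64, Windows 128, Solaris/Cisco 255);
# only good for a rough hop estimate, not for identifying the sender.
INITIAL_TTLS = (64, 128, 255)
# Local port-name table (assumption) so the example does not read /etc/services.
PORT_NAMES = {22: "ssh", 25: "smtp", 80: "http", 139: "netbios-ssn",
              67: "bootps", 68: "bootpc"}


def parse_iptables_log(line):
    """Return a dict of the record's fields; raise ValueError for other lines."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a kernel log record: %r" % line)
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "ip_flags": [], "tcp_flags": []}
    for tok in m.group("fields").split():
        if "=" not in tok:
            # DF / MF / CE / FRAG:n belong to the IP header; the rest are TCP flags.
            (rec["tcp_flags"] if tok in TCP_FLAG_TOKENS else rec["ip_flags"]).append(tok)
            continue
        key, _, val = tok.partition("=")
        if key == "LEN":
            # First LEN= is the IP total length; a second LEN= (after PROTO=UDP)
            # is the UDP length: 8-byte header plus payload.
            rec["udp_len" if "len" in rec else "len"] = int(val)
        elif key == "MAC":
            rec["mac"] = val
            octets = val.split(":")
            if len(octets) == 14:
                # Ethernet header: 6 bytes destination (your card), 6 bytes
                # source (upstream router), 2 bytes ethertype (08:00 = IPv4).
                rec["dst_mac"] = ":".join(octets[0:6])
                rec["src_mac"] = ":".join(octets[6:12])
                rec["ethertype"] = int("".join(octets[12:14]), 16)
        elif key in HEX_FIELDS:
            rec[key.lower()] = int(val, 16)
        elif key in DEC_FIELDS:
            rec[key.lower()] = int(val)
        else:
            rec[key.lower()] = val  # IN, OUT, SRC, DST, PROTO, OPT, ...
    return rec


def estimate_hops(ttl):
    """Guess the sender's initial TTL and how many routers the packet crossed."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def summarize(rec):
    """Render one parsed record as a single readable line."""
    src, dst = rec.get("src", "?"), rec.get("dst", "?")
    if "spt" in rec:
        name = PORT_NAMES.get(rec["dpt"], str(rec["dpt"]))
        endpoints = "%s:%d -> %s:%d (%s)" % (src, rec["spt"], dst, rec["dpt"], name)
    else:
        endpoints = "%s -> %s" % (src, dst)
    parts = [rec["timestamp"], rec.get("proto", "?"), endpoints]
    if "type" in rec:  # ICMP records carry TYPE/CODE instead of ports
        parts.append("type=%d code=%d" % (rec["type"], rec.get("code", 0)))
    if rec["tcp_flags"]:
        parts.append("/".join(rec["tcp_flags"]))
    parts.append("len=%d" % rec["len"])
    if "udp_len" in rec:
        parts.append("udplen=%d" % rec["udp_len"])
    initial, hops = estimate_hops(rec["ttl"])
    parts.append("ttl=%d (~%d hops if initial %d)" % (rec["ttl"], hops, initial))
    parts.append("id=%d" % rec["id"])
    parts.extend(rec["ip_flags"])
    if "src_mac" in rec:
        parts.append("via %s" % rec["src_mac"])
    return " ".join(parts)


def summarize_log(lines):
    """Summaries for every LOG record in an iterable of syslog lines."""
    out = []
    for line in lines:
        try:
            out.append(summarize(parse_iptables_log(line)))
        except ValueError:
            continue  # not a netfilter record (sshd, cron, ...)
    return out


if __name__ == "__main__":
    for summary in summarize_log(SAMPLE_LOG):
        print(summary)
```

Run it as `python iptlog.py` for the two sample records, or feed it `/var/log/messages` line by line; non-netfilter lines are skipped. On the first record it prints the connection as a SYN from 24.92.216.37 to the NetBIOS session port with a TTL consistent with a Windows-type host about five hops away, which is the kind of one-line view the poster's Perl script was after.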



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:21:51 EDT