On Sun 30 May, Ralph Clark wrote:
> The debug 31 option will generate messages like this in the system messages log
> file, as directed by /etc/syslog.conf:
>
> filter accepted rule 9 proto 6 len 295 seq f4e10d7d ack bbd0a25b flags PUSH ACK
> packet 195.11.50.200,8080 => 193.237.131.114,2742
> filter ignored rule 5 proto 6 len 40 seq f4e10e7c ack bbd0a25b flags FIN ACK
> packet 195.11.50.200,8080 => 193.237.131.114,2742
> The rule numbers quoted are allocated sequentially to your filter rules in the
> order they appear in your diald configuration files, i.e. the first filter rule
> to appear is rule no. 1. The 'proto' protocol number is the protocol number of
> the service as allocated in /etc/protocols.
aha! I've been wondering what 'proto' was for a while. Does it say this
anywhere in the diald docs? I haven't been able to find a spec for these
debug messages anywhere (I have diald 0.16, but I've also just downloaded
diald 0.99 and looked through the docs in that, and on the web.)
The 'rule number' is not very convenient if you are trying to use this
info to find a rule problem, as there is no easy way to find out which
rule is which without parsing the filter files to get rid of all the
comments and blank lines (or is there?).
I've written a noddy bit of AWK to do this and generate a numbered rule list,
but it is primitive if you have 'includes' as it only processes the one
file so you have to manually set the starting count. Is there a smarter
solution to this? Seems to me that diald really ought to be able to write
out its rule list (perhaps via syslog?) if you ask it nicely.
-----rulefilter.awk------
# Number the rules in one diald filter file the way diald does: comment
# lines (leading whitespace allowed) and blank lines are skipped, and the
# first rule printed is rule 1. For an included file, set count to the
# number of rules that precede it, e.g.  awk -v count=12 -f rulefilter.awk
/^[ \t]*#/ { next }                     # comment line
/^[ \t]*$/ { next }                     # blank line
{ count += 1; printf "%d\t%s\n", count, $0 }
use the above with something like:
awk -f rulefilter.awk standard.filter > rules.txt
The above is embarrassingly basic, but I've found it very handy when
trying to work out what is going on.
> The number separated by a comma from
> the IP address is the port number of the service used, as allocated in
> /etc/services.
OK, that's what I thought, but I don't understand why when I monitor
packets the 'to' port is usually something sensible, like '25' (SMTP),
but the 'from' port is usually something like 6586, which is way off the
end of my /etc/services list. I had wondered if it was a pid not a port,
but that didn't seem to pan out either. So why these large port numbers?
I get the feeling I am missing something fundamental...
> I haven't yet found a way to identify which process is responsible for each
> packet. If anyone knows how to find the PID of the process sending or receiving
> a given packet (and presumably this involves finding out which socket it is
> going to or coming from, and separately identifying the process which is using
> that socket) ... PLEASE let me know.
yes, I'd like to know that too...
Wookey
--
Aleph One Ltd, Bottisham, CAMBRIDGE, CB5 9BA, UK Tel (00 44) 1223 811679
work: http://www.aleph1.co.uk/ play: http://www.chaos.org.uk/~wookey/
-
To unsubscribe from this list: send the line "unsubscribe linux-diald" in
the body of a message to [EMAIL PROTECTED]
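The rule-numbering problem Wookey raises above, with included files handled, as an added example that is not part of the original message and not part of diald: it numbers the rules across a top-level filter file and its includes in reading order, then maps a "filter ... rule N" debug line back to the file, line and rule text. The include syntax (`include <path>`, relative paths resolved against the including file) and the sample filter files are assumptions made for the example, not taken from diald's documentation.

```shell
#!/bin/sh
# Added example: number diald filter rules across included files and map a
# "filter ... rule N" debug line back to the rule it refers to.
# Assumptions (not confirmed by the thread): an include directive looks like
#   include <path>
# and a relative <path> is resolved against the including file's directory.

# expand_includes FILE
#   Emit "file:line<TAB>rule" for every rule in FILE, in the order diald
#   would read them, descending into included files where they appear.
#   Comment lines (leading whitespace allowed) and blank lines are skipped.
expand_includes() {
    dir=$(dirname "$1")
    awk -v dir="$dir" -v file="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*include[ \t]+/ {
            inc = $2
            if (inc !~ /^\//) inc = dir "/" inc
            print "I\t" inc             # include record: the shell recurses
            next
        }
        { print "R\t" file ":" FNR "\t" $0 }   # rule record
    ' "$1" | while IFS= read -r rec; do
        case "$rec" in
            I*) expand_includes "${rec#I?}" ;;
            R*) printf '%s\n' "${rec#R?}" ;;
        esac
    done
}

# number_rules TOPFILE
#   Prefix each rule with its sequential number (first rule = 1), which is
#   the "rule N" value diald's debug messages quote.
number_rules() {
    expand_includes "$1" | awk 'BEGIN { FS = OFS = "\t" } { print NR, $0 }'
}

# lookup_rule TOPFILE "filter accepted rule 9 proto 6 len 295 ..."
#   Pull the rule number out of a debug line and print "file:line<TAB>rule".
#   Returns 1 if the line is not a filter debug line or the rule is unknown.
lookup_rule() {
    n=$(printf '%s\n' "$2" | sed -n 's/^filter [a-z]* rule \([0-9][0-9]*\) .*/\1/p')
    [ -n "$n" ] || return 1
    number_rules "$1" | awk -v n="$n" '
        BEGIN { FS = "\t" }
        $1 == n { sub(/^[^\t]*\t/, ""); print; found = 1 }
        END { exit !found }'
}

# --- constructed sample filter files (illustrative, not diald's shipped ones) ---
DEMO=$(mktemp -d)
cat > "$DEMO/standard.filter" <<'EOF'
# constructed top-level filter file
accept tcp 10m tcp.dest=tcp.www

include local.filter

ignore tcp tcp.fin
EOF
cat > "$DEMO/local.filter" <<'EOF'
# constructed included file
accept tcp 5m tcp.dest=tcp.smtp
    # an indented comment, also skipped
accept udp 30s udp.dest=udp.domain
EOF

# Full numbered list, then the rule behind one debug line (rule 4 here is
# the "ignore tcp tcp.fin" line of standard.filter, after the two included rules).
number_rules "$DEMO/standard.filter"
lookup_rule "$DEMO/standard.filter" \
    "filter ignored rule 4 proto 6 len 40 seq f4e10e7c ack bbd0a25b flags FIN ACK"
```

Because the numbering is produced by walking the files in the same order diald reads them, the count carries across an include boundary without a manually set starting value; the debug line itself is the only input needed for the lookup.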