On Mon, 15 Jan 2001, Gilad Ben-Yossef wrote:

> Tzafrir Cohen wrote:
> 
> > Hi
> > 
> > I'm trying to understand a certain recurring denied packet. The trouble
> > is I can't find any reference to the meaning of all the fields in the
> > syslog message. Can anybody point me to such a reference?
> 
> Use the source, Luke: ;-)
> 
> printk("%s PROTO=%d %d.%d.%d.%d:%hu %d.%d.%d.%d:%hu"
> " L=%hu S=0x%2.2hX I=%hu F=0x%4.4hX T=%hu",
> ifname, ip->protocol,
> (ntohl(ip->saddr)>>24)&0xFF,
> (ntohl(ip->saddr)>>16)&0xFF,
> (ntohl(ip->saddr)>>8)&0xFF,
> (ntohl(ip->saddr))&0xFF,
> src_port,
> (ntohl(ip->daddr)>>24)&0xFF,
> (ntohl(ip->daddr)>>16)&0xFF,
> (ntohl(ip->daddr)>>8)&0xFF,
> (ntohl(ip->daddr))&0xFF,
> dst_port,
> ntohs(ip->tot_len), ip->tos, ntohs(ip->id),
> ntohs(ip->frag_off), ip->ttl);
> 
> for (opti = 0; opti < (ip->ihl- sizeof(struct iphdr) / 4); opti++)
> printk(" O=0x%8.8X", *opt++);
> printk(" %s(#%d)\n", syn ? "SYN " : /* "PENANCE" */ "", count);
> 
> 
> It goes like this:
> 
> Packet log: <ipchains label that caught packet> <ipchains action name>
> [if action=FW_REDIRECT then destination ip] <interface name (like 
> "eth0")> <IP protocol (like 6)>
> <source ip> <source port> <dest ip> <dest port> <Total length of packet 
> as advertised in header>
> < the Terms of Service bit field> <IP packet id> <The fragment offset 
> field from header>
> <Time to live field from header> [IP options mumbo jumbo, if exists] [ 
> SYN, if it is]
> (#<count - probably the real packet length>)

OK. After Boaz pointed me to the IPCHAINS-HOWTO, I thought I might just as
well complete your answer (using the source alone has its limitations...)

http://linux.org.il/LDP/HOWTO/IPCHAINS-HOWTO-4.html

(It's a lengthy text. Search for "Packet log".) Quoting from there:

   `(#5)' there may be a final number in brackets on more recent kernels
   (perhaps after 2.2.9). This is the rule number which caused the packet log.

Calling it "count" is indeed a bit misleading.

Thanks everybody

-- 
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
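For anyone who lands on this thread with the same question, here is a small parser for the "Packet log:" line layout that Gilad reconstructed from the printk format above. It is an added example and not code from the thread, the kernel or the HOWTO; the sample syslog lines are constructed, and the handling of the optional token between the action and the interface (the redirect target) is an assumption based on Gilad's description rather than something verified against every kernel version. It decodes the hex fields that are easy to misread (the F= fragment word into DF/MF/offset, the O= option words) and counts DENY/REJECT entries by source, protocol and destination port, which is the quickest way to see which "recurring denied packet" a log is full of.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Layout, following the printk format quoted in the thread:
#   Packet log: <chain> <action> [target] <ifname> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> [O=0x<opt>...] [SYN] (#<rule>)
# The [target] token is an assumption taken from the description above, not verified.
_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?:(?P<target>\S+) )?(?P<ifname>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<opts>(?: O=0x[0-9A-Fa-f]+)*)"
    r"(?P<syn> SYN)?"
    r"(?: ?\(#(?P<rule>\d+)\))?"
)

_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def proto_name(proto: int) -> str:
    return _PROTO_NAMES.get(proto, str(proto))


@dataclass
class IpchainsLogEntry:
    chain: str
    action: str
    ifname: str
    proto: int
    src: str
    sport: int       # for ICMP this slot carries the ICMP type, not a port
    dst: str
    dport: int       # for ICMP this slot carries the ICMP code
    length: int      # total length as advertised in the IP header
    tos: int
    ipid: int
    frag_off: int    # raw 16-bit fragment word: flags in the top 3 bits, offset below
    ttl: int
    options: List[int]
    syn: bool
    rule: Optional[int]          # the (#n) suffix: rule number on newer 2.2 kernels
    target: Optional[str] = None

    @property
    def dont_fragment(self) -> bool:
        return bool(self.frag_off & 0x4000)

    @property
    def more_fragments(self) -> bool:
        return bool(self.frag_off & 0x2000)

    @property
    def fragment_offset_bytes(self) -> int:
        # The 13-bit offset is in units of 8 bytes.
        return (self.frag_off & 0x1FFF) * 8


def parse_ipchains_log(line: str) -> Optional[IpchainsLogEntry]:
    """Parse one syslog line; returns None if it is not a Packet log line."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return IpchainsLogEntry(
        chain=g["chain"], action=g["action"], ifname=g["ifname"],
        proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        tos=int(g["tos"], 16), ipid=int(g["ipid"]), frag_off=int(g["frag"], 16),
        ttl=int(g["ttl"]),
        options=[int(o, 16) for o in re.findall(r"O=0x([0-9A-Fa-f]+)", g["opts"])],
        syn=g["syn"] is not None,
        rule=int(g["rule"]) if g["rule"] else None,
        target=g["target"],
    )


def summarize_denied(log_text: str) -> Counter:
    """Count DENY/REJECT entries by (src, protocol, dst port) to spot a recurring one."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        entry = parse_ipchains_log(line)
        if entry and entry.action in ("DENY", "REJECT"):
            counts[(entry.src, proto_name(entry.proto), entry.dport)] += 1
    return counts


# Constructed sample syslog lines (hypothetical hosts and addresses), not real logs.
SAMPLE_LOG = """\
Jan 15 10:01:02 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4321 192.168.1.1:23 L=60 S=0x00 I=54321 F=0x4000 T=64 SYN (#5)
Jan 15 10:01:03 gw kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:4322 192.168.1.1:23 L=60 S=0x00 I=54322 F=0x4000 T=64 SYN (#5)
Jan 15 10:01:04 gw kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.9:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254 (#5)
Jan 15 10:01:05 gw kernel: Packet log: input DENY eth0 PROTO=1 10.0.0.7:8 192.168.1.1:0 L=84 S=0x00 I=7 F=0x2000 T=63 (#7)
Jan 15 10:01:06 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.5:4323 192.168.1.1:22 L=60 S=0x10 I=9 F=0x4000 T=64 O=0x01010000 SYN (#2)
"""

if __name__ == "__main__":
    for (src, proto, dport), n in summarize_denied(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src} -> {proto}/{dport}")
```

Feed it `grep 'Packet log' /var/log/messages` and the most_common() list shows which denied flow keeps coming back; the dataclass properties give you DF/MF and the byte offset without hand-decoding the F= word.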
