Date: Thu, 6 Apr 2000 06:01:00 -0700 (PDT)
From: Dave Runkle <drunkle@home.com>
To: BobF <FBob@wt.net>
Cc: questions@FreeBSD.ORG
Subject: Re: Log File Entry Decoding
Message-ID: <Pine.BSF.4.10.10004060536280.40807-100000@xb.fiddi.com>
In-Reply-To: <0004060118160L.00416@desk1>
Bob, check out the Linux HOWTO on IPCHAINS. This one is at Rusty Russell's website (he wrote IPCHAINS). Check down around the middle of this page for the section "Logging Packets". It will tell you everything you need to know about decoding those logs.

http://www.rustcorp.com/linux/ipchains/HOWTO-4.html

You probably are most interested in the IP address parts, though. This log entry says that your rule 'input' DENIED (dropped) the probe from 155.230.152.165. You can often find out exactly who that is by using tools such as 'whois' or 'nslookup', or if you want an easy web-based search, try:

http://www.samspade.org/

This hit came in over your ppp0 link; the protocol was TCP (6). Other probes might use 17 (UDP) or 1 (ICMP).

The hit came to your port 635. Check /etc/services; generally:

grep 635 /etc/services

returned no match, so check IANA for further information:

rlzdbase 635/tcp RLZ DBase
rlzdbase 635/udp RLZ DBase

Find port numbers at: http://www.iana.org/numbers.html

The probe came from the address 155.230.152.165, from his port 24134. His port doesn't matter, as it's just assigned as needed and really has no correlation to what he's trying to do. If you're interested, protocol numbers are available at IANA as well.

The unimportant entries L, S, I, F and T are explained on Rusty's website, noted above at rustcorp.

Dave

On Thu, 6 Apr 2000, BobF wrote:

> Is there a tutorial, white paper or (least preferred) RFC that
> would show me how to turn the following log entry into useful
> information?
>
> desk1 kernel: Packet log: input DENY ppp0 PROTO=6
> 155.230.152.165:24134 xxx.xxx.xxx.xxx:635
> L=40 S=0x00 I=36797 F=0x0000 T=238(#1)
>
> --
> Bob F
> EMail FBob@wt.net

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
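Added example, not part of either message in this thread: a small Python parser for the ipchains "Packet log:" line Bob posted, using the field layout from the HOWTO section Dave links (chain, action, interface, PROTO, source and destination address:port, then L=length, S=TOS, I=IP ID, F=fragment field, T=TTL and the matching rule number in parentheses; for PROTO=1 the two "port" fields are ICMP type and code). The syslog prefixes, the follow-up lines and the 10.9.8.7 ICMP record are constructed sample data; the destination stays masked as xxx.xxx.xxx.xxx so the line parses exactly as it was posted. It also groups hits by source address, which is the check you want before deciding whether one DENY is noise or part of a scan.

```python
"""Parse Linux 2.2 ipchains "Packet log:" kernel messages (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Protocol numbers named in the mail; the full list is IANA's assigned numbers.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Layout from the ipchains HOWTO, "Logging Packets":
#   <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<length> S=<TOS> I=<IP id> F=<fragment field> T=<TTL> (#<rule>)
# For PROTO=1 the two "port" fields carry ICMP type and code instead.
# "[\d.x]+" accepts the masked destination exactly as posted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.x]+):(?P<sport>\d+) (?P<dst>[\d.x]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?:\s*\(#(?P<rule>\d+)\))?"
)


@dataclass
class PacketLog:
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int          # ICMP type when proto == 1
    dst: str
    dport: int          # ICMP code when proto == 1
    length: int
    tos: int
    ipid: int
    frag: int
    ttl: int
    rule: Optional[int]  # rule number within the chain, if logged

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto {self.proto}")


def parse_packet_log(line: str) -> Optional[PacketLog]:
    """Return a PacketLog for a syslog line carrying an ipchains record, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return PacketLog(
        chain=g["chain"], action=g["action"], iface=g["iface"],
        proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        tos=int(g["tos"], 16), ipid=int(g["ipid"]), frag=int(g["frag"], 16),
        ttl=int(g["ttl"]), rule=int(g["rule"]) if g["rule"] else None,
    )


def describe(p: PacketLog) -> str:
    """One-line reading of the record in the terms Dave used in his reply."""
    if p.proto == 1:
        what = f"ICMP type {p.sport} code {p.dport}"
    else:
        what = f"{p.proto_name} from port {p.sport} to port {p.dport}"
    rule = f" (rule #{p.rule})" if p.rule is not None else ""
    return (f"chain '{p.chain}' {p.action} on {p.iface}: {p.src} -> {p.dst}, "
            f"{what}, len {p.length}, ttl {p.ttl}{rule}")


def ports_per_source(lines: Iterable[str]) -> Dict[str, Set[int]]:
    """Destination ports hit per source address (ICMP records excluded).
    Source ports are ignored: as the mail says, they are just the sender's
    ephemeral ports. Many distinct destination ports from one address is
    the shape of a port scan rather than a single stray connection."""
    hits: Dict[str, Set[int]] = defaultdict(set)
    for line in lines:
        p = parse_packet_log(line)
        if p is not None and p.proto != 1:
            hits[p.src].add(p.dport)
    return dict(hits)


# Constructed sample: Bob's line (with an invented syslog prefix) plus made-up follow-ups.
SAMPLE_LINES = [
    "Apr  6 01:10:22 desk1 kernel: Packet log: input DENY ppp0 PROTO=6 "
    "155.230.152.165:24134 xxx.xxx.xxx.xxx:635 L=40 S=0x00 I=36797 F=0x0000 T=238(#1)",
    "Apr  6 01:10:23 desk1 kernel: Packet log: input DENY ppp0 PROTO=6 "
    "155.230.152.165:24135 xxx.xxx.xxx.xxx:111 L=40 S=0x00 I=36798 F=0x0000 T=238(#1)",
    "Apr  6 01:10:24 desk1 kernel: Packet log: input DENY ppp0 PROTO=17 "
    "155.230.152.165:1029 xxx.xxx.xxx.xxx:635 L=78 S=0x00 I=36799 F=0x0000 T=238(#1)",
    "Apr  6 01:11:02 desk1 kernel: Packet log: input DENY ppp0 PROTO=1 "
    "10.9.8.7:8 xxx.xxx.xxx.xxx:0 L=84 S=0x00 I=4242 F=0x0000 T=64(#2)",
    "Apr  6 01:11:03 desk1 kernel: unrelated message",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_packet_log(line)
        print(describe(p) if p else f"skip: {line}")
    for src, ports in ports_per_source(SAMPLE_LINES).items():
        print(f"{src}: {len(ports)} distinct ports {sorted(ports)}")
```

Feed it `grep 'Packet log' /var/log/messages` and the per-source summary tells you whether 155.230.152.165 touched only 635 or walked a list of ports; the individual `describe()` lines give the chain, action and rule number for any one hit.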