Date: Sun, 26 May 2002 13:16:47 +0200
From: Mark Rowlands <mark.rowlands@minmail.net>
To: "Chad Albert" <chadalbert@mchsi.com>, "freebsd-questions" <freebsd-questions@FreeBSD.ORG>
Subject: Re: ipfw and logging TCP flags
Message-ID: <200205261316.47069.mark.rowlands@minmail.net>
In-Reply-To: <200205251214.21648.mark.rowlands@minmail.net>
References: <005601c203b2$9ec221e0$15010f0a@SPGCALBERTA> <200205251147.46953.mark.rowlands@minmail.net> <200205251214.21648.mark.rowlands@minmail.net>
On Saturday 25 May 2002 12:14 pm, Mark Rowlands wrote:
> On Saturday 25 May 2002 11:47 am, Mark Rowlands wrote:
> > On Saturday 25 May 2002 8:08 am, Chad Albert wrote:
> > > Does anyone know how to get IP Firewall to report what TCP flags (syn,
> > > syn+ack, fin, etc...) were set in the logged packets? As it is
> > > configured on my box right now, I don't really know how someone is
> > > probing a port when they are probing. It is not terribly important,
> > > but it would be nice to see in my logs.
> >
> > http://archives.neohapsis.com/archives/freebsd/2000-12/0222.html
> > is what you are looking for I think....
> >
> >
> > not tested by me, your mileage may vary, this way up, use no hooks.
>
> and further investigation reveals
>
> http://people.freebsd.org/~cjc/ipfw_verbose_stable.patch

and now tested...... gives

sysctl net.inet.ip.fw.verbose=4

May 26 13:02:08 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2932
194.213.75.109:80 f=11 s=deaee460 a=9bb20d9c in via xl0

where f=hex representation of tcpflags

fin syn rst psh ack urg
01  02  04  08  16  32   (decimal)
01  02  04  08  10  20   (hex)

so in this instance f=11 which implies syn and ack set .....which with crafty
hping packet....they certainly were.

sysctl net.inet.ip.fw.verbose=2

May 26 13:05:03 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2101
192.168.0.1:64 in via xl0 [tos 0x00] (ttl 64, id 65496, len 40)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
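As an added example (not part of the message above or of the patch it links to), a small Python parser for the verbose=4 line format quoted in the message, assuming the f= field is hex as the message states. The classify() labels and the second and third sample lines are constructed here for illustration.

```python
import re

# Bit values from the hex row of the table in the message.
TCP_FLAGS = [(0x01, "fin"), (0x02, "syn"), (0x04, "rst"),
             (0x08, "psh"), (0x10, "ack"), (0x20, "urg")]

# Layout of the net.inet.ip.fw.verbose=4 line quoted in the message.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"f=(?P<f>[0-9a-fA-F]+) s=[0-9a-fA-F]+ a=[0-9a-fA-F]+ "
    r"(?P<dir>in|out) via (?P<iface>\w+)")

def decode_flags(f_field):
    """Turn the hex f= value into a list of flag names."""
    value = int(f_field, 16)
    return [name for bit, name in TCP_FLAGS if value & bit]

def classify(flags):
    """Hypothetical labels for flag combinations that stand out in a log."""
    s = set(flags)
    if not s:
        return "null"
    if {"syn", "fin"} <= s:
        return "syn+fin"
    if s == {"fin", "psh", "urg"}:
        return "xmas"
    if s == {"syn"}:
        return "syn"
    return "other"

def parse_line(line):
    """Return a dict for a verbose=4 TCP line, or None if it has no f= field."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    flags = decode_flags(m["f"])
    return {"rule": int(m["rule"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "flags": flags, "kind": classify(flags)}

# First and last lines are the ones quoted in the message (rejoined onto one
# line); the two in between are constructed samples.
SAMPLE = [
    "May 26 13:02:08 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2932 194.213.75.109:80 f=11 s=deaee460 a=9bb20d9c in via xl0",
    "May 26 13:02:09 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2933 192.168.0.1:22 f=02 s=00000001 a=00000000 in via xl0",
    "May 26 13:02:10 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2934 192.168.0.1:22 f=29 s=00000001 a=00000000 in via xl0",
    "May 26 13:05:03 pcmarpxy /kernel: ipfw: 2 Accept TCP 192.168.0.2:2101 192.168.0.1:64 in via xl0 [tos 0x00] (ttl 64, id 65496, len 40)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
```

Read as hex against that table, f=11 sets the fin and ack bits; a syn+ack segment would log as f=12. The verbose=2 line has no f= field, so parse_line() returns None for it.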