On Thu, 30 Oct 2008 08:15:14 +0100 Patrick McHardy <kaber@xxxxxxxxx> wrote:

> One thing you need is to specify the amount of bytes you want transferred
> to userspace:
>
> iptables ... -j NFLOG --nflog-range 65535

Another one (now with --nflog-range 65535 as requested):

1) using LOG:

Oct 30 23:14:34 tux vmunix: :d0:87:60:0SC6.3.310DT121812LN4 O=x0PE=x0TL4 D0POOTPST8 P=94 IDW0RS00 C S RP0
Oct 30 23:14:34 tux vmunix: 6DO NU:I=t0OT A=01:3e:79:01:fe:b2:80 R=3267.9 S=9.6.. E=0TS00 RC00 T=4I= RT=C P=0DT585WNO= E=x0AKRTUG=

2) using NFLOG (syslog emul):

Oct 30 23:14:34 tux DROP INPUT: IN=eth0 OUT= MAC=00:18:f3:e4:47:9f:00:1d:0f:e8:7b:26:08:00 SRC=63.236.73.190 DST=192.168.1.2 LEN=40 TOS=00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=80 DPT=59845 SEQ=0 ACK=2739255566 WINDOW=0 ACK RST URGP=0 MARK=0
Oct 30 23:14:34 tux DROP INPUT: IN=eth0 OUT= MAC=00:18:f3:e4:47:9f:00:1d:0f:e8:7b:26:08:00 SRC=63.236.73.190 DST=192.168.1.2 LEN=40 TOS=00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=80 DPT=59845 SEQ=0 ACK=2739255566 WINDOW=0 ACK RST URGP=0 MARK=0
Oct 30 23:14:34 tux DROP INPUT: IN=eth0 OUT= MAC=00:18:f3:e4:47:9f:00:1d:0f:e8:7b:26:08:00 SRC=63.236.73.190 DST=192.168.1.2 LEN=40 TOS=00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=80 DPT=59845 SEQ=0 ACK=2739255566 WINDOW=0 ACK RST URGP=0 MARK=0
Oct 30 23:14:34 tux DROP INPUT: IN=eth0 OUT= MAC=00:18:f3:e4:47:9f:00:1d:0f:e8:7b:26:08:00 SRC=63.236.73.190 DST=192.168.1.2 LEN=40 TOS=00 PREC=0x00 TTL=44 ID=0 PROTO=TCP SPT=80 DPT=59845 SEQ=0 ACK=2739255567 WINDOW=0 ACK RST URGP=0 MARK=0

It's interesting to note that NFLOG always gives the double of the entries of the "wrong" LOG entries.

3) and the attached pcap log file.

I hope that it will give you some hint.

Thanks!

--
Attachment:
ulogd-final.pcap.bz2
Description: Binary data