On Monday 16 October 2000 9:14 pm, Rowan Reid wrote:

> I'm writing a small script to parse through my logs and filter nodes
> trying to establish new connections to filtered ports. Below is a
> typical entry. What part of that log entry tells me that this person is
> trying to establish a new connection?
>
> Oct 16 05:42:57 s3a-www kernel: IN=eth1 OUT=
> MAC=00:04:75:b1:3d:6c:00:60:49:01:5a:de:08:00 SRC=216.99.233.253
> DST=**.**.76.66 LEN=72 TOS=0x00 PREC=0x00 TTL=241 ID=8598 DF PROTO=UDP
> SPT=53 DPT=1592 LEN=52

Nothing does.

This is a UDP packet, and UDP is a connectionless protocol, therefore there is no concept of setting up a new connection, different from continuing an existing one. All UDP packets are the same, whether they're the first, middle, or last packets of a communication between machines.

If it were a TCP packet, on the other hand, you could tell from the flags whether it was an initial request to set up a new connection (SYN flag set), or a reply to that request (SYN and ACK flags set) or part of an established connection (ACK flag only).

Antony.

--
Success is a lousy teacher. It seduces smart people into thinking they can't lose. - William H Gates III
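As an added example (not code from either poster), here is a small parser for iptables LOG lines that applies the distinction Antony draws: UDP entries are reported as connectionless, while TCP entries are labelled by their flag combination. The sample lines are constructed with documentation-range addresses; the kernel prints set TCP flags as bare words (CWR ECE URG ACK PSH RST SYN FIN order) after RES=, which is what the parser relies on.

```python
import re

# Constructed sample lines in iptables LOG format (not from the original thread);
# addresses use documentation ranges, and TCP flags appear as bare words after RES=.
SAMPLE_LOG = [
    "Oct 16 05:42:57 s3a-www kernel: IN=eth1 OUT= MAC=00:04:75:b1:3d:6c:00:60:49:01:5a:de:08:00 "
    "SRC=198.51.100.7 DST=192.0.2.66 LEN=72 TOS=0x00 PREC=0x00 TTL=241 ID=8598 DF PROTO=UDP SPT=53 DPT=1592 LEN=52",
    "Oct 16 05:43:01 s3a-www kernel: IN=eth1 OUT= MAC=00:04:75:b1:3d:6c:00:60:49:01:5a:de:08:00 "
    "SRC=198.51.100.9 DST=192.0.2.66 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Oct 16 05:43:01 s3a-www kernel: IN=eth1 OUT= MAC=00:04:75:b1:3d:6c:00:60:49:01:5a:de:08:00 "
    "SRC=192.0.2.66 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=4321 WINDOW=5792 RES=0x00 ACK SYN URGP=0",
    "Oct 16 05:43:02 s3a-www kernel: IN=eth1 OUT= MAC=00:04:75:b1:3d:6c:00:60:49:01:5a:de:08:00 "
    "SRC=198.51.100.9 DST=192.0.2.66 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0",
]

TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

def parse_log_line(line):
    """Return {'fields': {...}, 'flags': {...}} for a netfilter LOG line, else None."""
    m = re.search(r"kernel: (IN=.*)$", line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group(1).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields.setdefault(key, value)  # IP-header LEN wins over the later UDP/TCP LEN
        else:
            flags.add(tok)  # DF, and for TCP the flag names
    return {"fields": fields, "flags": flags}

def classify(entry):
    """Label the handshake stage as the reply describes; UDP has no such stage."""
    proto = entry["fields"].get("PROTO")
    tcp = entry["flags"] & TCP_FLAGS
    if proto == "UDP":
        return "connectionless: nothing marks a new connection"
    if proto != "TCP":
        return "not TCP"
    if tcp == {"SYN"}:
        return "new connection request (SYN)"
    if tcp == {"SYN", "ACK"}:
        return "reply to connection request (SYN+ACK)"
    if tcp == {"ACK"}:
        return "established connection (ACK only)"
    return "other TCP segment: " + " ".join(sorted(tcp))

def classify_log(lines):
    return [classify(e) for e in map(parse_log_line, lines) if e]
```

Feed it syslog lines (for example `classify_log(open("/var/log/messages"))`) and only the TCP entries labelled "new connection request" correspond to the connection attempts the original script was after.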