On Tuesday 20 January 2004 3:26 pm, David C. Hart wrote:
> What is this telling me? Example:
>
> Jan 20 09:50:18 mail2 kernel: Firewall: IN=eth1 OUT=
> MAC=00:09:5b:22:29:d1:00:06:25:e4:ed:a3:08:00 SRC=141.156.35.166
> DST=192.168.0.31 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=56322 DF PROTO=TCP
> SPT=3134 DPT=445 SEQ=1244763263 ACK=0 WINDOW=64170 RES=0x00 SYN URGP=0
> OPT (0204059201010402)
>
> What do I need to read to learn how to understand this?

A TCP/IP book would probably be best - I can recommend Craig Hunt's O'Reilly book.

As soon as you look at what fields exist inside TCP, UDP, ICMP, IP etc. headers I don't think you'll have any problem understanding what the abbreviations used in netfilter's log format refer to.

Have you checked the tutorials and other documentation on the netfilter home page at http://www.netfilter.org to see whether anyone discusses the log entries in detail? I can't say I can point you at one which I know does, however I wouldn't be surprised if someone who's done a good job on netfilter itself (Oskar Andreassen comes to mind) has also discussed the logging...

Regards,

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

Please reply to the list; please don't CC me.
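To show concretely what the quoted line is telling the reader, here is a small parser for the netfilter LOG format, added as an example to this thread (it is not Antony's code, nor anything from the netfilter project). It splits the line quoted above into its key=value fields and bare flag words, decodes the TCP options hex that netfilter prints after OPT into their RFC 793 meanings (option kinds 2, 3, 4, 8), and prints a one-line summary. The sample line is the one from the question, re-joined onto a single line; the field-meaning table and all function names are this example's own.

```python
"""Parse a netfilter/iptables LOG line and decode its TCP options.

Added example for this mailing-list thread, not code from the thread's
author or from the netfilter project.  Field names are those netfilter's
LOG target prints; their meanings follow the IP and TCP header layouts
(RFC 791 / RFC 793).
"""
import re

# Constructed sample: the log line quoted in the question, re-joined.
SAMPLE = ("Jan 20 09:50:18 mail2 kernel: Firewall: IN=eth1 OUT= "
          "MAC=00:09:5b:22:29:d1:00:06:25:e4:ed:a3:08:00 SRC=141.156.35.166 "
          "DST=192.168.0.31 LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=56322 DF PROTO=TCP "
          "SPT=3134 DPT=445 SEQ=1244763263 ACK=0 WINDOW=64170 RES=0x00 SYN URGP=0 "
          "OPT (0204059201010402)")

# Short glossary for the fields in the sample (this example's own wording).
FIELD_HELP = {
    "IN": "interface the packet arrived on", "OUT": "interface it would leave on",
    "MAC": "dst MAC, src MAC, then EtherType (08:00 = IPv4)",
    "SRC": "source IP", "DST": "destination IP", "LEN": "total IP length (bytes)",
    "TOS": "type of service", "PREC": "precedence", "TTL": "time to live",
    "ID": "IP identification", "DF": "don't-fragment bit set", "PROTO": "IP protocol",
    "SPT": "source port", "DPT": "destination port", "SEQ": "TCP sequence number",
    "ACK": "TCP acknowledgement number (ACK=0 is a value, bare ACK is a flag)",
    "WINDOW": "TCP receive window", "RES": "reserved TCP bits", "SYN": "SYN flag set",
    "URGP": "urgent pointer", "OPT": "TCP options, raw hex",
}

TCP_OPTION_KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACK_PERM",
                    5: "SACK", 8: "TIMESTAMP"}


def decode_tcp_options(hexstr):
    """Walk the TLV-encoded TCP options; returns a list of (name, value)."""
    data = bytes.fromhex(hexstr)
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                       # end of option list
            opts.append(("EOL", None)); break
        if kind == 1:                       # NOP is a single padding byte
            opts.append(("NOP", None)); i += 1; continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad option length %d at offset %d" % (length, i))
        payload = data[i + 2:i + length]
        name = TCP_OPTION_KINDS.get(kind, "KIND%d" % kind)
        value = None
        if kind == 2 and len(payload) == 2:           # MSS: 16-bit value
            value = int.from_bytes(payload, "big")
        elif kind == 3 and len(payload) == 1:         # window scale: shift count
            value = payload[0]
        elif kind == 8 and len(payload) == 8:         # timestamp: TSval, TSecr
            value = (int.from_bytes(payload[:4], "big"), int.from_bytes(payload[4:], "big"))
        elif payload:
            value = payload.hex()
        opts.append((name, value))
        i += length
    return opts


def parse_netfilter_log(line):
    """Split a syslog'd netfilter LOG line into timestamp, host, prefix, fields, flags."""
    head, sep, body = line.partition(" kernel: ")
    if not sep:
        raise ValueError("not a kernel log line")
    ts, _, host = head.rpartition(" ")
    idx = body.find("IN=")
    if idx < 0:
        raise ValueError("no netfilter fields found")
    prefix = body[:idx].strip()             # the --log-prefix text, e.g. "Firewall:"
    rest = body[idx:]
    # OPT (hex) is the only field containing a space, so pull it out first.
    opt, m = None, re.search(r"OPT \(([0-9a-fA-F]*)\)", rest)
    if m:
        opt = m.group(1)
        rest = rest[:m.start()] + rest[m.end():]
    fields, flags = {}, []
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v                   # OUT= yields an empty string
        else:
            flags.append(tok)               # DF, SYN, ACK, RST ... with no '=' are flags
    return {"timestamp": ts, "host": host, "prefix": prefix, "fields": fields,
            "flags": flags, "tcp_options": decode_tcp_options(opt) if opt else []}


def describe(rec):
    """One-line human summary of a parsed record."""
    f = rec["fields"]
    tcp_flags = "/".join(x for x in rec["flags"] if x not in ("DF", "MF")) or "no-flags"
    where = "in on %s" % f["IN"] if f.get("IN") else "out on %s" % f.get("OUT")
    s = "%s %s %s:%s -> %s:%s (%s, TTL %s)" % (f.get("PROTO"), tcp_flags, f.get("SRC"),
                                              f.get("SPT"), f.get("DST"), f.get("DPT"),
                                              where, f.get("TTL"))
    mss = [v for k, v in rec["tcp_options"] if k == "MSS"]
    if mss:
        s += ", MSS %d" % mss[0]
    return s


if __name__ == "__main__":
    rec = parse_netfilter_log(SAMPLE)
    print(describe(rec))
    for k, v in rec["fields"].items():
        print("  %-7s = %-45s %s" % (k, v, FIELD_HELP.get(k, "")))
    print("  options:", rec["tcp_options"])
```

Run against the sample, the summary reads "TCP SYN 141.156.35.166:3134 -> 192.168.0.31:445 (in on eth1, TTL 121), MSS 1426": an inbound connection attempt on eth1 to port 445 on an internal host, with OPT decoding to MSS 1426, two NOPs and SACK-permitted. The parser deliberately treats bare words as flags, which is how netfilter distinguishes the ACK flag from the ACK= sequence field in the same line.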