On Fri 27/02/2004 at 18:56, Graham Swallow wrote:
> I've never seen this log before (split lines).
> Is it simply someone's modem noise?
> How can it have two SRC addresses?

This log is an ICMP error. And, as such, it contains a citation from the IP packet that has raised it.

> Feb 27 17:50:37 sky1 kernel: fw-drop IN=eth1
> OUT= MAC=....
> SRC=216.200.115.66

ICMP error source: level3-mfn.fra1.de.mfnx.net

> DST=80.5.144.39

Destination: probably you :)

> LEN=56
> TOS=0x00
> PREC=0x00
> TTL=247
> ID=0
> PROTO=ICMP
> TYPE=11
> CODE=0

Type 11, code 0 is TTL exceeded in transit.

> [SRC=80.5.144.39 DST=200.179.192.14 LEN=40 TOS=0x00 PREC=0x00 TTL=1
> ID=12701 PROTO=TCP INCOMPLETE [8 bytes] ]

This is the original packet citation, so your kernel can associate the error with the right sent IP packet. The source is 80.5.144.39 (normal) and the destination 200.179.192.14 (dns1.rjo.virtua.com.br). As you can see, the packet was received with TTL=1. That's why the error was raised. Then we know the payload was TCP, but the citation was truncated at 8 bytes although we need 20 to analyse the TCP header (RFC says at least IP header + 8 bytes). By the way, it would have been cool if these 8 bytes were shown ;)

For more information on Netfilter logging, you can see:
http://logi.cc/linux/netfilter-log-format.php3

You can also paste your trace in the online analyser:
http://logi.cc/linux/NetfilterLogAnalyzer.php3

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
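Added example, not part of the original message: a small Python parser that separates the outer ICMP error fields from the bracketed citation of the original packet, which is why the log shows two SRC addresses. The function names and the short ICMP code table are assumptions made for this illustration; the sample is the log line from the post joined onto one line.

```python
import re

# Log line from the post above, joined onto one line (MAC left elided as posted).
SAMPLE = ("Feb 27 17:50:37 sky1 kernel: fw-drop IN=eth1 OUT= MAC=.... "
          "SRC=216.200.115.66 DST=80.5.144.39 LEN=56 TOS=0x00 PREC=0x00 TTL=247 "
          "ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=80.5.144.39 DST=200.179.192.14 "
          "LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=12701 PROTO=TCP INCOMPLETE [8 bytes] ]")

# A few ICMP error (type, code) pairs; anything else is reported numerically.
ICMP_ERRORS = {(3, 1): "host unreachable", (3, 3): "port unreachable",
               (11, 0): "TTL exceeded in transit",
               (11, 1): "fragment reassembly time exceeded"}

def fields(text):
    """Turn KEY=value tokens into a dict; bare tokens are ignored."""
    return dict(re.findall(r"\b([A-Z]+)=(\S*)", text))

def split_icmp_error(line):
    """Return (outer, inner) field dicts; inner is None if nothing is quoted."""
    # Assumption taken from the posted line: the citation opens with "[SRC=".
    start = line.find("[SRC=")
    if start == -1:
        return fields(line), None
    outer, quoted = fields(line[:start]), line[start + 1:]
    inner = fields(quoted)
    m = re.search(r"INCOMPLETE \[(\d+) bytes\]", quoted)
    if m:                               # transport header cut short in the quote
        inner["INCOMPLETE"] = int(m.group(1))
    return outer, inner

def explain(line):
    """One-line reading of a log entry: who reported what about which packet."""
    outer, inner = split_icmp_error(line)
    if inner is None:
        return f"{outer.get('SRC')} -> {outer.get('DST')} ({outer.get('PROTO')})"
    key = (int(outer["TYPE"]), int(outer["CODE"]))
    what = ICMP_ERRORS.get(key, "ICMP type %d code %d" % key)
    return (f"{outer['SRC']} reports '{what}' about a {inner['PROTO']} packet "
            f"{inner['SRC']} -> {inner['DST']} (TTL={inner['TTL']})")

if __name__ == "__main__":
    print(explain(SAMPLE))
```

When triaging firewall drops, the inner SRC/DST pair identifies the local flow that triggered the error, while the outer SRC is only the router that reported it.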