Netgate Discussion Forum
Very odd syslog messages

General pfSense Questions

    skywalker
    last edited by Apr 15, 2011, 7:07 PM

    Hello,

    I need some hints with a very odd logging thing.
    System is pfsense 2.0RC1 running nanoBSD (Alix board).
    I have enabled remote syslogging for firewall events.
    Every couple of minutes I get something like the following (along with the expected messages):
    Apr 15 20:27:37 pfsense6.middle.earth pf:      From: "Fritz" sip:620@10.2.254.1;tag=897mz0flp6
    Apr 15 20:27:37 pfsense6.middle.earth pf:      To: "Fritz" <\0x18\0x8e\0xa8M\0xa7\0x8b\0x07\0x00p\0x00\0x00\0x00p\0x00\0x00\0x00\0x14\0x00\0x00\0x00=\0x02\0x00\0x00vr1\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x1f\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00"\0xf6\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x000sW@\0x00r\0x06(\0xe6\d\0x05#\0x0a\0x02\0x01\0x02\0xfb\0xa1\0x1a\0xe1\0x05\0x1e{\0xbb\0x00\0x00\0x00\0x00p\0x02 \0x00_j\0x00\0x00\0x02\0x04\0x05\0x82\0x01\0x01\0x04\0x02\0x18\0x8e\0xa8M\0xdc\0x84\0x08\0x00\0x9d\0x00\0x00\0x00\0x9d\0x00\0x00\0x00\0x14\0x00\0x00\0x00=\0x02\0x00\0x00vr1\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00 \0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00"\0xf6\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x00]\0x00\0x00@

    Well, this looks like something which is SIP related.
    10.2.254.1 is my cable router (AVM Fritzbox) running a SIP software and inside there is a SIP phone.
    However, I have no idea why pfsense would log this kind of message. It is not a firewall message but rather some kind of packet trace.

    Anyone having an idea why this is happening?

    thanks!

      jimp Rebel Alliance Developer Netgate
      last edited by Apr 18, 2011, 5:24 PM

      Certain protocols that tcpdump knows and can decode sometimes will cause logged info like that, since tcpdump is used for getting info out of the pf log. Normally that would mean that some packet matching that connection was logged, either a pass or a block.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        skywalker
        last edited by Jul 25, 2011, 11:29 AM

        @jimp:

        Certain protocols that tcpdump knows and can decode sometimes will cause logged info like that, since tcpdump is used for getting info out of the pf log. Normally that would mean that some packet matching that connection was logged, either a pass or a block.

        picking this topic up again.
        Thanks. So you are saying that tcpdump is used to create pf logs?
        So why would it only in this particular case (SIP protocol) dump payload into the log? It still seems odd to me.
        I have not configured anywhere that pfsense should log payload…
        Any idea how to debug this?

          jimp Rebel Alliance Developer Netgate
          last edited by Jul 25, 2011, 11:48 AM

          Yes, the pflog interface is read by tcpdump. There is no way to configure logging the payload, that's just how it works.

            skywalker
            last edited by Jul 25, 2011, 8:56 PM

            Understand.
            So why then would pf for every connection log correctly (like Rule (1/0) ..blabla) and only for this particular SIP communication dump the payload into the log?
            I would not expect that and it is pretty unexpected for a log parser that is looking for a consistent formatting.

              jimp Rebel Alliance Developer Netgate
              last edited by Jul 25, 2011, 9:02 PM

              Because it logged that packet - and there was apparently enough information in the packet that tcpdump decoded it when it was blocked/passed/whatever.

              You'll also see that sometimes with SMB traffic.

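As an added example (not code from this thread, from pfSense or from tcpdump), the following Python parser applies jimp's explanation from both replies above: tcpdump reads the pflog interface, emits one rule line per logged packet, and for protocols it can dissect (SIP here, SMB in other cases) appends decoded payload lines under the same syslog source. A log consumer therefore has to treat any "pf:" message that does not start like a rule line as a continuation of the previous event, not as a parse failure, and must anchor its rule regex at the start of the message so that attacker-supplied header text inside a SIP packet can never be mistaken for a firewall event. The sample log lines are constructed for this example: the rule-line shape (tcpdump timestamp, `rule N/M(match): action dir on iface: src > dst: proto`) is an assumption modelled on the "Rule (1/0)" lines mentioned in the thread, the indented `From:`/`To:` lines mirror the decoded SIP payload shown in the first post, and the `Subject:` line is a deliberately hostile header added to show the injection case.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample stream (not taken from the page). Byte escapes such as
# \0x18 appear exactly as the original post shows them, so a raw string is used.
SAMPLE = r"""Apr 15 20:27:36 pfsense6.middle.earth pf: 00:00:01.004211 rule 1/0(match): pass in on vr1: 10.2.254.1.5060 > 10.2.1.2.5060: udp 300
Apr 15 20:27:37 pfsense6.middle.earth pf: 00:00:00.512311 rule 1/0(match): block in on vr1: 10.2.254.1.5060 > 10.2.1.2.5060: SIP, length: 420
Apr 15 20:27:37 pfsense6.middle.earth pf:      From: "Fritz" sip:620@10.2.254.1;tag=897mz0flp6
Apr 15 20:27:37 pfsense6.middle.earth pf:      To: "Fritz" <\0x18\0x8e\0xa8M\0xa7\0x8b\0x07\0x00p\0x00>
Apr 15 20:27:37 pfsense6.middle.earth pf:      Subject: 00:00:00.000001 rule 99/0(match): pass in on vr1: 198.51.100.9.1 > 10.2.1.2.22: tcp 60
Apr 15 20:27:38 pfsense6.middle.earth pf: 00:00:00.000911 rule 2/0(match): block in on vr1: 203.0.113.5.4444 > 10.2.1.2.22: tcp 60
"""

# Syslog envelope written by the remote logging target: timestamp, host, "pf:" source.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) pf: (?P<msg>.*)$"
)

# Assumed rule-line shape. It is anchored at the very start of the message: a
# genuine rule line begins with tcpdump's own timestamp, whereas the payload
# lines tcpdump's dissectors print are indented, so header text controlled by
# the remote SIP peer cannot satisfy this pattern.
RULE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{6} rule (?P<rule>\d+)/(?P<sub>\d+)\(match\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<proto>.*)$"
)


@dataclass
class Event:
    ts: str
    host: str
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    dst: str
    proto: str
    payload: List[str] = field(default_factory=list)  # decoded lines, opaque data


def sanitize(s: str) -> str:
    """Render control and non-ASCII characters as \\xNN so payload lines cannot
    smuggle terminal escapes or line breaks into whatever consumes the log."""
    return "".join(c if 32 <= ord(c) < 127 else "\\x%02x" % ord(c) for c in s)


def parse_pf_syslog(text: str) -> Tuple[List[Event], List[str]]:
    """Return (events, orphans). Every "pf:" message that is not a rule line is
    attached to the preceding event from the same host; lines with no preceding
    event are returned as orphans rather than raising."""
    events: List[Event] = []
    orphans: List[str] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # some other syslog source; out of scope here
        host, msg = m.group("host"), m.group("msg")
        r = RULE_RE.match(msg)
        if r:
            events.append(Event(
                ts=m.group("ts"), host=host, rule=int(r.group("rule")),
                action=r.group("action"), direction=r.group("direction"),
                iface=r.group("iface"), src=r.group("src"), dst=r.group("dst"),
                proto=r.group("proto"),
            ))
        elif events and events[-1].host == host:
            events[-1].payload.append(sanitize(msg.strip()))
        else:
            orphans.append(sanitize(msg.strip()))
    return events, orphans


def events_with_payload(events: List[Event]) -> List[Event]:
    """The events a naive one-line-per-event parser would have choked on."""
    return [e for e in events if e.payload]


def count_by_action(events: List[Event]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.action] = counts.get(e.action, 0) + 1
    return counts


if __name__ == "__main__":
    evs, orph = parse_pf_syslog(SAMPLE)
    for e in evs:
        print(f"{e.ts} rule {e.rule} {e.action} {e.direction} {e.iface} "
              f"{e.src} > {e.dst} [{e.proto}] payload_lines={len(e.payload)}")
    print("orphans:", orph)
    print("by action:", count_by_action(evs))
```

The important design choice is the anchored `RULE_RE`: the `Subject:` line carries a complete, well-formed fake rule line, but because it sits after the indentation tcpdump adds to every decoded line it is stored as payload of the preceding SIP event and never becomes a `pass` event for rule 99. Anything in `Event.payload` came from the packet body and should be handled as untrusted data in dashboards and alerting, the same way you would treat a user-agent string.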
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.