Very odd syslog messages

skywalker · Apr 15, 2011, 7:07 PM

Hello .,

I need some hints with a very odd logging thing.
System is pfsense 2.0RC1 running nanoBSD (Alix board).
I have enabled remote syslogging for firewall events.
Every couple of minutes I get something like thw following (along the expected messages):
Apr 15 20:27:37 pfsense6.middle.earth pf: From: "Fritz" sip:620@10.2.254.1;tag=897mz0flp6
Apr 15 20:27:37 pfsense6.middle.earth pf: To: "Fritz" <\0x18\0x8e\0xa8M\0xa7\0x8b\0x07\0x00p\0x00\0x00\0x00p\0x00\0x00\0x00\0x14\0x00\0x00\0x00=\0x02\0x00\0x00vr1\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x1f\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00"\0xf6\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x000sW@\0x00r\0x06(\0xe6\d\0x05#\0x0a\0x02\0x01\0x02\0xfb\0xa1\0x1a\0xe1\0x05\0x1e{\0xbb\0x00\0x00\0x00\0x00p\0x02 \0x00_j\0x00\0x00\0x02\0x04\0x05\0x82\0x01\0x01\0x04\0x02\0x18\0x8e\0xa8M\0xdc\0x84\0x08\0x00\0x9d\0x00\0x00\0x00\0x9d\0x00\0x00\0x00\0x14\0x00\0x00\0x00=\0x02\0x00\0x00vr1\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00\0x00 \0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xff\0xa0\0x86\0x01\0x00\0x00\0x00\0x00\0x00"\0xf6\0x00\0x00\0x01\0x00\0x00\0x00E\0x00\0x00]\0x00\0x00@

Well, this looks like something which is SIP related.
10.2.254.1 is my cable router (AVM Fritzbox) running a SIP software and inside there is a SIP phone.
However, I have no idea why pfsense would log this kind of message. It is not a firewall message but rather some kind of packet trace.

Anyone having an idea why this is happening?

thanks!</sip:620@10.2.254.1>

jimp · Apr 18, 2011, 5:24 PM

Certain protocols that tcpdump knows and can decode sometimes will cause logged info like that, since tcpdump is used for getting info out of the pf log. Normally that would mean that some packet matching that connection was logged, either a pass or a block.

skywalker · Jul 25, 2011, 11:29 AM

@jimp:

Certain protocols that tcpdump knows and can decode sometimes will cause logged info like that, since tcpdump is used for getting info out of the pf log. Normally that would mean that some packet matching that connection was logged, either a pass or a block.

picking this topic up again.
Thanks. So you are saying that tcpdump is used to create pf logs?
So why woudl it only in this particular case (SIP protocol) dump payload into the log? It still seems odd to me.
I have nowhere configured that pfsense should log payload…
Any idea how to debug this?

jimp · Jul 25, 2011, 11:48 AM

Yes, the pflog interface is read by tcpdump. There is no way to configure logging the payload, that's just how it works.

skywalker · Jul 25, 2011, 8:56 PM

Understand.
So why then would pf for every connection log correctly (like Rule (1/0) ..blabla) and only for this particular SIP communication dump the payload into the log?
I would not expect that and it is pretty unexpected for a log parser that is looking for a consistent formatting.

jimp · Jul 25, 2011, 9:02 PM

Because it logged that packet - and there was apparently enough information in the packet that tcpdump decoded it when it was blocked/passed/whatever.

You'll also see that sometimes with SMB traffic.