Netgate Discussion Forum
    How to interpret the LOG?

    hsiang

      I had configured the firewall log to be stored on my syslog server.

      Before upgrading to 1.0-RC3 I was able to tell from the log whether a packet was TCP or UDP by reading the proto: TCP / UDP field:

      Sep 21 12:50:21 pfsense01 pf: 2. 905267 rule 516/0(match): pass in on em1: (tos 0x20, ttl  57, id 36053, offset 0, flags [DF], proto: TCP (6), length: 44) 202.187.239.21.19733 > x.x.x.x.25: S, cksum 0xa6d6 (correct), 3020808753:3020808753(0) win 16384 <mss 1460>

      However, after the upgrade I get log lines like these, without any proto: indication:

      Oct 12 16:44:37 pfsense01 pf: 056827 rule 1053/0(match): pass in on em1: 60.48.48.188.1561 > x.x.x.x.110: S 1678932496:1678932496(0) win 16384
      Oct 12 16:44:37 pfsense01 pf: 002317 rule 2178/0(match): pass in on em3: x.x.x.x.1784 > x.x.x.x.53: 41396+[|domain]
      Oct 12 16:44:30 pfsense01 pf: 180883 rule 2290/0(match): block in on em1: 211.24.233.8.25 > x.x.x.x.1904: P 386833176:386833211(35) ack 1974387638 win 8760
      Oct 12 16:44:28 pfsense01 pf: 310596 rule 2290/0(match): block in on em3: x.x.x.x.25 > 212.13.166.106.3159: F 1:1(0) ack 0 win 17520
      Oct 12 16:44:27 pfsense01 pf: 301729 rule 2290/0(match): block in on em1: 203.115.231.50.80 > x.x.x.x.50632: FP 4294966983:133(446) ack 1 win 16384
      Oct 12 16:44:25 pfsense01 pf: 232403 rule 2290/0(match): block in on em1: 203.146.140.133.80 > x.x.x.x.55611: R 1448:1460(12) ack 1 win 16384

      After the destination IP, what does the letter mean? These are the few letters I have found:
      P, S, FP, F, R, . (just a full stop)

      1. What do they mean?
      2. How can I know what type of packet this is?

      Regards
      Hsiang

        billm

        The letters correspond to the flags in a TCP packet.

        –Bill

        pfSense core developer
        blog - http://www.ucsecurity.com/
        twitter - billmarquette

          hsiang

          So I can safely assume that log lines with those letters are TCP packets?

            billm

            @hsiang:

            So I can safely assume that log lines with those letters are TCP packets?

            Yes

            pfSense core developer
            blog - http://www.ucsecurity.com/
            twitter - billmarquette

              hsiang
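            As an added example (not from this thread or from pfSense itself), the parser below reads the new-format pf log lines quoted above and expands the tcpdump-style flag letters (S, P, F, R, FP, "." for no flags, plus "ack n" for ACK) into TCP flag names. It assumes only that a line with no flag field, such as the "41396+[|domain]" DNS query, is not a TCP segment summary, and it does not handle the older "proto: TCP (6)" format, which already names the protocol.

```python
import re

# tcpdump flag-letter convention as printed by pf: "." means no flag letters
# (a pure ACK); ACK itself is printed as "ack <n>" rather than as a letter.
TCP_FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "R": "RST",
                  "U": "URG", "W": "CWR", "E": "ECE"}

# Fields shared by every new-format line: counter, rule, action, direction,
# interface, then "src.port > dst.port: <rest>".
LINE_RE = re.compile(
    r"pf: \d+ rule (?P<rule>\d+/\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"^(?P<flags>[SFPRUWE]+|\.)(?:\s|,)")

def split_hostport(s):
    """'60.48.48.188.1561' -> ('60.48.48.188', 1561); the port is the last dotted field."""
    host, port = s.rsplit(".", 1)
    return host, int(port)

def parse_pf_log_line(line):
    """Return a dict of the pf fields, with proto/flags derived from the tail of the line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("rule", "reason", "action", "dir", "iface")}
    rec["src"], rec["sport"] = split_hostport(m.group("src"))
    rec["dst"], rec["dport"] = split_hostport(m.group("dst"))
    rest = m.group("rest")
    f = FLAGS_RE.match(rest)
    if f is None:
        # No flag field: not a TCP segment summary (e.g. the DNS query line).
        rec["proto"], rec["flags"] = "non-TCP", []
        return rec
    letters = f.group("flags")
    flags = [] if letters == "." else [TCP_FLAG_NAMES[c] for c in letters]
    if re.search(r"\back \d+", rest):
        flags.append("ACK")
    rec["proto"], rec["flags"] = "TCP", flags
    return rec

# Constructed sample: two of the lines quoted in the thread.
SAMPLE_LINES = [
    "Oct 12 16:44:37 pfsense01 pf: 056827 rule 1053/0(match): pass in on em1: "
    "60.48.48.188.1561 > x.x.x.x.110: S 1678932496:1678932496(0) win 16384",
    "Oct 12 16:44:37 pfsense01 pf: 002317 rule 2178/0(match): pass in on em3: "
    "x.x.x.x.1784 > x.x.x.x.53: 41396+[|domain]",
]

def summarize(lines):
    """(proto, flags) per parseable line, in input order."""
    return [(r["proto"], r["flags"]) for r in map(parse_pf_log_line, lines) if r]
```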

              Thanks Billm.

              Working now on interpreting the log.
