How to interprete the LOG?
-
I had configure firewall log to be stored in my syslog server.
Before upgrade to 1.0-RC3 i could able to interprete the log whether is it a TCP or UDP Packets by reading the proto: TCP / UDP
Sep 21 12:50:21 pfsense01 pf: 2. 905267 rule 516/0(match): pass in on em1: (tos 0x20, ttl 57, id 36053, offset 0, flags [DF], proto: TCP (6), length: 44) 202.187.239.21.19733 > x.x.x.x.25: S, cksum 0xa6d6 (correct), 3020808753:3020808753(0) win 16384 <mss 1460="">However after upgrade i got the log like this without any proto: indication
Oct 12 16:44:37 pfsense01 pf: 056827 rule 1053/0(match): pass in on em1: 60.48.48.188.1561 > x.x.x.x.110: S 1678932496:1678932496(0) win 16384
ct 12 16:44:37 pfsense01 pf: 002317 rule 2178/0(match): pass in on em3: x.x.x.x.1784 > x.x.x.x.53: 41396+[|domain]
Oct 12 16:44:30 pfsense01 pf: 180883 rule 2290/0(match): block in on em1: 211.24.233.8.25 > x.x.x.x.1904: P 386833176:386833211(35) ack 1974387638 win 8760
Oct 12 16:44:28 pfsense01 pf: 310596 rule 2290/0(match): block in on em3: x.x.x.x.25 > 212.13.166.106.3159: F 1:1(0) ack 0 win 17520
Oct 12 16:44:27 pfsense01 pf: 301729 rule 2290/0(match): block in on em1: 203.115.231.50.80 > x.x.x.x.50632: FP 4294966983:133(446) ack 1 win 16384
Oct 12 16:44:25 pfsense01 pf: 232403 rule 2290/0(match): block in on em1: 203.146.140.133.80 > x.x.x.x.55611: R 1448:1460(12) ack 1 win 16384After the destination IP, what does the Letter means?? These are the few letter i found
P, S, FP, F, R, . (just a fullstop)1. What does it means??
2. How i can know what type of packets is this?Regards
Hsiang</mss>
-
The letters correspond to the flags in a TCP packet.
–Bill
-
so i can safely assume that log with those letter are TCP packets?
-
-
thanks Billm.
Working now on interpreting the log.