How to interpret the LOG?



  • I had configured the firewall log to be stored on my syslog server.

    Before upgrading to 1.0-RC3 I was able to interpret from the log whether a packet was TCP or UDP by reading the proto: TCP / UDP

    Sep 21 12:50:21 pfsense01 pf: 2. 905267 rule 516/0(match): pass in on em1: (tos 0x20, ttl  57, id 36053, offset 0, flags [DF], proto: TCP (6), length: 44) 202.187.239.21.19733 > x.x.x.x.25: S, cksum 0xa6d6 (correct), 3020808753:3020808753(0) win 16384 <mss 1460>

    However, after the upgrade I get log lines like this, without any proto: indication

    Oct 12 16:44:37 pfsense01 pf: 056827 rule 1053/0(match): pass in on em1: 60.48.48.188.1561 > x.x.x.x.110: S 1678932496:1678932496(0) win 16384
    ct 12 16:44:37 pfsense01 pf: 002317 rule 2178/0(match): pass in on em3: x.x.x.x.1784 > x.x.x.x.53: 41396+[|domain]
    Oct 12 16:44:30 pfsense01 pf: 180883 rule 2290/0(match): block in on em1: 211.24.233.8.25 > x.x.x.x.1904: P 386833176:386833211(35) ack 1974387638 win 8760
    Oct 12 16:44:28 pfsense01 pf: 310596 rule 2290/0(match): block in on em3: x.x.x.x.25 > 212.13.166.106.3159: F 1:1(0) ack 0 win 17520
    Oct 12 16:44:27 pfsense01 pf: 301729 rule 2290/0(match): block in on em1: 203.115.231.50.80 > x.x.x.x.50632: FP 4294966983:133(446) ack 1 win 16384
    Oct 12 16:44:25 pfsense01 pf: 232403 rule 2290/0(match): block in on em1: 203.146.140.133.80 > x.x.x.x.55611: R 1448:1460(12) ack 1 win 16384

    After the destination IP, what does the letter mean?? These are the few letters I found:
    P, S, FP, F, R, . (just a full stop)

    1. What do they mean??
    2. How can I know what type of packet this is?

    Regards
    Hsiang



  • The letters correspond to the flags in a TCP packet.

    –Bill
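The pf log lines in the question are printed in tcpdump's classic format, where the token right after the destination address is the set of TCP flags: S = SYN, F = FIN, P = PSH, R = RST, U = URG, and a lone "." means none of those (an ACK-only segment). A parser that applies that rule to the pasted lines, as an added example that is not part of the thread and not pfSense's own code (the regular expression is an assumption about the line layout shown above; the sample lines are copied from the question, and the "." line is constructed):

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# tcpdump classic-format flag letters and the TCP flag each one stands for.
# "." is handled separately: it means no flag from this set (ACK-only segment).
TCP_FLAG_LETTERS = {
    "S": "SYN",
    "F": "FIN",
    "P": "PSH",
    "R": "RST",
    "U": "URG",
}

# Assumed layout of the post-upgrade lines: "... rule N/M(match): ACTION DIR on IFACE: SRC > DST: REST"
PF_LINE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
# A token made only of flag letters, or a lone ".", identifies a TCP segment.
TCP_FLAG_TOKEN = re.compile(r"^(?:[SFPRU]+|\.)$")


@dataclass
class PfEntry:
    rule: int
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    iface: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    proto: str           # "TCP" when a flag token is present, otherwise "non-TCP"
    flags: List[str] = field(default_factory=list)  # expanded flag names


def split_endpoint(endpoint: str):
    """tcpdump writes host.port; the port is everything after the last dot."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def expand_flags(token: str) -> List[str]:
    """Turn a flag token such as 'FP' into ['FIN', 'PSH']; '.' expands to no flags."""
    if token == ".":
        return []
    return [TCP_FLAG_LETTERS[letter] for letter in token]


def parse_pf_line(line: str) -> Optional[PfEntry]:
    """Parse one syslog line from pf; return None for lines that do not match."""
    m = PF_LINE.search(line)
    if m is None:
        return None
    rest = m.group("rest").strip()
    first_token = rest.split(maxsplit=1)[0] if rest else ""
    if TCP_FLAG_TOKEN.match(first_token):
        proto, flags = "TCP", expand_flags(first_token)
    else:
        # e.g. a DNS query decode such as "41396+[|domain]": no TCP flag token,
        # so the decoder was not the TCP one (UDP in the DNS case).
        proto, flags = "non-TCP", []
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    return PfEntry(int(m.group("rule")), m.group("action"), m.group("dir"), m.group("iface"),
                   src_host, src_port, dst_host, dst_port, proto, flags)


def describe(entry: PfEntry) -> str:
    """One-line human-readable summary, handy when eyeballing blocked traffic."""
    flag_text = "+".join(entry.flags) if entry.flags else ("ACK-only" if entry.proto == "TCP" else "-")
    return (f"rule {entry.rule} {entry.action} {entry.direction} {entry.iface} "
            f"{entry.src_host}:{entry.src_port} -> {entry.dst_host}:{entry.dst_port} "
            f"{entry.proto} {flag_text}")


# Sample lines: the first four are from the question above, the last one is constructed
# to show the "." (ACK-only) case.
SAMPLE_LINES = [
    "Oct 12 16:44:37 pfsense01 pf: 056827 rule 1053/0(match): pass in on em1: 60.48.48.188.1561 > x.x.x.x.110: S 1678932496:1678932496(0) win 16384",
    "Oct 12 16:44:37 pfsense01 pf: 002317 rule 2178/0(match): pass in on em3: x.x.x.x.1784 > x.x.x.x.53: 41396+[|domain]",
    "Oct 12 16:44:27 pfsense01 pf: 301729 rule 2290/0(match): block in on em1: 203.115.231.50.80 > x.x.x.x.50632: FP 4294966983:133(446) ack 1 win 16384",
    "Oct 12 16:44:25 pfsense01 pf: 232403 rule 2290/0(match): block in on em1: 203.146.140.133.80 > x.x.x.x.55611: R 1448:1460(12) ack 1 win 16384",
    "Oct 12 16:44:20 pfsense01 pf: 111111 rule 2290/0(match): block in on em1: 203.146.140.133.80 > x.x.x.x.55611: . ack 1 win 16384",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        entry = parse_pf_line(raw)
        print(describe(entry) if entry else f"unparsed: {raw}")
```

Running it prints one summary per line, e.g. the blocked line with `FP` comes out as `TCP FIN+PSH` and the DNS line as `non-TCP`. Because "." is a valid flag token, a grep for lines with no letter after the destination address would miss ACK-only TCP segments; match on the parsed token instead.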



  • So I can safely assume that log lines with those letters are TCP packets?



  • @hsiang:

    So I can safely assume that log lines with those letters are TCP packets?

    Yes



  • Thanks Billm.

    Working now on interpreting the log.

