Ladies & Gents
I am trying to make sense of what I am seeing in my logs, but I am not finding the answers I am looking for via Google. Most of the entries in my logs look like the ones below. The problem is that I don't understand what these lines mean.
Dec 13 14:13:24 hiveserver kernel: [896006.906172] Inbound IN=eth1 OUT= MAC=00:40:05:08:23:ff:00:13:5f:06:6d:05:08:00
SRC=188.8.131.52 DST=xx.xx.xx.xx LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=38381 PROTO=UDP
SPT=63690 DPT=61524 LEN=111
Dec 13 14:13:26 hiveserver kernel: [896008.712367] Inbound IN=eth1 OUT= MAC= SRC=xx.xx.xx.xx DST=184.108.40.206 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138
I get what some of the parts mean, like 'Inbound', 'IN', 'SRC', etc. Let's take TOS=0x00: I get that it is the type of service, http or whatever, but what service is associated with 0x00? I assume that LEN is length, TTL is time to live. Don't know PREC, ID, DF, PROTO, LEN, DPT. I haven't been able to find the page I saw one day that had a basic description, though limited, of what some of them were. Does anyone have a link to such a page?
I also notice that in the first example there is a MAC that is 14 pairs long. All of the MACs I have had to deal with are much shorter than that. Is this a spoofed MAC? Or maybe part of the new IPv6?
Most of the time these hourly emails are 3 to 5k in size, but sometimes they are 15 to 20k. Usually there are 2 or 3 comps accessing the web through my router, but there may be twice that many at any one time. I suppose a little info about the router is in order. Debian Lenny, up to date as of last week. Firestarter built the firewall, but there is some kind of bug in the GUI that causes the GUI to crash all the time; the rules keep working, and so far I have had no problems that I know of.
The biggest question is 'Are these log entries something to be concerned about or not?'
If not, then how do I stop them from filling up my logs?
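The lines in the post are the standard output of the netfilter LOG target (the kernel "IN=... OUT=... MAC=..." format), and every field has a fixed meaning. Below is an added example, written for this page and not taken from the post, from Firestarter or from any other project, that parses such lines and annotates the fields the post asks about: it splits the 14-octet MAC field into destination MAC, source MAC and EtherType, decodes the TOS byte (DSCP, ECN and the PREC precedence bits), distinguishes the two LEN values (IP total length and UDP length), notes the DF flag, estimates hop count from TTL with a heuristic, and labels well-known destination ports. The two sample lines are constructed for the example and use RFC 5737 documentation addresses (192.0.2.0/24, 198.51.100.0/24) in place of the redacted addresses; the MAC field is the one shown on the page. The well-known-port table and the initial-TTL heuristic (64, 128, 255) are this example's own assumptions.

```python
"""Parse and annotate netfilter/iptables LOG lines (kernel "IN=... OUT=..." format)."""
from typing import Dict, List, Optional

# Constructed sample lines in the LOG target layout. "Inbound" is the log prefix
# the firewall rule attached; the IPs are documentation addresses chosen for this
# example (the original post redacted its own), the MAC field is from the page.
SAMPLE_LOG: List[str] = [
    "Dec 13 14:13:24 hiveserver kernel: [896006.906172] Inbound IN=eth1 OUT= "
    "MAC=00:40:05:08:23:ff:00:13:5f:06:6d:05:08:00 SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=131 TOS=0x00 PREC=0x00 TTL=111 ID=38381 PROTO=UDP SPT=63690 DPT=61524 LEN=111",
    "Dec 13 14:13:26 hiveserver kernel: [896008.712367] Inbound IN=eth1 OUT= MAC= "
    "SRC=192.0.2.10 DST=192.0.2.255 LEN=240 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=UDP SPT=138 DPT=138",
]

# Bare flags the LOG target prints without a value (IP flags and TCP flags).
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# A few IANA well-known ports; assumption of this example, not from the page.
WELL_KNOWN_PORTS = {53: "domain (DNS)", 123: "ntp", 137: "netbios-ns",
                    138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}


def parse_log_line(line: str) -> Dict[str, str]:
    """Return KEY=VALUE fields of one LOG line; bare flags are stored as 'True'.

    LEN appears twice: the first is the IP total length, the second (after PROTO)
    is the transport-layer length, which is kept separately as L4_LEN.
    """
    start = line.find(" IN=")
    if start < 0:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields: Dict[str, str] = {}
    for token in line[start:].split():
        if "=" in token:
            key, val = token.split("=", 1)
            if key == "LEN" and "LEN" in fields:
                key = "L4_LEN"
            fields[key] = val
        elif token in FLAG_TOKENS:
            fields[token] = "True"
    return fields


def decode_mac(mac: str) -> Optional[Dict[str, str]]:
    """Split the 14-octet MAC field: 6 dst MAC + 6 src MAC + 2 EtherType octets."""
    if not mac:
        return None  # MAC= is empty when the kernel had no link-layer header to log
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC field length: %d octets" % len(octets))
    return {"dst_mac": ":".join(octets[0:6]),
            "src_mac": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:14])}  # 0x0800 = IPv4, 0x86dd = IPv6


def decode_tos(tos_hex: str) -> Dict[str, int]:
    """TOS byte: top 6 bits DSCP, low 2 bits ECN; PREC is the top 3 bits (precedence)."""
    tos = int(tos_hex, 16)
    return {"dscp": tos >> 2, "ecn": tos & 0x3, "precedence": tos >> 5}


def guess_initial_ttl(ttl: int) -> int:
    """Heuristic: common initial TTLs are 64, 128 and 255; take the smallest >= observed."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start
    return 255


def service_for_port(port: Optional[int]) -> Optional[str]:
    """Label a destination port: well-known table, dynamic range, or unknown."""
    if port is None:
        return None
    if port in WELL_KNOWN_PORTS:
        return WELL_KNOWN_PORTS[port]
    return "ephemeral (dynamic range)" if port >= 49152 else "not in table"


def describe(fields: Dict[str, str]) -> Dict[str, object]:
    """Annotate a parsed line with the meaning of the fields the post asks about."""
    dpt = int(fields["DPT"]) if "DPT" in fields else None
    ttl = int(fields["TTL"])
    return {
        "in_iface": fields.get("IN") or None,
        "out_iface": fields.get("OUT") or None,
        "link_layer": decode_mac(fields.get("MAC", "")),
        "ip_total_len": int(fields["LEN"]),
        "tos": decode_tos(fields["TOS"]),
        "ip_id": int(fields["ID"]),
        "dont_fragment": fields.get("DF") == "True",
        "ttl": ttl,
        "approx_hops": guess_initial_ttl(ttl) - ttl,
        "proto": fields.get("PROTO"),
        "dst_port": dpt,
        "dst_service": service_for_port(dpt),
        "l4_len": int(fields["L4_LEN"]) if "L4_LEN" in fields else None,
    }


def describe_all(lines: List[str]) -> List[Dict[str, object]]:
    return [describe(parse_log_line(line)) for line in lines]


if __name__ == "__main__":
    for entry in describe_all(SAMPLE_LOG):
        for key, value in entry.items():
            print("%-14s %s" % (key, value))
        print()
```

Run over the two sample lines, the first entry shows a packet that arrived on eth1 from 198.51.100.7 with the router's own MAC as destination, a TTL of 111 (consistent with an initial TTL of 128 about 17 hops away), UDP to a port in the dynamic range; the second shows a DF-flagged UDP datagram to port 138 (netbios-dgm) with no link-layer header logged. Seen this way, the second line is ordinary local NetBIOS chatter, which is worth knowing before deciding whether to keep logging it.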