LinuxQuestions.org


xface66 05-13-2007 12:39 PM

netfilter/iptables log file format
 
hello everyone,
i am writing an iptables log file parser.
can someone tell me the log file format?
here is an example i found.

Code:

Feb  6 12:04:42 navara kernel: P2P IN=eth1 OUT=eth0 SRC=10.2.20.53
DST=82.20.129.162 LEN=108 TOS=0x00 PREC=0x00 TTL=127 ID=26465 DF
PROTO=TCP SPT=3466 DPT=23394 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Feb  6 12:04:42 navara kernel: P2P IN=eth1 OUT=eth0 SRC=10.2.22.151
DST=62.219.160.113 LEN=108 TOS=0x00 PREC=0x00 TTL=127 ID=31099 DF
PROTO=TCP SPT=2566 DPT=60560 WINDOW=17520 RES=0x00 ACK PSH URGP=0
Feb  6 12:04:42 navara kernel: P2P IN=eth1 OUT=eth0 SRC=10.2.21.235
DST=60.50.83.153 LEN=108 TOS=0x00 PREC=0x00 TTL=127 ID=53682 DF
PROTO=TCP SPT=2878 DPT=12571 WINDOW=17424 RES=0x00 ACK PSH URGP=0
Feb  6 12:04:42 navara kernel: P2P IN=eth1 OUT=eth0 SRC=10.2.49.237
DST=217.91.58.88 LEN=46 TOS=0x00 PREC=0x00 TTL=127 ID=1822 PROTO=UDP
SPT=1079 DPT=4450 LEN=26
Feb  6 12:04:42 navara kernel: P2P IN=eth1 OUT=eth0 SRC=10.2.49.237
DST=80.103.100.105 LEN=63 TOS=0x00 PREC=0x00 TTL=127 ID=1823 PROTO=UDP
SPT=4672 DPT=42129 LEN=43


acid_kewpie 05-13-2007 12:48 PM

what don't you understand about it? it's impressively straightforward i'd have thought... IN=[in interface] PROTO=[protocol] etc... dst= destination, ttl = time to live, prec = precision, tos = type of service, len = length...

xface66 05-13-2007 12:56 PM

i know what they mean.
the problem is about the sequence.

i don't know what 'DF' means.
and is there any site that explains what can be the values.

tos = 0x00 what does this mean?
and others?

acid_kewpie 05-13-2007 01:00 PM

just google for the terms... "tcp df" shows DF represents the Do Not Fragment bit. in general this output is for those who generally understand tcp/ip. you're asking about the tos value, well unless you understand type of service, then the hex value there is never going to mean anything to you, so you may as well just report that verbatim. the tla, "TOS" is very well known to anyone who cares what it is... if the reader needs an explanation, he should ignore it...

ultimate explanation is, of course, here... http://www.faqs.org/rfcs/rfc793.html

