[wplug] syslog messages, what do they mean.

James O'Kane jo2y at midnightlinux.com
Fri Oct 17 13:24:09 EDT 2003


This one time, at band camp, John Harrold said:

> Oct 17 12:31:05 fw kernel: IN=eth0 OUT=eth0 SRC=123.456.789.987
> DST=123.456.789.987 LEN=1500 TOS=0x08 PREC=0x00 TTL=62 ID=62304 DF PROTO=TCP
> SPT=22 DPT=32767 WINDOW=63712 RES=0 x00 ACK URGP=0

I'm assuming you changed the IP addresses to protect the innocent, but are 
they really the same address?

The IN=eth0 and OUT=eth0 means the packets are going in and out of eth0. 
That seems a bit odd to me, but that might be the way you have things 
set up.

The SPT=22 means that it's a ssh session. You can look in /etc/services if 
you didn't already know that port number. The DPT is the port number for 
the other machine. From these, you can tell that SRC is the machine 
running the sshd, and DST is the machine that initiated the connection.

If you look on SRC and run lsof -i :22 it might give you some info on what 
user is using the connection. Conversely, if you have access to DST, lsof 
-i :32767 should tell you something as well.

The other fields LEN, TOS, PREC, TTL, ID, DF, WINDOW, RES, ACK, URGP are 
boring technical details about the connection at that moment. I know some 
of them, but I've never had need to use them as a sysadmin. LEN is the 
length of the packet, TOS is type of service (I'd have to look this one up 
more), TTL is time to live; i.e. how long until this packet dies of old 
age, DF is don't fragment, WINDOW is the amount of unACK'ed data that can be on 
the wire before we slow down a bit and wait, ACK is an acknowledgement of 
data received. The other few I don't remember off hand.

-james
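The field-by-field reading James gives above can be turned into a small parser. This is an added example, not code from the post or the wplug list: it splits a netfilter kernel log line into its KEY=VALUE fields and bare flag tokens, then applies the same reasoning (well-known port side runs the service, high-port side initiated the connection, IN==OUT and SRC==DST are worth a second look). The sample line and the 192.0.2.x/198.51.100.x addresses are constructed, and the `parse_netfilter_line`/`describe` names are this example's own.

```python
import re
import socket
# Constructed sample in the netfilter log format the post discusses (RFC 5737
# documentation addresses, not the original poster's).
SAMPLE = ("Oct 17 12:31:05 fw kernel: IN=eth0 OUT=eth0 SRC=192.0.2.10 "
          "DST=198.51.100.7 LEN=1500 TOS=0x08 PREC=0x00 TTL=62 ID=62304 DF "
          "PROTO=TCP SPT=22 DPT=32767 WINDOW=63712 RES=0x00 ACK URGP=0")

# Bare tokens (no '=') that netfilter emits for IP and TCP flags.
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CE"}
INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP")
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")

def parse_netfilter_line(line):
    """Split a kernel log line into KEY=VALUE fields plus a 'flags' set."""
    m = PREFIX_RE.match(line.strip())
    if m is None:
        return None
    fields = {"timestamp": m.group("ts"), "host": m.group("host"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = int(value) if key in INT_FIELDS else value
        elif tok in FLAG_TOKENS:
            fields["flags"].add(tok)
    return fields

def service_name(port, proto="tcp"):
    """Look the port up in /etc/services as the post suggests; fall back to the number."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return str(port)

def describe(fields):
    """Well-known port side = server, high-port side = client; also flag the
    two oddities the post questions (IN == OUT and SRC == DST)."""
    spt, dpt = fields["SPT"], fields["DPT"]
    if spt < 1024 <= dpt:
        server, client, port = fields["SRC"], fields["DST"], spt
    elif dpt < 1024 <= spt:
        server, client, port = fields["DST"], fields["SRC"], dpt
    else:  # both ephemeral or both privileged: the log line alone can't tell
        server, client, port = None, None, min(spt, dpt)
    return {"service": service_name(port, fields["PROTO"].lower()),
            "server": server, "client": client,
            "same_interface": fields["IN"] == fields["OUT"],
            "same_address": fields["SRC"] == fields["DST"]}
```

Lines for ICMP have no SPT/DPT, so `describe` is only meant for the TCP/UDP lines `parse_netfilter_line` returns with those fields present.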
