[wplug] syslog messages, what do they mean.
James O'Kane
jo2y at midnightlinux.com
Fri Oct 17 13:24:09 EDT 2003
This one time, at band camp, John Harrold said:
> Oct 17 12:31:05 fw kernel: IN=eth0 OUT=eth0 SRC=123.456.789.987
> DST=123.456.789.987 LEN=1500 TOS=0x08 PREC=0x00 TTL=62 ID=62304 DF PROTO=TCP
> SPT=22 DPT=32767 WINDOW=63712 RES=0x00 ACK URGP=0
I'm assuming you changed the IP addresses to protect the innocent, but are
they really the same address?
The IN=eth0 and OUT=eth0 means the packets are going in and out of eth0.
That seems a bit odd to me, but that might be the way you have things
set up.
The SPT=22 means that it's an ssh session. You can look in /etc/services if
you didn't already know that port number. The DPT is the port number for
the other machine. From these, you can tell that SRC is the machine
running the sshd, and DST is the machine that initiated the connection.
If you look on SRC and run lsof -i :22 it might give you some info on what
user is using the connection. Conversely, if you have access to DST, lsof
-i :32767 should tell you something as well.
The other fields LEN, TOS, PREC, TTL, ID, DF, WINDOW, RES, ACK, URGP are
boring technical details about the connection at that moment. I know some
of them, but I've never had need to use them as a sysadmin. LEN is the
length of the packet, TOS is type of service (I'd have to look this one up
more), TTL is time to live; i.e. how long until this packet dies of old
age, DF is don't fragment, WINDOW is the amount of unACK'ed data that can be on
the wire before we slow down a bit and wait, ACK is an acknowledgement of
data received. The other few I don't remember off hand.
-james
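As an added example (not part of the original thread), here is a small Python parser for kernel netfilter log lines of the kind quoted above. It splits the `KEY=value` fields from the bare flag tokens (DF, ACK, SYN, ...), then applies the same reasoning as the reply: a well-known port on the SPT side means SRC is the server, and it flags the SRC==DST and IN==OUT oddities. The sample line and addresses are constructed placeholders.

```python
from typing import Any, Dict, List

# Constructed sample in the same format as the quoted log line
# (addresses are documentation placeholders, not real hosts).
SAMPLE = ("Oct 17 12:31:05 fw kernel: IN=eth0 OUT=eth0 SRC=192.0.2.10 "
          "DST=192.0.2.10 LEN=1500 TOS=0x08 PREC=0x00 TTL=62 ID=62304 DF "
          "PROTO=TCP SPT=22 DPT=32767 WINDOW=63712 RES=0x00 ACK URGP=0")

# Tokens netfilter prints without an '=value' part (fragment bits, TCP flags)
FLAG_TOKENS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
# Ports that identify the server side of a connection (a small subset)
WELL_KNOWN = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def parse_netfilter_line(line: str) -> Dict[str, Any]:
    """Split a kernel netfilter log line into a dict of fields plus a set of flags."""
    fields: Dict[str, Any] = {"flags": set()}
    _, _, body = line.partition("kernel: ")   # drop the syslog timestamp/host prefix
    for tok in body.split():
        if "=" in tok:                         # KEY=value; value may be empty (e.g. "IN=")
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in FLAG_TOKENS:               # bare flag token
            fields["flags"].add(tok)
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if key in fields and fields[key] != "":
            fields[key] = int(fields[key])
    return fields


def describe(fields: Dict[str, Any]) -> List[str]:
    """Say which side is the server and point out anything that looks odd."""
    notes: List[str] = []
    spt, dpt = fields.get("SPT"), fields.get("DPT")
    if spt in WELL_KNOWN:
        notes.append(f"SRC {fields['SRC']} is the {WELL_KNOWN[spt]} server; DST initiated")
    elif dpt in WELL_KNOWN:
        notes.append(f"DST {fields['DST']} is the {WELL_KNOWN[dpt]} server; SRC initiated")
    if fields.get("SRC") == fields.get("DST"):
        notes.append("SRC and DST are the same address: check for NAT or a hairpin route")
    if fields.get("IN") and fields.get("IN") == fields.get("OUT"):
        notes.append("IN and OUT are the same interface: packet forwarded back out where it came in")
    return notes


if __name__ == "__main__":
    for note in describe(parse_netfilter_line(SAMPLE)):
        print(note)
```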