- What kind of information do logs contain?
- Example entry:
Feb 1 00:00:02 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=192.150.249.87 DST=11.11.11.84 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=12973 PROTO=TCP SPT=220 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0
- Quite a lot of information, but very little at the same time
Cataloging the Information
- Feb 1 00:00:02: Date and time (GMT or Local)
- bridge kernel: NIC interface name
- INBOUND TCP: Type of traffic flow, direction and protocol
- IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1: Adapter traversal for the firewall
- SRC=192.150.249.87 DST=11.11.11.84: Source and destination IP
- LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=12973: IP Header information
  - Sometimes includes DF (the Don't Fragment bit) as well
- PROTO=TCP SPT=220 DPT=6129: Protocol and port numbers
  - UDP and ICMP traffic appears as PROTO=UDP and PROTO=ICMP
- WINDOW=16384 RES=0x00 SYN URGP=0: Protocol-specific information (TCP header fields: window, reserved bits, flags, urgent pointer)
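A parser for entries in this format, added here as an example (it is not from the original slides). The sample lines are constructed to match the fields catalogued above; the "_L4" suffix used for repeated keys is this example's own convention, not part of the log format.

```python
import re

# Constructed sample entries in the format shown on the slides (not real captures).
SAMPLE_TCP = ("Feb 1 00:00:02 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 "
              "PHYSOUT=eth1 SRC=192.150.249.87 DST=11.11.11.84 LEN=40 TOS=0x00 PREC=0x00 "
              "TTL=110 ID=12973 PROTO=TCP SPT=220 DPT=6129 WINDOW=16384 RES=0x00 SYN URGP=0")
SAMPLE_UDP = ("Feb 1 00:00:05 bridge kernel: INBOUND UDP: IN=br0 PHYSIN=eth0 OUT=br0 "
              "PHYSOUT=eth1 SRC=10.0.0.5 DST=11.11.11.84 LEN=60 TOS=0x00 PREC=0x00 "
              "TTL=64 ID=1 DF PROTO=UDP SPT=53 DPT=33434 LEN=40")

# syslog timestamp, host, "kernel:", the rule's log prefix, then the key=value fields
HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                    r"(?P<prefix>[^:]*): (?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_entry(line):
    """Split one netfilter log line into a dict; returns None for any other line."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"timestamp": m["ts"], "host": m["host"], "prefix": m["prefix"], "flags": set()}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # Keys can repeat: UDP entries carry a second LEN (the UDP length) and ICMP
            # echo entries a second ID (the echo identifier). Keep both, suffixed "_L4".
            while key in rec:
                key += "_L4"
            rec[key] = val
        elif tok == "DF" or tok in TCP_FLAGS:
            rec["flags"].add(tok)  # bare tokens: the Don't Fragment bit or TCP flag names
    return rec

def summarize(rec):
    """One-line, protocol-aware summary of a parsed entry."""
    proto = rec.get("PROTO", "?")
    if proto in ("TCP", "UDP"):
        ends = f"{rec['SRC']}:{rec['SPT']} -> {rec['DST']}:{rec['DPT']}"
    elif proto == "ICMP":
        ends = f"{rec['SRC']} -> {rec['DST']} type={rec.get('TYPE')} code={rec.get('CODE')}"
    else:
        ends = f"{rec['SRC']} -> {rec['DST']}"
    flags = ",".join(sorted(rec["flags"])) or "-"
    return f"{rec['timestamp']} {rec['prefix']} {proto} {ends} ttl={rec['TTL']} flags={flags}"

def is_new_tcp_connection(rec):
    """True for a bare SYN, the only TCP entry that records a connection attempt."""
    return rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]
```

Feeding a whole log through parse_entry and keeping only records where is_new_tcp_connection is true gives the inbound connection attempts per source and destination port, which is usually the first summary wanted from this kind of log.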