Honeypots mailing list archives
Re: Log help
From: Seth Arnold <sarnold () wirex com>
Date: Sun, 16 Mar 2003 22:37:28 -0800
On Sat, Mar 15, 2003 at 12:56:17AM -0500, Rhett Butler wrote: [Rhett, your email would be easier to read if you wrapped your lines at 72 characters. Thanks.]
2003-03-12-23:07:34.0153 tcp(6) - 61.172.195.154 80 192.168.0.112 43545: 40 RA
2003-03-13-02:59:05.0851 tcp(6) - 202.102.232.145 80 192.168.0.112 43545: 44 SA
2003-03-13-17:12:38.0643 tcp(6) - 61.172.246.21 80 192.168.0.112 43545: 40 RA
Also what do the characters after the port number mean? I believe the number is the time the "connection" was used, but is that in seconds? What do the last characters mean, SA, RA? Why does that differ from this entry?
I'm going to guess that the numbers after the colon are the size of the packet, and the characters are the TCP flags that are set: RST, ACK, and SYN in these examples. I'd expect PSH, URG, FIN, and maybe ECN, depending if honeyd groks Explicit Congestion Notification yet.
2003-03-15-00:36:57.0601 tcp(6) S 153.39.89.142 48795 192.168.0.112 80
2003-03-15-00:37:13.0824 tcp(6) E 153.39.89.142 48795 192.168.0.112 80: 386 20078
I'm going to guess that these two numbers are the incoming and outgoing byte counts. But I'm a lot less sure about this guess than I was about the previous guess...
--
"Dependence on computers is apparently making a significant fraction of the population incurably stupid." -- Fritz Whittington
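As an added example (not from the thread and not honeyd's own code), a small Python parser for the three line shapes quoted above. It encodes Seth's readings as assumptions: on "-" lines the number after the colon is the packet size and the letters are TCP flags; on "E" lines the two numbers are received and sent byte counts; "S" lines carry nothing after the port.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed sample in the honeyd log layout quoted in the thread (one line of each kind).
SAMPLE_LOG = """\
2003-03-12-23:07:34.0153 tcp(6) - 61.172.195.154 80 192.168.0.112 43545: 40 RA
2003-03-15-00:36:57.0601 tcp(6) S 153.39.89.142 48795 192.168.0.112 80
2003-03-15-00:37:13.0824 tcp(6) E 153.39.89.142 48795 192.168.0.112 80: 386 20078
"""

# Flag letters -> names; SYN/ACK/RST appear in the thread, the others are the ones Seth expects.
FLAG_NAMES = {"S": "SYN", "A": "ACK", "R": "RST", "F": "FIN", "P": "PSH", "U": "URG"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+)\((?P<pnum>\d+)\) (?P<kind>[SE-]) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)(?:: (?P<tail>.*))?$"
)

@dataclass
class Record:
    ts: str
    proto: str
    kind: str                    # 'S' = flow start, 'E' = flow end, '-' = lone packet
    src: str
    sport: int
    dst: str
    dport: int
    size: Optional[int] = None   # '-' lines: packet size (assumed, per the thread)
    flags: Tuple[str, ...] = ()  # '-' lines: TCP flags that were set
    bytes_in: Optional[int] = None   # 'E' lines: bytes received (assumed)
    bytes_out: Optional[int] = None  # 'E' lines: bytes sent (assumed)

def parse_line(line: str) -> Record:
    # Parse one honeyd log line; anything outside the three known shapes is an error.
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised honeyd log line: {line!r}")
    rec = Record(m["ts"], m["proto"], m["kind"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))
    tail = m["tail"]
    if rec.kind == "-" and tail:
        size, _, flags = tail.partition(" ")
        rec.size = int(size)
        rec.flags = tuple(FLAG_NAMES.get(c, c) for c in flags)
    elif rec.kind == "E" and tail:
        rec.bytes_in, rec.bytes_out = (int(n) for n in tail.split())
    return rec

def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]
```

Unknown flag letters are passed through unchanged rather than dropped, so a new letter (such as one for ECN) still shows up in the parsed record.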