Honeypots mailing list archives
Log help
From: Rhett Butler <rbutler () UU NET>
Date: Sat, 15 Mar 2003 00:56:17 -0500
Greetings,

I'm still a bit new to honeyd; if I've missed where this information is stored, I'll be happy to drink from the firehose. Can someone help me to understand what the information in these entries means?

2003-03-12-23:07:34.0153 tcp(6) - 61.172.195.154 80 192.168.0.112 43545: 40 RA
2003-03-13-02:59:05.0851 tcp(6) - 202.102.232.145 80 192.168.0.112 43545: 44 SA
2003-03-13-17:12:38.0643 tcp(6) - 61.172.246.21 80 192.168.0.112 43545: 40 RA

The parts I do not understand are:

"How" is this traffic coming through my firewall? I'm not allowing port 43545 into this device. This device shouldn't be trying to get to any web pages, and I'm not seeing the SYN packet attempt on the way out.

Also, what do the characters after the port number mean? I believe the number is the time the "connection" was used, but is that in seconds? What do the last characters, SA and RA, mean?

Why does that differ from this entry?

2003-03-15-00:36:57.0601 tcp(6) S 153.39.89.142 48795 192.168.0.112 80
2003-03-15-00:37:13.0824 tcp(6) E 153.39.89.142 48795 192.168.0.112 80: 386 20078

Thank You for any input,
Rhett