Re: Log help

[Seth Arnold <sarnold () wirex com>]

On Sat, Mar 15, 2003 at 12:56:17AM -0500, Rhett Butler wrote:

[Rhett, your email would be easier to read if you wrapped your lines at
72 characters. Thanks.]

> 2003-03-12-23:07:34.0153 tcp(6) - 61.172.195.154 80 192.168.0.112 43545: 40 RA
> 2003-03-13-02:59:05.0851 tcp(6) - 202.102.232.145 80 192.168.0.112 43545: 44 SA
> 2003-03-13-17:12:38.0643 tcp(6) - 61.172.246.21 80 192.168.0.112 43545: 40 RA

> Also what do the characters after the port number mean? I believe the
> number is the time the "connection" was used, but is that in seconds?
> What do the last charaters mean SA RA? Why does that differ from this
> entry?

I'm going to guess that the numbers after the colon are the size of the
packet, and the characters are the TCP flags that are set: RST, ACK, and
SYN in these examples. I'd expect PSH, URG, FIN, and maybe ECN,
depending if honeyd groks Explicit Congestion Notification yet.

> 2003-03-15-00:36:57.0601 tcp(6) S 153.39.89.142 48795 192.168.0.112 80
> 2003-03-15-00:37:13.0824 tcp(6) E 153.39.89.142 48795 192.168.0.112 80: 386 20078

I'm going to guess that these two numbers are the incoming and outgoing
byte counts. But I'm a lot less sure about this guess than I was about
the previous guess...

-- 
"Dependence on computers is apparently making a significant fraction
of the population incurably stupid." -- Fritz Whittington

Attachment: _bin
Description: