One for the comms experts
redhowlingwolves at nc.rr.com
Sun Sep 20 07:57:20 UTC 2009
> Below is a line from one of my log files. I want to know whether it's an
> incoming or outgoing packet.
> Sep 9 12:03:34 username-computername kernel:
> Inbound IN=eth0
> OUT= MAC=00:1a:4d:6b:72:93:00:25:69:59:3d:c8:08:00
> TYPE=3 CODE=4
> ** Note: next 14 items in [square brackets]
> ID=36160 DF
> PSH URGP=0 ]
> It's all in one line, so I'm assuming it's related to one packet only.
> Could that be wrong? Could part of this be a return packet?
> The first part would appear to indicate that it's coming in through the
> router. The source 10.1.1.1 is the router, the destination 10.1.1.2 is
> the computer (or would that be the kernel??)
> Using that logic, the bit in square brackets would seem to be an
> outgoing packet Source 10.1.1.2 (the computer) destination is the IP
> address I've hidden to protect the guilty.
> Both have an individual length, so that might lean toward this line
> containing details of two packets. Perhaps the first part being
> acknowledgment of receipt of an earlier packet that was sent out.
> How's my thinking?
It's an ICMP, or ping, packet. Type 3 is a 'Destination Unreachable' and
the code=4 is an error meaning 'Fragmentation Needed and Don't Fragment
was Set'. It's more than likely a DHCP packet asking who has what
address. The second is just an acknowledgment (ACK).
Are you blocking pings?
Try using Wireshark to see if you can find the actual packets.
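Added example, not part of the original thread: a small parser for a netfilter LOG line of the shape quoted above. For ICMP error messages the kernel's LOG target prints, in square brackets, the header of the packet the error refers to, so the parser returns the logged packet and the embedded header separately. The sample line is constructed: the address 192.0.2.10, the ports, lengths, the outer ID and the MTU are placeholders, not values from the post.

```python
import re

# Constructed sample in the format of the quoted log line (placeholder values
# for everything the post elided or hid).
SAMPLE = (
    "Sep  9 12:03:34 username-computername kernel: Inbound IN=eth0 OUT= "
    "MAC=00:1a:4d:6b:72:93:00:25:69:59:3d:c8:08:00 SRC=10.1.1.1 DST=10.1.1.2 "
    "LEN=576 TOS=0x00 PREC=0xC0 TTL=64 ID=4321 PROTO=ICMP TYPE=3 CODE=4 "
    "[SRC=10.1.1.2 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=36160 DF "
    "PROTO=TCP SPT=45000 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0 ] MTU=1492"
)

# ICMP type 3 (destination unreachable) codes, from RFC 792 / RFC 1191.
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 3: "port unreachable", 4: "fragmentation needed and DF set"}

def _fields(text):
    """Split KEY=value tokens into a dict; bare tokens (DF, ACK, PSH) are flags."""
    kv, flags = {}, []
    for tok in text.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            kv[key] = value
        else:
            flags.append(tok)
    return kv, flags

def parse_log_line(line):
    payload = line.split("kernel:", 1)[1]
    m = re.search(r"\[(.*?)\]", payload)          # embedded header, if any
    inner_text = m.group(1) if m else ""
    outer_text = payload[:m.start()] + payload[m.end():] if m else payload
    outer, outer_flags = _fields(outer_text)
    inner, inner_flags = _fields(inner_text)
    # IN set and OUT empty: received on that interface; the reverse: sent;
    # both set: forwarded between interfaces.
    has_in, has_out = bool(outer.get("IN")), bool(outer.get("OUT"))
    direction = ("forwarded" if has_in and has_out else
                 "inbound" if has_in else "outbound" if has_out else "unknown")
    icmp = None
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3":
        code = int(outer.get("CODE", -1))
        icmp = "destination unreachable: " + UNREACH_CODES.get(code, f"code {code}")
    return {"direction": direction, "outer": outer, "outer_flags": outer_flags,
            "embedded": inner, "embedded_flags": inner_flags, "icmp": icmp}

if __name__ == "__main__":
    for key, value in parse_log_line(SAMPLE).items():
        print(f"{key}: {value}")
```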