Logging data length

Started by rhyse, January 23, 2019, 01:55:58 PM

Hi

I am having an issue, whereby all TCP connections are showing a data-length of 0, in the logs.

The UDP and ICMP logs seem to be returning the values, although icmp could do with dropping the string "datalength="


TCP log - I assume data size should be the field after "443" (destination port) and before the "SEC" (meant to be TCP-Flags)
filterlog: 74,,,0,vmx1,match,pass,out,4,0x2,0,127,27104,0,DF,6,tcp,52,192.168.0.22,54.225.132.4,7680,443,0,SEC,362891810,,8192,,mss;nop;wscale;nop;nop;sackOK

UDP data size last entry
filterlog: 74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,192.168.0.22,9.9.9.9,52596,53,76

ICMP data size last entry
filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,192.168.105.11,192.168.105.1,datalength=36

Now I may be completely reading the logs wrong, but I just can't seem to figure it out

Any help or clarification is appreciated

Thanks
PS: I have been reviewing the log format against https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html

https://github.com/opnsense/ports/blob/master/opnsense/filterlog/files/description.txt

SEC would mean SYN ECE CWR. Important is SYN as in handshake, which has no payload, hence the 0.


Cheers,
Franco

Ok, then there must be something wrong with my logging; all I am seeing is the SEC (or S) entries.


Jan 23 22:54:38 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9857,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56986,443,0,SEC,44432861,,8192,,mss;nop;wscale;nop;nop;sackOK
Jan 23 22:51:01 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9790,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56954,443,0,SEC,1062647564,,8192,,mss;nop;wscale;nop;nop;sackOK
Jan 23 22:51:01 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9782,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56953,443,0,SEC,378084500,,8192,,mss;nop;wscale;nop;nop;sackOK
Jan 23 22:48:13 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9733,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56937,443,0,SEC,3979926657,,8192,,mss;nop;wscale;nop;nop;sackOK


for any connection. Any ideas on how to fix my logging? Or am I completely not understanding something?


Your help is appreciated

Thanks
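As an added example (my own code, not from either poster or from the OPNsense project), here is a small parser for the filterlog lines quoted in this thread. It assumes the IPv4 column layout from the Netgate filter-log-format page rhyse linked (common fields, IPv4 header fields, then protocol-specific fields), reads the TCP data-length column Franco identified, strips the "datalength=" prefix from the ICMP entry, and flags handshake SYNs so their expected 0 is not mistaken for a logging fault.

```python
import re

# Column layout for IPv4 entries, per the Netgate filter-log-format page linked in the thread.
# IPv6 entries have a different header section and are rejected below.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "data_len", "tcp_flags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "data_len"]

def parse_filterlog(line):
    """Parse one filterlog line, with or without a syslog prefix ('Jan 23 22:54:38 filterlog: ')."""
    fields = line.split("filterlog: ", 1)[-1].strip().split(",")
    e = dict(zip(COMMON + IPV4, fields))
    if e.get("ipver") != "4":
        raise ValueError("only IPv4 entries are handled")
    rest = fields[len(COMMON) + len(IPV4):]
    e["length"] = int(e["length"])            # total IP length, header included
    if e["proto"] == "tcp":
        e.update(zip(TCP, rest))
        e["data_len"] = int(e["data_len"])    # TCP payload bytes: 0 on a bare SYN
    elif e["proto"] == "udp":
        e.update(zip(UDP, rest))
        e["data_len"] = int(e["data_len"])    # on the thread's UDP line this is 96 - 20 = 76
    elif e["proto"] == "icmp":
        # The ICMP entry in the thread ends in "datalength=36"; drop the prefix rhyse objected to.
        m = re.search(r"datalength=(\d+)", ",".join(rest))
        e["data_len"] = int(m.group(1)) if m else 0
    else:
        e["data_len"] = None
    return e

def is_handshake_syn(e):
    """True for a SYN without ACK (the first handshake packet), which carries no payload."""
    f = e.get("tcp_flags", "")
    return e["proto"] == "tcp" and "S" in f and "A" not in f

def payload_entries(lines):
    """Parsed entries that can carry data: handshake SYNs are dropped, so their zeros stop looking like a fault."""
    return [e for e in map(parse_filterlog, lines) if not is_handshake_syn(e)]

# Lines taken from the posts above (not constructed), one per protocol.
SAMPLE = [
    "Jan 23 22:54:38 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9857,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56986,443,0,SEC,44432861,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "filterlog: 74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,192.168.0.22,9.9.9.9,52596,53,76",
    "filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,192.168.105.11,192.168.105.1,datalength=36",
]
```

Ports and flags are left as strings exactly as logged; only the length columns are converted to integers.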