OPNsense
  • OPNsense Forum »
  • Archive »
  • 18.7 Legacy Series »
  • Logging data length
Author Topic: Logging data length  (Read 2326 times)

rhyse

Logging data length
« on: January 23, 2019, 01:55:58 pm »
Hi

I am having an issue, whereby all TCP connections are showing a data-length of 0, in the logs.

The UDP and ICMP logs seem to be returning the values, although icmp could do with dropping the string "datalength="


TCP log - I assume data size should be the field after "443" (destination port) and before the "SEC" (meant to be TCP-Flags)
Code:
filterlog: 74,,,0,vmx1,match,pass,out,4,0x2,0,127,27104,0,DF,6,tcp,52,192.168.0.22,54.225.132.4,7680,443,0,SEC,362891810,,8192,,mss;nop;wscale;nop;nop;sackOK
UDP data size last entry
Code:
filterlog: 74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,192.168.0.22,9.9.9.9,52596,53,76
ICMP data size last entry
Code:
filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,192.168.105.11,192.168.105.1,datalength=36
Now I may be completely reading the logs wrong, but I just can't seem to figure it out

Any help or clarification is appreciated

Thanks
PS: I have been reviewing the log format against https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html
Logged

franco

  • Administrator
Re: Logging data length
« Reply #1 on: January 23, 2019, 04:53:20 pm »
https://github.com/opnsense/ports/blob/master/opnsense/filterlog/files/description.txt

SEC would mean SYN ECE CWR. Important is SYN as in handshake, which has no payload, hence the 0.


Cheers,
Franco
Logged

rhyse

Re: Logging data length
« Reply #2 on: January 24, 2019, 12:00:40 am »
OK, then there must be something wrong with my logging; all I am seeing is the SEC (or S) entries.

Code:
Jan 23 22:54:38 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9857,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56986,443,0,SEC,44432861,,8192,,mss;nop;wscale;nop;nop;sackOK
Jan 23 22:51:01 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9790,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56954,443,0,SEC,1062647564,,8192,,mss;nop;wscale;nop;nop;sackOK
Jan 23 22:51:01 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9782,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56953,443,0,SEC,378084500,,8192,,mss;nop;wscale;nop;nop;sackOK
Jan 23 22:48:13 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9733,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56937,443,0,SEC,3979926657,,8192,,mss;nop;wscale;nop;nop;sackOK

for any connection. Any ideas on how to fix my logging? Or am I completely not understanding something?


Your help is appreciated

Thanks
Logged
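To make the explanation in the thread concrete, here is an added Python example (not code from the thread, from OPNsense, or from the filterlog project) that splits the lines quoted in the first post and in reply #2 into named fields following the field order of the linked description.txt, expands the one-letter TCP flag string (S, E and C as Franco gives them; the remaining letter mappings and the IPv6 field block are assumptions from the same format description), and checks whether a zero data-length belongs to a bare SYN. It goes one step beyond the thread with `only_handshakes_logged`, a check that reports a log containing nothing but handshake packets.

```python
import re
from typing import Dict, List

# Field order of the filterlog CSV body, following the filterlog
# description.txt linked in reply #1. The IPv6 block is an assumption
# taken from the same format description (no IPv6 lines appear in the thread).
COMMON = ["rule", "subrule", "anchor", "tracker", "interface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto", "proto_text",
        "length", "src", "dst"]
IPV6 = ["class", "flow", "hoplimit", "proto_text", "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcp_flags", "seq", "ack", "window", "urg",
       "options"]
UDP = ["sport", "dport", "datalen"]

# One-letter TCP flag codes as they appear in the tcp-flags field.
# "SEC" = SYN ECE CWR is stated in the thread; the other letters follow the
# usual pf naming and are an assumption.
TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST", "P": "PSH",
                  "U": "URG", "E": "ECE", "C": "CWR"}

# Lines quoted in the thread (the last one carries a syslog prefix).
SAMPLE_LINES = [
    "filterlog: 74,,,0,vmx1,match,pass,out,4,0x2,0,127,27104,0,DF,6,tcp,52,"
    "192.168.0.22,54.225.132.4,7680,443,0,SEC,362891810,,8192,,"
    "mss;nop;wscale;nop;nop;sackOK",
    "filterlog: 74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,"
    "192.168.0.22,9.9.9.9,52596,53,76",
    "filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,"
    "192.168.105.11,192.168.105.1,datalength=36",
    "Jan 23 22:54:38 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9857,0,"
    "DF,6,tcp,52,192.168.56.2,84.45.62.98,56986,443,0,SEC,44432861,,8192,,"
    "mss;nop;wscale;nop;nop;sackOK",
]


def parse_filterlog(line: str) -> Dict[str, object]:
    """Split one filterlog line into named fields.

    Anything before "filterlog:" (syslog timestamp, hostname, pid) is ignored.
    """
    idx = line.find("filterlog")
    if idx < 0:
        raise ValueError("not a filterlog line: %r" % line)
    body = line[line.index(":", idx) + 1:].strip()
    parts = body.split(",")

    rec: Dict[str, object] = dict(zip(COMMON, parts))
    rest = parts[len(COMMON):]

    if rec["ipver"] == "4":
        rec.update(zip(IPV4, rest))
        rest = rest[len(IPV4):]
    elif rec["ipver"] == "6":
        rec.update(zip(IPV6, rest))
        rest = rest[len(IPV6):]
    else:
        raise ValueError("unknown IP version field: %r" % rec["ipver"])

    proto = rec["proto_text"]
    if proto == "tcp":
        rec.update(zip(TCP, rest))
        rec["datalen"] = int(str(rec["datalen"]))
        rec["tcp_flags"] = [TCP_FLAG_NAMES.get(c, c) for c in str(rec["tcp_flags"])]
    elif proto == "udp":
        rec.update(zip(UDP, rest))
        rec["datalen"] = int(str(rec["datalen"]))
    else:
        # ICMP and anything else: keep the tail verbatim and pull out the
        # "datalength=N" token when present.
        detail = ",".join(rest)
        rec["detail"] = detail
        m = re.search(r"datalength=(\d+)", detail)
        rec["datalen"] = int(m.group(1)) if m else None
    return rec


def is_bare_syn(rec: Dict[str, object]) -> bool:
    """True for the first packet of a TCP handshake (SYN set, ACK clear).

    Such a packet carries no payload, so data-length 0 is correct, not a fault.
    """
    if rec.get("proto_text") != "tcp":
        return False
    flags = rec.get("tcp_flags") or []
    return "SYN" in flags and "ACK" not in flags


def only_handshakes_logged(records: List[Dict[str, object]]) -> bool:
    """True when every TCP record is a bare SYN: the log holds only the packet
    that created each state and nothing from the rest of the flow."""
    tcp = [r for r in records if r.get("proto_text") == "tcp"]
    return bool(tcp) and all(is_bare_syn(r) for r in tcp)


if __name__ == "__main__":
    recs = [parse_filterlog(l) for l in SAMPLE_LINES]
    for r in recs:
        print(r["interface"], r["proto_text"], r.get("src"), "->", r.get("dst"),
              "datalen=%s" % r["datalen"],
              "flags=%s" % "+".join(r.get("tcp_flags") or []))
    print("only handshake packets in TCP log:", only_handshakes_logged(recs))
```

A TCP log in which every record is a bare SYN is not a broken log: with stateful rules pf logs the packet that matched the rule and created the state, and the remaining packets of the flow are passed on the state entry without touching the rule again, so they never reach filterlog. Per-packet payload sizes for established TCP traffic therefore do not appear here unless the rule is set to log every packet.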
