On 16 Nov 2005 19:50:32 -0800, [EMAIL PROTECTED] (Russell Fulton) wrote:

>Hi I am writing a program to analyze the drop logs from our pf
>firewall. I read the logs from pflog0 with tcpdump.
>
>Currently I am only interested in outbound packets that are being
>dropped so I filter on src net <local network>. But I get a steady
>trickle of packets that are not from our network and which I cannot
>identify after reading the tcpdump man page.
>
>sudo tcpdump -ttn -i pflog0 src net 130.216 | grep -v '130.216'
>1132197414.953036 44.201.164.226 > 223.198.129.20: at-#150 2
>1132197414.953216 162.179.205.94 > 201.126.84.84: at-#205 2
>1132197414.953249 118.221.55.38 > 202.250.187.185: at-#8 2
>1132197414.953356 10.111.197.35 > 206.119.250.10: at-#63 2
>1132197419.017820 222.1.252.13 > 205.243.180.221: at-#141 2
>1132197420.020168 243.11.220.239 > 199.109.236.92: at-#246 2
>1132197420.020232 39.101.239.105 > 196.233.184.35: at-#141 2
>1132197420.020466 91.215.220.115 > 192.100.78.192: at-#135 2
>1132197420.020716 143.185.248.140 > 195.224.249.254: at-#150 2
>1132197425.029290 202.227.188.37 > 157.143.187.152: at-#231 2
>1132197426.033726 30.141.191.130 > 158.11.15.71: at-#202 2
>
>There are two questions here:
>1/ what are these 'packets' and
>2/ why are they getting selected when the filter says src net 130.216?
>
>Cheers and thanks, Russell
Curiouser and curiouser, did some quick grepage here

/var/log # grep -i "at-#" /var/log/pflog.txt
Nov 17 08:37:05 gw2 pf: rule 23/0(match): pass out on fxp0: 0.134.1.227 > 67.131.22.227: at-#20 358
Nov 17 10:47:02 gw2 pf: rule 23/0(match): pass out on fxp0: 226.107.237.229 > 227.48.149.48: at-#102 358
/var/log # gzip -dc /var/log/archive/pflog.txt.?.gz | grep "at-#"
Nov 16 08:31:43 gw2 pf: rule 23/0(match): pass out on fxp0: 243.200.230.249 > 140.218.28.154: at-#129 5
Nov 15 04:38:04 gw2 pf: rule 0/0(match): block in on fxp0: 134.21.0.echo > 85.126.0.echo: at-#153 45

There is nothing Apple-related on the network here.

greg
--
"Access to a waiting list is not access to health care"
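Added here as an example, not code from either post: a small Python parser for the `tcpdump -ttn -i pflog0` lines Russell shows, which tests the source against 130.216.0.0/16 as a network rather than with a substring `grep -v`, and tags the lines tcpdump printed in its AppleTalk `at-#` form (what its DDP printer emits for a DDP type it has no decoder for) so they can be counted separately. The sample lines are constructed for the example; the network and the address format are the only things taken from the thread.

```python
import ipaddress
import re

# Constructed sample in `tcpdump -ttn -i pflog0` format, modelled on the lines
# quoted in the post; addresses and timestamps are illustrative, not real captures.
SAMPLE_LOG = """\
1132197414.953036 130.216.5.10.51234 > 192.0.2.53.53: UDP, length 40
1132197414.953216 162.179.205.94 > 201.126.84.84: at-#205 2
1132197419.017820 222.1.252.13 > 205.243.180.221: at-#141 2
1132197420.020168 10.111.197.35 > 130.216.9.9: at-#63 2
1132197426.033726 130.216.7.3.443 > 198.51.100.8.40001: tcp 0 (DF)
"""

LOCAL_NET = ipaddress.ip_network("130.216.0.0/16")

# <epoch timestamp> <src> > <dst>: <decoded payload>
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(\S+)\s+>\s+(\S+):\s+(.*)$")


def strip_port(field):
    """With -n, tcpdump prints IPv4 endpoints as a.b.c.d.port; drop the port."""
    parts = field.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else field


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, rest = m.groups()
    return {"ts": float(ts), "src": strip_port(src), "dst": strip_port(dst), "decode": rest}


def classify(rec):
    """'appletalk' for lines tcpdump rendered in its at-# DDP form (not decoded as IP),
    otherwise 'local' or 'foreign' by whether the source address is in LOCAL_NET."""
    if rec["decode"].startswith("at-#"):
        return "appletalk"
    try:
        src = ipaddress.ip_address(rec["src"])
    except ValueError:
        return "unparsed"
    return "local" if src in LOCAL_NET else "foreign"


def unexpected_sources(log_text):
    """Records not sourced from LOCAL_NET, by CIDR test rather than the substring
    grep -v '130.216', which also hides foreign sources sent *to* 130.216."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and classify(r) != "local"]
```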