Don't want to sound pedantic, but how are you sure the packet you captured is the same one that generated the log message? What device/program did you do the capture with?

Shawn

+---------------------------------------------------------------------+
| Shawn Carroll             Network Infrastructure Group              |
| Tel: (802) 660-7812       ALLTEL Information Services               |
| Email: scarrollat_private 2 Burlington Sq.                          |
| Cell: (802) 233-4037      Burlington, VT 05401                      |
+---------------------------------------------------------------------+

-----Original Message-----
From: Rainer Gerhards [mailto:rgerhardsat_private]
Sent: Friday, January 31, 2003 1:00 PM
To: loganalysisat_private
Subject: [logs] Cisco PIX logs

Hi all,

I have been banging my head for some time now, so I think it is time to ask for assistance... I am sure I am overlooking the obvious, but I simply don't see it ;)

As an example, I have those two log lines in my PIX log (a little sanitized, though). According to Cisco's message description (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/syslog/pixemsgs.htm#xtocid5) this tells me that the local machine at 172.20.0.1 initiates a connection (via NAT) to 64.71.191.26. What makes me stumble are the ports. In the message, I see my local machine using port 1071 and connecting to pt 5780 on the remote one.

---
2003-01-31,18:20:20,2003-01-31,18:20:20,172.19.0.1,20,6,Jan 31 2003 17:12:41: %PIX-6-302005: Built UDP connection for faddr 64.71.191.26/5780 gaddr 10.6.190.187/1071 laddr 172.20.0.1/1071
2003-01-31,18:20:49,2003-01-31,18:20:49,172.19.0.1,20,6,Jan 31 2003 17:13:10: %PIX-6-302006: Teardown UDP connection for faddr 64.71.191.26/5780 gaddr 10.6.190.187/1071 laddr 172.20.0.1/1071
---

So far, so good. When I look now at a packet capture taken on 172.20.0.1, I see that the source port is indeed 1071 but the destination is 53 (DNS). The same holds true for the packet coming back. I did not (yet) take a packet capture at the Internet side of the firewall.

Any explanation for this?
Thanks,
Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
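Shawn's question (is the captured packet really the one behind the log line?) is easiest to answer mechanically. The Python below is an added example and not part of this thread or of any Cisco tool: it parses the two 302005/302006 lines Rainer quoted, pulls out the faddr/gaddr/laddr triples, computes the offset between the collector's clock and the PIX's own timestamp, and reports which endpoint fields of a capture disagree with the log. The layout of the collector prefix (receive date/time twice, relay address, syslog facility, severity, comma separated) and all function names are my assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the two lines quoted in the original message, which
# the poster had already sanitized. The fields before the firewall's own
# timestamp are assumed to be the collector's comma-separated prefix
# (receive date/time twice, relay address, syslog facility, severity).
SAMPLE_LINES = [
    "2003-01-31,18:20:20,2003-01-31,18:20:20,172.19.0.1,20,6,Jan 31 2003 17:12:41: "
    "%PIX-6-302005: Built UDP connection for faddr 64.71.191.26/5780 "
    "gaddr 10.6.190.187/1071 laddr 172.20.0.1/1071",
    "2003-01-31,18:20:49,2003-01-31,18:20:49,172.19.0.1,20,6,Jan 31 2003 17:13:10: "
    "%PIX-6-302006: Teardown UDP connection for faddr 64.71.191.26/5780 "
    "gaddr 10.6.190.187/1071 laddr 172.20.0.1/1071",
]

# Firewall timestamp followed by the %PIX message body.
STAMP_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): (?P<msg>%PIX-.*)$"
)
# Built/Teardown connection messages as they appear on the page.
CONN_RE = re.compile(
    r"^%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): "
    r"(?P<action>Built|Teardown) (?P<proto>TCP|UDP) connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gport>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lport>\d+)"
)


@dataclass
class PixConnection:
    collector_time: datetime  # when the collector received the line
    pix_time: datetime        # the firewall's own clock
    relay: str                # address the collector saw the line from
    msgid: str                # 302005 = Built, 302006 = Teardown
    action: str
    proto: str
    faddr: str                # foreign (outside) host and port
    fport: int
    gaddr: str                # global (translated) address and port
    gport: int
    laddr: str                # local (inside) host and port
    lport: int

    @property
    def clock_skew_seconds(self) -> float:
        """Collector clock minus firewall clock. Correlate on pix_time, or
        subtract this offset, before matching a line against a capture."""
        return (self.collector_time - self.pix_time).total_seconds()


def parse_pix_line(line: str) -> PixConnection:
    """Parse one collector line carrying a PIX 302005/302006 message."""
    fields = line.split(",", 7)
    if len(fields) != 8:
        raise ValueError("unexpected collector prefix: %r" % line)
    rdate, rtime, _date2, _time2, relay, _facility, _sev, rest = fields
    m = STAMP_RE.match(rest)
    if not m:
        raise ValueError("no firewall timestamp in: %r" % rest)
    c = CONN_RE.match(m.group("msg"))
    if not c:
        raise ValueError("not a 302005/302006 message: %r" % m.group("msg"))
    return PixConnection(
        collector_time=datetime.strptime(rdate + " " + rtime, "%Y-%m-%d %H:%M:%S"),
        pix_time=datetime.strptime(m.group("stamp"), "%b %d %Y %H:%M:%S"),
        relay=relay,
        msgid=c.group("msgid"), action=c.group("action"), proto=c.group("proto"),
        faddr=c.group("faddr"), fport=int(c.group("fport")),
        gaddr=c.group("gaddr"), gport=int(c.group("gport")),
        laddr=c.group("laddr"), lport=int(c.group("lport")),
    )


def compare_with_capture(conn, src_ip, src_port, dst_ip, dst_port, side="inside"):
    """Return {field: (value_in_log, value_in_capture)} for each endpoint field
    where an outbound packet from a capture disagrees with the log entry.
    On the inside the packet should carry laddr/lport -> faddr/fport; on the
    outside the firewall has already rewritten the source to gaddr/gport."""
    if side == "inside":
        expected_src = (conn.laddr, conn.lport)
    elif side == "outside":
        expected_src = (conn.gaddr, conn.gport)
    else:
        raise ValueError("side must be 'inside' or 'outside'")
    pairs = {
        "src_ip": (expected_src[0], src_ip),
        "src_port": (expected_src[1], src_port),
        "dst_ip": (conn.faddr, dst_ip),
        "dst_port": (conn.fport, dst_port),
    }
    return {k: v for k, v in pairs.items() if v[0] != v[1]}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        conn = parse_pix_line(line)
        print(conn.msgid, conn.action, conn.proto,
              "%s/%d -> %s/%d via %s/%d" % (conn.laddr, conn.lport, conn.faddr,
                                             conn.fport, conn.gaddr, conn.gport),
              "skew=%.0fs" % conn.clock_skew_seconds)
    # The inside capture described in the message: source port 1071 as logged,
    # but destination port 53 rather than the logged 5780.
    built = parse_pix_line(SAMPLE_LINES[0])
    print(compare_with_capture(built, "172.20.0.1", 1071, "64.71.191.26", 53))
```

Run against the quoted lines, the parser also surfaces that the collector's receive time is about 4059 seconds ahead of the PIX clock on both lines; a correlation that keys on the collector timestamp rather than the firewall's own would miss the matching packets entirely, which is the first thing to rule out before concluding the ports genuinely differ.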
This archive was generated by hypermail 2b30 : Fri Jan 31 2003 - 15:26:12 PST