Hello,

For Pix v.6.1.x and I guess 6.2.x, each connection is recorded by Pix with 2 messages (referenced by the connection number, 360478 for the example below):

%PIX-6-302001: Built inbound TCP connection 360478 for faddr 205.19.214.250/2277 gaddr 209.161.100.227/25 laddr 192.168.0.40/25
%PIX-6-302002: Teardown TCP connection 360478 faddr 205.19.214.250/2277 gaddr 209.161.100.227/25 laddr 192.168.0.40/25 duration 0:00:01 bytes 1643 (TCP FINs)

The "Teardown" message contains the number of bytes. From my experience, only the TCP connections have the number of bytes; the messages related to UDP connections do not record it (and no connection number either):

%PIX-6-302005: Built UDP connection for faddr 209.161.100.227/514 gaddr 209.161.200.226/37435 laddr 192.168.0.10/1233
%PIX-6-302006: Teardown UDP connection for faddr 209.161.100.227/514 gaddr 209.161.200.226/37435 laddr 192.168.0.10/1233

Pix v. 6.3.x records the number of bytes for the UDP connections as well:

%PIX-6-302015: Built outbound UDP connection 33 for outside:192.175.48.1/53 (192.175.48.1/53) to inside:192.168.5.20/1250 (209.161.100.236/1250)
%PIX-6-302016: Teardown UDP connection 33 for outside:192.175.48.1/53 to inside:192.168.5.20/1250 duration 0:00:01 bytes 153

BTW, you need logging level 6 in order to record this type of information.

Regards,
Adrian Grigorof
www.eventid.net
www.firegen.com

----- Original Message -----
From: "Walter" <walter_100@private>
To: <loganalysis@private>
Sent: Monday, February 14, 2005 1:44 AM
Subject: [logs] Re: Granular Analysis of PIX syslogs

> Hello,
> I gleaned over PIX v6.2 messages and then looked at
> some of the links that had some reports on Bandwidth
> consumed by a Source IP Address. (I think it was from
> eventid.net) Most of the PIX logs are really
> permit/deny messages without any message really
> mentioning bytes sent/recvd. I was wondering how, then,
> the BW consumed is calculated. Am I missing something?
> Thanks!
> Walter

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
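As an added illustration (not part of the original thread), the following Python parser sums bytes per foreign address from the teardown message formats Adrian quotes above: 302002 (6.1/6.2 TCP, bytes present), 302016 (6.3 UDP, bytes present) and 302006 (6.1/6.2 UDP, no bytes, so it can only be counted as unaccounted traffic). The regexes are derived from the sample lines in the thread, and the sample log is constructed from those same lines.

```python
import re
from collections import defaultdict

# 6.1/6.2 TCP teardown: connection number, faddr/gaddr/laddr, byte count at the end.
RE_TCP_OLD = re.compile(
    r"%PIX-6-302002: Teardown TCP connection (?P<conn>\d+) faddr (?P<faddr>[\d.]+)/\d+ "
    r"gaddr [\d.]+/\d+ laddr [\d.]+/\d+ duration [\d:]+ bytes (?P<bytes>\d+)"
)
# 6.3 UDP teardown: interface:addr/port form, byte count at the end.
RE_UDP_63 = re.compile(
    r"%PIX-6-302016: Teardown UDP connection (?P<conn>\d+) for \w+:(?P<faddr>[\d.]+)/\d+ "
    r"to \w+:[\d.]+/\d+ duration [\d:]+ bytes (?P<bytes>\d+)"
)
# 6.1/6.2 UDP teardown: no connection number and no byte count.
RE_UDP_OLD = re.compile(r"%PIX-6-302006: Teardown UDP connection for faddr (?P<faddr>[\d.]+)/\d+")


def parse_teardown(line):
    """Return (faddr, bytes) for a teardown line, (faddr, None) when the format
    carries no byte count, or None for any other message (e.g. 'Built' lines)."""
    for rx in (RE_TCP_OLD, RE_UDP_63):
        m = rx.search(line)
        if m:
            return m.group("faddr"), int(m.group("bytes"))
    m = RE_UDP_OLD.search(line)
    if m:
        return m.group("faddr"), None
    return None


def bytes_per_foreign_addr(lines):
    """Sum bytes per foreign address; teardowns without a byte count are only counted.
    Note: bytes appear only at teardown, so still-open connections contribute nothing."""
    totals, unaccounted = defaultdict(int), 0
    for line in lines:
        parsed = parse_teardown(line)
        if parsed is None:
            continue
        faddr, nbytes = parsed
        if nbytes is None:
            unaccounted += 1
        else:
            totals[faddr] += nbytes
    return dict(totals), unaccounted


# Constructed sample log: the six messages quoted in the thread above.
SAMPLE_LOG = [
    "%PIX-6-302001: Built inbound TCP connection 360478 for faddr 205.19.214.250/2277 gaddr 209.161.100.227/25 laddr 192.168.0.40/25",
    "%PIX-6-302002: Teardown TCP connection 360478 faddr 205.19.214.250/2277 gaddr 209.161.100.227/25 laddr 192.168.0.40/25 duration 0:00:01 bytes 1643 (TCP FINs)",
    "%PIX-6-302005: Built UDP connection for faddr 209.161.100.227/514 gaddr 209.161.200.226/37435 laddr 192.168.0.10/1233",
    "%PIX-6-302006: Teardown UDP connection for faddr 209.161.100.227/514 gaddr 209.161.200.226/37435 laddr 192.168.0.10/1233",
    "%PIX-6-302015: Built outbound UDP connection 33 for outside:192.175.48.1/53 (192.175.48.1/53) to inside:192.168.5.20/1250 (209.161.100.236/1250)",
    "%PIX-6-302016: Teardown UDP connection 33 for outside:192.175.48.1/53 to inside:192.168.5.20/1250 duration 0:00:01 bytes 153",
]
```

Running `bytes_per_foreign_addr(SAMPLE_LOG)` yields 1643 bytes for 205.19.214.250 and 153 for 192.175.48.1, with one UDP teardown left unaccounted because the 6.2-style message carries no byte count.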
This archive was generated by hypermail 2.1.3 : Mon Feb 14 2005 - 08:08:18 PST