[logs] Re: PIX message PIX-6-303002?

From: Adrian Grigorof (adi@private)
Date: Sun Sep 18 2005 - 12:13:38 PDT


PIX-6-302014 represents the end of a TCP connection. Look for PIX-6-302013
for the start of that connection.

For example:
PIX-6-302013: Built outbound TCP connection 47631732 for
outside:207.46.196.108/80 (207.46.196.108/80) to inside:10.1.11.9/2374
(209.76.245.60/41472)
PIX-6-302014: Teardown TCP connection 47631732 for outside:207.46.196.108/80
to inside:10.1.11.9/2374 duration 0:00:01 bytes 825 TCP FINs

The PIX-6-302014 message contains the number of bytes transferred: 825. You can
identify the connection by its id: 47631732.

These messages are recorded for any type of TCP connection, not just FTP.

For FTP transfers, you should see a PIX-6-303002 message between the
connection-related ones:

PIX-6-303002: 192.168.0.40 Retrieved 212.100.229.185:nvc5.txt

* * *

The PIX-6-302016 message is recorded when a UDP connection is terminated (and it is
paired with a PIX-6-302015 message):

PIX-6-302016: Teardown UDP connection 2430193 for outside:207.217.120.83/53
to inside:10.8.3.2/1193 duration 0:00:01 bytes 186

Again, the PIX-6-302016 message contains the number of bytes: 186. Please note that
only PIX 6.3.x and higher record the number of bytes for UDP connections.


Regards,

Adrian Grigorof
FireGen - Firewall Log Analyzers
www.firegen.com


----- Original Message ----- 
From: "Walter" <walter_100@private>
To: <loganalysis@private>
Sent: Sunday, September 11, 2005 18:21
Subject: [logs] PIX message PIX-6-303002?


> Is this a part of a connection message e.g.
> PIX-6-302014/PIX-6-302016?
>
> Is it always for ftp messages? How do I find out the
> number of bytes transferred?
> Thanks much!
> Walter

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
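The pairing Adrian describes (Built 302013/302015 matched to Teardown 302014/302016 by connection id, bytes read from the teardown, and a 303002 line attributed to the FTP session it sits inside) can be done with a small correlator. The following is an added example written for this archive page, not code from the original post or from FireGen. The sample log is constructed: the TCP, UDP-teardown and 303002 lines are the post's own examples re-joined onto single lines, while the 302015 line, the FTP control connection 47631800 and connection 99 (a teardown with no byte count and no matching Built line) are made up here to exercise the pairing logic and the missing-bytes case the post mentions. The "Stored" alternative to "Retrieved" in the 303002 pattern is an assumption about the message format, not something the post shows.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log (see lead-in). Real syslog output prefixes the message id with "%";
# the post omits it, so the patterns below accept both forms.
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 47631732 for outside:207.46.196.108/80 (207.46.196.108/80) to inside:10.1.11.9/2374 (209.76.245.60/41472)
%PIX-6-302014: Teardown TCP connection 47631732 for outside:207.46.196.108/80 to inside:10.1.11.9/2374 duration 0:00:01 bytes 825 TCP FINs
%PIX-6-302015: Built outbound UDP connection 2430193 for outside:207.217.120.83/53 (207.217.120.83/53) to inside:10.8.3.2/1193 (209.76.245.60/1193)
%PIX-6-302016: Teardown UDP connection 2430193 for outside:207.217.120.83/53 to inside:10.8.3.2/1193 duration 0:00:01 bytes 186
%PIX-6-302013: Built outbound TCP connection 47631800 for outside:212.100.229.185/21 (212.100.229.185/21) to inside:192.168.0.40/3201 (209.76.245.60/3201)
%PIX-6-303002: 192.168.0.40 Retrieved 212.100.229.185:nvc5.txt
%PIX-6-302014: Teardown TCP connection 47631800 for outside:212.100.229.185/21 to inside:192.168.0.40/3201 duration 0:00:05 bytes 1492 TCP FINs
%PIX-6-302016: Teardown UDP connection 99 for outside:207.217.120.83/53 to inside:10.8.3.2/1200 duration 0:00:02
"""

# One endpoint as logged: interface:ip/port. The NAT-mapped "(ip/port)" that follows on Built lines is skipped.
ENDPOINT = r"(?P<{p}_if>\w+):(?P<{p}_ip>[\d.]+)/(?P<{p}_port>\d+)"
BUILT_RE = re.compile(
    r"%?PIX-6-30201[35]: Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection (?P<id>\d+) for "
    + ENDPOINT.format(p="a") + r" \([\d.]+/\d+\) to " + ENDPOINT.format(p="b") + r" \([\d.]+/\d+\)")
TEARDOWN_RE = re.compile(
    r"%?PIX-6-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<id>\d+) for "
    + ENDPOINT.format(p="a") + r" to " + ENDPOINT.format(p="b")
    + r" duration (?P<duration>\d+:\d\d:\d\d)(?: bytes (?P<bytes>\d+))?(?: (?P<reason>.*))?$")
# 303002 carries no connection id, only the client, the server and the file name.
FTP_RE = re.compile(r"%?PIX-6-303002: (?P<client>[\d.]+) (?P<action>Retrieved|Stored) (?P<server>[\d.]+):(?P<file>\S+)")


@dataclass
class Connection:
    conn_id: int
    proto: str
    endpoints: Tuple[str, str]       # as logged, e.g. ("outside:207.46.196.108/80", "inside:10.1.11.9/2374")
    hosts: Set[str]                  # the two IP addresses, used to attribute 303002 events
    ports: Set[int]
    built: bool = False              # saw the 302013/302015 line
    closed: bool = False             # saw the 302014/302016 line
    duration: Optional[str] = None
    bytes: Optional[int] = None      # None when the teardown carried no byte count (post: UDP before PIX 6.3)
    reason: Optional[str] = None     # e.g. "TCP FINs"; absent on UDP teardowns
    ftp: List[str] = field(default_factory=list)  # 303002 events attributed to this connection


def _conn_from_match(m: "re.Match[str]", built: bool) -> Connection:
    return Connection(conn_id=int(m["id"]), proto=m["proto"],
                      endpoints=(f"{m['a_if']}:{m['a_ip']}/{m['a_port']}", f"{m['b_if']}:{m['b_ip']}/{m['b_port']}"),
                      hosts={m["a_ip"], m["b_ip"]}, ports={int(m["a_port"]), int(m["b_port"])}, built=built)


def correlate(lines) -> Tuple[Dict[int, Connection], List[str]]:
    """Pair Built/Teardown messages by connection id; hang 303002 events on the open FTP control connection."""
    conns: Dict[int, Connection] = {}
    unmatched_ftp: List[str] = []
    for raw in lines:
        line = raw.strip()
        if m := BUILT_RE.search(line):
            conns[int(m["id"])] = _conn_from_match(m, built=True)
        elif m := TEARDOWN_RE.search(line):
            cid = int(m["id"])
            c = conns.get(cid)
            if c is None:
                # Teardown with no Built: the start predates this log slice or the Built line was dropped.
                c = conns[cid] = _conn_from_match(m, built=False)
            c.closed = True
            c.duration = m["duration"]
            c.bytes = int(m["bytes"]) if m["bytes"] is not None else None
            c.reason = m["reason"] or None
        elif m := FTP_RE.search(line):
            event = f"{m['action']} {m['server']}:{m['file']}"
            # No id to join on: pick an open TCP connection between the same two hosts,
            # preferring one that involves port 21 (the FTP control channel).
            cands = [c for c in conns.values()
                     if c.proto == "TCP" and not c.closed and c.hosts == {m["client"], m["server"]}]
            cands.sort(key=lambda c: 21 not in c.ports)
            if cands:
                cands[0].ftp.append(event)
            else:
                unmatched_ftp.append(line)
    return conns, unmatched_ftp


def report(conns: Dict[int, Connection]) -> List[str]:
    """One summary line per connection, flagging half-seen connections and missing byte counts."""
    out = []
    for c in sorted(conns.values(), key=lambda c: c.conn_id):
        size = f"{c.bytes} bytes" if c.bytes is not None else "bytes not logged"
        flags = ("" if c.built else " [no Built line]") + ("" if c.closed else " [still open]")
        ftp = f" FTP: {', '.join(c.ftp)}" if c.ftp else ""
        out.append(f"{c.proto} {c.conn_id}: {c.endpoints[0]} -> {c.endpoints[1]} {c.duration} {size}{flags}{ftp}")
    return out


if __name__ == "__main__":
    conns, unmatched = correlate(SAMPLE_LOG.splitlines())
    print("\n".join(report(conns)))
    for line in unmatched:
        print("unattributed FTP event:", line)
```

Two caveats that the post does not spell out. The attribution of a 303002 line to a connection is a heuristic (same host pair, open at the time, port 21 preferred), because the message carries no connection id. And the byte count on the control connection's teardown is not the size of the retrieved file: FTP moves the file over a separate data connection, which gets its own 302013/302014 pair, so the file size is in that pair's teardown line.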



This archive was generated by hypermail 2.1.3 : Mon Sep 19 2005 - 19:11:16 PDT