PIX-6-302014 represents the end of a TCP connection. Look for PIX-6-302013 for the start of that connection. For example:

PIX-6-302013: Built outbound TCP connection 47631732 for outside:207.46.196.108/80 (207.46.196.108/80) to inside:10.1.11.9/2374 (209.76.245.60/41472)
PIX-6-302014: Teardown TCP connection 47631732 for outside:207.46.196.108/80 to inside:10.1.11.9/2374 duration 0:00:01 bytes 825 TCP FINs

The PIX-6-302014 contains the number of bytes transferred: 825. You can identify the connection by its id: 47631732. These messages are recorded for any type of TCP connection, not just FTP. For FTP transfers, you should see a PIX-6-303002 message between the connection-related ones:

PIX-6-303002: 192.168.0.40 Retrieved 212.100.229.185:nvc5.txt

* * *

The PIX-6-302016 is recorded when a UDP connection is terminated (and it is paired with a PIX-6-302015 message):

PIX-6-302016: Teardown UDP connection 2430193 for outside:207.217.120.83/53 to inside:10.8.3.2/1193 duration 0:00:01 bytes 186

Again, the PIX-6-302016 contains the number of bytes: 186. Please note that only Pix 6.3.x and higher record the number of bytes for UDP connections.

Regards,

Adrian Grigorof
FireGen - Firewall Log Analyzers
www.firegen.com

----- Original Message -----
From: "Walter" <walter_100@private>
To: <loganalysis@private>
Sent: Sunday, September 11, 2005 18:21
Subject: [logs] PIX message PIX-6-303002?

> Is this a part of a connection message e.g.
> PIX-6-302014/PIX-6-302016?
>
> Is it always for ftp messages? How do I find out the
> number of bytes transferred?
> Thanks much!
> Walter

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
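
The pairing described in the reply above, as an added example that is not part of the original post: it matches Built and Teardown messages by connection id, reads duration and byte count from the teardown, and collects PIX-6-303002 FTP records. The function name and result fields are hypothetical, and the sample input is the four log lines quoted in the reply, so the UDP teardown deliberately has no Built line to pair with.

```python
import re

# Sample input: the log lines quoted in the reply above (no 302015 line is shown there).
SAMPLE_LOG = """\
PIX-6-302013: Built outbound TCP connection 47631732 for outside:207.46.196.108/80 (207.46.196.108/80) to inside:10.1.11.9/2374 (209.76.245.60/41472)
PIX-6-302014: Teardown TCP connection 47631732 for outside:207.46.196.108/80 to inside:10.1.11.9/2374 duration 0:00:01 bytes 825 TCP FINs
PIX-6-303002: 192.168.0.40 Retrieved 212.100.229.185:nvc5.txt
PIX-6-302016: Teardown UDP connection 2430193 for outside:207.217.120.83/53 to inside:10.8.3.2/1193 duration 0:00:01 bytes 186
"""

# 302013/302015 open a connection; 302014/302016 close it and carry the byte count.
BUILT = re.compile(r"PIX-6-30201[35]: Built (?:(\w+) )?(TCP|UDP) connection (\d+) ")
TEARDOWN = re.compile(
    r"PIX-6-30201[46]: Teardown (TCP|UDP) connection (\d+) for (\S+) to (\S+) "
    r"duration (\d+):(\d\d):(\d\d) bytes (\d+)")
FTP = re.compile(r"PIX-6-303002: (\S+) (\w+) ([^:\s]+):(\S.*)")

def correlate(lines):
    """Return (closed connections keyed by id, list of FTP file transfers)."""
    pending, closed, ftp = {}, {}, []
    for line in lines:
        if m := BUILT.search(line):
            pending[m.group(3)] = m.group(1)          # remember direction by id
        elif m := TEARDOWN.search(line):
            proto, cid, outside, inside, hh, mm, ss, nbytes = m.groups()
            saw_built = cid in pending                # False if the log starts mid-connection
            closed[cid] = {
                "proto": proto, "outside": outside, "inside": inside,
                "direction": pending.pop(cid, None),
                "seconds": int(hh) * 3600 + int(mm) * 60 + int(ss),
                "bytes": int(nbytes),
                "saw_built": saw_built,
            }
        elif m := FTP.search(line):
            client, action, server, name = m.groups()
            ftp.append({"client": client, "action": action,
                        "server": server, "file": name.strip()})
    return closed, ftp

if __name__ == "__main__":
    conns, transfers = correlate(SAMPLE_LOG.splitlines())
    for cid, c in conns.items():
        print(cid, c["proto"], c["bytes"], "bytes,", c["seconds"], "s, built seen:", c["saw_built"])
    for t in transfers:
        print(t["client"], t["action"], t["file"], "from", t["server"])
```

A teardown with no matching Built line is still reported with its byte count and is flagged through saw_built, which is what happens when log collection starts after the connection was opened.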