
odd things in pf drop logs...



Hi, I am writing a program to analyze the drop logs from our pf firewall. I read the logs from pflog0 with tcpdump.

Currently I am only interested in outbound packets that are being dropped, so I filter on src net <local network>. But I get a steady trickle of packets that are not from our network and which I cannot identify after reading the tcpdump man page.

sudo tcpdump -ttn -i pflog0 src net 130.216 | grep -v '130.216'
1132197414.953036 44.201.164.226 > 223.198.129.20: at-#150 2
1132197414.953216 162.179.205.94 > 201.126.84.84: at-#205 2
1132197414.953249 118.221.55.38 > 202.250.187.185: at-#8 2
1132197414.953356 10.111.197.35 > 206.119.250.10: at-#63 2
1132197419.017820 222.1.252.13 > 205.243.180.221: at-#141 2
1132197420.020168 243.11.220.239 > 199.109.236.92: at-#246 2
1132197420.020232 39.101.239.105 > 196.233.184.35: at-#141 2
1132197420.020466 91.215.220.115 > 192.100.78.192: at-#135 2
1132197420.020716 143.185.248.140 > 195.224.249.254: at-#150 2
1132197425.029290 202.227.188.37 > 157.143.187.152: at-#231 2
1132197426.033726 30.141.191.130 > 158.11.15.71: at-#202 2

There are two questions here:
1/ what are these 'packets' and
2/ why are they getting selected when the filter says src net 130.216?

Cheers and thanks, Russell
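As an added example (my code, not part of Russell's post), a small Python parser for the tcpdump -ttn line shape shown above that separates the records whose source address is outside the local net, which is what the grep -v in the command was trying to do. The local prefix 130.216.0.0/16 is an assumption taken from the filter in the command; the sample contains two lines copied from the post plus two constructed lines with port suffixes.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# One tcpdump -ttn line as in the post: "<epoch.usec> <src> > <dst>: <decode>".
# <src>/<dst> are dotted quads, optionally with a trailing ".port" component.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?:IP\s+)?(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s*(?P<rest>.*)$")

class Record(NamedTuple):
    ts: float
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    decode: str

def host_of(field: str) -> ipaddress.IPv4Address:
    """'a.b.c.d.port' -> a.b.c.d; a plain 'a.b.c.d' is returned unchanged."""
    parts = field.split(".")
    return ipaddress.IPv4Address(".".join(parts[:4]))

def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return Record(float(m["ts"]), host_of(m["src"]), host_of(m["dst"]), m["rest"])
    except ValueError:  # dotted field that is not a valid IPv4 address
        return None

def outside_local_net(lines, local_net="130.216.0.0/16"):
    """Records whose source is NOT in local_net: the trickle the post asks about."""
    net = ipaddress.IPv4Network(local_net)  # assumed local prefix, from the filter
    return [r for r in (parse_line(ln) for ln in lines) if r and r.src not in net]

# Constructed sample: two lines copied from the post, plus two hypothetical
# ordinary dropped packets (with port suffixes) to show those are handled too.
SAMPLE = """\
1132197414.953036 44.201.164.226 > 223.198.129.20: at-#150 2
1132197414.953216 162.179.205.94 > 201.126.84.84: at-#205 2
1132197500.000000 130.216.10.20.51234 > 198.51.100.7.80: S 1:1(0) win 65535
1132197415.000000 192.0.2.5.4000 > 130.216.1.1.53: 1234+ A? example.com
""".splitlines()

if __name__ == "__main__":
    for rec in outside_local_net(SAMPLE):
        print(f"{rec.ts:.6f} {rec.src} -> {rec.dst}: {rec.decode}")
```

Feed it `tcpdump -ttn -i pflog0` output line by line and anything it returns is a record the src net filter should not have passed.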