
Re: odd things in pf drop logs...





Daniel Hartmeier wrote:

I'm not sure. It looks like the only part of tcpdump that can potentially print the "at-#" part is print-atalk.c, pretty-printing AppleTalk packets.

Ah! It is possible that there are AppleTalk packets out on the DMZ -- there should not be, but I've just spoken to the Network folk and they admitted that it is possible...

Can you make sure you get untruncated packets and print them with


tcpdump -nvvvX -s 1600 -i pflog0 ...

so we get a little more verbose output?

Maybe try 'src net 130.216.0.0/16', in case this is an issue here.

Hmmmm... what ever is kip?


14:57:35.469584 kip 73.61.65.185 > 100.20.84.69: at-#105 2 (ttl 126, id 22132, len 46)
14:57:35.469695 kip 157.83.218.108 > 103.144.153.93: at-#159 2 (ttl 126, id 22133, len 46)
14:57:35.469946 kip 85.201.20.82 > 73.101.163.27: at-#116 2 (ttl 126, id 22134, len 46)
14:57:39.524638 kip 129.167.100.163 > 74.225.191: at-#208 2 (ttl 126, id 22598, len 46)
14:58:52.925617 kip 253.21.66.19 > 78.108.120.140: at-#100 2 (ttl 126, id 25035, len 46)
14:58:53.927337 kip 41.123.131.187 > 77.232.89.31: at-#72 2 (ttl 126, id 25038, len 46)
14:58:53.927376 kip 4.113.163.218 > 71.118.37.164: at-#87 2 (ttl 126, id 25039, len 46)
14:58:53.927442 kip 208.31.23.9 > 68.242.77.169: at-#186 2 (ttl 126, id 25040, len 46)
14:58:53.927472 kip 172.173.155.213 > 64.127.248.149: at-#111 2 (ttl 126, id 25041, len 46)
14:58:58.032723 kip 120.195.219.92 > 67.251.196.97: at-#72 2 (ttl 126, id 25096, len 46)
14:58:59.034934 kip 246.185.50.183 > 85.67.177.5: at-#210 2 (ttl 126, id 25099, len 46)
14:58:59.035129 kip 34.215.165.215 > 86.199.142.235: at-#84 2 (ttl 126, id 25100, len 46)
14:58:59.035254 kip 94.101.246.155 > 82.74.194.192: at-#141 2 (ttl 126, id 25101, len 46)
14:58:59.035653 kip 138.11.174.232 > 81.206.14.187: at-#83 2 (ttl 126, id 25102, len 46)
14:59:03.086446 kip 167.1.223.59 > 91.80.250.54: at-#13 2 (ttl 126, id 25159, len 46)