iptable log analysis - LEN property appears twice

iptable log analysis - LEN property appears twice
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Networking Firewalls    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
iptable log analysis - LEN property appears twice crowl 03-12-2007
Posted by on March 12, 2007, 5:54 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Wondering browsing my iptable logs I see some logs which have the LEN
properties twice.

kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=504
TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026
LEN=484
kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=78
TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58

>From netfilter documentation LEN is described as:
Total length of IP packet in bytes

For what reason is there more than one LEN counter? And also important
to know, what is the difference (what does each each LEN mean, in
which case is more than one LEN counter is used)?

Thanks for help.


Posted by Eirik Seim on March 12, 2007, 10:28 am
If you were  Registered and logged in, you could reply and use other advanced thread options
On 12 Mar 2007 02:54:17 -0700, crowl@gmx.de wrote:
> Wondering browsing my iptable logs I see some logs which have the LEN
> properties twice.
>
> kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=504
> TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026
> LEN=484
> kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=78
> TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58
>
> >From netfilter documentation LEN is described as:
> Total length of IP packet in bytes
>
> For what reason is there more than one LEN counter? And also important
> to know, what is the difference (what does each each LEN mean, in
> which case is more than one LEN counter is used)?

It's iptables' somewhat awkward way of saying the IP header is
20 bytes. The first line represents an IP packet of 504 bytes
containing an UDP packet of 484 bytes. The second is an IP packet
of 78 bytes containing an UDP packet of 58 bytes.


Posted by on March 12, 2007, 11:21 am
If you were  Registered and logged in, you could reply and use other advanced thread options
On Mar 12, 3:28 pm, e...@mi.uib.no (Eirik Seim) wrote:
> It's iptables' somewhat awkward way of saying the IP header is
> 20 bytes. The first line represents an IP packet of 504 bytes
> containing an UDP packet of 484 bytes. The second is an IP packet
> of 78 bytes containing an UDP packet of 58 bytes.

Hello Eirik,

Thanks for the reply and the helpful answer. Did you have any
reference for me? I have search google for this topic but did not get
useful results.

Thanks in advance.


Posted by Moe Trin on March 12, 2007, 3:51 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
On 12 Mar 2007, in the Usenet newsgroup comp.security.firewalls, in article

>Wondering browsing my iptable logs I see some logs which have the LEN
>properties twice.
>
>kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=504
>TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026
>LEN=484

504 - 484 = 20 Hmmm, I'll bet this was windoze messenger spam. The
source IP address is _probably_ faked.

>kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=78
>TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58

78 - 58 = 20 Windoze name request "would you like to share viruses?"

>For what reason is there more than one LEN counter? And also important
>to know, what is the difference (what does each each LEN mean, in
>which case is more than one LEN counter is used)?

LENgth of IP packet = LENgth of UDP/TCP packet plus header length. See

0768 User Datagram Protocol. J. Postel. August 1980. (Format: TXT=5896
bytes) (Also STD0006) (Status: STANDARD)

0791 Internet Protocol. J. Postel. September 1981. (Format: TXT=97779
bytes) (Obsoletes RFC0760) (Updated by RFC1349) (Also STD0005)
(Status: STANDARD)

0792 Internet Control Message Protocol. J. Postel. September 1981.
(Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
(Also STD0005) (Status: STANDARD)

0793 Transmission Control Protocol. J. Postel. September 1981.
(Format: TXT=172710 bytes) (Updated by RFC3168) (Also STD0007)
(Status: STANDARD)

These RFCs can be found in many places - use your favorite search engine.
Briefly, see figure 4 of RFC0791. These packets consist of a 20 byte
IPv4 header (Version, Header length, Type of Service, Total LENgth, an
Identification [serial number] word, flags and fragment offset, Time To
Live, Protocol number, header checksum, source and destination IP address
which is a total of 20 bytes [there can be additional options in increments
of 4 from zero to 40 additional bytes for a maximum IP header of 60 bytes)
followed by a UDP/TCP/ICMP pack, which itself consists of 4 to 60 bytes of
protocol headers (ICMP = 4, UDP = 8, TCP = 20 to 60) followed by the actual
data.

Old guy

Similar ThreadsPosted
IPtable filter by mac address October 13, 2005, 5:20 am
Organizations lose Confidential&Intellectual property through unauthorized data transfer May 10, 2007, 4:44 pm
Free Zone Alarm log analysis August 8, 2005, 5:50 am
looking for IDS's based on network behavior analysis October 24, 2007, 8:44 am
Tool for log analysis of Symantec 5400 firewall appliance May 16, 2005, 2:53 pm
Excel protected workbook appears opaque to virus-scan? March 13, 2006, 12:51 pm
Excel protected workbook appears opaque to virus-scan? March 13, 2006, 1:17 pm
Home Security eBook - Home Security - How to Protect Your Family and Your Property - Home_Security.exe (0/2) November 5, 2004, 5:25 pm

The site map in XML format XML site map

Contact Us | Privacy Policy