capture question pix 6.3

Discussion in 'Cisco' started by mak, Mar 19, 2007.

  1. mak

    mak Guest

    hi,
    trying to debug syslog,
    admin tells me, he doesn't receive any packets,
    obviously pix (172.27.0.156.514) is sending syslog messages on udp port 514, which is the port the syslog server is listening on.
    i see this in my capture file:

    11:40:00.312972 172.27.0.156.514 > 172.27.0.103.514: udp 118
    11:40:00.313170 172.27.0.156.514 > 172.27.0.103.514: udp 118
    11:40:00.414651 172.27.0.156.514 > 172.27.0.103.514: udp 119
    11:40:00.414834 172.27.0.156.514 > 172.27.0.103.514: udp 119
    11:40:01.294647 172.27.0.156.514 > 172.27.0.103.514: udp 183
    11:40:01.304549 172.27.0.156.514 > 172.27.0.103.514: udp 183

    BUT: what are these numbers at the end?

    and since this is udp i am not supposed to see return packets, right?

    tia
    M
     
    mak, Mar 19, 2007
    #1

  2. On 2007-03-19 11:56, mak wrote:
    > hi,
    > trying to debug syslog,
    > admin tells me, he doesn't receive any packets,
    > obviously pix (172.27.0.156.514) is sending syslog messages on udp port
    > 514, which is the port the syslog server is listening on.
    > i see this in my capture file:
    >
    >
    > 11:40:00.312972 172.27.0.156.514 > 172.27.0.103.514: udp 118
    >
    > 11:40:00.313170 172.27.0.156.514 > 172.27.0.103.514: udp 118
    > 11:40:00.414651 172.27.0.156.514 > 172.27.0.103.514: udp 119
    > 11:40:00.414834 172.27.0.156.514 > 172.27.0.103.514: udp 119
    >
    > 11:40:01.294647 172.27.0.156.514 > 172.27.0.103.514: udp 183
    > 11:40:01.304549 172.27.0.156.514 > 172.27.0.103.514: udp 183
    >
    > BUT: what are these numbers at the end?
    >


    Packet lengths?


    --
    Michał Iwaszko
     
    Michał Iwaszko, Mar 19, 2007
    #2

  3. In article <>,
    mak <> wrote:

    >trying to debug syslog,
    >admin tells me, he doesn't receive any packets,
    >obviously pix (172.27.0.156.514) is sending syslog messages on udp port
    >514, which is the port the syslog server is
    >listening on.
    >i see this in my capture file:


    Some syslog servers require that the admin specifically allow
    the source -- that is, if they receive a syslog packet from
    a system they haven't been configured to pay attention to, they
    will ignore the packet. (Such packets would still be seen by
    a "sniffer" running on the destination system though.)
     
    Walter Roberson, Mar 19, 2007
    #3
  4. mak

    mak Guest

    Walter Roberson wrote:
    > In article <>,
    > mak <> wrote:
    >
    >> trying to debug syslog,
    >> admin tells me, he doesn't receive any packets,
    >> obviously pix (172.27.0.156.514) is sending syslog messages on udp port
    >> 514, which is the port the syslog server is
    >> listening on.
    >> i see this in my capture file:

    >
    > Some syslog servers require that the admin specifically allow
    > the source -- that is, if they receive a syslog packet from
    > a system they haven't been configured to pay attention to, they
    > will ignore the packet. (Such packets would still be seen by
    > a "sniffer" running on the destination system though.)

    makes sense, otherwise you could "spam" a syslogserver,

    still,
    what are these numbers? is it the packet length?

    thanks,
    M
     
    mak, Mar 19, 2007
    #4
  5. In article <>,
    mak <> wrote:
    >Walter Roberson wrote:
    >> In article <>,
    >> mak <> wrote:


    >>> i see this in my capture file:


    >still,
    >what are these numbers? is it the packet length?


    Yes.
     
    Walter Roberson, Mar 20, 2007
    #5
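
An added example, not part of any post in this thread: a Python parser for the capture lines quoted in the first post. It records the trailing number (confirmed above as the packet length) per flow and checks whether any traffic appears in the reverse direction. The function names are hypothetical; the sample lines are copied from the thread.

```python
import re
from collections import defaultdict

# Capture lines copied from the first post of this thread.
SAMPLE = """\
11:40:00.312972 172.27.0.156.514 > 172.27.0.103.514: udp 118
11:40:00.313170 172.27.0.156.514 > 172.27.0.103.514: udp 118
11:40:00.414651 172.27.0.156.514 > 172.27.0.103.514: udp 119
11:40:00.414834 172.27.0.156.514 > 172.27.0.103.514: udp 119
11:40:01.294647 172.27.0.156.514 > 172.27.0.103.514: udp 183
11:40:01.304549 172.27.0.156.514 > 172.27.0.103.514: udp 183
"""

# Layout: "time src_ip.src_port > dst_ip.dst_port: proto length"
# The port is the field after the last dot of each address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+"
    r"(?P<proto>\w+)\s+(?P<length>\d+)$"
)

def parse_line(line):
    """Return the fields of one capture line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec

def summarize(text):
    """Group packets by flow; mark flows with no traffic in the reverse direction."""
    flows = defaultdict(lambda: {"packets": 0, "total_length": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unrecognised lines
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"], rec["proto"])
        flows[key]["packets"] += 1
        flows[key]["total_length"] += rec["length"]
    out = {}
    for (src, sport, dst, dport, proto), stats in flows.items():
        reverse = (dst, dport, src, sport, proto)
        out[(src, sport, dst, dport, proto)] = dict(stats, one_way=reverse not in flows)
    return out

if __name__ == "__main__":
    for flow, stats in summarize(SAMPLE).items():
        print(flow, stats)
```
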
  6. mak

    mak Guest

    Walter Roberson wrote:
    > In article <>,
    > mak <> wrote:
    >
    >> trying to debug syslog,
    >> admin tells me, he doesn't receive any packets,
    >> obviously pix (172.27.0.156.514) is sending syslog messages on udp port
    >> 514, which is the port the syslog server is
    >> listening on.
    >> i see this in my capture file:

    >
    > Some syslog servers require that the admin specifically allow
    > the source -- that is, if they receive a syslog packet from
    > a system they haven't been configured to pay attention to, they
    > will ignore the packet. (Such packets would still be seen by
    > a "sniffer" running on the destination system though.)


    ok,
    pix logged in a directory that the admin didn't check...so again,
    it was NOT the firewall's fault :)

    thanks walter,
    M
     
    mak, Mar 20, 2007
    #6