MAC Addresses in Logfile Entries

MAC Addresses in Logfile Entries

[Tim Evans]

Some of our log entries contain MAC addresses, like this:

Apr 20 10:15:35 foo kernel: IPT IN_FIREWALL: IN=eth1 OUT= 
MAC=00:30:48:11:94:e5:00:d0:ba:45:ec:25:08:00 SRC=XXX.XX.XX.XX 
DST=XXX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP 
SPT=1572 DPT=1080 WINDOW=32430 RES=0x00 SYN URGP=0

While others don't:

Apr 14 07:55:35 foo kernel: IPT FORWARD: IN=eth0 OUT=eth1 
SRC=XXX.XX.XX.XX DST=XXX.XX.XX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=225 
DF PROTO=TCP SPT=1047 DPT=37 WINDOW=64512 RES=0x00 SYN URGP=0

I see the "OUT" field in the latter contains "eth1" instead of a MAC
address.

Can someone elaborate on the difference here? Thanks.
--
Tim Evans		|    5 Chestnut Court
tkevans@tkevans.com	|    Owings Mills, MD 21117
http://www.tkevans.com/	|    443-394-3864;410-748-0160 (pager)

Re: MAC Addresses in Logfile Entries

[Eric Poulin]

> Some of our log entries contain MAC addresses, like this:
> Apr 20 10:15:35 foo kernel: IPT IN_FIREWALL: IN=eth1 OUT=
> MAC=00:30:48:11:94:e5:00:d0:ba:45:ec:25:08:00 SRC=XXX.XX.XX.XX
> DST=XXX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP
> SPT=1572 DPT=1080 WINDOW=32430 RES=0x00 SYN URGP=0
> While others don't:
> Apr 14 07:55:35 foo kernel: IPT FORWARD: IN=eth0 OUT=eth1
> SRC=XXX.XX.XX.XX DST=XXX.XX.XX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=225
> DF PROTO=TCP SPT=1047 DPT=37 WINDOW=64512 RES=0x00 SYN URGP=0
>
> I see the "OUT" field in the latter contains "eth1" instead of a MAC
> address.
>
> Can someone elaborate on the difference here? Thanks.

I'm experiencing this bahavior for a while already, and from what I can see,
I will only see the MAC address in the log ONLY if the packet was destinated
for the local machine(Or was generated BY the machine), but I will never see
MACs if the packet logged was for another machine than the firewall.

If somebody can confirm...

Eric Poulin

Re: MAC Addresses in Logfile Entries

[Bjorn Ruberg]

On Wed, 2003-04-23 at 04:13, Eric Poulin wrote:
> > Some of our log entries contain MAC addresses, like this:
> > Apr 20 10:15:35 foo kernel: IPT IN_FIREWALL: IN=eth1 OUT=
> > MAC=00:30:48:11:94:e5:00:d0:ba:45:ec:25:08:00 SRC=XXX.XX.XX.XX
> > DST=XXX.XX.XX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP
> > SPT=1572 DPT=1080 WINDOW=32430 RES=0x00 SYN URGP=0
> > While others don't:
> > Apr 14 07:55:35 foo kernel: IPT FORWARD: IN=eth0 OUT=eth1
> > SRC=XXX.XX.XX.XX DST=XXX.XX.XX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=225
> > DF PROTO=TCP SPT=1047 DPT=37 WINDOW=64512 RES=0x00 SYN URGP=0
> >
> > I see the "OUT" field in the latter contains "eth1" instead of a MAC
> > address.
> >
> > Can someone elaborate on the difference here? Thanks.
> 
> I'm experiencing this bahavior for a while already, and from what I can see,
> I will only see the MAC address in the log ONLY if the packet was destinated
> for the local machine(Or was generated BY the machine), but I will never see
> MACs if the packet logged was for another machine than the firewall.
> 
> If somebody can confirm...

Tim,

If you take a look at your own rules you will see that the rule with the
MAC address is one of your INPUT rules ("IPT IN_FIREWALL") while the
other one is a FORWARD rule ("IPT FORWARD").

Use that as a hint for further examination of your iptables rules and
the logs they produce.

Read the information on this web site as well:
http://logi.cc/linux/netfilter-log-format.php3


Bjorn