
Analysis of Tomato's IPTables Log Output

Discussion in 'Tomato Firmware' started by mrap, Jul 21, 2009.

  1. mrap

    mrap Addicted to LI Member

    I've been trying for a while to get some easily understandable reports from the iptables output. Finally, using fwanalog and analog I was able to get a very nice report. Here's a text sample (it outputs HTML and Text):

    Code:
    Block statistics of your firewall, created by fwanalog 0.6.9
    ============================================================
    
    Analyzed blocked packets from Mon, Jul 20 2009 00:38 to Mon, Jul 20 2009
      20:53 (0.84 days).
    ----------------------------------------------------------------------------
    
    General Summary
    ---------------
    Blocked packets: 102
    Average blocked packets per day: 119
    Distinct blocked packets: 28
    Distinct hosts blocked: 51
    Unwanted logfile entries (because of a date range, EXCLUDE etc.): 1,779
    Size of all dropped packets together: 5.28 kilobytes
    Average size of dropped packets per day: 6.26 kilobytes
    ----------------------------------------------------------------------------
    
    Blocked Packet Report
    ---------------------
    Listing blocked packets, sorted by the number of blocked packets.
    
    #blocks: %blocks: kbytes:       last time: blocked packet
    -------: -------: ------: ---------------: --------------
        102:    100%:   5.28: Jul/20/09 20:53: firewall
         75:  73.53%:   3.31: Jul/20/09 20:16:   firewall/tcp
         12:  11.76%:   0.62: Jul/20/09 19:43:     firewall:ftp (21)/tcp
         11:  10.78%:   0.43: Jul/20/09 20:16:     firewall:2967/tcp
         11:  10.78%:   0.43: Jul/20/09 19:56:     firewall:ms-sql-s (1433)/tcp
          6:   5.88%:   0.23: Jul/20/09 16:07:     firewall:8000/tcp
          4:   3.92%:   0.16: Jul/20/09 16:07:     firewall:7212/tcp
          3:   2.94%:   0.19: Jul/20/09 19:44:     firewall:41394/tcp
          3:   2.94%:   0.14: Jul/20/09 04:44:     firewall:vnc (5900)/tcp
          3:   2.94%:   0.18: Jul/20/09 16:34:     firewall:49612/tcp
          3:   2.94%:   0.12: Jul/20/09 17:06:     firewall:socks (1080)/tcp
          2:   1.96%:   0.12: Jul/20/09 19:56:     firewall:telnet (23)/tcp
          2:   1.96%:   0.09: Jul/20/09 17:47:     firewall:3072/tcp
          2:   1.96%:   0.08: Jul/20/09 18:34:     firewall:8008/tcp
          2:   1.96%:   0.08: Jul/20/09 13:12:     firewall:oracle (1521)/tcp
          1:   0.98%:   0.04: Jul/20/09 19:55:     firewall:zeus-admin (9090)/tcp
          1:   0.98%:   0.04: Jul/20/09 15:27:     firewall:32326/tcp
          1:   0.98%:   0.04: Jul/20/09 11:42:     firewall:blackice-icecap (8081)/tcp
          1:   0.98%:   0.06: Jul/20/09 04:33:     firewall:ssh (22)/tcp
          1:   0.98%:   0.05: Jul/20/09 10:46:     firewall:snet-sensor-mgmt (10000)/tcp
          1:   0.98%:   0.04: Jul/20/09 11:42:     firewall:http-proxy (8080)/tcp
          1:   0.98%:   0.04: Jul/20/09 05:34:     firewall:squid-http (3128)/tcp
          1:   0.98%:   0.05: Jul/20/09 11:28:     firewall:20000/tcp
          1:   0.98%:   0.04: Jul/20/09 18:58:     firewall:8085/tcp
          1:   0.98%:   0.04: Jul/20/09 11:42:     firewall:http (80)/tcp
          1:   0.98%:   0.04: Jul/20/09 18:20:     firewall:ni-mail (61)/tcp
         21:  20.59%:   1.25: Jul/20/09 19:15:   firewall/icmp
         21:  20.59%:   1.25: Jul/20/09 19:15:     firewall/icmp/echo (8)
          6:   5.88%:   0.71: Jul/20/09 20:53:   firewall/udp
          3:   2.94%:   0.44: Jul/20/09 16:01:     firewall:1055/udp
          2:   1.96%:   0.22: Jul/20/09 20:53:     firewall:59239/udp
          1:   0.98%:   0.06: Jul/20/09 19:55:     firewall:16423/udp
    ----------------------------------------------------------------------------
    
    Log Prefix Report
    -----------------
    Listing log prefixes, sorted by the number of blocked packets.
    
     #: #blocks: %blocks: kbytes: %bytes:       last time: log prefix
    --: -------: -------: ------: ------: ---------------: ----------
     1:     102:    100%:   5.28:   100%: Jul/20/09 20:53: drop
    ----------------------------------------------------------------------------
    
    Packet Source Host Report
    -------------------------
    Listing hosts with at least 0.5% of the blocked packets, sorted by the
      number of blocked packets.
    
     #: #blocks: %blocks: bytes:       last time: host
    --: -------: -------: -----: ---------------: ----
     1:       8:   7.84%:   320: Jul/20/09 19:55: 61.160.216.63
     2:       4:   3.92%:   160: Jul/20/09 20:16: 218.6.15.146
     3:       4:   3.92%:   160: Jul/20/09 09:08: 221.195.73.68
     4:       3:   2.94%:   180: Jul/20/09 16:34: 64.213.163.98
     5:       3:   2.94%:   120: Jul/20/09 17:06: 121.15.245.215
     6:       3:   2.94%:   144: Jul/20/09 04:44: 213.9.166.172
     7:       3:   2.94%:   136: Jul/20/09 15:06: 211.215.22.181
     8:       3:   2.94%:   120: Jul/20/09 19:56: 218.29.54.177
     9:       3:   2.94%:   192: Jul/20/09 19:44: 59.172.17.99
    10:       3:   2.94%:   447: Jul/20/09 16:01: svk001.mlonet.de
    11:       3:   2.94%:   136: Jul/20/09 10:30: 211.194.140.9
    12:       3:   2.94%:   120: Jul/20/09 17:25: 125.89.77.146
    13:       2:   1.96%:    80: Jul/20/09 12:49: 61.160.216.160
    14:       2:   1.96%:   120: Jul/20/09 01:36: 204.51.253.140.servepath.com
    15:       2:   1.96%:   122: Jul/20/09 17:28: 24.69.3.152
    16:       2:   1.96%:    88: Jul/20/09 17:47: zagreb.hr.eu.undernet.org
    17:       2:   1.96%:   122: Jul/20/09 19:15: 81.90.232.162
    18:       2:   1.96%:   122: Jul/20/09 01:32: 123.109.112.136
    19:       2:   1.96%:   122: Jul/20/09 03:31: 219-70-77-66.hyabd.com.tw
    20:       2:   1.96%:   122: Jul/20/09 12:48: 209.33.37.61
    21:       2:   1.96%:   122: Jul/20/09 09:27: dsl88-247-13296.ttnet.net.tr
    22:       2:   1.96%:   122: Jul/20/09 10:34: 206.248.211.228
    23:       2:   1.96%:   122: Jul/20/09 10:27: 211.226.162.83
    24:       2:   1.96%:   122: Jul/20/09 03:36: 62.205.227.181
    25:       2:   1.96%:    80: Jul/20/09 09:36: 125.65.112.161
    26:       2:   1.96%:   120: Jul/20/09 01:00: 85.190.44.130
    27:       2:   1.96%:    80: Jul/20/09 15:03: 61.164.143.19
    28:       2:   1.96%:    96: Jul/20/09 11:28: 210.82.113.102
    29:       2:   1.96%:   120: Jul/20/09 19:56: 41.237.175.19
    30:       2:   1.96%:   120: Jul/20/09 19:43: 202.211.131.84
    31:       2:   1.96%:   122: Jul/20/09 09:51: 66.158.154.15
    32:       2:   1.96%:    80: Jul/20/09 18:34: 125.65.165.139
    33:       1:   0.98%:    40: Jul/20/09 18:20: 60.191.196.72
    34:       1:   0.98%:    40: Jul/20/09 02:24: 60.190.223.76
    35:       1:   0.98%:    40: Jul/20/09 07:28: 221.195.40.32
    36:       1:   0.98%:    53: Jul/20/09 20:53: 123.115.158.238
    37:       1:   0.98%:    40: Jul/20/09 10:30: 218.6.15.138
    38:       1:   0.98%:    40: Jul/20/09 08:16: 211.233.62.189
    39:       1:   0.98%:    64: Jul/20/09 06:25: 180.109.56.59.broad.fz.fj.dynamic.163data.com.cn
    40:       1:   0.98%:    60: Jul/20/09 04:33: 168.red-217-127-64.staticip.rima-tde.net
    41:       1:   0.98%:    40: Jul/20/09 00:38: 222.215.230.49
    42:       1:   0.98%:    40: Jul/20/09 15:27: 221.192.8.90
    43:       1:   0.98%:    40: Jul/20/09 13:12: 61.63.28.163
    44:       1:   0.98%:    40: Jul/20/09 09:13: 219.150.187.30
    45:       1:   0.98%:    40: Jul/20/09 07:52: 61.191.190.26
    46:       1:   0.98%:    40: Jul/20/09 18:58: 219.133.43.197
    47:       1:   0.98%:    40: Jul/20/09 11:10: 61.164.116.52
    48:       1:   0.98%:    40: Jul/20/09 15:49: 222.73.204.93
    49:       1:   0.98%:   172: Jul/20/09 14:58: 190.39.162.139
    50:       1:   0.98%:    40: Jul/20/09 09:27: 60.172.219.12
    51:       1:   0.98%:    59: Jul/20/09 19:55: 142.68.93.121
    ----------------------------------------------------------------------------
    
    Organization Report
    -------------------
    Listing organizations with at least 0.5% of the blocked packets, sorted by 
      the number of blocked packets.
    
     #: #blocks: %blocks: bytes:       last time: organization
    --: -------: -------: -----: ---------------: ------------
     1:      10:   9.80%:   400: Jul/20/09 19:55: 61.160
     2:       7:   6.86%:   280: Jul/20/09 18:34: 125
     3:       5:   4.90%:   200: Jul/20/09 09:08: 221.195
     4:       5:   4.90%:   200: Jul/20/09 20:16: 218.6
     5:       3:   2.94%:   447: Jul/20/09 16:01: mlonet.de
     6:       3:   2.94%:   192: Jul/20/09 19:44: 59
     7:       3:   2.94%:   180: Jul/20/09 16:34: 64.213
     8:       3:   2.94%:   120: Jul/20/09 17:06: 121
     9:       3:   2.94%:   175: Jul/20/09 20:53: 123
    10:       3:   2.94%:   136: Jul/20/09 15:06: 211.215
    11:       3:   2.94%:   144: Jul/20/09 04:44: 213.9
    12:       3:   2.94%:   136: Jul/20/09 10:30: 211.194
    13:       3:   2.94%:   120: Jul/20/09 18:20: 60
    14:       3:   2.94%:   120: Jul/20/09 15:03: 61.164
    15:       3:   2.94%:   120: Jul/20/09 19:56: 218.29
    16:       2:   1.96%:   122: Jul/20/09 19:15: 81.90
    17:       2:   1.96%:   122: Jul/20/09 17:28: 24.69
    18:       2:   1.96%:   122: Jul/20/09 09:51: 66.158
    19:       2:   1.96%:    88: Jul/20/09 17:47: undernet.org
    20:       2:   1.96%:   122: Jul/20/09 10:34: 206.248
    21:       2:   1.96%:   120: Jul/20/09 19:56: 41
    22:       2:   1.96%:    96: Jul/20/09 11:28: 210.82
    23:       2:   1.96%:   120: Jul/20/09 01:00: 85
    24:       2:   1.96%:   122: Jul/20/09 03:36: 62.205
    25:       2:   1.96%:   122: Jul/20/09 03:31: hyabd.com.tw
    26:       2:   1.96%:   122: Jul/20/09 12:48: 209.33
    27:       2:   1.96%:   120: Jul/20/09 19:43: 202.211
    28:       2:   1.96%:   122: Jul/20/09 09:27: ttnet.net.tr
    29:       2:   1.96%:   122: Jul/20/09 10:27: 211.226
    30:       2:   1.96%:   120: Jul/20/09 01:36: servepath.com
    31:       1:   0.98%:    64: Jul/20/09 06:25: 163data.com.cn
    32:       1:   0.98%:    40: Jul/20/09 15:49: 222.73
    33:       1:   0.98%:    40: Jul/20/09 07:52: 61.191
    34:       1:   0.98%:    59: Jul/20/09 19:55: 142.68
    35:       1:   0.98%:    40: Jul/20/09 08:16: 211.233
    36:       1:   0.98%:    40: Jul/20/09 13:12: 61.63
    37:       1:   0.98%:    40: Jul/20/09 09:13: 219.150
    38:       1:   0.98%:    40: Jul/20/09 18:58: 219.133
    39:       1:   0.98%:    60: Jul/20/09 04:33: rima-tde.net
    40:       1:   0.98%:   172: Jul/20/09 14:58: 190.39
    41:       1:   0.98%:    40: Jul/20/09 00:38: 222.215
    42:       1:   0.98%:    40: Jul/20/09 15:27: 221.192
    ----------------------------------------------------------------------------
    
    Hourly Summary
    --------------
    Each unit (+) represents 1 blocked packet.
    
    hour: #blocks: %blocks: bytes: 
    ----: -------: -------: -----: 
       0:       4:   3.92%:   180: ++++
       1:       7:   6.86%:   491: +++++++
       2:       3:   2.94%:   120: +++
       3:       5:   4.90%:   284: +++++
       4:       5:   4.90%:   244: +++++
       5:       3:   2.94%:   229: +++
       6:       2:   1.96%:   108: ++
       7:       2:   1.96%:    80: ++
       8:       1:   0.98%:    40: +
       9:      10:   9.80%:   484: ++++++++++
      10:      10:   9.80%:   508: ++++++++++
      11:       7:   6.86%:   288: +++++++
      12:       4:   3.92%:   202: ++++
      13:       1:   0.98%:    40: +
      14:       2:   1.96%:   212: ++
      15:       8:   7.84%:   336: ++++++++
      16:       6:   5.88%:   409: ++++++
      17:       5:   4.90%:   246: +++++
      18:       3:   2.94%:   120: +++
      19:      12:  11.76%:   693: ++++++++++++
      20:       2:   1.96%:    93: ++
      21:       0:        :     0: 
      22:       0:        :     0: 
      23:       0:        :     0: 
    ----------------------------------------------------------------------------
    
    Packet Size Report
    ------------------
    
           size: #blocks: %blocks: kbytes: %bytes:       last time: 
    -----------: -------: -------: ------: ------: ---------------: 
              0:       0:        :   0.00:       :                : 
       1B-  10B:       0:        :   0.00:       :                : 
      11B- 100B:      98:  96.08%:   4.68: 88.55%: Jul/20/09 20:53: 
     101B-  1kB:       4:   3.92%:   0.60: 11.45%: Jul/20/09 16:01: 
    ----------------------------------------------------------------------------
    
    Interface Report
    ----------------
    Listing interfaces with at least 5 blocked packets, sorted by the number of
      blocked packets.
    
    #blocks: %bytes: interface
    -------: ------: ---------
        102:   100%: ppp0
    ----------------------------------------------------------------------------
    
    This analysis was produced by analog 6.0.
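As an added example (not code from this thread, nor from fwanalog or analog), a small Python parser that reads iptables LOG lines of the kind Tomato writes to syslog and rebuilds the first two tables of the report above: blocked packets per destination port/protocol with total kilobytes and last-seen time, and blocked packets per source host, with non-matching lines counted as "unwanted" entries. The sample lines, the `DROP`/`ACCEPT` log prefixes and the host name `tomato` are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the kernel's iptables LOG layout (syslog timestamp, host, "kernel:",
# log prefix, then KEY=VALUE fields); prefixes and host name are assumed, not from a real log.
SAMPLE_LOG = """\
Jul 20 19:43:01 tomato kernel: DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=256 PROTO=TCP SPT=6000 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 20 19:56:10 tomato kernel: DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=108 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 20 19:15:22 tomato kernel: DROP IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.9 LEN=61 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jul 20 19:44:03 tomato kernel: DROP IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.9 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=256 PROTO=TCP SPT=6000 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 20 20:53:40 tomato kernel: DROP IN=ppp0 OUT= SRC=198.51.100.42 DST=203.0.113.9 LEN=53 TOS=0x00 PREC=0x00 TTL=112 ID=0 PROTO=UDP SPT=1024 DPT=59239 LEN=33
Jul 20 19:43:05 tomato kernel: ACCEPT IN=br0 OUT=ppp0 SRC=192.168.1.5 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_line(line):
    """Return (syslog timestamp, lower-cased log prefix, fields) or None for non-LOG lines."""
    head, sep, tail = line.partition(" IN=")
    if not sep or "kernel:" not in head:
        return None
    fields = {}
    for key, val in FIELD_RE.findall("IN=" + tail):
        fields.setdefault(key, val)  # first wins: IP-header LEN/ID, not the inner UDP LEN / ICMP ID
    return head[:15], head.split("kernel:", 1)[1].strip().lower(), fields

def packet_key(f):
    """Bucket a packet the way the report does: protocol plus destination port, or ICMP type."""
    proto = f.get("PROTO", "?").lower()
    if proto == "icmp":
        return f"firewall/icmp/type {f.get('TYPE', '?')}"
    return f"firewall:{f.get('DPT', '?')}/{proto}"

def summarize(log_text, drop_prefix="drop"):
    """Count blocked packets per port/protocol and per source host; other lines are 'unwanted'."""
    per_packet, per_host, kbytes, last = Counter(), Counter(), defaultdict(float), {}
    unwanted = 0
    for line in filter(str.strip, log_text.splitlines()):
        parsed = parse_line(line)
        if parsed is None or parsed[1] != drop_prefix:
            unwanted += 1
            continue
        ts, _, f = parsed
        key = packet_key(f)
        per_packet[key] += 1
        per_host[f.get("SRC", "?")] += 1
        kbytes[key] += int(f.get("LEN", 0)) / 1024
        last[key] = ts
    return {"blocked": sum(per_packet.values()), "unwanted": unwanted,
            "packets": per_packet, "hosts": per_host, "kbytes": dict(kbytes), "last": last}
```

Iterating `summarize(SAMPLE_LOG)["packets"].most_common()` yields the rows of the "Blocked Packet Report" (count, kbytes, last time, port/protocol), and `["hosts"].most_common()` the "Packet Source Host Report".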
    
     
