Tomato log identifiers

Discussion in 'Tomato Firmware' started by jay das, Apr 29, 2014.

  1. jay das

    jay das Network Newbie Member

    I'm trying to understand Tomato's logs.
    Once I retrieved the stream, I basically see two kinds of logs:

    <12>Apr 29 07:55:46 kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.147 DST=173.194.39.15 LEN=62 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=14055 DPT=40028 LEN=42

    <12>Apr 29 07:55:52 kernel: DROP IN=vlan1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:aa:bb:80:41:08:00:45:00:00:0a SRC=142.254.164.189 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=18587 PROTO=UDP SPT=67 DPT=68 LEN=308


    Some of the identifiers are obvious, others though... let's say not so obvious.

    Someone please point me to documentation where I can find the meaning of these identifiers.

    These I already understood :)
    Date
    SRC= source IP
    DST= destination IP
    PROTO= access protocol
    SPT= source port
    DPT= destination port



    I need to know what the following terms mean :eek: and also what some of the values mean... for example ACCEPT IN vs. DROP IN etc.

    MAC= MAC address (of client??)
    ACCEPT IN= ?
    OUT=?
    TOS=?
    PREC=
    TTL=
    ID=
    LEN=


    Thanks
     
    Last edited: Apr 29, 2014
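
An added example, not part of the original thread: a minimal Python parser for the two kernel firewall log lines quoted in the post above, with comments giving the standard netfilter LOG meaning of each field. The names `parse_line`, `UDP_LEN` and `path` are chosen for this illustration, and only the UDP line shape shown above is handled.

```python
import re

# Sample input: the two log lines quoted in the post above.
SAMPLE_ACCEPT = ("<12>Apr 29 07:55:46 kernel: ACCEPT IN=br0 OUT=vlan1 "
                 "SRC=192.168.1.147 DST=173.194.39.15 LEN=62 TOS=0x00 PREC=0x00 "
                 "TTL=63 ID=0 DF PROTO=UDP SPT=14055 DPT=40028 LEN=42")
SAMPLE_DROP = ("<12>Apr 29 07:55:52 kernel: DROP IN=vlan1 OUT= "
               "MAC=ff:ff:ff:ff:ff:ff:00:00:aa:bb:80:41:08:00:45:00:00:0a "
               "SRC=142.254.164.189 DST=255.255.255.255 LEN=328 TOS=0x00 "
               "PREC=0x00 TTL=64 ID=18587 PROTO=UDP SPT=67 DPT=68 LEN=308")

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LINE_RE = re.compile(r"^<(\d+)>(\w{3}\s+\d+ [\d:]+) kernel: (\S+) (.*)$")

def parse_line(line):
    """Parse one syslog-forwarded netfilter LOG line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri, stamp, prefix, rest = m.groups()
    rec = {"facility": int(pri) // 8,            # syslog PRI = facility*8 + severity
           "severity": SEVERITIES[int(pri) % 8],
           "time": stamp,
           "action": prefix,                     # log prefix set by the firewall rule
           "flags": []}
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if not sep:
            rec["flags"].append(key)             # bare IP flags, e.g. DF = don't fragment
        elif key == "LEN" and "LEN" in rec:
            rec["UDP_LEN"] = int(val)            # 2nd LEN: UDP header + payload
        elif key == "MAC":
            o = val.split(":")                   # Ethernet header: dst(6) src(6) type(2)
            rec["MAC_DST"], rec["MAC_SRC"] = ":".join(o[:6]), ":".join(o[6:12])
            rec["ETHERTYPE"] = "".join(o[12:14])  # 0800 = IPv4
        elif key in ("LEN", "TTL", "ID", "SPT", "DPT"):
            # LEN = IP total length, TTL = time to live, ID = IP identification
            rec[key] = int(val)
        elif key in ("TOS", "PREC"):
            rec[key] = int(val, 16)              # type-of-service byte / precedence bits
        else:
            rec[key] = val                       # IN/OUT interface, SRC, DST, PROTO
    # Inferred: IN and OUT both set = forwarded; empty OUT= = delivered locally.
    rec["path"] = ("forwarded" if rec.get("IN") and rec.get("OUT")
                   else "local-in" if rec.get("IN") else "local-out")
    return rec

if __name__ == "__main__":
    print(parse_line(SAMPLE_ACCEPT), parse_line(SAMPLE_DROP), sep="\n")
```
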
  2. jerrm

    jerrm Network Guru Member

  3. jay das

    jay das Network Newbie Member

    Great! Thanks a lot!!

    While we are on it, is there any way to make Tomato look a little deeper into the TCP header and log that as well?
    I'd like to see the destination URL in a little more detail than just the IP address and port.
    I mean, what am I dealing with here: do I have to go as low as modifying the Tomato source, or is there an upper-level approach for that?
    I understand that searching deeper into the header may slow down the router, but that's OK.

    Thanks again.
     
  4. jerrm

    jerrm Network Guru Member

    Nothing in Tomato logs URLs in a useful way. I played with the idea of adding true URL logging to the webmon module (used in the "Web Usage" page) or the web module (used for URL filters in Access Restriction), but decided it wasn't worth the time.

    There are two ways I log URLs - both require Entware. Set up a transparent proxy, or use the dsniff module urlsnarf. Urlsnarf is the simpler of the two, but a proxy provides more options.
     