iptable log analysis - LEN property appears twice

iptable log analysis - LEN property appears twice

am 12.03.2007 10:54:17 von crowl

Wondering browsing my iptable logs I see some logs which have the LEN
properties twice.

kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=504
TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026
LEN=484
kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=78
TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58

>From netfilter documentation LEN is described as:
Total length of IP packet in bytes

For what reason is there more than one LEN counter? And also important
to know, what is the difference (what does each each LEN mean, in
which case is more than one LEN counter is used)?

Thanks for help.

Re: iptable log analysis - LEN property appears twice

am 12.03.2007 15:28:48 von Eirik

On 12 Mar 2007 02:54:17 -0700, crowl@gmx.de wrote:
> Wondering browsing my iptable logs I see some logs which have the LEN
> properties twice.
>
> kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=504
> TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026
> LEN=484
> kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=78
> TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58
>
> >From netfilter documentation LEN is described as:
> Total length of IP packet in bytes
>
> For what reason is there more than one LEN counter? And also important
> to know, what is the difference (what does each each LEN mean, in
> which case is more than one LEN counter is used)?

It's iptables' somewhat awkward way of saying the IP header is
20 bytes. The first line represents an IP packet of 504 bytes
containing an UDP packet of 484 bytes. The second is an IP packet
of 78 bytes containing an UDP packet of 58 bytes.

Re: iptable log analysis - LEN property appears twice

am 12.03.2007 16:21:23 von crowl

On Mar 12, 3:28 pm, e...@mi.uib.no (Eirik Seim) wrote:
> It's iptables' somewhat awkward way of saying the IP header is
> 20 bytes. The first line represents an IP packet of 504 bytes
> containing an UDP packet of 484 bytes. The second is an IP packet
> of 78 bytes containing an UDP packet of 58 bytes.

Hello Eirik,

Thanks for the reply and the helpful answer. Did you have any
reference for me? I have search google for this topic but did not get
useful results.

Thanks in advance.

Re: iptable log analysis - LEN property appears twice

am 12.03.2007 20:51:33 von ibuprofin

On 12 Mar 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1173693257.730859.143610@j27g2000cwj.googlegroups.com>, crowl@gmx.de wrote:

>Wondering browsing my iptable logs I see some logs which have the LEN
>properties twice.
>
>kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=504
>TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026
>LEN=484

504 - 484 = 20 Hmmm, I'll bet this was windoze messenger spam. The
source IP address is _probably_ faked.

>kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=78
>TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58

78 - 58 = 20 Windoze name request "would you like to share viruses?"

>For what reason is there more than one LEN counter? And also important
>to know, what is the difference (what does each each LEN mean, in
>which case is more than one LEN counter is used)?

LENgth of IP packet = LENgth of UDP/TCP packet plus header length. See

0768 User Datagram Protocol. J. Postel. August 1980. (Format: TXT=5896
bytes) (Also STD0006) (Status: STANDARD)

0791 Internet Protocol. J. Postel. September 1981. (Format: TXT=97779
bytes) (Obsoletes RFC0760) (Updated by RFC1349) (Also STD0005)
(Status: STANDARD)

0792 Internet Control Message Protocol. J. Postel. September 1981.
(Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
(Also STD0005) (Status: STANDARD)

0793 Transmission Control Protocol. J. Postel. September 1981.
(Format: TXT=172710 bytes) (Updated by RFC3168) (Also STD0007)
(Status: STANDARD)

These RFCs can be found in many places - use your favorite search engine.
Briefly, see figure 4 of RFC0791. These packets consist of a 20 byte
IPv4 header (Version, Header length, Type of Service, Total LENgth, an
Identification [serial number] word, flags and fragment offset, Time To
Live, Protocol number, header checksum, source and destination IP address
which is a total of 20 bytes [there can be additional options in increments
of 4 from zero to 40 additional bytes for a maximum IP header of 60 bytes)
followed by a UDP/TCP/ICMP pack, which itself consists of 4 to 60 bytes of
protocol headers (ICMP = 4, UDP = 8, TCP = 20 to 60) followed by the actual
data.

Old guy