Hey Everyone,
I'm trying to set up fwanalog 6.9 on FreeBSD 6.1 running PF.
I thought that since OpenBSD and FreeBSD both use tcpdump to read the
pflog files, I might be able to use it without any modifications,
but I was mistaken :)
[root@firestarter /]# fwanalog
tcpdump: bad dump file format
tcpdump: bad dump file format
tcpdump: bad dump file format
tcpdump: bad dump file format
reading from file -, link-type PFLOG (OpenBSD pflog file)
tcpdump: bad dump file format
tcpdump: bad dump file format
Analog found 368 corrupt lines. Please consider sending
/root/fwanalog.out/analog.err to
so the author is able to fix the problem.
Here is a bit of the analog.err file:
/]# less /root/fwanalog.out/analog.err
analog: analog version 6.0/Unix
C: 840038 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 717
C: *
C: 1. 683051 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 2. 713604 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 2. 166504 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 2. 620014 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 000007 rule 1/0(match): block out on rl0: 192.168.y.y.7130 >
192.168.x.x.28961: UDP, length 21
C: *
C: 000006 rule 1/0(match): block out on rl0: 192.168.y.y.7130 >
192.168.x.x.28970: UDP, length 21
C: *
C: 000005 rule 1/0(match): block out on rl0: 192.168.y.y.7130 >
192.168.x.x.28971: UDP, length 21
C: *
C: 000072 rule 1/0(match): block out on rl0: 192.168.y.y.7130 >
192.168.x.x.28961: UDP, length 5
C: *
C: 000220 rule 1/0(match): block out on rl0: 192.168.y.y.7130 >
192.168.x.x.28961: UDP, length 5
C: *
C: 170323 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 719
C: *
C: 3. 837820 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 000978 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20700: UDP, length 95
C: *
C: 1. 812360 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20700: UDP, length 95
C: *
C: 091026 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20700: UDP, length 95
C: *
C: 2. 004020 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20700: UDP, length 95
C: *
C: 2. 072190 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 037231 rule 0/0(match): block in on rl0: 192.168.x.x.54581 >
72.14.205.27.25: tcp 0
C: *
C: 035805 rule 0/0(match): block in on rl0: 192.168.x.x.56408 >
64.233.167.27.25: tcp 0
C: *
C: 000135 rule 0/0(match): block in on rl0: 192.168.x.x.65268 >
64.233.167.114.25: tcp 0
C: *
C: 034422 rule 0/0(match): block in on rl0: 192.168.x.x.51157 >
66.249.83.27.25: tcp 0
C: *
C: 000128 rule 0/0(match): block in on rl0: 192.168.x.x.53756 >
66.249.83.114.25: tcp 0
C: *
C: 033363 rule 0/0(match): block in on rl0: 192.168.x.x.63945 >
64.233.183.27.25: tcp 0
C: *
C: 033049 rule 0/0(match): block in on rl0: 192.168.x.x.59844 >
64.233.163.27.25: tcp 0
C: *
C: 3. 212966 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 3. 195765 rule 0/0(match): block in on tun0: 165.145.192.x.1130 >
165.145.242.86.139: tcp 0
C: *
C: 514890 rule 0/0(match): block in on tun0: 165.145.192.x.1130 >
165.145.242.86.139: tcp 0
C: *
C: 548445 rule 0/0(match): block in on tun0: 165.145.192.x.1130 >
165.145.242.86.139: tcp 0
C: *
C: 111784 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 2. 110890 rule 0/0(match): block in on tun0: 165.145.192.x.3454 >
165.145.242.86.445: tcp 0
C: *
C: 640534 rule 0/0(match): block in on tun0: 165.145.192.x.3454 >
165.145.242.86.445: tcp 0
C: *
C: 409399 rule 0/0(match): block in on tun0: 165.145.192.x.3454 >
165.145.242.86.445: tcp 0
C: *
C: 006543 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 719
C: *
C: 2. 773857 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 2. 155568 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 000056 rule 1/0(match): block out on rl0: 192.168.0.2.7130 >
192.168.x.x.28961: UDP, length 21
C: *
C: 000005 rule 1/0(match): block out on rl0: 192.168.0.2.7130 >
192.168.x.x.28970: UDP, length 21
C: *
C: 000006 rule 1/0(match): block out on rl0: 192.168.0.2.7130 >
192.168.x.x.28971: UDP, length 21
C: *
C: 000040 rule 1/0(match): block out on rl0: 192.168.0.2.7130 >
192.168.x.x.28961: UDP, length 5
C: *
C: 000105 rule 1/0(match): block out on rl0: 192.168.0.2.7130 >
192.168.x.x.28961: UDP, length 5
C: *
C: 2. 014795 rule 0/0(match): block in on tun0: 87.105.169.93.46954 >
165.145.242.86.47476: UDP, length 19
C: *
C: 086234 rule 0/0(match): block in on tun0: 87.105.169.93.4069 >
165.145.242.86.47476: tcp 0
C: *
C: 907381 rule 0/0(match): block in on tun0: 87.105.169.93.4069 >
165.145.242.86.47476: tcp 0
C: *
C: 3. 046921 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 126141 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 720
C: *
C: 850160 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
C: 126141 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 720
C: *
C: 850160 rule 0/0(match): block in on rl0: 192.168.x.x.28960 >
63.146.124.40.20710: UDP, length 20
C: *
analog: Warning L: Large number of corrupt lines in logfile
/root/fwanalog.out/fwanalog.all.log: turn debugging on or try different
LOGFORMAT
(For help on all errors and warnings, see docs/errors.html)
Current logfile format:
%S %j %u [%d/%M/%Y:%h:%n:%j] "%j%w%r%wHTTP%j" %c %b "%j" "%j" %t %v\n
It looks like the log file format is not correct, but I have no idea
how to correct it.
Can someone shed some light on my quandary?
Thanks
RickJ
Received on Mon Sep 11 21:17:43 2006
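As an added illustration (not part of the original post, and not fwanalog's or analog's own code), the block below parses the tcpdump text lines that appear in the analog.err excerpt above into structured records and tallies the blocked traffic per interface and destination port. This is the kind of normalisation fwanalog has to do before handing data to analog, and running something like it over a sample of the log is a quick way to see whether the lines are even in the expected shape. The sample lines are constructed (placeholder addresses stand in for the masked x.x / y.y values in the post), the regular expression assumes the `-n -e -ttt` tcpdump output shape shown in the post, and the leading numeric field is assumed to be a relative timestamp, including the "2. 110890" variants with a stray space.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample lines in the shape tcpdump prints for a pflog capture
# (assumed: tcpdump -n -e -ttt), mirroring the lines quoted in the post.
# The last line is the tcpdump error that was mixed into the same stream.
SAMPLE_LINES: List[str] = [
    "840038 rule 0/0(match): block in on rl0: 192.168.1.10.28960 > 63.146.124.40.20710: UDP, length 717",
    "000007 rule 1/0(match): block out on rl0: 192.168.0.2.7130 > 192.168.1.10.28961: UDP, length 21",
    "037231 rule 0/0(match): block in on rl0: 192.168.1.10.54581 > 72.14.205.27.25: tcp 0",
    "2. 110890 rule 0/0(match): block in on tun0: 165.145.192.5.3454 > 165.145.242.86.445: tcp 0",
    "tcpdump: bad dump file format",
]

# Core pflog line: <timestamp> rule <n>/<sub>(<reason>): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <rest>
PFLOG_RE = re.compile(
    r"""^(?P<ts>[\d.\s]+?)\s*                          # relative timestamp (may contain a stray space)
        rule\s+(?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\):\s+
        (?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\w+):\s+
        (?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+
        (?P<rest>.*)$""",
    re.VERBOSE,
)

# Trailing protocol part: "UDP, length 717" or "tcp 0"
PROTO_RE = re.compile(r"^(?P<proto>[A-Za-z]+)(?:,\s*length\s+(?P<len>\d+)|\s+(?P<tcplen>\d+))?")


@dataclass
class PfEvent:
    rule: int
    action: str
    direction: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: Optional[int]


def parse_pflog_line(line: str) -> Optional[PfEvent]:
    """Return a PfEvent for a well-formed tcpdump pflog text line, or None for anything else
    (tcpdump error messages, truncated lines, continuation fragments)."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    pm = PROTO_RE.match(m.group("rest"))
    proto = pm.group("proto").lower() if pm else "unknown"
    length: Optional[int] = None
    if pm:
        raw = pm.group("len") or pm.group("tcplen")
        if raw is not None:
            length = int(raw)
    return PfEvent(
        rule=int(m.group("rule")),
        action=m.group("action"),
        direction=m.group("dir"),
        ifname=m.group("ifname"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        proto=proto,
        length=length,
    )


def summarize(lines: Iterable[str]) -> Tuple[Dict[Tuple[str, str, str, int], int], int]:
    """Count blocked events per (direction, interface, protocol, destination port).
    Lines that do not parse are counted separately instead of aborting the run,
    which is the behaviour one wants when a log is partly corrupt."""
    counts: Dict[Tuple[str, str, str, int], int] = {}
    unparsed = 0
    for line in lines:
        ev = parse_pflog_line(line)
        if ev is None:
            unparsed += 1
            continue
        if ev.action != "block":
            continue
        key = (ev.direction, ev.ifname, ev.proto, ev.dport)
        counts[key] = counts.get(key, 0) + 1
    return counts, unparsed


if __name__ == "__main__":
    totals, bad = summarize(SAMPLE_LINES)
    for (direction, ifname, proto, dport), n in sorted(totals.items()):
        print(f"block {direction:3} on {ifname:4} {proto:3} dport {dport:5}: {n}")
    print(f"unparsed lines: {bad}")
```

Feeding real output to `summarize()` (for example `tcpdump -n -e -ttt -r /var/log/pflog`) gives an immediate ratio of parsed to unparsed lines; a large unparsed count with only the "bad dump file format" message explains why analog later reports hundreds of corrupt lines.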