Chapter 9. Logging

the field is empty, any port will match. See appendix G, Lists of ports, ICMP and protocols, for more information on port numbers.

If you want to study all traffic except that to or from a specific port or group of ports, enter the port number(s) here and mark the "not this port" box.

The selection can be modified by the control boxes under the fields A and B:

A src

Packets from the port number in field A match. Field B is ignored.

A dst

Packets to the port number in field A match. Field B is ignored.

A any

Packets to or from the port number in field A match. Field B is ignored.

A to B

Packets from A to B match.

B to A

Packets from B to A match.

Between A&B

Packets from A to B, or from B to A, match.

not this combination

Packets that do not match the given combination of A and B are shown in the log.

If you, for example, want to search for all packets to a web server, but not packets on the "normal" client and server ports in your environment, fill in the form like this:
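The port-matching rules above, worked through as an added Python model of the search form (example code, not part of the manual; the function names, the packet dictionary layout and the sample log entries are assumptions made for this example):

```python
# Added example (not the manual's own code): a model of the port-search
# form described above. A port spec is a single number ("80"), a range
# ("1024-65535"), a comma-separated list ("22, 80-90") or "" for any port.
# Function names and the packet dict layout are assumptions for this example.

def parse_port_spec(spec):
    """Return a list of (low, high) ranges; an empty list means 'any port'."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {item!r}")
        ranges.append((lo, hi))
    return ranges

def field_match(port, ranges, inverted=False):
    """True if port is covered by ranges; 'inverted' is the field's "not this port" box."""
    hit = not ranges or any(lo <= port <= hi for lo, hi in ranges)
    return hit != inverted

def match_packet(pkt, spec_a, spec_b, mode,
                 not_a=False, not_b=False, not_combination=False):
    """pkt is {'sport': ..., 'dport': ...}; mode is one of the control boxes."""
    a, b = parse_port_spec(spec_a), parse_port_spec(spec_b)
    sp, dp = pkt["sport"], pkt["dport"]
    src_a, dst_a = field_match(sp, a, not_a), field_match(dp, a, not_a)
    src_b, dst_b = field_match(sp, b, not_b), field_match(dp, b, not_b)
    a_to_b, b_to_a = src_a and dst_b, src_b and dst_a
    modes = {
        "A src": src_a,                  # field B ignored
        "A dst": dst_a,                  # field B ignored
        "A any": src_a or dst_a,         # field B ignored
        "A to B": a_to_b,
        "B to A": b_to_a,
        "Between A&B": a_to_b or b_to_a,
    }
    hit = modes[mode]
    return not hit if not_combination else hit   # "not this combination" box

def search_log(packets, **form):
    """Return the entries the log view would show for a filled-in form."""
    return [p for p in packets if match_packet(p, **form)]

# Constructed sample log entries, not real traffic.
SAMPLE_LOG = [{"sport": 34567, "dport": 80}, {"sport": 80, "dport": 34567},
              {"sport": 22, "dport": 22}, {"sport": 53, "dport": 40000}]
```

Note that an empty field combined with its "not this port" box matches nothing, since "any port" inverted excludes every port.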

ICMP

ICMP packets contain a type field and a code field. When searching for ICMP packets, you can select all packets or only those matching certain criteria.

In the type and code fields, you can enter a single number (e.g., 5), a range of numbers (e.g., 5-10), a list of numbers and ranges separated by commas (e.g., 5, 10-20), or nothing at all. If the field is empty, any type or code will match. See appendix G, Lists of ports, ICMP and protocols, for more information on ICMP types and codes.

If you want to study all traffic except that of a certain type/code, enter the type/code number(s) here and mark the "not" box.

ESP

ESP is an authentication/encryption protocol. Select this if you want to search for encrypted packets.
