Session Records
When the ssadm logdump program is run with the loglvl sess filter expression, it outputs the data about sessions in the log files.
Sessions can be either TCP sessions (connections), UDP sessions (request/response pairs), or IP sessions (traffic of a particular IP type between a pair of hosts).
These session data track the state saved in the state tables in the firewall. Session data are enabled by setting the log type to "session" for encryption and pass rules.
The format of the log entries is as follows:
TCP session:
ID id SRC srcaddr:srcport DST dstaddr:dstport FWD fwdpackets:fwdbytes REV revpackets:revbytes TIME starttime:stoptime STATE finalstate
UDP session:
ID id SRC srcaddr:srcport DST dstaddr:dstport FWD fwdpackets:fwdbytes REV revpackets:revbytes TIME starttime:stoptime
IP session:
ID id SRC srcaddr DST dstaddr PROTO proto FWD fwdpackets:fwdbytes REV revpackets:revbytes TIME starttime:stoptime
where:
Table B-7 Session Record Arguments

Argument | Description
id | ID for the session. If two sessions have the same ID, then they are somehow associated with each other. For example, an FTP control and data session, or a RealAudio(TM) control and audio session.
srcaddr | IP source address of the session, either as a name or an address.
srcport | Source port of the session.
dstaddr | IP destination address of the session, either as a name or an address.
dstport | Destination port of the session.
proto | IP protocol for IP sessions; for example, 6 = TCP.
fwdpackets | Number of packets sent in the forward direction. That is, packets from the source address to the destination address.
fwdbytes | Number of bytes sent in the forward direction. That is, bytes in packets from the source address to the destination address.
revpackets | Number of packets sent in the reverse direction. That is, packets from the destination address to the source address.
revbytes | Number of bytes sent in the reverse direction. That is, bytes in packets from the destination address to the source address.
starttime | Start time of the session in seconds since midnight GMT, Jan 1, 1998.
stoptime | Stop time for the session in seconds since midnight GMT, Jan 1, 1998. You can calculate total session elapsed time by subtracting starttime from stoptime.
finalstate | Binary value representing the final state of TCP connections. The following values are possible:
  - A connection was not established because no response to the SYN packet was received from the server.
  - A connection was not established because no response to the SYN/ACK packet was received from the client. A large number of these sessions could indicate a SYN attack.
  - A connection timed out due to lack of traffic.
  - A connection closed successfully or was reset.
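The following is an added example, not part of this manual or of the ssadm logdump tool: a small Python parser for the three session record formats shown above. It assumes the field layout exactly as documented (PROTO present only in IP sessions, STATE present only in TCP sessions), splits the SRC/DST endpoints into address and port, computes elapsed time as stoptime minus starttime, groups records that share an ID (associated sessions such as FTP control and data), and counts TCP sessions per finalstate value so that a spike in one state stands out. The sample log lines are constructed, and their STATE values are placeholders because this page does not list the actual finalstate values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records in the three documented formats plus one junk line.
# Addresses, ports, counters and STATE values are made-up placeholders.
SAMPLE_LOG = """\
ID 1001 SRC 10.1.1.5:40001 DST 192.0.2.10:21 FWD 12:860 REV 10:1240 TIME 100:160 STATE 3
ID 1001 SRC 192.0.2.10:20 DST 10.1.1.5:40002 FWD 300:420000 REV 150:6000 TIME 120:155 STATE 3
ID 1002 SRC 10.1.1.7:53111 DST 192.0.2.53:53 FWD 1:64 REV 1:180 TIME 200:200
ID 1003 SRC 10.1.1.9 DST 192.0.2.20 PROTO 47 FWD 40:5200 REV 38:4900 TIME 300:900
ID 1004 SRC 10.1.1.11:51000 DST 192.0.2.30:443 FWD 3:180 REV 0:0 TIME 400:430 STATE 1
this line is not a session record
"""

# One pattern covers TCP, UDP and IP records: PROTO and STATE are optional.
RECORD_RE = re.compile(
    r"^ID (?P<id>\S+) SRC (?P<src>\S+) DST (?P<dst>\S+)"
    r"(?: PROTO (?P<proto>\d+))?"
    r" FWD (?P<fwdpackets>\d+):(?P<fwdbytes>\d+)"
    r" REV (?P<revpackets>\d+):(?P<revbytes>\d+)"
    r" TIME (?P<start>\d+):(?P<stop>\d+)"
    r"(?: STATE (?P<state>\S+))?$"
)


@dataclass
class Session:
    kind: str                 # "tcp", "udp" or "ip"
    id: str
    srcaddr: str
    srcport: Optional[int]    # None for IP sessions
    dstaddr: str
    dstport: Optional[int]    # None for IP sessions
    proto: Optional[int]      # only set for IP sessions
    fwdpackets: int
    fwdbytes: int
    revpackets: int
    revbytes: int
    starttime: int
    stoptime: int
    finalstate: Optional[str]  # only set for TCP sessions; kept opaque

    @property
    def elapsed(self) -> int:
        """Total session time, stoptime minus starttime (seconds)."""
        return self.stoptime - self.starttime


def _split_endpoint(field: str):
    """Split 'addr:port' into (addr, port); a bare addr (IP session) gets port None."""
    if ":" in field:
        addr, port = field.rsplit(":", 1)
        return addr, int(port)
    return field, None


def parse_record(line: str) -> Optional[Session]:
    """Parse one session record; returns None for lines that are not session records."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    srcaddr, srcport = _split_endpoint(g["src"])
    dstaddr, dstport = _split_endpoint(g["dst"])
    if g["proto"] is not None:
        kind = "ip"
    elif g["state"] is not None:
        kind = "tcp"
    else:
        kind = "udp"
    return Session(
        kind=kind, id=g["id"],
        srcaddr=srcaddr, srcport=srcport, dstaddr=dstaddr, dstport=dstport,
        proto=int(g["proto"]) if g["proto"] is not None else None,
        fwdpackets=int(g["fwdpackets"]), fwdbytes=int(g["fwdbytes"]),
        revpackets=int(g["revpackets"]), revbytes=int(g["revbytes"]),
        starttime=int(g["start"]), stoptime=int(g["stop"]),
        finalstate=g["state"],
    )


def parse_log(text: str) -> List[Session]:
    """Parse every session record in a logdump text; non-record lines are skipped."""
    return [s for s in (parse_record(l) for l in text.splitlines()) if s is not None]


def related_sessions(sessions: List[Session]) -> Dict[str, List[Session]]:
    """IDs shared by more than one record mark associated sessions (e.g. FTP control + data)."""
    groups: Dict[str, List[Session]] = {}
    for s in sessions:
        groups.setdefault(s.id, []).append(s)
    return {sid: ss for sid, ss in groups.items() if len(ss) > 1}


def one_way_sessions(sessions: List[Session]) -> List[Session]:
    """Sessions with forward traffic but no reverse packets at all: unanswered, worth triage."""
    return [s for s in sessions if s.fwdpackets > 0 and s.revpackets == 0]


def state_histogram(sessions: List[Session]) -> Dict[str, int]:
    """Count TCP sessions per finalstate value; a spike in one value is the signal the manual describes."""
    counts: Dict[str, int] = {}
    for s in sessions:
        if s.kind == "tcp":
            counts[s.finalstate] = counts.get(s.finalstate, 0) + 1
    return counts


if __name__ == "__main__":
    for s in parse_log(SAMPLE_LOG):
        print(s.kind, s.id, s.srcaddr, "->", s.dstaddr, "elapsed", s.elapsed)
    print("associated IDs:", sorted(related_sessions(parse_log(SAMPLE_LOG))))
    print("state counts:", state_histogram(parse_log(SAMPLE_LOG)))
```

The finalstate value is deliberately kept as an opaque string: once the actual binary values for the four states are known from the firewall's documentation, state_histogram's output can be mapped to them without changing the parser.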