[TriLUG] IPTables appends 08:00 to MAC address field?

Jon Carnes jonc at nc.rr.com
Mon Dec 15 11:27:39 EST 2003


I know the kernel builds a connection table; could this be a shorthand
for the entry in that table?

On Mon, 2003-12-15 at 11:04, Jeff Bollinger wrote:
> Look at the log entry from IPTables below:
> 
> 
> Dec 15 10:40:23 blackout kernel: ***SSH connection:IN=eth0 OUT= 
> MAC=00:0d:61:C5:76:b1:00:04:75:a0:d1:db:08:00 SRC=x.x.x.x DST=x.x.x.x 
> LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=15253 DF PROTO=TCP SPT=9453 DPT=22 
> WINDOW=5840 RES=0x00 SYN URGP=0
> 
> The MAC address field seems to be divided into
> 
> source: 00:0d:61:C5:76:b1
> dest:   00:04:75:a0:d1:db
> 
> and an 08:00 on the end (2048 in decimal).  What do these extra two 
> bytes signify?  I notice this on almost all hosts that are 
> filtering/logging with IPtables, but I couldn't concoct the appropriate 
> Google query to get the answer.  :)
> 
> Thanks,
> Jeff
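
Added example, not part of the original thread: the LOG target prints the packet's link-layer header as raw bytes, so on Ethernet the MAC= field is the 14-byte frame header in wire order (destination address, source address, EtherType), and 08:00 is the EtherType for IPv4. The Python below splits the field that way when parsing firewall logs; the name parse_log_mac and the second sample line are constructed for this example.

```python
import re

# A few common EtherType values; not exhaustive.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q VLAN"}

MAC_FIELD = re.compile(r"\bMAC=([0-9A-Fa-f:]*)")


def parse_log_mac(line):
    """Split the MAC= field of a netfilter LOG line into Ethernet header parts.

    Returns None when the field is absent, empty (locally generated packets
    carry no link-layer header yet) or is not a 14-byte Ethernet header.
    """
    m = MAC_FIELD.search(line)
    if not m or not m.group(1):
        return None
    octets = m.group(1).lower().split(":")
    if len(octets) != 14 or any(len(o) != 2 for o in octets):
        return None
    ethertype = int(octets[12] + octets[13], 16)
    return {
        "dst_mac": ":".join(octets[0:6]),    # bytes 0-5: destination address
        "src_mac": ":".join(octets[6:12]),   # bytes 6-11: source address
        "ethertype": ethertype,              # bytes 12-13: payload protocol
        "protocol": ETHERTYPES.get(ethertype, "unknown"),
    }


# Log line from the post above, joined onto one line.
SAMPLE = (
    "Dec 15 10:40:23 blackout kernel: ***SSH connection:IN=eth0 OUT= "
    "MAC=00:0d:61:C5:76:b1:00:04:75:a0:d1:db:08:00 SRC=x.x.x.x DST=x.x.x.x "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=15253 DF PROTO=TCP SPT=9453 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0"
)

# Constructed line: outbound packet logged with an empty MAC= field.
SAMPLE_LOCAL = "kernel: IN= OUT=eth0 MAC= SRC=x.x.x.x DST=x.x.x.x PROTO=TCP"

if __name__ == "__main__":
    print(parse_log_mac(SAMPLE))
    print(parse_log_mac(SAMPLE_LOCAL))
```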



