IPF Trying to capture packet body

I am running IPF on a 13.5-RELEASE system. My rule set has been in use for years and seems to work fine.
Lately I have noticed inbound packets from 10.0.0.0/8 which I find interesting. I would like to get to the bottom of
this so I installed the following rule:

block in log body quick on igb1 inet from 10.0.0.0/8 to any

When I examine ipfilter.log, I do see hits from this rule. What I don't see is any logging of the "body", which should give
me at least some of the packet body. The man page states "Up to 128 bytes of a packet's body can also be
logged with the body keyword." (Section 5, ipf man page)

Any suggestions? Do I misunderstand the man page, or am I otherwise missing something? I would like to figure this out
as I should NOT be getting any packets from 10.0.0.0/8 on my ISP interface. Thanks!
 
Thank you gentlemen. I suppose I was trying to understand why I wasn't getting the result I
expected from the IPF rule, but of course, tcpdump is my friend and will tell all. Head-slap.
Thanks again.
 
Just for curiosity, did ipmon -b help you, please?
Thanks for the question. I presently run ipmon -Ds, and was not aware of the -b option.
I will restart the system shortly and I expect that will solve the lack of body logging -- if not I will report here.
As others suggested, I do run a tcpdump in the background, and it is helping me track down the
issue.
Thank you for pointing this out to me. I always learn something when I visit the forum.
 