Here's an example entry that you may find in your /var/log/kernel.log after creating some firewall rules with logging enabled:
Oct 6 15:52:15 netmax kernel: Packet log: input DENY eth1 PROTO=6 192.168.0.1:2978 10.0.0.1:139 L=60 S=0x00 I=58438 F=0x4000 T=64 SYN (#3)
This logging is done by syslog, which places our firewall messages in kernel.log because we are using kernel-level firewalling (IPCHAINS).
The fields are separated by spaces or colons and provide the following information:
- Month in Mmm format (Oct)
- Date of month (6)
- Time in the 24 hour HH:MM:SS format (15:52:15)
- Hostname of the machine the message occurred on (netmax)
- The subsystem that the message is regarding (kernel:)
- Description of what the message is regarding (Packet log:)
- Chain (category) of the firewall rule involved (input)
- Action of firewall rule involved (DENY)
- Adapter that the firewall rule is on (eth1)
- IP protocol number of the packet (PROTO=6)
- Source address and port of packet (192.168.0.1:2978)
- Destination address and port of packet (10.0.0.1:139)
- Length of packet (L=60)
- Type of service (S=0x00)
- Packet ID (I=58438)
- Fragment flags (F=0x4000)
- Time to live of packet (T=64)
- TCP flags (SYN)
What this message tells us is that someone attempted to open (SYN) a TCP (PROTO=6) connection to port 139 on 10.0.0.1 from port 2978 on 192.168.0.1. Since we know that Windows File Sharing (CIFS) uses TCP port 139, we can conclude that this "person" at 192.168.0.1 was attempting to connect to any Windows shares we had available on 10.0.0.1.
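To make the field breakdown above concrete, here is a small parser for this ipchains "Packet log:" line format, written as an added example (it is not part of the original page and not ipchains code). It splits a line into the fields listed above, maps the PROTO number through the protocol table from this page (only the handful of numbers it needs), names port 139 as the page does, and then tallies DENY entries per source, destination and port so that repeated attempts against a service stand out. The first sample line is the one from the page; the remaining lines, the service name table and the reading of "(#3)" as the matching rule number are assumptions made for the example.

```python
import re
from collections import Counter

# Protocol numbers taken from the RFC 1700 table reproduced on this page.
PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}

# Service names for the ports discussed on the page (139 is the one the text
# explains); extend as needed.  Assumption: port -> service label mapping.
SERVICE_NAMES = {139: "netbios-ssn (Windows File Sharing)"}

# One regex per field of the ipchains log line.  Syslog may pad the day with
# two spaces ("Oct  6"), so every separator is \s+.
LOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+kernel:\s+Packet log:\s+"
    r"(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+I=(?P<ident>\d+)\s+"
    r"F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)"
    r"(?P<rest>.*)$"
)
# Trailing "(#N)": assumed to be the number of the rule that matched.
RULE_RE = re.compile(r"\(#(?P<rule>\d+)\)")


def parse_packet_log(line):
    """Parse one ipchains packet-log line into a dict, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rest = d.pop("rest")
    proto = int(d["proto"])
    rec = {
        "timestamp": f"{d['month']} {d['day']} {d['time']}",
        "host": d["host"],
        "chain": d["chain"],
        "action": d["action"],
        "iface": d["iface"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, f"proto-{proto}"),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]),
        "tos": int(d["tos"], 16),
        "ident": int(d["ident"]),
        "frag": int(d["frag"], 16),
        "ttl": int(d["ttl"]),
        # Upper-case words after the TTL (e.g. SYN) are the TCP flag words.
        "flags": [t for t in rest.split() if t.isalpha() and t.isupper()],
    }
    rm = RULE_RE.search(rest)
    rec["rule"] = int(rm.group("rule")) if rm else None
    return rec


def describe(rec):
    """Render a parsed record as the plain-English reading the text gives."""
    service = SERVICE_NAMES.get(rec["dport"], f"port {rec['dport']}")
    flags = " ".join(rec["flags"]) or "no flags logged"
    return (f"{rec['action']} on {rec['iface']} ({rec['chain']} chain): "
            f"{rec['proto_name']} {flags} from {rec['src']}:{rec['sport']} "
            f"to {rec['dst']}:{rec['dport']} [{service}]")


def summarize_denies(lines):
    """Count DENY entries per (source address, destination address, destination port)."""
    counter = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["action"] == "DENY":
            counter[(rec["src"], rec["dst"], rec["dport"])] += 1
    return counter


# Constructed sample log: line 1 is the entry from the page, the rest are
# made up for this example (including a non-firewall sshd line to be skipped).
SAMPLE_LOG = """\
Oct 6 15:52:15 netmax kernel: Packet log: input DENY eth1 PROTO=6 192.168.0.1:2978 10.0.0.1:139 L=60 S=0x00 I=58438 F=0x4000 T=64 SYN (#3)
Oct  6 15:52:18 netmax kernel: Packet log: input DENY eth1 PROTO=6 192.168.0.1:2979 10.0.0.1:139 L=60 S=0x00 I=58439 F=0x4000 T=64 SYN (#3)
Oct  6 15:53:02 netmax kernel: Packet log: input DENY eth1 PROTO=17 192.168.0.1:1045 10.0.0.1:137 L=78 S=0x00 I=58512 F=0x0000 T=64 (#4)
Oct  6 15:53:40 netmax kernel: Packet log: input ACCEPT eth1 PROTO=6 192.168.0.7:40211 10.0.0.1:22 L=60 S=0x10 I=1201 F=0x4000 T=63 SYN (#1)
Oct  6 15:54:00 netmax sshd[412]: Accepted password for alice from 192.168.0.7
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_packet_log(line)
        print(describe(rec) if rec else f"skipped: {line}")
    for (src, dst, dport), n in summarize_denies(SAMPLE_LOG.splitlines()).items():
        print(f"{n} denied packet(s) from {src} to {dst} port {dport}")
```

Running it prints one reading per firewall line, skips the sshd line, and reports two denied attempts from 192.168.0.1 against port 139 and one against port 137. Feeding it the real kernel.log (for example via `tail -f`) gives a quick per-source view of what the DENY rules are actually catching.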
Here's a table for looking up the protocol from the PROTO number:
Decimal  Keyword      Protocol                              References
-------  -----------  ------------------------------------  --------------------
0                     Reserved                              [JBP]
1        ICMP         Internet Control Message              [RFC792,JBP]
2        IGMP         Internet Group Management             [RFC1112,JBP]
3        GGP          Gateway-to-Gateway                    [RFC823,MB]
4        IP           IP in IP (encapsulation)              [JBP]
5        ST           Stream                                [RFC1190,IEN119,JWF]
6        TCP          Transmission Control                  [RFC793,JBP]
7        UCL          UCL                                   [PK]
8        EGP          Exterior Gateway Protocol             [RFC888,DLM1]
9        IGP          any private interior gateway          [JBP]
10       BBN-RCC-MON  BBN RCC Monitoring                    [SGC]
11       NVP-II       Network Voice Protocol                [RFC741,SC3]
12       PUP          PUP                                   [PUP,XEROX]
13       ARGUS        ARGUS                                 [RWS4]
14       EMCON        EMCON                                 [BN7]
15       XNET         Cross Net Debugger                    [IEN158,JFH2]
16       CHAOS        Chaos                                 [NC3]
17       UDP          User Datagram                         [RFC768,JBP]
18       MUX          Multiplexing                          [IEN90,JBP]
19       DCN-MEAS     DCN Measurement Subsystems            [DLM1]
20       HMP          Host Monitoring                       [RFC869,RH6]
21       PRM          Packet Radio Measurement              [ZSU]
22       XNS-IDP      XEROX NS IDP                          [ETHERNET,XEROX]
23       TRUNK-1      Trunk-1                               [BWB6]
24       TRUNK-2      Trunk-2                               [BWB6]
25       LEAF-1       Leaf-1                                [BWB6]
26       LEAF-2       Leaf-2                                [BWB6]
27       RDP          Reliable Data Protocol                [RFC908,RH6]
28       IRTP         Internet Reliable Transaction         [RFC938,TXM]
29       ISO-TP4      ISO Transport Protocol Class 4        [RFC905,RC77]
30       NETBLT       Bulk Data Transfer Protocol           [RFC969,DDC1]
31       MFE-NSP      MFE Network Services Protocol         [MFENET,BCH2]
32       MERIT-INP    MERIT Internodal Protocol             [HWB]
33       SEP          Sequential Exchange Protocol          [JC120]
34       3PC          Third Party Connect Protocol          [SAF3]
35       IDPR         Inter-Domain Policy Routing Protocol  [MXS1]
Source: RFC 1700