I get packets. I block packets. I log blocked packets. It's hard to sift through them all.
So I wrote a little Korn shell script to do it for me.
Looking back a few days as of 2004-10-11, I have blocked attempts to access these ports the most: 2745 (1160 times), 5554 (1014 times), 9898 (671 times), 80 (538 times), and 1025 (482 times).
There are more numbers, but it's too much to type. Instead, here is the raw output (count, then destination port):

    # ./seepf.sh dest_port | uniq -c | sort -rn
       1160 2745
       1015 5554
        672 9898
        540 80
        482 1025
        468 1433
        447 4899
        268 3127
        208 901
        204 6129
        105 1023
         76 21
         62 113
         60 9876
         56 3128
         55 8080
         51 3410
         46 22
         44 17300
         38 57439
         36 1978
         34 8000
         34 25
         29 6588
         29 30022
         29 10001
         28 4000
         28 23
         25 5000
         24 65506
         21 4777
         21 443
It tends to get boring after this. But it's surprising that common ports like 80, 22, 25, and 21 received so little attention.
Here is the script so you can use it too.
    #!/bin/ksh

    # Dump the blocked TCP packets from the four rotated pflog files and the live
    # one, then reduce each tcpdump line to "src_ip src_port dst_port".
    # With -ttt the timestamp takes three fields, so the source address.port is
    # $4 and the destination is $6 with a trailing colon. substr() strips that
    # colon; it starts at position 1 rather than 0 because some awks (gawk)
    # count position 0 against the requested length and would also drop the
    # last digit of the port.
    getdump() {
        ( zcat /var/log/pflog.0.gz | tcpdump -tttnr - "tcp" ;
          zcat /var/log/pflog.1.gz | tcpdump -tttnr - "tcp" ;
          zcat /var/log/pflog.2.gz | tcpdump -tttnr - "tcp" ;
          zcat /var/log/pflog.3.gz | tcpdump -tttnr - "tcp" ;
          tcpdump -tttnr /var/log/pflog "tcp" ) |
        awk '{print $4, substr($6, 1, length($6)-1)}' |
        sed -e 's/\./ /g' |
        awk '{print $1, $2, $3, $4, $5, $10}'
    }

    # Each report prints one value per blocked packet, sorted, ready for
    # "uniq -c | sort -rn".
    if [[ $1 == "source_ip" ]] ; then
        getdump | awk '{print $1"."$2"."$3"."$4}' | sort -n
    fi
    if [[ $1 == "source_port" ]] ; then
        getdump | awk '{print $5}' | sort -n
    fi
    if [[ $1 == "dest_port" ]] ; then
        getdump | awk '{print $6}' | sort -n
    fi
It only looks at the last few pflog files, so adjust it to fit your needs.
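As an added example (not the page's seepf.sh), here is a POSIX sh version of the same field extraction and tally that runs over a few constructed tcpdump lines instead of the live pflog files, so the parsing can be checked offline. It assumes the three-field -ttt timestamp layout the script above relies on, skips lines that are not IPv4 address.port pairs (the ICMP line stands in for what the "tcp" capture filter would have excluded), and uses documentation addresses and function names of my own choosing.

```shell
#!/bin/sh
# Added example, not the page's seepf.sh: parse tcpdump-formatted pflog lines
# from stdin and tally destination ports and source addresses.
# Assumes OpenBSD tcpdump -ttt output, where the timestamp takes three fields
# ("Oct  8 16:07:53.899341"), so the source is $4 and the destination is $6.

# Constructed sample: six TCP SYNs plus one ICMP line that must be skipped.
SAMPLE_PFLOG='Oct  8 16:07:53.899341 192.0.2.10.43054 > 198.51.100.5.2745: S 1:1(0) win 65535
Oct  8 16:07:54.102200 192.0.2.11.1025 > 198.51.100.5.5554: S 2:2(0) win 16384
Oct  8 16:07:55.000001 192.0.2.10.43055 > 198.51.100.5.2745: S 3:3(0) win 65535
Oct  8 16:07:56.500000 192.0.2.12.3000 > 198.51.100.5.80: S 4:4(0) win 8192
Oct  8 16:07:57.250000 192.0.2.10.43056 > 198.51.100.5.2745: S 5:5(0) win 65535
Oct  8 16:07:58.000000 192.0.2.13 > 198.51.100.5: icmp: echo request
Oct  8 16:07:59.125000 192.0.2.11.1026 > 198.51.100.5.5554: S 6:6(0) win 16384'

# Reduce each line to "src_ip src_port dst_port". Only lines whose source and
# destination are IPv4 address.port (five dot-separated parts) qualify, which
# is what the page's "tcp" capture filter produces; the ICMP line has four.
extract_fields() {
    awk '
        $5 == ">" && split($4, s, ".") == 5 && split($6, d, ".") == 5 {
            ip = $4;    sub(/\.[0-9]+$/, "", ip)   # drop the trailing .port
            port = $4;  sub(/.*\./, "", port)      # keep only the port
            dport = $6; sub(/:$/, "", dport)       # "198.51.100.5.80:" -> no colon
            sub(/.*\./, "", dport)                 # keep only the port
            print ip, port, dport
        }'
}

# "count key" lines, busiest first; the final awk squeezes uniq -c padding.
tally() {
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

count_dest_ports() { extract_fields | awk '{print $3}' | tally; }
count_source_ips() { extract_fields | awk '{print $1}' | tally; }

# Run both reports over the embedded sample so the block works offline.
report_dest_ports_from_sample() { printf '%s\n' "$SAMPLE_PFLOG" | count_dest_ports; }
report_source_ips_from_sample() { printf '%s\n' "$SAMPLE_PFLOG" | count_source_ips; }

report_dest_ports_from_sample
report_source_ips_from_sample
```

To run it against real logs, feed the same pipeline the page uses (zcat the rotated files, then tcpdump -tttnr - tcp) into count_dest_ports or count_source_ips instead of the embedded sample.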
https://michal.guerquin.com/packets.html, updated 2004-10-12 02:01 EDT