Packet Logging

The packet log collects very detailed information about network traffic, so it is switched off by default. Click Start logging to turn on the packet log if you suspect malicious network activity. The logging stops automatically when the defined period has expired or when the maximum log file size is reached. Click Stop logging to stop the logging manually.

The packet logs are collected into 10 different files, so previous logs can be viewed while a new log is being generated. The log format is binary and compatible with the tcpdump format, so it can be read either with the packet log viewer or with a common packet logging application.

The packet logger will log all types of network traffic, including the protocols needed by your LAN, like routing information, hardware address resolution etc. This traffic is normally not very useful in logs, and by default it is not shown in the built-in packet log viewer. If you want to see it, clear the Filter non IP out checkbox.

Action Log

The action log collects data about the Internet Shield actions continuously. The action log is a normal text file with a maximum size of 10 MB, and it can be viewed with any text editing application that can read large files. The action log file can be cleared and removed at any time, so it is easy to start logging actions into a new file if the file size gets too big. The path to the log file is shown on the Logging page.

Practical examples of how to read the action log:

Change of firewall policy, e.g. a security level change:

11/16/02 15:48:01,success,general,daemon,Policy file has been reloaded.

Opening a local connection, inbound or outbound:

11/15/02,16:54:41,info,appl control,C:\WINNT\system32\services.exe,allow,send,17,10.128.128.14,137

The fields are:

1. Date
2. Time
3. Type
4. Internal Reason
5. Name of application
6. Application Control action
7. Network action
8. Protocol
9. Remote IP
10. Remote port

Receiving connection

If the application has opened a LISTEN connection, it is acting as a server and remote computers can connect to the port for which the connection was opened. The action log also records these connections.

11/15/02,16:48:00,info,appl control,unknown,allow,receive,17,10.128.129.146,138

The fields are:

1. Date
2. Time
3. Type
4. Internal Reason
5. Name of application
6. Application Control action
7. Network action
8. Protocol
9. Remote IP
10. Remote port

Dynamic rule entry

If an application opens a listening connection that you allow, the static firewall rules may still prevent the inbound connection. Therefore, a dynamic rule is used to allow this connection inbound, only for the duration of the connection and only for this application's use.

11/15/02,16:47:59,info,dynamic rule,added,0.0.0.0,255.255.255.0,0,65535,371,371,allow
11/15/02,16:48:23,info,dynamic rule,removed,0.0.0.0,255.255.255.0,0,65535,371,371,allow

The fields are:

1. Date
2. Time
3. Alert type
4. Rule type
5. Action taken
6. Remote IP address range minimum
7. Remote IP address range maximum
8. Remote port range from
9. Remote port range to
10. Local port range from
11. Local port range to
12. Rule action (allow/deny)
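As an added example (not part of the F-Secure documentation or product), a small Python parser that maps each action log record to the field layouts listed above, selected by the fourth field, and then answers two questions a reviewer of the log would ask: which dynamic rules were added without a matching removal, and which allowed inbound connections were not attributed to a named application. The sample log is constructed from the records on this page plus one hypothetical "added" entry for local port 445.

```python
import csv
from io import StringIO
# Field layouts as listed on this page, selected by the 4th field of each record.
APPL_CONTROL_FIELDS = (
    "date", "time", "type", "reason", "application", "appl_control_action",
    "network_action", "protocol", "remote_ip", "remote_port")
DYNAMIC_RULE_FIELDS = (
    "date", "time", "type", "reason", "action_taken", "remote_ip_min",
    "remote_ip_max", "remote_port_from", "remote_port_to",
    "local_port_from", "local_port_to", "rule_action")
# Constructed sample: the page's records plus a hypothetical port-445 rule never removed.
SAMPLE_LOG = r"""11/16/02 15:48:01,success,general,daemon,Policy file has been reloaded.
11/15/02,16:47:59,info,dynamic rule,added,0.0.0.0,255.255.255.0,0,65535,371,371,allow
11/15/02,16:48:00,info,appl control,unknown,allow,receive,17,10.128.129.146,138
11/15/02,16:48:23,info,dynamic rule,removed,0.0.0.0,255.255.255.0,0,65535,371,371,allow
11/15/02,16:54:41,info,appl control,C:\WINNT\system32\services.exe,allow,send,17,10.128.128.14,137
11/15/02,17:02:10,info,dynamic rule,added,0.0.0.0,255.255.255.0,0,65535,445,445,allow
"""

def parse_action_log(text):
    """Map each record to named fields; unrecognised layouts are kept raw."""
    records = []
    for row in filter(None, csv.reader(StringIO(text))):  # skip empty lines
        reason = row[3] if len(row) > 3 else ""
        if reason == "appl control" and len(row) == len(APPL_CONTROL_FIELDS):
            records.append(dict(zip(APPL_CONTROL_FIELDS, row)))
        elif reason == "dynamic rule" and len(row) == len(DYNAMIC_RULE_FIELDS):
            records.append(dict(zip(DYNAMIC_RULE_FIELDS, row)))
        else:  # e.g. the "general" daemon message, which has its own layout
            records.append({"reason": reason, "raw": row})
    return records

def open_dynamic_rules(records):
    """Dynamic rules 'added' with no later 'removed' entry for the same rule."""
    pending = {}
    for r in records:
        if r.get("reason") != "dynamic rule":
            continue
        key = tuple(r[f] for f in DYNAMIC_RULE_FIELDS[5:])  # IP/port ranges + action
        if r["action_taken"] == "added":
            pending[key] = r
        elif r["action_taken"] == "removed":
            pending.pop(key, None)
    return list(pending.values())

def unattributed_receives(records):
    """Allowed inbound connections where Application Control named no program."""
    return [r for r in records if r.get("reason") == "appl control"
            and r["network_action"] == "receive" and r["application"] == "unknown"]
```

A dynamic rule that stays open, or an inbound connection from an "unknown" application, is where a manual check of the listening process is worthwhile.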


F-Secure Corporation
www.F-Secure.com
Product Support