The packet log collects very detailed information about network traffic, so it is switched off by default. Click Start logging to turn the packet log on if you suspect malicious network activity. Logging stops automatically after the defined period has expired or when the maximum log file size is reached. Click Stop logging to stop the logging manually.
The packet logs are collected into 10 different files, so previous logs can be viewed while the new log is generated. The log format is binary and compatible with the tcpdump format, so it can be read either with the packet log viewer or with a common packet logging application.
The packet logger logs all types of network traffic, including the protocols needed by your LAN, such as routing information and hardware address resolution. This traffic is normally not very useful in logs, and by default it is not shown in the built-in packet log viewer. If you want to see it, clear the Filter non IP out checkbox.
The action log collects data about the Internet Shield actions continuously. The action log is a normal text file with a maximum size of 10 MB, and it can be viewed with any text editing application that can read large files. The action log file can be cleared and removed at any time, so it is easy to start logging actions into a new file if the file size gets too big. The path to the log file is shown on the Logging page.
Practical examples of how to read the action log:
11/16/02 15:48:01,success,general,daemon,Policy file has been reloaded.
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|
| 11/15/02 | 16:54:41 | info | appl control | C:\WINNT\system32\services.exe | allow | send | 17 | 10.128.128.14 | 137 |
The fields are:
1. Date
2. Time
3. Type
4. Internal Reason
5. Name of application
6. Application Control action
7. Network action
8. Protocol
9. Remote IP
10. Remote port
If the application has opened a LISTEN connection, it is acting as a server and remote computers can connect to the port the connection was opened for. The action log also records these connections.
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|
| 11/15/02 | 16:48:00 | info | appl control | unknown | allow | receive | 17 | 10.128.129.146 | 138 |
The fields are:
1. Date
2. Time
3. Type
4. Internal Reason
5. Name of application
6. Application Control action
7. Network action
8. Protocol
9. Remote IP
10. Remote port
If an application wants to open a listening connection that you allow, the static firewall rules may still prevent the connection. Therefore, a dynamic rule is used to allow this connection inbound, only for the duration of the connection and only for this application's use.
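The two action log records above, and the general daemon message before them, can be turned into structured data for review. This is an added example, not F-Secure's code; it assumes the comma-separated layout the tables document (with the date and time accepted either as one field or as two) and uses IANA protocol numbers (17 = UDP) to name the protocol column. The sample lines are constructed from the examples on this page.

```python
"""Parse Internet Shield action log lines into named records (added example).

Assumes the comma-separated layout documented above; date and time are
accepted either as one "MM/DD/YY HH:MM:SS" field or as two fields.
"""
PROTOCOL_NAMES = {6: "TCP", 17: "UDP"}  # IANA protocol numbers

FIELD_NAMES = ("date", "time", "type", "reason", "application",
               "app_action", "net_action", "protocol", "remote_ip", "remote_port")

# Constructed sample lines, modelled on the three examples shown above.
SAMPLE_LOG = """\
11/16/02 15:48:01,success,general,daemon,Policy file has been reloaded.
11/15/02 16:54:41,info,appl control,C:\\WINNT\\system32\\services.exe,allow,send,17,10.128.128.14,137
11/15/02 16:48:00,info,appl control,unknown,allow,receive,17,10.128.129.146,138
"""

def parse_line(line: str) -> dict:
    """Return one log line as a dict keyed by the documented field names."""
    parts = line.rstrip("\n").split(",")
    if " " in parts[0]:                      # "date time" written as one field
        date, time = parts[0].split(" ", 1)
        parts = [date, time] + parts[1:]
    if len(parts) < 5:
        raise ValueError(f"too few fields: {line!r}")
    if parts[3] != "appl control":           # e.g. a 'general' daemon message
        return {"date": parts[0], "time": parts[1], "type": parts[2],
                "reason": parts[3], "source": parts[4],
                "message": ",".join(parts[5:])}
    if len(parts) != 10:
        raise ValueError(f"expected 10 fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELD_NAMES, parts))
    rec["protocol"] = int(rec["protocol"])
    rec["remote_port"] = int(rec["remote_port"])
    rec["protocol_name"] = PROTOCOL_NAMES.get(rec["protocol"], str(rec["protocol"]))
    return rec

def parse_log(text: str) -> list:
    """Parse every non-empty line of an action log file."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]

def inbound_unknown(records: list) -> list:
    """Inbound ('receive') events allowed for an application logged as 'unknown'.

    The LISTEN rule is dynamic and per application, so an unnamed listener
    that accepted traffic is the first thing to review in the log.
    """
    return [r for r in records if r.get("reason") == "appl control"
            and r["net_action"] == "receive" and r["application"] == "unknown"]
```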
The fields are:
F-Secure Corporation www.F-Secure.com Product Support