RE: tracing the source of an attack

From: Brian Dennis (bdennis@internetworkexpert.com)
Date: Tue May 03 2005 - 02:19:47 GMT-3


John,
        By looking at the results from both options you should be able
to determine which one to use in a particular situation.

Here are the results from the "log" keyword:

May 2 22:10:22.143 PST: %SEC-6-IPACCESSLOGP: list 188 permitted tcp 66.215.129.110(61295) -> 65.219.63.90(80), 1 packet

Here are the results from the "log-input" keyword:

May 2 22:11:33.842 PST: %SEC-6-IPACCESSLOGP: list 188 permitted tcp 66.215.129.110(61296) (Ethernet1 00d0.0665.fc20) -> 65.219.63.90(80), 1 packet

        As you can see, the log-input option additionally includes the
layer two address of the device that forwarded the packet to the router.

Brian Dennis, CCIE #2210 (R&S/ISP-Dial/Security)

bdennis@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 775-745-6404 (Outside the US and Canada)

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John Matus
Sent: Monday, May 02, 2005 4:46 PM
To: ccielab@groupstudy.com
Subject: tracing the source of an attack

If you are trying to trace the source of a DoS attack or a smurf attack
by logging all events associated, is it preferable to use "log-input" as
opposed to just "log"?
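
Added example (not part of the original thread): a Python parser for the two %SEC-6-IPACCESSLOGP layouts quoted in the reply, totalling packets per ingress interface and layer two address so the forwarding neighbor stands out even when the source addresses vary. The regular expression assumes exactly the layouts shown above; the last two sample lines are constructed.

```python
import re
from collections import Counter

# First two lines are the ones quoted in the reply; the last two are
# constructed samples (documentation addresses, made-up MAC on Ethernet0).
SAMPLE = [
    "May 2 22:10:22.143 PST: %SEC-6-IPACCESSLOGP: list 188 permitted tcp 66.215.129.110(61295) -> 65.219.63.90(80), 1 packet",
    "May 2 22:11:33.842 PST: %SEC-6-IPACCESSLOGP: list 188 permitted tcp 66.215.129.110(61296) (Ethernet1 00d0.0665.fc20) -> 65.219.63.90(80), 1 packet",
    "May 2 22:11:34.101 PST: %SEC-6-IPACCESSLOGP: list 188 permitted tcp 192.0.2.17(40112) (Ethernet1 00d0.0665.fc20) -> 65.219.63.90(80), 12 packets",
    "May 2 22:11:34.377 PST: %SEC-6-IPACCESSLOGP: list 188 permitted tcp 198.51.100.9(40113) (Ethernet0 0000.5e00.5301) -> 65.219.63.90(80), 3 packets",
]

# The "(interface layer-2-address)" group is optional: it is present only
# when the ACL entry was configured with log-input rather than log.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\((?P<iface>\S+) (?P<mac>[^)]+)\) )?"
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one ACL log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def forwarders(lines):
    """Total packets per (ingress interface, layer two address).

    Lines logged with plain "log" carry no layer two data and are
    collected under the key (None, None).
    """
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            totals[(rec["iface"], rec["mac"])] += rec["count"]
    return totals


if __name__ == "__main__":
    for (iface, mac), pkts in forwarders(SAMPLE).most_common():
        print(f"{iface or 'no log-input data'} {mac or ''}: {pkts} packet(s)")
```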


