Log packet formatting
Log packet formatting in the debug and filter logs allows further customization of the output to make the logs easier for you to read. This article explains these customization options and how to use them.
- In the administration interface, go to Logs > Debug/Filter.
- In the context menu, click Format of logged packets.
- Type an expression.
- Click OK.
Creating expressions
Format of logged packets is defined by special expressions (a template). You can edit this template to get transparent and relevant information.
Default template
The default template for packet logging follows this pattern:
%DIRECTION%, %IF%, proto:%PROTO%, len:%PKTLEN%, %SRC% - %DST%, %PAYLOAD%
Expressions introduced with % are variables. Other
characters and symbols represent static text as printed in the log.
Variables
The following variables can be used in packet logging templates:
%DIRECTION%— traffic direction in respect of the particular network interface of the firewall (incoming / outgoing)%IF%— interface name%PROTO%— protocol type (TCPTransmission Control Protocol - ensures packet transmission., UDPUser Datagram Protocol - ensures packet transmission., etc.)%PKTLEN%— packet size%SRC%— source IP addressAn identifier assigned to devices connected to a TCP/IP network. and port (depending on the protocol attributeRaw)%DST%— destination IP address and port (depending on the protocol attributeRaw)%SRCMAC%— source MAC addressMedia Access Control Address - A unique identifier that specifies a device in a network.%DSTMAC%— destination MAC address%PAYLOAD%— size of the data part of the packet with details provided (depending on the protocol and attributeRaw)%PAYLOADLEN%— size of the data part of the packet%DSCP%— DSCP value in the IP header
If you wanted to track the direction on an interface, the source and destination and size of the packet:
%DIRECTION% %IF%, %SRC% >> %DST%, length %PKTLEN%
Which would result in the following:
[08/Sep/2012 11:47:39] PERMIT "Firewall traffic" packet from WANWide area network - A network that connects computers and other devices in a large area., 192.168.52.2:53 >> 192.168.52.128:1035, length 96 [08/Sep/2012 11:47:39] PERMIT "Firewall traffic" packet to WAN, 192.168.52.128:1035 >> 192.168.52.2:53, length 63
If you wanted to also show the protocol that was being used the following would display this:
%DIRECTION% %IF% %PROTO% (%SRC% >> %DST%)
Which would result in the following:
[08/Sep/2012 16:12:33] PERMIT "Firewall traffic" packet to WAN UDP (192.168.52.128:1121 >> 192.168.52.2:53) [08/Sep/2012 16:12:33] PERMIT "Firewall traffic" packet from WAN UDP (192.168.52.2:53 >> 192.168.52.128:1121)
NOTE
After this change has been applied the logs will update with the new view. This change is not retroactive and will not alter the previous format of your log data. This change will be applied to both the Filter and Debug log at the same time, it is not possible to set different customizations for each log.