Post 380.66_6 update Log entry

JimH

Occasional Visitor
After installing the recent 380.66_6 update for my RT-AC310, I started seeing the following entries in my syslogs:

WLEN=60 TOS=0x00 PREC=0x20 TTL=54 ID=32135 DF PROTO=TCP SPT=15056 DPT=22 SEQ=3885796295 ACK=0 INDOW=4380 RES=0x00 SYN URGP=0 OPT (020405140402080A04D8F6410000000001030308)

I've never seen the numeric values following the OPT flag. Seen these entries on both accepted and dropped entries. Appreciate any assistance.

Jim H.
 
After installing the recent 380.66_6 update for my RT-AC310, I started seeing the following entries in my syslogs:

WLEN=60 TOS=0x00 PREC=0x20 TTL=54 ID=32135 DF PROTO=TCP SPT=15056 DPT=22 SEQ=3885796295 ACK=0 INDOW=4380 RES=0x00 SYN URGP=0 OPT (020405140402080A04D8F6410000000001030308)

I've never seen the numeric values following the OPT flag. Seen these entries on both accepted and dropped entries. Appreciate any assistance.

Jim H.

That's from the TCP options flag, which has been there for years (some packets it just doesn't show for). Here's a post about making it "human readable".

https://serverfault.com/questions/453759/iptables-how-to-read-this-opt-string


0204057D010303010101080A3E521D4D0000000004020000
From a sans.org study guide,
the first 2 bytes (0x0204) 04--is-length 02 means MSS flag
the next 2 bytes (0x057D) are the value for maximum size segment (MSS)
the next byte (0x01) is a no-op
the next 2 bytes (0x0303) indicate that window scaling is enabled

the 3 bytes ("010101") are no-ops (AKA padding)
the 2 next bytes ("080a") flag a time stamp value
the 4 next bytes ("0x3E521D4D00000000") are date time 5 * 2 bytes
the 4 next bytes ("0402") sAck Ok

The master document: ftp://ftp.ietf.org/iana/tcp-parameters/tcp-parameters.xml
Others: http://tools.ietf.org/html/draft-ietf-tcpm-tcp-security-03
http://www.ietf.org/mail-archive/web/tcpm/current/msg03199.html
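
A kind/length walk over the OPT hex string, as an added example that is not part of the original posts or the linked answer. The function names are hypothetical; the option kind numbers are the ones assigned in the IANA TCP parameters registry, and the sample inputs are the two strings quoted in this thread.

```python
import re
import struct

# Option kind numbers from the IANA TCP parameters registry (subset).
KINDS = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE",
         4: "SACK_PERM", 5: "SACK", 8: "TIMESTAMP"}

def parse_tcp_options(hex_str):
    """Decode the hex blob logged after OPT into (name, value) pairs."""
    data = bytes.fromhex(hex_str)
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:  # End of Option List; anything after it is padding
            opts.append(("EOL", None))
            break
        if kind == 1:  # NOP is one byte with no length field
            opts.append(("NOP", None))
            i += 1
            continue
        # Every other option is: kind, length, then (length - 2) data bytes.
        if i + 1 >= len(data):
            raise ValueError(f"option kind {kind} at offset {i}: no length byte")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"option kind {kind} at offset {i}: bad length {length}")
        body = data[i + 2:i + length]
        if kind == 2 and length == 4:
            value = struct.unpack("!H", body)[0]   # MSS in bytes
        elif kind == 3 and length == 3:
            value = body[0]                        # window scale shift count
        elif kind == 4 and length == 2:
            value = True                           # SACK permitted
        elif kind == 8 and length == 10:
            value = struct.unpack("!II", body)     # (TSval, TSecr)
        else:
            value = body.hex()                     # unknown or odd-sized option
        opts.append((KINDS.get(kind, f"KIND_{kind}"), value))
        i += length
    return opts

def options_from_log_line(line):
    """Pull the OPT (...) field out of one iptables LOG line, if present."""
    m = re.search(r"OPT \(([0-9A-Fa-f]+)\)", line)
    return parse_tcp_options(m.group(1)) if m else []

if __name__ == "__main__":
    # The two option strings quoted in this thread.
    for s in ("020405140402080A04D8F6410000000001030308",
              "0204057D010303010101080A3E521D4D0000000004020000"):
        print(parse_tcp_options(s))
```

A truncated or malformed option raises `ValueError` instead of being decoded past the end of the buffer.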
 
