How do I interpret the fields in Honeyds packet log?
The -l option makes Honeyd write a flow log of every connection and every packet it sees. Entries look like this (the third field is an ASCII hyphen in the real log):

    2004-01-07-14:36:58.7132 tcp(6) - 252.214.169.203 2064 192.168.27.180 21: 48 S [MacOS 8.0-8.6 OTTCP]
    2004-01-07-15:26:40.0209 tcp(6) - 244.233.22.102 61891 172.162.8.180 21: 60 S [FreeBSD 5.0-5.1 ]
    2004-01-07-16:48:30.1212 tcp(6) S 192.168.21.135 33395 172.162.8.91 80 [Linux 2.6 ]
    2004-01-07-16:48:41.4929 tcp(6) S 10.173.240.67 22110 192.168.14.178 81 [Windows XP SP1]

• The first field is the time of the event, with sub-second resolution.
• The second field is the protocol, for example tcp, udp or icmp. The number in parentheses is the IP protocol number (6 for TCP, 17 for UDP, 1 for ICMP).
• The third field is S for the start of a new connection, E for the end of a connection, or - for a packet that does not belong to any connection. For E entries, Honeyd logs the amount of data received and sent at the end of the line.
• The next four fields represent the connection four tuple:
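The following parser is an added example for turning such a log into records you can triage (lone probes versus completed connections, which ports drew them, which OS fingerprints appeared). It is not Honeyd's own code. The first four sample lines are the ones quoted above with the hyphen restored; the fifth is a constructed E entry, and its trailing "received sent" byte counts are an assumption about the exact layout, based only on the description above. Reading the "48 S" after the port on - lines as the packet size and TCP flags is likewise an interpretation of the sample lines, and the bracketed text is taken to be the passive OS fingerprint Honeyd attaches. Lines without a port pair (such as icmp entries) are returned unparsed rather than guessed at.

```python
"""Parser for Honeyd -l flow-log lines (added example, not Honeyd code)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample input. Lines 1-4 are the FAQ's own examples with the
# ASCII hyphen restored in the third field. Line 5 is a constructed E entry;
# the FAQ only says E lines end with the data received and sent, so the
# exact "recv sent" layout is an assumption.
SAMPLE_LOG = """\
2004-01-07-14:36:58.7132 tcp(6) - 252.214.169.203 2064 192.168.27.180 21: 48 S [MacOS 8.0-8.6 OTTCP]
2004-01-07-15:26:40.0209 tcp(6) - 244.233.22.102 61891 172.162.8.180 21: 60 S [FreeBSD 5.0-5.1 ]
2004-01-07-16:48:30.1212 tcp(6) S 192.168.21.135 33395 172.162.8.91 80 [Linux 2.6 ]
2004-01-07-16:48:41.4929 tcp(6) S 10.173.240.67 22110 192.168.14.178 81 [Windows XP SP1]
2004-01-07-16:49:02.0001 tcp(6) E 192.168.21.135 33395 172.162.8.91 80: 0 512
"""

# timestamp proto(num) event src sport dst dport <rest>
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<proto>[a-z]+)\((?P<proto_num>\d+)\)\s+"
    r"(?P<event>[SE-])\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)
_FP_RE = re.compile(r"\[(.*?)\]")


@dataclass
class HoneydRecord:
    timestamp: datetime
    proto: str                  # tcp, udp, icmp
    proto_num: int              # IP protocol number, e.g. 6 in tcp(6)
    event: str                  # "S" start, "E" end, "-" outside any connection
    src: str
    sport: int
    dst: str
    dport: int
    size: Optional[int] = None            # "-" lines: packet size (interpretation)
    flags: Optional[str] = None           # "-" lines: TCP flags (interpretation)
    fingerprint: Optional[str] = None     # bracketed passive OS fingerprint
    bytes_received: Optional[int] = None  # E lines (assumed layout)
    bytes_sent: Optional[int] = None      # E lines (assumed layout)


def parse_line(line: str) -> Optional[HoneydRecord]:
    """Parse one log line; None for lines without a src/sport/dst/dport tuple."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fp = _FP_RE.search(rest)
    rec = HoneydRecord(
        timestamp=datetime.strptime(m.group("ts"), "%Y-%m-%d-%H:%M:%S.%f"),
        proto=m.group("proto"),
        proto_num=int(m.group("proto_num")),
        event=m.group("event"),
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        fingerprint=fp.group(1).strip() if fp else None,
    )
    # Whatever follows "dport:" once the fingerprint is removed.
    tail = _FP_RE.sub("", rest).strip()
    if tail.startswith(":"):
        parts = tail[1:].split()
        if rec.event == "-" and len(parts) >= 2:
            rec.size, rec.flags = int(parts[0]), parts[1]
        elif rec.event == "E" and len(parts) >= 2:
            rec.bytes_received, rec.bytes_sent = int(parts[0]), int(parts[1])
    return rec


def parse_log(text: str) -> Tuple[List[HoneydRecord], List[str]]:
    """Return (parsed records, raw lines the parser did not recognise)."""
    records: List[HoneydRecord] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


def summarize(records: List[HoneydRecord]) -> dict:
    """Triage view: event mix, ports hit by lone probes, fingerprints seen."""
    return {
        "events": Counter(r.event for r in records),
        "probed_ports": Counter(r.dport for r in records if r.event == "-"),
        "fingerprints": Counter(r.fingerprint for r in records if r.fingerprint),
    }


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("unparsed:", bad)
```

The split between parsed and unparsed lines is deliberate: a log-to-SIEM pipeline that silently drops the lines it does not understand hides exactly the traffic you deployed the honeypot to notice.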