Author image Ed Blanchfield


fwlog - extract connection data from firewall logs


  use fwlog
  $result = fwlog::Auto( line of firewall logs...);
  $result = fwlog::Protocol(protocol number);
  $result = fwlog::Service(port number/protocol number);


fwlog::Auto extracts the following data from firewall logs.

        - Action
        - Source
        - Destination
        - Protocol
        - Port

Data is returned seperated by vertical bars "|". For example "drop|||tcp|25".

fwlog::Protocol resolves IP Protocol numbers to names using your /etc/protocols file

fwlog::Services resolves service numbers to names using your /etc/services file and IP protocol number

Note: to use fwlog::Service for ICMP types and codes as per RFC-792 add the following to your /etc/services

  # fwlog services
  ping-request            (type-8,code-0)/icmp                    
  ping-reply              (type-0,code-0)/icmp                    
  network-unreachable     (type-3,code-0)/icmp                    
  host-unreachable        (type-3,code-1)/icmp                    
  protocol-unreachable    (type-3,code-2)/icmp                    
  port-unreachable        (type-3,code-3)/icmp                    
  frag-needed-but-DF-set  (type-3,code-4)/icmp                    
  src-route-failed        (type-3,code-5)/icmp                    
  source-quench           (type-4,code-0)/icmp                    
  parameter-problem       (type-12,code-0)/icmp                   
  ttl-excd-in-tran        (type-11,code-0)/icmp                   
  frag-reass-time-excd    (type-11,code-1)/icmp                   
  redir-net               (type-5,code-0)/icmp                    
  redir-host              (type-5,code-1)/icmp                    
  redir-ToS-and-net       (type-5,code-2)/icmp                    
  redir-ToS-and-host      (type-5,code-3)/icmp                    
  timestamp-request       (type-13,code-0)/icmp                   
  timestamp-reply         (type-14,code-0)/icmp                   
  info-request            (type-15,code-0)/icmp                   
  info-reply              (type-16,code-0)/icmp                   


        - Checkpoint Firewall-1
                - accept
                - drop
                - reject

        - NetScreen
                - Permit
                - Deny

        - CISCO Pix (IOS v6.1 and v6.2 and maybe others)
                - PIX-6-302013
                - PIX-5-304001
                - PIX-6-106015
                - PIX-3-305005
                - PIX-3-106011

        - Smoothwall (v0.9)
                - only chain logged is by Smoothwall is a hyphen "-". 

        - IPCHAINS
                - drops
                - rejects
                - redirects
                - custom chains

        - IPTABLES (using fwbuilder)
                - drops
                - accepts

        - ipf
                - pass
                - block

        - pfSense
                - pass
                - block


  use fwlog;

  while (<>) {
        my $data  = &fwlog::Auto($_);
        if ($data eq undef) {
        } else {

  print "\n\nConnections:\n";
  foreach my $event (sort {$events{$b} <=> $events{$a}} keys %events) {
        print "\t$events{$event}: $event\n";

  print "\n\nLines not processed as connection data:\n";
  foreach my $unknown (sort {$unknownLines{$b} <=> $unknownLines{$a}} keys %unknownLines) {
        print "\t$unknownLines{$unknown}: $unknown\n";
  use fwlog;
  my $protocol =  &fwlog::Protocol("6");
  print "$protocol\n";
  use fwlog;
  my $protocol =  &fwlog::Protocol("6");
  my $service  =  &fwlog::Service("25/$protocol");
  print "$protocol, $service\n";
  my $protocol =  &fwlog::Protocol("1");
  my $service  =  &fwlog::Service("(type-13,code-0)/$protocol");
  print "$protocol, $service\n";


Ed Blanchfield <Ed@E-Things.Org>


This program is Copyright 2000 by Ed Blanchfield.

This program is free software; you can redistribute it and/or modify it under the terms of the Perl Artistic License or the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

If you do not have a copy of the GNU General Public License write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

2 POD Errors

The following errors were encountered while parsing the POD:

Around line 653:

'=item' outside of any '=over'

Around line 697:

You forgot a '=back' before '=head1'