iptables log analysis - LEN property appears twice

Browsing my iptables logs, I see some entries which have the LEN property twice.

kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=504 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026 LEN=484
kernel: INPUT IN=ppp0 OUT= MAC= SRC=x.x.x.x DST=x.x.x.x LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58

From netfilter documentation LEN is described as:

Total length of IP packet in bytes

For what reason is there more than one LEN counter? And also important to know, what is the difference (what does each LEN mean, and in which case is more than one LEN counter used)?

Thanks for help.

crowl

It's iptables' somewhat awkward way of saying the IP header is 20 bytes. The first line represents an IP packet of 504 bytes containing a UDP packet of 484 bytes. The second is an IP packet of 78 bytes containing a UDP packet of 58 bytes.
Eirik Seim

Hello Eirik,

Thanks for the reply and the helpful answer. Do you have any reference for me? I have searched Google for this topic but did not get useful results.

Thanks in advance.

crowl

504 - 484 = 20. Hmmm, I'll bet this was windoze messenger spam. The source IP address is _probably_ faked.
78 - 58 = 20. Windoze name request: "would you like to share viruses?"

LENgth of IP packet = LENgth of UDP/TCP packet plus header length. See

RFC 0768 User Datagram Protocol. J. Postel. August 1980. (Also STD0006) (Status: STANDARD)
RFC 0791 Internet Protocol. J. Postel. September 1981. (Obsoletes RFC0760) (Updated by RFC1349) (Also STD0005) (Status: STANDARD)
RFC 0792 Internet Control Message Protocol. J. Postel. September 1981. (Obsoletes RFC0777) (Updated by RFC0950) (Also STD0005) (Status: STANDARD)
RFC 0793 Transmission Control Protocol. J. Postel. September 1981. (Updated by RFC3168) (Also STD0007) (Status: STANDARD)

These RFCs can be found in many places - use your favorite search engine. Briefly, see figure 4 of RFC0791. These packets consist of a 20 byte IPv4 header (Version, Header length, Type of Service, Total LENgth, an Identification [serial number] word, flags and fragment offset, Time To Live, Protocol number, header checksum, source and destination IP address, which is a total of 20 bytes [there can be additional options in increments of 4 from zero to 40 additional bytes, for a maximum IP header of 60 bytes]) followed by a UDP/TCP/ICMP packet, which itself consists of 4 to 60 bytes of protocol headers (ICMP = 4, UDP = 8, TCP = 20 to 60) followed by the actual data.

Old guy

Moe Trin
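As an added example (not code from this thread), the arithmetic from the replies above applied to log lines of the form quoted in the question: the first LEN is the IP total length, the second (present on UDP lines) is the UDP length, and their difference must be a valid IPv4 header length. The sample lines are constructed, with documentation addresses standing in for the x.x.x.x placeholders; the third line is deliberately inconsistent so the check has something to flag.

```python
import re

IPV4_HEADER_MIN = 20   # IPv4 header with no options
IPV4_HEADER_MAX = 60   # IPv4 header with the maximum 40 bytes of options

# Constructed sample log lines modelled on the ones quoted in the question.
SAMPLE_LOG = """\
kernel: INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.1 LEN=504 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=33800 DPT=1026 LEN=484
kernel: INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.11 DST=198.51.100.1 LEN=78 TOS=0x00 PREC=0x00 TTL=115 ID=12573 PROTO=UDP SPT=1028 DPT=137 LEN=58
kernel: INPUT IN=ppp0 OUT= MAC= SRC=192.0.2.12 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=UDP SPT=53 DPT=53 LEN=58
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_fields(line):
    """Split an iptables LOG line into KEY=VALUE pairs, keeping repeated
    keys (the two LEN fields) in the order they appear."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, []).append(value)
    return fields

def udp_length_check(line):
    """For a UDP line return (ip_total, udp_len, ip_hdr_len, plausible).
    First LEN = IP total length, second LEN = UDP length (8-byte UDP header
    plus data). The difference is the IPv4 header length, which must be
    20..60 bytes and a multiple of 4. Returns None when the line is not UDP
    or does not carry exactly two LEN fields."""
    fields = parse_fields(line)
    lens = [int(v) for v in fields.get("LEN", [])]
    if fields.get("PROTO") != ["UDP"] or len(lens) != 2:
        return None
    ip_total, udp_len = lens
    ip_hdr_len = ip_total - udp_len
    plausible = (IPV4_HEADER_MIN <= ip_hdr_len <= IPV4_HEADER_MAX
                 and ip_hdr_len % 4 == 0 and udp_len >= 8)
    return ip_total, udp_len, ip_hdr_len, plausible

def scan(log_text):
    """Apply the check to every line; return (src, ip_total, udp_len,
    ip_hdr_len, plausible) tuples for the lines it applies to."""
    results = []
    for line in log_text.splitlines():
        result = udp_length_check(line)
        if result is not None:
            src = parse_fields(line).get("SRC", [""])[0]
            results.append((src,) + result)
    return results

if __name__ == "__main__":
    for src, ip_total, udp_len, hdr, ok in scan(SAMPLE_LOG):
        print(f"{src}: IP={ip_total} UDP={udp_len} header={hdr} "
              f"{'ok' if ok else 'SUSPECT'}")
```

A header length outside 20..60 (or not a multiple of 4) means the two LEN values cannot describe one well-formed IPv4/UDP packet, which is worth a second look when reviewing a log.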
