Internet Protocol version 6 (IPv6) Internet Connection Firewall log file overview
The IPv6 Internet Connection Firewall (ICF) log allows advanced users to choose which information to log. With ICF logging you can:
Log dropped packets. This will log all dropped packets that originate from either the computer or the network.
Log dropped packets collects information about each attempt by traffic to travel across the firewall that is detected and denied by IPv6 ICF. For example, if your Internet Control Message Protocol (ICMP) settings are not set to allow incoming echo requests, such as those sent out by the Ping and Tracert commands, and an echo request is received, the echo request is dropped and an entry is created in the log.
Log successful connections. This will log all successful connections that originate from either the computer or the network.
Log successful connections collects information about each successful connection that travels across the firewall. For example, when you successfully connect to a Web site using Internet Explorer over IPv6, an entry is created in the log.
When an entry is created, it uses the appropriate IPv6 address. IPv6 traffic is also logged to a different log file than the IPv4 ICF log file. The name of the IPv6 log file is pfirewall-v6.log.
The IPv6 ICF log has two sections:
The header provides information about the version of the security log and the fields that are available for data entry. The header information is presented as a static list.
The body is the compiled data that is entered as a result of traffic attempting to cross the firewall. The fields in the security log are entered from left to right across the page. The body of the security log is a dynamic list—new data entries are entered at the bottom of the log. One or both of the logging options must be selected in order for data to be entered into the security log.
The following tables define the information that is kept in the security log:
Header information

Item | Description | Example |
---|---|---|
#Version: | Displays which edition of the Internet Connection Firewall security log is installed. | 1.0 |
#Software: | Provides the name of the security log. | Microsoft IPv6 Internet Connection Firewall |
#Time: | Indicates that all of the timestamps in the log are in local time. | Local |
#Fields: | Displays a static list of fields that are available for security log entries, if data is available. | date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, and info |

Body data

Fields | Description | Example |
---|---|---|
date | Specifies the year, month, and day that the recorded transaction occurred. Dates are recorded in the format: YYYY-MM-DD, where YYYY is the year, MM is the month, and DD is the day. | 2001-01-27 |
time | Specifies the hour, minute, and seconds at which the recorded transaction occurred. Times are recorded in the format: HH:MM:SS, where HH is the hour in 24-hour format, MM is minutes, and SS is seconds. | 21:36:59 |
action | Specifies which operation was observed by the firewall. The options available to the firewall are OPEN, CLOSE, DROP, and INFO-EVENTS-LOST. An INFO-EVENTS-LOST action indicates the number of events that happened but were not placed in the log. | OPEN |
protocol | Specifies which protocol was used for the communication. A protocol entry can also be a number for packets that are not TCP, UDP, or ICMP. | TCP |
src-ip | Specifies the source IP address (the IP address of the computer attempting to establish communications). | 2001:0DB8:0:2F3B:2AA:FF:FE28:9C5A |
dst-ip | Specifies the destination IP address (the IP address of the destination of a communication attempt). | 2001:0DB8:0:2F3B:2AA:FF:FE28:9C5A |
src-port | Specifies the source port number of the sending computer. A src-port entry is recorded in the form of a whole number, ranging from 1 to 65,535. Only TCP and UDP will return a valid src-port entry. All other protocols are invalid for src-port, and will result in an entry of -. | 4039 |
dst-port | Specifies the port of the destination computer. A dst-port entry is recorded in the form of a whole number, ranging from 1 to 65,535. Only TCP and UDP will return a valid dst-port entry. All other protocols are invalid for dst-port, and will result in an entry of -. | 53 |
size | Specifies the packet size in bytes. | 60 |
tcpflags | Specifies the TCP control flags found in the TCP header of an IP packet. Flags are written as uppercase letters. The entry information for tcpflags is provided for users with an in-depth knowledge of Transmission Control Protocol (TCP). | AFP |
tcpsyn | Specifies the TCP sequence number in the packet. The entry information for tcpsyn is provided for users with an in-depth knowledge of TCP. | 1315819770 |
tcpack | Specifies the TCP acknowledgement number in the packet. The entry information for tcpack is provided for users with an in-depth knowledge of TCP. | 0 |
tcpwin | Specifies the TCP window size in bytes in the packet. The entry information for tcpwin is provided for users with an in-depth knowledge of TCP. | 64240 |
icmptype | Specifies a number that represents the Type field of the ICMP message. | 128 |
icmpcode | Specifies a number that represents the Code field of the ICMP message. | 0 |
info | Specifies an information entry that depends on the type of action that occurred. For example, an INFO-EVENTS-LOST action will cause an entry of the number of events that happened, but were not placed in the log from the time of the last occurrence of this event type. | 23 |

The character (-) is used for fields where no information is available for an entry.
Note
IPv6 Internet Connection Firewall is only provided with the Advanced Networking Pack for Windows XP, a free download for computers running Windows XP with Service Pack 1. For computers running Windows XP with Service Pack 2, IPv6 Internet Connection Firewall has been replaced with the new Windows Firewall. For more information about Windows Firewall, see Manually Configuring Windows Firewall in Windows XP Service Pack 2.