What are the two different LEN fields in Firewall log messages?

Firewall log messages contain two “LEN” fields. For example:

From firmware 8.1.0s027 build 4947

Dec 13 21:00:25 [4490504.390000]
Firewall: Allowed CONN=vlan MAC=xxxxx
SRC=10.44.22.143 DST=5.181.234.131
LEN=176 TOS=0x00 PREC=0x00 TTL=63 ID=38449 DF PROTO=UDP SPT=48628 DPT=9929 LEN=156 MARK=0x2

From Firmware: 8.1.1b02 build 4974

Dec 13 11:30:07 [1975858.915755]
Firewall: Denied CONN=lan MAC=xxxxxx
SRC=192.168.3.54 DST=192.168.60.127
LEN=100 TOS=0x00 PREC=0x00 TTL=63 ID=7313 PROTO=UDP SPT=16393 DPT=16393 LEN=80 MARK=0x3

What are these fields?
And … is the content of firewall log messages documented anywhere?
Thanks.

Just a guess, so I would wait for an expert to chime in – the first is the entire packet length, the second is the payload length. Again, just a shot in the dark guess.

The LEN fields are indeed length fields.

The first LEN field is the total length of the entire IPv4 packet that has been logged. It's a 16-bit field and defines the entire packet size in bytes, including header and data. The minimum size is 20 bytes (header without data) and the maximum is 65,535 bytes.

The second LEN field is for the UDP datagram. The RFC for UDP says that the “Length is the length in octets of this user datagram including this header and the data. (This means the minimum value of the length is eight.)”

1 Like
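Added example (not part of the original thread and not vendor code): a small Python parser that tells the two LEN fields apart by their position relative to PROTO= and checks them against each other. The function names are hypothetical, the TCP sample line is constructed, and the header-length check assumes an unfragmented UDP datagram.

```python
import re

# First two lines come from the thread (joined onto one line each); the TCP line is constructed.
SAMPLES = [
    "Dec 13 21:00:25 [4490504.390000] Firewall: Allowed CONN=vlan MAC=xxxxx "
    "SRC=10.44.22.143 DST=5.181.234.131 LEN=176 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=38449 DF PROTO=UDP SPT=48628 DPT=9929 LEN=156 MARK=0x2",
    "Dec 13 11:30:07 [1975858.915755] Firewall: Denied CONN=lan MAC=xxxxxx "
    "SRC=192.168.3.54 DST=192.168.60.127 LEN=100 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=7313 PROTO=UDP SPT=16393 DPT=16393 LEN=80 MARK=0x3",
    "Dec 13 11:31:00 [1975911.000000] Firewall: Denied CONN=lan MAC=xxxxxx "
    "SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 "
    "ID=1234 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]

def parse_firewall_line(line):
    """Split fields into IP-level ones (up to PROTO=) and later ones (transport, MARK)."""
    m = re.search(r"Firewall:\s+(\w+)\s+(.*)", line)
    if not m:
        raise ValueError("not a Firewall log line")
    action, rest = m.groups()
    ip, later, flags = {}, {}, []
    target = ip
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if not sep:
            flags.append(key)        # bare flags such as DF or SYN
        else:
            target[key] = val        # the repeated LEN key lands in a different dict
            if key == "PROTO":
                target = later       # fields after PROTO= are not IP-header fields
    return {"action": action, "ip": ip, "later": later, "flags": flags}

def length_summary(line):
    """Return both lengths and cross-check them (assumes unfragmented UDP)."""
    rec = parse_firewall_line(line)
    ip_len = int(rec["ip"]["LEN"])
    out = {"action": rec["action"], "proto": rec["ip"].get("PROTO"), "ip_len": ip_len,
           "udp_len": None, "ip_header_len": None, "payload_len": None,
           "consistent": 20 <= ip_len <= 65535}
    if out["proto"] == "UDP" and "LEN" in rec["later"]:
        udp_len = int(rec["later"]["LEN"])
        hdr = ip_len - udp_len       # an IPv4 header is 20 to 60 bytes, a multiple of 4
        out.update(udp_len=udp_len, ip_header_len=hdr, payload_len=udp_len - 8)
        out["consistent"] &= udp_len >= 8 and 20 <= hdr <= 60 and hdr % 4 == 0
    return out

if __name__ == "__main__":
    for sample in SAMPLES:
        print(length_summary(sample))
```

In both UDP lines from the thread the difference between the two LEN values is 20, the size of an IPv4 header without options.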

Thank you Martin. I had not realized that only UDP packets have the two LEN fields.