Syslog message error with 6 octets IP address

Unanswered Question
Aug 13th, 2007

Hi all,

Getting syslog message with six octets ip address instead of four. The first four octets are the correct IP address, not sure where the last two came from.

Wondering if anyone has seen this type before. Cisco ISR 3825 with Version 12.4(9)T4 Router and Version 12.2(25) switch module

Initially, I thought that IPv6 was enabled.

Aug 9 14:18:52 [10.5.1.9.22.20] 199: *Aug 9 14:20:24.435: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down

Aug 9 14:19:13 [10.5.1.9.22.20] 203: *Aug 9 14:20:44.439: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joe Clarke Mon, 08/13/2007 - 08:55

Ah, yes, the famous six octets. This comes up every so often. The last two octets are actually the encoded source UDP port the device used to send the message. Since a port is a 16-bit short, it cannot live in a single 8-bit octet. So, the sixth octet is the low-order bits in the 16-bit value (20 in this case). The fifth octet represents the high-order bits (22 in this case):

22 << 8 + 20 = 5652

Said another way:

(22 * 256) + 20 = 5652

Therefore, the device used the source UDP port 5652 when sending this message.

eudechime Mon, 08/13/2007 - 09:18

Thanks for your prompt response.

Is there away to disable or configure this so that normal 4 octet can be send to NMS server?

Actually, the last two octet is 224.204.

Which would be 10.5.1.9.224.204. Based on your calculation, this would change.

Joe Clarke Mon, 08/13/2007 - 09:24

No, this is a fact of Solaris syslog. The devices have nothing to do with this format.

Actions

This Discussion