In message <20020119151332.GA1291@antioche.eu.org>, Manuel Bouyer writes:
>On Thu, Jan 17, 2002 at 10:12:51PM -0500, Steve Bellovin wrote:
>> I run ipfilter, for all the obvious reasons.  But ipmon sometimes shows 
>> me phantom packets -- packets that had to have been received a long 
>> time ago.  For example, right now I'm seeing things like this:
>
>Maybe ipmon was blocked on DNS, and is not processing ipf logs left in the
>buffer ?
>

Others have suggested that.  The problem is that the timing doesn't 
seem to support that.  For example, in this packet that I cited:

Jan 17 22:04:18 berkshire ipmon[136]: 18:46:53.398760              wi0 @0:35 b 18.80.3.173,timed -> 18.80.255.255,timed PR udp len 20 26624  IN 

the packet was received at 18:46:53, but the log message appeared at 
22:04:18.  But the machine was online with excellent connectivity until
about 20:15, when I suspended it -- and a 90 minute DNS lookup delay seems 
improbable.

Still, that's the best explanation anyone has offered, and Greg Woods 
says that his problems of that nature went away when he turned off -n 
to ipmon.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com