To have a look at the inner workings of psad as it monitors iptables log messages, run psad in a highly verbose mode with the
[iptablesfw]# psad --debug
This instructs psad to not become a daemon; it can then display information on
STDERR as it runs. This information includes everything from MAC addresses to passive OS fingerprinting information. Here's a sample of this output:
❶ Jul 11 16:21:31 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:13:d3:38:b6:e4: 00:90:1a:a0:1c:ec:08:00 SRC=12.17.
XLEN=64 TOS=0x00 PREC=0x00 TTL=43 ID=38577 DF PROTO=TCP SPT=38970 DPT=12754 WINDOW=53760 RES=0x00 SYN URGP=0 OPT (020405B4010303030101080A000000000000000001010402) [+] src mac addr: 00:90:1a:a0:1c:ec [+] dst ...