Date:      Mon, 05 Jan 2004 10:00:20 +0200
From:      bsd@perimeter.co.za
To:        "FreeBSD Question List" <freebsd-questions@freebsd.org>
Subject:   IPF: Apparent packet duplication logged by IPF
Message-ID:  <courier.3FF91994.00007784@perimeter.co.za>

Hi all. 

I am having a strange situation with IPF.  I am trying to log all passed 
packets (the log is passed to a third-party stats program for graphical 
analysis). 

The problem is that I see many packets apparently being duplicated in the 
ipmon.log.  The packet enters the firewall from the internal interface OK, 
but it appears to be transmitted out to the internet twice.  Conversely, 
there are often multiple inbound packets from the internet which become just 
one on the internal interface. 

See these two examples (beware of line-wrap):
1) Internet to LAN
09:30:00.508378 2x ed1 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S IN
09:30:00.509446 hdlc5 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S OUT

2) LAN to internet (168.209.221.66 is my NAT address)
09:30:00.616102 hdlc5 @0:21 P 192.168.0.180,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S IN
09:30:00.616188 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
09:30:00.616275 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT

I don't believe the packets are ACTUALLY being resent twice, because the 
stats I have under MRTG indicate matching traffic volumes on the 
corresponding interfaces.  I suspect the issue has something to do with how 
IPF and IPMON log the packets.  But I'm not sure. 

Any help in understanding/fixing this would be greatly appreciated. 

Regards,
Patrick O'Reilly. 
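
An added example, not part of the original message: a small Python parser for the ipmon lines quoted above that reads the `Nx` prefix as ipmon's repeat count and compares logged IN and OUT packet counts per flow, which is what a stats program consuming this log would need to do. The field layout is inferred from the quoted lines only, the function names are hypothetical, and flows are keyed on destination because NAT rewrites the source address in the second sample.

```python
import re
from collections import Counter, defaultdict

# Sample lines copied from the message above, with the e-mail line-wrap undone.
SAMPLE = """\
09:30:00.508378 2x ed1 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S IN
09:30:00.509446 hdlc5 @0:21 P 196.35.72.139,443 -> 192.168.0.180,1277 PR tcp len 20 296 -AP K-S OUT
09:30:00.616102 hdlc5 @0:21 P 192.168.0.180,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S IN
09:30:00.616188 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
09:30:00.616275 ed1 @0:21 P 168.209.221.66,1277 -> 196.35.72.139,443 PR tcp len 20 40 -A K-S OUT
"""

# time, optional "Nx" repeat count, interface, @group:rule, action, addresses, protocol, lengths, direction
LINE_RE = re.compile(
    r"^(?P<time>[\d:.]+)\s+(?:(?P<count>\d+)x\s+)?(?P<iface>\S+)\s+@\d+:\d+\s+\S+\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+\d+\s+(?P<len>\d+)\s+.*?(?P<dir>IN|OUT)\s*$"
)

def parse_line(line):
    """Return one ipmon record as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"] or 1)  # no prefix: the entry was logged once
    rec["dport"], rec["len"] = int(rec["dport"]), int(rec["len"])
    return rec

def tally(text):
    """Packets per (interface, direction), expanding the Nx prefix."""
    per_iface = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        per_iface[(rec["iface"], rec["dir"])] += rec["count"]
    return per_iface

def imbalance(text):
    """Flows (dst, dport, len) whose logged IN and OUT packet counts differ."""
    flows = defaultdict(Counter)
    for rec in filter(None, map(parse_line, text.splitlines())):
        flows[(rec["dst"], rec["dport"], rec["len"])][rec["dir"]] += rec["count"]
    return {k: (c["IN"], c["OUT"]) for k, c in flows.items() if c["IN"] != c["OUT"]}

if __name__ == "__main__":
    for key, (n_in, n_out) in imbalance(SAMPLE).items():
        print(key, "IN", n_in, "OUT", n_out)
```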


