From owner-freebsd-net Tue Oct 22 11:21:43 2002 Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E3AF37B401 for ; Tue, 22 Oct 2002 11:21:41 -0700 (PDT) Received: from mail2.dbitech.ca (radius.wavefire.com [64.141.13.252]) by mx1.FreeBSD.org (Postfix) with SMTP id C5F4943E3B for ; Tue, 22 Oct 2002 11:21:40 -0700 (PDT) (envelope-from darcy@wavefire.com) Received: (qmail 10322 invoked from network); 22 Oct 2002 18:44:05 -0000 Received: from dbitech.wavefire.com (HELO dbitech) (darcy@64.141.15.253) by radius.wavefire.com with SMTP; 22 Oct 2002 18:44:05 -0000 Content-Type: text/plain; charset="iso-8859-1" From: Darcy Buskermolen Organization: Wavefire Technologies Corp. To: "Marc G. Fournier" , freebsd-net@freebsd.org Subject: Re: determining "originator/source" of connection ... Date: Tue, 22 Oct 2002 11:21:22 -0700 User-Agent: KMail/1.4.3 References: <20021022143427.Y47756-100000@hub.org> In-Reply-To: <20021022143427.Y47756-100000@hub.org> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200210221121.22487.darcy@wavefire.com> Sender: owner-freebsd-net@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org For this kind of thing I usualy use ntop with the cflow connector to outp= ut=20 the flow data as regular CISCO flowd stuff. This data can then be analyse= d=20 using tools like rdd and friends. On Tuesday 22 October 2002 10:47, Marc G. Fournier wrote: > I've got FreeBSD setup as a firewall to our campus network, and its doi= ng > a great job of it, but we want to be able log statistics on traffic goi= ng > in and out ... > > I have trafd running on the server, with it dumping its data to a > PostgreSQL database, but for every ~8min "segment", it is logging ~12 0= 00 > records ... so ~90k/hr, or 2.16 million per day ... > > Now, I'm figuring that if I could determine direction of flow (did we > originate the connection, or did someone off campus originate it), I co= uld > shrink that greatly, as right now I have stuff like: > > 216.158.133.242 80 131.162.158.24 3914 6 2356 4 > 216.158.133.242 80 131.162.158.24 3915 6 47767 34 > 216.158.133.242 80 131.162.158.24 3916 6 78962 56 > 216.158.133.242 80 131.162.158.24 3917 6 330141 224 > 216.158.133.242 80 131.162.158.24 3918 6 118862 89 > 216.158.133.242 80 131.162.158.24 3919 6 264139 185 > 216.158.133.242 80 131.162.158.24 3920 6 259543 179 > 216.158.133.242 80 131.162.158.24 3921 6 98014 73 > 216.158.133.242 80 131.162.158.24 3922 6 267772 186 > 216.158.133.242 80 131.162.158.24 3923 6 148879 109 > 216.158.133.242 80 131.162.158.24 3924 6 6406 8 > 216.158.133.242 80 131.162.158.24 3925 6 2486 5 > 216.158.133.242 80 131.162.158.24 3928 6 109584 75 > 216.158.133.242 80 131.162.158.24 3929 6 92435 62 > 216.158.133.242 80 131.162.158.24 3936 6 13059 9 > 216.158.133.242 80 131.162.158.24 3937 6 22641 17 > > where I don't care about the source port, only the dest port ... except= , > in the above, trafd is writing it as 'source port =3D=3D 80' and 'dest = port' > is arbitray ... > > while later in the results, I'll get something like: > > 130.94.4.7 40072 131.162.138.193 25 6 2976 10 > 130.94.4.7 58562 131.162.138.193 25 6 5249 16 > > which does make sense (ie. source port -> dest port) ... > > is there something that i can do with libpcap that will give me better > information then trafd does? is there a 'tag' in the IP headers that c= an > be used to determine the originator of the connection? > > thanks ... > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-net" in the body of the message --=20 Darcy Buskermolen Wavefire Technologies Corp. ph: 250.717.0200 fx: 250.763.1759 http://www.wavefire.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message