From owner-freebsd-net Tue Oct 22 11:32:52 2002
Date: Tue, 22 Oct 2002 11:32:49 -0700
From: Luigi Rizzo
To: "Marc G. Fournier"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: determining "originator/source" of connection ...
Message-ID: <20021022113249.C33933@carp.icir.org>
References: <20021022143427.Y47756-100000@hub.org>
In-Reply-To: <20021022143427.Y47756-100000@hub.org>; from scrappy@hub.org on Tue, Oct 22, 2002 at 02:47:36PM -0300

let me understand, you basically want something that puts flow
statistics in the bucket identified by the of the first SYN packet
you see (the assumption being that connections are initiated by
clients towards a well known port, which appears as dst-port in the
first syn packet ?

Or if you are just happy to aggregate by IP, one solution i often use
is the following (based on dummynet's dynamic pipes):

	# do not expire pipes even if they have no pending traffic
	sysctl net.inet.ip.dummynet.expire=0

	# create separate pipes for src and dst masks
	# (one dynamic queue per local address, up to 256 hash buckets each)
	ipfw pipe 20 config mask src-ip 0xffffffff buckets 256
	ipfw pipe 21 config mask dst-ip 0xffffffff buckets 256

	# outbound traffic is counted per local source, inbound per local destination
	ipfw add pipe 20 ip from $my_subnet to any
	ipfw add pipe 21 ip from any to $my_subnet

	cheers
	luigi

On Tue, Oct 22, 2002 at 02:47:36PM -0300, Marc G. Fournier wrote:
>
> I've got FreeBSD setup as a firewall to our campus network, and it's doing
> a great job of it, but we want to be able to log statistics on traffic going
> in and out ...
>
> I have trafd running on the server, with it dumping its data to a
> PostgreSQL database, but for every ~8min "segment", it is logging ~12 000
> records ... so ~90k/hr, or 2.16 million per day ...
>
> Now, I'm figuring that if I could determine direction of flow (did we
> originate the connection, or did someone off campus originate it), I could
> shrink that greatly, as right now I have stuff like:
>
> 216.158.133.242 80 131.162.158.24 3914 6 2356 4
> 216.158.133.242 80 131.162.158.24 3915 6 47767 34
> 216.158.133.242 80 131.162.158.24 3916 6 78962 56
> 216.158.133.242 80 131.162.158.24 3917 6 330141 224
> 216.158.133.242 80 131.162.158.24 3918 6 118862 89
> 216.158.133.242 80 131.162.158.24 3919 6 264139 185
> 216.158.133.242 80 131.162.158.24 3920 6 259543 179
> 216.158.133.242 80 131.162.158.24 3921 6 98014 73
> 216.158.133.242 80 131.162.158.24 3922 6 267772 186
> 216.158.133.242 80 131.162.158.24 3923 6 148879 109
> 216.158.133.242 80 131.162.158.24 3924 6 6406 8
> 216.158.133.242 80 131.162.158.24 3925 6 2486 5
> 216.158.133.242 80 131.162.158.24 3928 6 109584 75
> 216.158.133.242 80 131.162.158.24 3929 6 92435 62
> 216.158.133.242 80 131.162.158.24 3936 6 13059 9
> 216.158.133.242 80 131.162.158.24 3937 6 22641 17
>
> where I don't care about the source port, only the dest port ... except,
> in the above, trafd is writing it as 'source port == 80' and 'dest port'
> is arbitrary ...
>
> while later in the results, I'll get something like:
>
> 130.94.4.7 40072 131.162.138.193 25 6 2976 10
> 130.94.4.7 58562 131.162.138.193 25 6 5249 16
>
> which does make sense (ie. source port -> dest port) ...
>
> is there something that I can do with libpcap that will give me better
> information than trafd does? is there a 'tag' in the IP headers that can
> be used to determine the originator of the connection?
>
> thanks ...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
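As an added example (not Luigi's code, nor trafd's), here is a small Python flow tracker implementing the first-SYN idea from the reply above: the first bare SYN on a connection fixes the client, the server and the well-known port, and every later packet in either direction is counted in that bucket, so the HTTP rows that trafd reports as 'source port == 80' collapse into one outbound entry. The packet tuples and the campus prefix are constructed for illustration; connections whose SYN was never captured are counted separately, since their direction cannot be inferred.

```python
from collections import defaultdict

# Constructed sample capture (not real traffic): one tuple per packet,
# (src_ip, src_port, dst_ip, dst_port, tcp_flags, ip_length).
# Flags use tcpdump-style letters: "S" = SYN only, "SA" = SYN+ACK, "A"/"PA" = ACK/data.
PACKETS = [
    ("131.162.158.24", 3914, "216.158.133.242", 80, "S", 60),    # campus host opens HTTP
    ("216.158.133.242", 80, "131.162.158.24", 3914, "SA", 60),
    ("216.158.133.242", 80, "131.162.158.24", 3914, "PA", 1500),
    ("131.162.158.24", 3914, "216.158.133.242", 80, "A", 52),
    ("130.94.4.7", 40072, "131.162.138.193", 25, "S", 60),       # outside host delivers mail
    ("131.162.138.193", 25, "130.94.4.7", 40072, "SA", 60),
    ("130.94.4.7", 40072, "131.162.138.193", 25, "PA", 900),
    ("10.0.0.5", 5555, "131.162.1.1", 443, "PA", 400),           # SYN missed: capture started late
]

CAMPUS_PREFIX = "131.162."   # assumed local /16 for this illustration; adjust for the real site

def is_local(ip):
    return ip.startswith(CAMPUS_PREFIX)

def aggregate(packets):
    """Key every packet to its connection's first bare SYN, so the bucket is
    (direction, client, server, server_port) whichever way the packet travels."""
    initiators = {}                        # endpoint pair -> (client, server, server_port)
    stats = defaultdict(lambda: [0, 0])    # bucket -> [bytes, packets]
    unknown = defaultdict(lambda: [0, 0])  # connections whose SYN was never seen
    for src, sport, dst, dport, flags, length in packets:
        pair = frozenset([(src, sport), (dst, dport)])
        if "S" in flags and "A" not in flags and pair not in initiators:
            initiators[pair] = (src, dst, dport)   # the first SYN fixes who the client is
        if pair not in initiators:
            bucket = unknown[tuple(sorted(pair))]  # direction cannot be inferred
        else:
            client, server, port = initiators[pair]
            direction = "outbound" if is_local(client) else "inbound"
            bucket = stats[(direction, client, server, port)]
        bucket[0] += length
        bucket[1] += 1
    return dict(stats), dict(unknown)

if __name__ == "__main__":
    flows, unk = aggregate(PACKETS)
    for (direction, client, server, port), (nbytes, npkts) in sorted(flows.items()):
        print(f"{direction:8} {client:>16} -> {server:>16}:{port:<5} {nbytes:>8} B {npkts:>4} pkts")
    print(f"{len(unk)} connection(s) with no SYN captured")
```

A real deployment would feed this from a libpcap reader and expire entries in `initiators` on FIN/RST or after an idle timeout, otherwise a reused client port would be attributed to the old connection.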