Date: Tue, 22 Oct 2002 15:48:13 -0300 (ADT)
From: "Marc G. Fournier" <scrappy@hub.org>
To: Luigi Rizzo <rizzo@icir.org>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: determining "originator/source" of connection ...
In-Reply-To: <20021022113249.C33933@carp.icir.org>
Message-ID: <20021022154730.K25737-100000@hub.org>

On Tue, 22 Oct 2002, Luigi Rizzo wrote:

> let me understand, you basically want something that puts flow statistics
> in the bucket identified by the <dst-ip,dst-port> of the first SYN
> packet you see (the assumption being that connections are
> initiated by clients towards a well known port, which appears
> as dst-port in the first syn packet ?
>
> Or if you are just happy to aggregate by IP, one solution i often
> use is the following (based on dummynet's dynamic pipes):
>
>         # do not expire pipes even if they have no pending traffic
>         sysctl net.inet.ip.dummynet.expire=0
>
>         # create separate pipes for src and dst masks
>         ipfw pipe 20 config mask src-ip 0xffffffff buckets 256
>         ipfw pipe 21 config mask dst-ip 0xffffffff buckets 256
>
>         ipfw add pipe 20 ip from $my_subnet to any
>         ipfw add pipe 21 ip from any to $my_subnet

I don't believe I could do this with ipfw ... $my_subnet == 131.162.0.0 :(
I fear the machine would start to smoke, no? :(


>
> cheers
> luigi
>
>
> On Tue, Oct 22, 2002 at 02:47:36PM -0300, Marc G. Fournier wrote:
> >
> > I've got FreeBSD setup as a firewall to our campus network, and it's doing
> > a great job of it, but we want to be able log statistics on traffic going
> > in and out ...
> >
> > I have trafd running on the server, with it dumping its data to a
> > PostgreSQL database, but for every ~8min "segment", it is logging ~12 000
> > records ... so ~90k/hr, or 2.16 million per day ...
> >
> > Now, I'm figuring that if I could determine direction of flow (did we
> > originate the connection, or did someone off campus originate it), I could
> > shrink that greatly, as right now I have stuff like:
> >
> > 216.158.133.242    80  131.162.158.24  3914     6      2356     4
> > 216.158.133.242    80  131.162.158.24  3915     6     47767    34
> > 216.158.133.242    80  131.162.158.24  3916     6     78962    56
> > 216.158.133.242    80  131.162.158.24  3917     6    330141   224
> > 216.158.133.242    80  131.162.158.24  3918     6    118862    89
> > 216.158.133.242    80  131.162.158.24  3919     6    264139   185
> > 216.158.133.242    80  131.162.158.24  3920     6    259543   179
> > 216.158.133.242    80  131.162.158.24  3921     6     98014    73
> > 216.158.133.242    80  131.162.158.24  3922     6    267772   186
> > 216.158.133.242    80  131.162.158.24  3923     6    148879   109
> > 216.158.133.242    80  131.162.158.24  3924     6      6406     8
> > 216.158.133.242    80  131.162.158.24  3925     6      2486     5
> > 216.158.133.242    80  131.162.158.24  3928     6    109584    75
> > 216.158.133.242    80  131.162.158.24  3929     6     92435    62
> > 216.158.133.242    80  131.162.158.24  3936     6     13059     9
> > 216.158.133.242    80  131.162.158.24  3937     6     22641    17
> >
> > where I don't care about the source port, only the dest port ... except,
> > in the above, trafd is writing it as 'source port == 80' and 'dest port'
> > is arbitrary ...
> >
> > while later in the results, I'll get something like:
> >
> >      130.94.4.7 40072 131.162.138.193    25     6      2976    10
> >      130.94.4.7 58562 131.162.138.193    25     6      5249    16
> >
> > which does make sense (ie. source port -> dest port) ...
> >
> > is there something that I can do with libpcap that will give me better
> > information than trafd does?  is there a 'tag' in the IP headers that can
> > be used to determine the originator of the connection?
> >
> > thanks ...
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-net" in the body of the message
>

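The direction test Luigi sketches at the top of the thread (the host that sends the first SYN, with ACK clear, is the originator, and everything in that connection is then bucketed under the responder's <ip,port>) is worked through below as an added example. It is not part of this thread, nor of trafd, ipfw or dummynet; it is a stand-alone Python model of what the libpcap callback would have to do. The sample packets are constructed inline (no checksums, no link layer), and the campus network is assumed to be 131.162.0.0/16, since the mail only names 131.162.0.0. Connections whose SYN was never observed (they started before the capture, or the SYN was lost) land in an explicit "unknown" bucket rather than being guessed, which is exactly the ambiguity visible in the trafd rows quoted above.

```python
"""Direction-aware TCP flow accounting from raw IPv4 packets (added example).

Originator = sender of the first SYN (SYN set, ACK clear).  Both directions of
a connection share one flow key, and bytes/packets are charged to a bucket
keyed by (direction, responder_ip, responder_port), so the client's ephemeral
port no longer fans one service out into thousands of records.
Everything here, including the sample traffic, is constructed for the example."""
import ipaddress
import socket
import struct
from collections import defaultdict

TH_SYN, TH_PUSH, TH_ACK = 0x02, 0x08, 0x10


def parse_ipv4_tcp(pkt):
    """Decode a raw IPv4/TCP packet; return
    (src, sport, dst, dport, tcp_flags, ip_total_length) or None if it is not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack('!H', pkt[2:4])[0]
    if pkt[9] != 6:                                # IP protocol 6 == TCP
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack('!HH', tcp[:4])
    return src, sport, dst, dport, tcp[13], total_len


class FlowTracker:
    """Charge every packet to a bucket keyed by direction and responder endpoint."""

    def __init__(self, local_net):
        self.local = ipaddress.ip_network(local_net)    # assumed campus prefix
        self.origin = {}                                 # flow key -> (orig ip, orig port, resp ip, resp port)
        self.stats = defaultdict(lambda: [0, 0])         # bucket -> [bytes, packets]

    def feed(self, pkt):
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            return None
        src, sport, dst, dport, flags, length = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))  # identical for both directions
        if flags & (TH_SYN | TH_ACK) == TH_SYN:             # first SYN: src is the originator
            self.origin[key] = (src, sport, dst, dport)
        conn = self.origin.get(key)
        if conn is None:                                    # no SYN seen: direction is unknowable
            bucket = ('unknown', key)
        else:
            orig_ip, _, resp_ip, resp_port = conn
            direction = 'outbound' if ipaddress.ip_address(orig_ip) in self.local else 'inbound'
            bucket = (direction, resp_ip, resp_port)
        self.stats[bucket][0] += length
        self.stats[bucket][1] += 1
        return bucket


def make_packet(src, sport, dst, dport, flags, payload_len=0):
    """Build a minimal IPv4+TCP packet (checksums left zero; fine for parsing)."""
    total = 40 + payload_len
    ip_hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + b'\x00' * payload_len


# Constructed sample: an outbound web fetch, an inbound SMTP delivery, and one
# mid-stream packet whose handshake happened before the capture started.
SAMPLE_PACKETS = [
    make_packet('131.162.158.24', 3914, '216.158.133.242', 80, TH_SYN),
    make_packet('216.158.133.242', 80, '131.162.158.24', 3914, TH_SYN | TH_ACK),
    make_packet('131.162.158.24', 3914, '216.158.133.242', 80, TH_PUSH | TH_ACK, 300),
    make_packet('216.158.133.242', 80, '131.162.158.24', 3914, TH_ACK, 1000),
    make_packet('216.158.133.242', 80, '131.162.158.24', 3914, TH_ACK, 1000),
    make_packet('130.94.4.7', 40072, '131.162.138.193', 25, TH_SYN),
    make_packet('131.162.138.193', 25, '130.94.4.7', 40072, TH_SYN | TH_ACK),
    make_packet('130.94.4.7', 40072, '131.162.138.193', 25, TH_PUSH | TH_ACK, 500),
    make_packet('10.0.0.5', 44321, '131.162.1.1', 443, TH_ACK, 100),
]


def run_sample(local_net='131.162.0.0/16'):
    """Feed the constructed packets through a tracker and return it."""
    tracker = FlowTracker(local_net)
    for pkt in SAMPLE_PACKETS:
        tracker.feed(pkt)
    return tracker


if __name__ == '__main__':
    for bucket, (nbytes, npkts) in run_sample().stats.items():
        print(bucket, nbytes, npkts)
```

In a real collector the `feed` call sits in the `pcap_loop` callback after stripping the link-layer header, and `stats` is what gets flushed to the database per interval; the five web-fetch packets above collapse into a single `('outbound', '216.158.133.242', 80)` row instead of one row per ephemeral port. The "unknown" bucket is the honest answer for flows that predate the capture; a heuristic such as "the lower port is the service" could be layered on top, but it should be labelled as a guess in the stored record rather than silently replacing the SYN-derived direction.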