For this kind of thing I usually use ntop with the cflow connector to output 
the flow data as regular CISCO flowd stuff. This data can then be analysed 
using tools like rdd and friends.


On Tuesday 22 October 2002 10:47, Marc G. Fournier wrote:
> I've got FreeBSD set up as a firewall to our campus network, and it's doing
> a great job of it, but we want to be able to log statistics on traffic going
> in and out ...
>
> I have trafd running on the server, with it dumping its data to a
> PostgreSQL database, but for every ~8min "segment", it is logging ~12 000
> records ... so ~90k/hr, or 2.16 million per day ...
>
> Now, I'm figuring that if I could determine direction of flow (did we
> originate the connection, or did someone off campus originate it), I could
> shrink that greatly, as right now I have stuff like:
>
> 216.158.133.242    80  131.162.158.24  3914     6      2356     4
> 216.158.133.242    80  131.162.158.24  3915     6     47767    34
> 216.158.133.242    80  131.162.158.24  3916     6     78962    56
> 216.158.133.242    80  131.162.158.24  3917     6    330141   224
> 216.158.133.242    80  131.162.158.24  3918     6    118862    89
> 216.158.133.242    80  131.162.158.24  3919     6    264139   185
> 216.158.133.242    80  131.162.158.24  3920     6    259543   179
> 216.158.133.242    80  131.162.158.24  3921     6     98014    73
> 216.158.133.242    80  131.162.158.24  3922     6    267772   186
> 216.158.133.242    80  131.162.158.24  3923     6    148879   109
> 216.158.133.242    80  131.162.158.24  3924     6      6406     8
> 216.158.133.242    80  131.162.158.24  3925     6      2486     5
> 216.158.133.242    80  131.162.158.24  3928     6    109584    75
> 216.158.133.242    80  131.162.158.24  3929     6     92435    62
> 216.158.133.242    80  131.162.158.24  3936     6     13059     9
> 216.158.133.242    80  131.162.158.24  3937     6     22641    17
>
> where I don't care about the source port, only the dest port ... except,
> in the above, trafd is writing it as 'source port == 80' and 'dest port'
> is arbitrary ...
>
> while later in the results, I'll get something like:
>
>      130.94.4.7 40072 131.162.138.193    25     6      2976    10
>      130.94.4.7 58562 131.162.138.193    25     6      5249    16
>
> which does make sense (i.e. source port -> dest port) ...
>
> is there something that I can do with libpcap that will give me better
> information than trafd does?  is there a 'tag' in the IP headers that can
> be used to determine the originator of the connection?
>
> thanks ...
>
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-net" in the body of the message

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx:  250.763.1759
http://www.wavefire.com

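The question above asks whether the headers carry anything that identifies the originator of a connection. For TCP they do: the side that sends a SYN with ACK clear is the client, and the SYN+ACK comes from the server, so a sniffer that sees the handshake can orient every later segment and account for it under the server port alone, collapsing the per-ephemeral-port rows in the listing into one row per client, server and service. The following C program is an added example written for this page, not code from either poster or from trafd or ntop. It parses raw Ethernet/IPv4/TCP frames from constructed sample data so that it runs without libpcap; in real use the same account_frame() would be called from the pcap_loop() callback, `void handler(u_char *user, const struct pcap_pkthdr *h, const u_char *bytes)`, with `h->caplen` as the length. The table size, the frame builder and the demo session are all illustrative choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Which way a TCP segment travels relative to the connection that owns it.
   The "tag" the question asks about is the TCP SYN flag: a SYN with ACK
   clear comes from the originator (client); SYN+ACK comes from the server. */
enum direction { DIR_UNKNOWN = 0, DIR_CLIENT_TO_SERVER, DIR_SERVER_TO_CLIENT };

#define TH_SYN 0x02
#define TH_ACK 0x10
#define MAX_CONNS 256   /* illustrative; a real tool needs a hash table and expiry */

struct conn {
    uint32_t client, server;            /* IPv4, host byte order */
    uint16_t client_port, server_port;
    uint64_t bytes_out, bytes_in;       /* out = client->server, in = server->client */
    uint32_t pkts_out, pkts_in;
};
struct conn_table { struct conn c[MAX_CONNS]; size_t n; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Feed one Ethernet/IPv4/TCP frame (pcap DLT_EN10MB layout) into the table.
   Returns the direction it was accounted under, or DIR_UNKNOWN if it is not
   TCP, is truncated, or belongs to a connection whose SYN was never seen
   (e.g. one already open when the capture started). */
enum direction account_frame(struct conn_table *t, const uint8_t *frame, size_t len)
{
    if (len < 14 + 20 + 20 || rd16(frame + 12) != 0x0800) return DIR_UNKNOWN;
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 14 + ihl + 20 || ip[9] != 6) return DIR_UNKNOWN;
    const uint8_t *tcp = ip + ihl;
    uint32_t src = rd32(ip + 12), dst = rd32(ip + 16);
    uint16_t sport = rd16(tcp), dport = rd16(tcp + 2);
    uint16_t iplen = rd16(ip + 2);      /* bytes at the IP layer, not the snaplen */
    uint8_t flags = tcp[13];

    /* Bare SYN: learn the connection with the sender as originator. */
    if ((flags & (TH_SYN | TH_ACK)) == TH_SYN) {
        if (t->n == MAX_CONNS) return DIR_UNKNOWN;
        struct conn *c = &t->c[t->n++];
        memset(c, 0, sizeof *c);
        c->client = src; c->client_port = sport; c->server = dst; c->server_port = dport;
        c->bytes_out += iplen; c->pkts_out++;
        return DIR_CLIENT_TO_SERVER;
    }
    /* Anything else: match a known connection in either orientation. */
    for (size_t i = 0; i < t->n; i++) {
        struct conn *c = &t->c[i];
        if (c->client == src && c->client_port == sport && c->server == dst && c->server_port == dport) {
            c->bytes_out += iplen; c->pkts_out++; return DIR_CLIENT_TO_SERVER;
        }
        if (c->server == src && c->server_port == sport && c->client == dst && c->client_port == dport) {
            c->bytes_in += iplen; c->pkts_in++; return DIR_SERVER_TO_CLIENT;
        }
    }
    return DIR_UNKNOWN;
}

/* One row per (client, server, server port): the ephemeral ports disappear. */
struct service_total { uint32_t conns; uint64_t bytes_out, bytes_in; };

struct service_total summarize(const struct conn_table *t, uint32_t client,
                               uint32_t server, uint16_t server_port)
{
    struct service_total s = {0, 0, 0};
    for (size_t i = 0; i < t->n; i++) {
        const struct conn *c = &t->c[i];
        if (c->client == client && c->server == server && c->server_port == server_port) {
            s.conns++; s.bytes_out += c->bytes_out; s.bytes_in += c->bytes_in;
        }
    }
    return s;
}

/* Constructed sample frame: minimal Ethernet + IPv4 + TCP headers, no options,
   no payload bytes in the buffer; ip_len is the length the packet claims. */
size_t build_frame(uint8_t *buf, uint32_t src, uint16_t sport, uint32_t dst,
                   uint16_t dport, uint8_t flags, uint16_t ip_len)
{
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                 /* EtherType IPv4 */
    uint8_t *ip = buf + 14;
    ip[0] = 0x45;                                   /* version 4, IHL 5 */
    ip[2] = (uint8_t)(ip_len >> 8); ip[3] = (uint8_t)ip_len;
    ip[8] = 64; ip[9] = 6;                          /* TTL, protocol TCP */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint8_t *tcp = ip + 20;
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50;                                 /* data offset 5 words */
    tcp[13] = flags;
    return 54;
}

#define IP4(a,b,c,d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))

/* Replay a constructed web session: two connections from the campus host to
   port 80, as in the listing above, plus one segment from an unseen handshake. */
struct service_total demo(void)
{
    static struct conn_table t;
    uint8_t f[64];
    uint32_t campus = IP4(131,162,158,24), web = IP4(216,158,133,242);
    t.n = 0;
    account_frame(&t, f, build_frame(f, campus, 3914, web, 80, TH_SYN, 60));
    account_frame(&t, f, build_frame(f, web, 80, campus, 3914, TH_SYN | TH_ACK, 60));
    account_frame(&t, f, build_frame(f, web, 80, campus, 3914, TH_ACK, 1500));
    account_frame(&t, f, build_frame(f, campus, 3915, web, 80, TH_SYN, 60));
    account_frame(&t, f, build_frame(f, web, 80, campus, 3915, TH_SYN | TH_ACK, 60));
    account_frame(&t, f, build_frame(f, campus, 3915, web, 80, TH_ACK, 400));
    account_frame(&t, f, build_frame(f, web, 80, campus, 3999, TH_ACK, 1500)); /* dropped */
    return summarize(&t, campus, web, 80);
}

int main(void)
{
    struct service_total s = demo();
    printf("%u connections to port 80: %llu bytes out, %llu bytes in\n",
           s.conns, (unsigned long long)s.bytes_out, (unsigned long long)s.bytes_in);
    return 0;
}
```

Two caveats a practitioner would want: connections that were already open when the capture started have no SYN in it and stay DIR_UNKNOWN until they are re-established, and the SYN rule only orients TCP; for UDP there is no handshake, so the usual heuristic is to treat the first datagram seen as the originator's. Neither caveat changes the point that the accounting key should be (client, server, server port), which is what turns sixteen rows for port 80 into one.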
