On Sun, Apr 09, 2006 at 01:49:28PM +0100, Gaby vanhegan wrote:
> Hi,
>
> I'm trying to set up a system to account for the traffic that flows
> through the firewall by service (http, smtp, etc). I have had some
> success playing with tcpdump and pf logging but I can't quite work
> out what's going on. I have pf logging the traffic that I want to
> account for so /var/log/pflog is filling up nicely. Taking a few
> sample lines from the output of:
>
> # tcpdump -n -r /var/log/pflog
>
> 13:35:07.985465 220.135.151.10.1254 > 195.224.72.148.25: S
> 108231586:108231586(0) win 65535 <mss 1300,nop,nop,sackOK> (DF)
> 13:35:08.384197 195.224.72.148.59258 > 195.224.72.2.53: 28701+[|domain]
> 13:35:15.747376 24.198.33.0.3395 > 195.224.72.148.25: S
> 531328580:531328580(0) win 64240 <mss 1460,nop,wscale
> 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
> 13:35:18.025285 80.62.253.137.4452 > 195.224.72.148.80: S
> 3580612744:3580612744(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)
> 13:35:28.544158 131.165.205.101.1886 > 195.224.72.148.80: S
> 2587435678:2587435678(0) win 16384 <mss 1460> (DF)
> 13:35:29.585572 66.154.102.108.53139 > 195.224.72.148.80: S
> 1452108063:1452108063(0) win 5840 <mss 1460,sackOK,timestamp
> 142976852 0,nop,wscale 0> (DF)
> 13:35:38.090762 82.153.166.67.1436 > 195.224.72.148.80: S
> 1406992321:1406992321(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)
>
> I can't actually work out which field in these lines is the size of
> the data payload for each packet. The first line looks like an SMTP
> connection, the last four look like HTTP connections (incoming).
> I've read the pflog documentation, and the tcpdump documentation but
> perhaps I've missed something. If I want to get packet sizes, I need
> to run tcpdump on the live interface (not the pflog file) with the -e
> flag, which, as the manual suggests:
>
> Link Level Headers
> If the -e option is given, the link level header is printed out. On
> Ethernets, the source and destination addresses, protocol, and packet
> length are printed.
>
> Which gives me packet length. However, this is for all traffic, and
> I'm only interested in traffic that makes it through pf, or traffic
> that I specifically want to log via pf. I have looked at tools like
> symon/symux (which I'll be using for the data logging); I don't want
> to run ntop, and iplog hasn't been touched for years. The mailing list
> archive suggested IPAudit, but I'd rather use native tools if I can.
>
> Do I have to listen to the interface directly (tcpdump -n ip) or
> can I get the packet size information from the pflog file?
The current configuration will not work - looks like a pf(4)
configuration which passes packets according to state. You only log
packets creating state (for TCP, typically SYN packets), and those are
not a very good indication of used bandwidth.

Not using states will help, though I do believe you are likely required
to add a couple of switches to tcpdump (-vvv will do, IIRC, but is
overkill). However, not using states will cause all traffic passing your
network to be logged to disk. Unless you have a very large, very fast
array of disks and the proper tools to sort through gigabytes of data,
this simply isn't going to work.

A quick Google suggests that NetFlow-based tools might do what you want.
See the ports tree.

Joachim
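As an added example (not code from either poster), a small parser that takes `tcpdump -n` lines like the ones quoted above and sums bytes per service. The `(N)` after the TCP sequence numbers is the TCP payload length tcpdump prints, which is why every SYN line in the quoted log shows `(0)`; the trailing `(ttl .., id .., len ..)` field is what OpenBSD tcpdump adds with `-v` and is assumed here, as are the constructed data-carrying lines mixed into the sample.

```python
import re
from collections import defaultdict

# Destination ports the thread wants to account for; anything else is kept as "port-N".
SERVICES = {25: "smtp", 80: "http", 53: "domain"}

# One tcpdump -n line: timestamp, src.sport > dst.dport: rest-of-line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# TCP "seq:seq(N)" where N is the payload byte count (0 on a bare SYN).
TCP_PAYLOAD_RE = re.compile(r"\b\d+:\d+\((?P<n>\d+)\)")
# Assumed OpenBSD tcpdump -v suffix "(ttl T, id I, len L)"; L is the IP total length.
IP_LEN_RE = re.compile(r"\blen (?P<n>\d+)\)")

# Constructed sample: the first three lines are SYN/DNS lines as quoted in the
# thread (unwrapped); the last two are made-up data packets with a -v suffix.
SAMPLE = """\
13:35:07.985465 220.135.151.10.1254 > 195.224.72.148.25: S 108231586:108231586(0) win 65535 <mss 1300,nop,nop,sackOK> (DF)
13:35:08.384197 195.224.72.148.59258 > 195.224.72.2.53: 28701+[|domain]
13:35:18.025285 80.62.253.137.4452 > 195.224.72.148.80: S 3580612744:3580612744(0) win 65535 <mss 1452,nop,nop,sackOK> (DF)
13:35:18.112233 80.62.253.137.4452 > 195.224.72.148.80: P 3580612745:3580613157(412) ack 1 win 65535 (DF) (ttl 118, id 4711, len 452)
13:35:20.000001 220.135.151.10.1254 > 195.224.72.148.25: P 108231587:108231622(35) ack 1 win 65535 (DF) (ttl 116, id 4712, len 75)
"""

def parse_line(line):
    """Return (dport, tcp_payload_or_None, ip_len_or_None), or None if not a packet line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    p = TCP_PAYLOAD_RE.search(rest)
    l = IP_LEN_RE.search(rest)
    return (int(m.group("dport")),
            int(p.group("n")) if p else None,
            int(l.group("n")) if l else None)

def account(lines):
    """Per-service packet count, TCP payload bytes, IP bytes, and lines lacking a len field."""
    totals = defaultdict(lambda: {"packets": 0, "payload": 0, "ip_bytes": 0, "no_len": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        dport, payload, ip_len = parsed
        t = totals[SERVICES.get(dport, f"port-{dport}")]
        t["packets"] += 1
        t["payload"] += payload or 0
        if ip_len is None:
            t["no_len"] += 1      # state-creating SYN lines carry no usable size
        else:
            t["ip_bytes"] += ip_len
    return dict(totals)

if __name__ == "__main__":
    for svc, t in sorted(account(SAMPLE.splitlines()).items()):
        print(f"{svc:8} {t}")
```

Running it over only the first three (quoted) lines yields zero payload and zero IP bytes for every service, which is the point made in the reply: state-creating packets alone say nothing about bandwidth.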