Date:      Tue, 22 Oct 2002 14:47:36 -0300 (ADT)
From:      "Marc G. Fournier" <scrappy@hub.org>
To:        freebsd-net@freebsd.org
Subject:   determining "originator/source" of connection ...
Message-ID:  <20021022143427.Y47756-100000@hub.org>


I've got FreeBSD set up as a firewall to our campus network, and it's doing
a great job of it, but we want to be able to log statistics on traffic going
in and out ...

I have trafd running on the server, with it dumping its data to a
PostgreSQL database, but for every ~8min "segment", it is logging ~12 000
records ... so ~90k/hr, or 2.16 million per day ...

Now, I'm figuring that if I could determine direction of flow (did we
originate the connection, or did someone off campus originate it), I could
shrink that greatly, as right now I have stuff like:

216.158.133.242    80  131.162.158.24  3914     6      2356     4
216.158.133.242    80  131.162.158.24  3915     6     47767    34
216.158.133.242    80  131.162.158.24  3916     6     78962    56
216.158.133.242    80  131.162.158.24  3917     6    330141   224
216.158.133.242    80  131.162.158.24  3918     6    118862    89
216.158.133.242    80  131.162.158.24  3919     6    264139   185
216.158.133.242    80  131.162.158.24  3920     6    259543   179
216.158.133.242    80  131.162.158.24  3921     6     98014    73
216.158.133.242    80  131.162.158.24  3922     6    267772   186
216.158.133.242    80  131.162.158.24  3923     6    148879   109
216.158.133.242    80  131.162.158.24  3924     6      6406     8
216.158.133.242    80  131.162.158.24  3925     6      2486     5
216.158.133.242    80  131.162.158.24  3928     6    109584    75
216.158.133.242    80  131.162.158.24  3929     6     92435    62
216.158.133.242    80  131.162.158.24  3936     6     13059     9
216.158.133.242    80  131.162.158.24  3937     6     22641    17

where I don't care about the source port, only the dest port ... except,
in the above, trafd is writing it as 'source port == 80' and 'dest port'
is arbitrary ...

while later in the results, I'll get something like:

     130.94.4.7 40072 131.162.138.193    25     6      2976    10
     130.94.4.7 58562 131.162.138.193    25     6      5249    16

which does make sense (i.e. source port -> dest port) ...

is there something that I can do with libpcap that will give me better
information than trafd does?  is there a 'tag' in the IP headers that can
be used to determine the originator of the connection?

thanks ...
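
An added example, not part of the original post and not trafd's or libpcap's own code: the "tag" asked about lives in the TCP header rather than the IP header, since only the originator of a connection sends a SYN without ACK. The Python below (standard library only; the packets are constructed, no libpcap binding is used) parses raw IPv4/TCP packets as a capture callback would hand them over once the link-layer header is stripped, records the SYN sender as the originator, falls back to a lower-port-is-the-server guess for flows first seen mid-stream, and aggregates bytes per (originator, responder, responder port), which collapses the per-source-port rows shown above into one row per service.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10   # TCP flag bits

def parse_ipv4_tcp(pkt):
    """Return (src, sport, dst, dport, tcp_flags, ip_total_len), or None if not IPv4/TCP."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) >= 20 else 0
    if ihl < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None   # not IPv4/TCP, or too short to hold the TCP ports and flags byte
    src, dst = (".".join(map(str, pkt[o:o + 4])) for o in (12, 16))
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return src, sport, dst, dport, pkt[ihl + 13], struct.unpack_from("!H", pkt, 2)[0]

class FlowTable:
    def __init__(self):
        self.origin = {}                              # endpoint pair -> (client, server, server_port)
        self.stats = defaultdict(lambda: [0, 0, 0])   # that key -> [bytes, packets, bytes_from_client]

    def feed(self, pkt):
        p = parse_ipv4_tcp(pkt)
        if p is None:
            return
        src, sport, dst, dport, flags, length = p
        key = frozenset([(src, sport), (dst, dport)])
        if flags & SYN and not flags & ACK:
            self.origin[key] = (src, dst, dport)      # a bare SYN marks its sender as the originator
        elif key not in self.origin:
            # Mid-flow, no SYN captured (e.g. capture started late): assume the lower port is the server.
            self.origin[key] = (dst, src, sport) if sport < dport else (src, dst, dport)
        client, server, server_port = self.origin[key]
        rec = self.stats[(client, server, server_port)]
        rec[0] += length
        rec[1] += 1
        rec[2] += length if src == client else 0

def build_pkt(src, sport, dst, dport, flags, payload_len=0):
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp + bytes(payload_len)

def demo():
    ft, c, s = FlowTable(), "131.162.158.24", "216.158.133.242"
    ft.feed(build_pkt(c, 3914, s, 80, SYN))                 # campus host opens the connection
    ft.feed(build_pkt(s, 80, c, 3914, SYN | ACK))           # reply must not flip the originator
    ft.feed(build_pkt(s, 80, c, 3915, ACK, 1000))           # second connection, its SYN was not captured
    ft.feed(build_pkt("130.94.4.7", 40072, "131.162.138.193", 25, ACK, 2000))  # inbound SMTP, mid-flow
    return {k: tuple(v) for k, v in ft.stats.items()}
```

Run over a real capture, the same table would be fed from a pcap_loop callback with the Ethernet header (14 bytes on DLT_EN10MB) sliced off first; the bytes_from_client counter gives the in/out split per service.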
