Date:      Tue, 22 Oct 2002 11:21:22 -0700
From:      Darcy Buskermolen <darcy@wavefire.com>
To:        "Marc G. Fournier" <scrappy@hub.org>, freebsd-net@freebsd.org
Subject:   Re: determining "originator/source" of connection ...
Message-ID:  <200210221121.22487.darcy@wavefire.com>
In-Reply-To: <20021022143427.Y47756-100000@hub.org>
References:  <20021022143427.Y47756-100000@hub.org>

For this kind of thing I usually use ntop with the cflow connector to output
the flow data as regular CISCO flowd stuff. This data can then be analysed
using tools like rdd and friends.


On Tuesday 22 October 2002 10:47, Marc G. Fournier wrote:
> I've got FreeBSD set up as a firewall to our campus network, and it's doing
> a great job of it, but we want to be able to log statistics on traffic going
> in and out ...
>
> I have trafd running on the server, with it dumping its data to a
> PostgreSQL database, but for every ~8min "segment", it is logging ~12 000
> records ... so ~90k/hr, or 2.16 million per day ...
>
> Now, I'm figuring that if I could determine direction of flow (did we
> originate the connection, or did someone off campus originate it), I could
> shrink that greatly, as right now I have stuff like:
>
> 216.158.133.242    80  131.162.158.24  3914     6      2356     4
> 216.158.133.242    80  131.162.158.24  3915     6     47767    34
> 216.158.133.242    80  131.162.158.24  3916     6     78962    56
> 216.158.133.242    80  131.162.158.24  3917     6    330141   224
> 216.158.133.242    80  131.162.158.24  3918     6    118862    89
> 216.158.133.242    80  131.162.158.24  3919     6    264139   185
> 216.158.133.242    80  131.162.158.24  3920     6    259543   179
> 216.158.133.242    80  131.162.158.24  3921     6     98014    73
> 216.158.133.242    80  131.162.158.24  3922     6    267772   186
> 216.158.133.242    80  131.162.158.24  3923     6    148879   109
> 216.158.133.242    80  131.162.158.24  3924     6      6406     8
> 216.158.133.242    80  131.162.158.24  3925     6      2486     5
> 216.158.133.242    80  131.162.158.24  3928     6    109584    75
> 216.158.133.242    80  131.162.158.24  3929     6     92435    62
> 216.158.133.242    80  131.162.158.24  3936     6     13059     9
> 216.158.133.242    80  131.162.158.24  3937     6     22641    17
>
> where I don't care about the source port, only the dest port ... except,
> in the above, trafd is writing it as 'source port == 80' and 'dest port'
> is arbitrary ...
>
> while later in the results, I'll get something like:
>
>      130.94.4.7 40072 131.162.138.193    25     6      2976    10
>      130.94.4.7 58562 131.162.138.193    25     6      5249    16
>
> which does make sense (ie. source port -> dest port) ...
>
> is there something that I can do with libpcap that will give me better
> information than trafd does?  is there a 'tag' in the IP headers that can
> be used to determine the originator of the connection?
>
> thanks ...
>

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx:  250.763.1759
http://www.wavefire.com
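The direction question in the quoted message has a standard answer that neither the IP header nor trafd's per-port records give: for TCP, the host that sends the bare SYN (SYN set, ACK clear) is the originator, so a packet-level tool such as libpcap can tag each flow with its originator and the per-ephemeral-port rows above collapse into one row per client, server and service port. The following Python is an added example, not code from either poster or from trafd/ntop, run on constructed packet records modelled on the addresses in the quoted output; the low-port fallback for flows whose SYN was not captured is a heuristic assumption.

```python
from collections import defaultdict, namedtuple

# TCP flag bits from the TCP header (the IP header carries no such tag):
# a bare SYN marks the host that opened the connection.
SYN, ACK = 0x02, 0x10

# Constructed sample packets, not captured data:
# (src, sport, dst, dport, tcp flags, bytes on the wire).
Packet = namedtuple("Packet", "src sport dst dport flags length")
SAMPLE = [
    # campus client 131.162.158.24 opens two HTTP connections (it originates)
    Packet("131.162.158.24", 3914, "216.158.133.242", 80, SYN, 60),
    Packet("216.158.133.242", 80, "131.162.158.24", 3914, SYN | ACK, 60),
    Packet("216.158.133.242", 80, "131.162.158.24", 3914, ACK, 1500),
    Packet("131.162.158.24", 3915, "216.158.133.242", 80, SYN, 60),
    Packet("216.158.133.242", 80, "131.162.158.24", 3915, ACK, 1500),
    # off-campus MTA 130.94.4.7 delivers mail to the campus MX (it originates)
    Packet("130.94.4.7", 40072, "131.162.138.193", 25, SYN, 60),
    Packet("131.162.138.193", 25, "130.94.4.7", 40072, SYN | ACK, 60),
    Packet("130.94.4.7", 40072, "131.162.138.193", 25, ACK, 1000),
    # flow already in progress when capture started: no SYN seen
    Packet("216.158.133.242", 80, "131.162.158.24", 3928, ACK, 1500),
]


def aggregate_by_originator(packets):
    """Collapse per-port flow records into (client, server, server_port) totals.

    The originator is the host that sent the bare SYN.  If no SYN was captured
    (the connection predates the capture) the lower port is assumed to be the
    service port; that is a heuristic, not a property of the headers.
    """
    who_started = {}  # unordered endpoint pair -> (client, server, server_port)
    totals = defaultdict(lambda: [0, 0])  # key -> [bytes, packets]
    for p in packets:
        conn = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if p.flags & SYN and not p.flags & ACK:
            who_started[conn] = (p.src, p.dst, p.dport)  # authoritative
        elif conn not in who_started:
            if p.sport < p.dport:  # heuristic: service port is usually lower
                who_started[conn] = (p.dst, p.src, p.sport)
            else:
                who_started[conn] = (p.src, p.dst, p.dport)
        key = who_started[conn]
        totals[key][0] += p.length
        totals[key][1] += 1
    return {k: tuple(v) for k, v in totals.items()}


if __name__ == "__main__":
    for (client, server, port), (nbytes, npkts) in aggregate_by_originator(SAMPLE).items():
        print(f"{client:>16} -> {server}:{port:<5} {nbytes:>8} bytes {npkts:>4} pkts")
```

With the sixteen HTTP rows in the quoted output this keying would yield a single record for 131.162.158.24 talking to 216.158.133.242:80, which is the reduction the original poster was after.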
