Mailing List Archive: NTop: Misc

interface traffic direction


mam at open
May 26, 2011, 12:47 AM
Post #1 of 9
interface traffic direction

With nprobe, the direction of traffic on an interface cannot be inferred
except on the basis of IP addresses and which networks are local and which are not.
Correct?
Thanks,
Maurizio
_______________________________________________
Ntop-misc mailing list
Ntop-misc [at] listgateway
http://listgateway.unipi.it/mailman/listinfo/ntop-misc


deri at ntop
May 26, 2011, 2:22 AM
Post #2 of 9
Re: interface traffic direction

Maurizio,
you can also use MAC addresses in addition to IPs. If you have a better suggestion for doing that, I am here to listen.

Luca


---
If you can not measure it, you can not improve it - Lord Kelvin



daa at open
May 26, 2011, 8:24 AM
Post #3 of 9
Re: interface traffic direction


Ciao Luca

I have the following problem: when I include the %DIRECTION field in my
netflow V9 template, it is always set to 0 (incoming). I've used
the -L and -r options.

Moreover, nprobe --help yields:
[ 61] %DIRECTION %flowDirection It indicates where a sample has been taken (always 0)

but in the user manual you specify:
[ 61] %DIRECTION [0=ingress][1=egress] flow


I have the following setup:

                    eth1     eth0
INTERNAL-----------|ROUTER|-------EXTERNAL
                              nprobe

and nprobe is listening on eth0.

As I understand the -L option, I can just specify the internal
network and set -r; then the traffic towards the local network is
flagged as incoming and the traffic from the local network is flagged as
outgoing. Does this mean that the field %DIRECTION is set to 0 / 1
accordingly?

Another possibility would be to specify -u / -Q / -1 and match the
direction with the MAC address. I'm still not sure if I got it right.

Can I specify -1 with the sender MAC address of eth0 (-1 XX:XX::XX@1) and
then -u0 and -Q1? So that everything which is sent by MAC address
XX:XX::XX will be flagged as outgoing and everything else as incoming?
Could you please explain briefly how to do that if I haven't got it correct?

Thanks a lot for your help.

Cheers,
Dani




jnebrera at eneotecnologia
May 27, 2011, 1:05 AM
Post #4 of 9
Re: interface traffic direction

Hi Daniel,

I'm not sure about this, Luca should know much better, but I recall that
libpcap on Linux was unable to determine the direction of the traffic it
was sniffing, so it is going to be hard to get the probe to do so.

Now, I don't know whether this limitation is shared by pf_ring or not.


--
Jaime Nebrera - jnebrera [at] eneotecnologia
Consultor TI - ENEO Tecnologia SL
C/ Manufactura 2, Edificio Euro, Oficina 3N
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18



daa at open
May 30, 2011, 12:28 AM
Post #5 of 9
Re: interface traffic direction


Hi Jaime,

Thanks for your reply. You're perfectly right about that. nprobe is only
able to figure the direction out from what it gets from pcap, which is
only packet-level information (L2 and up); the interface information is
lost for pcap portability reasons.

However, it should be possible to guess the direction either from Level 3
information (just specify which networks are "inside") or from Level 2
information (just specify which is the "local" MAC address of the TX
interface and flag all the traffic with this MAC address as src MAC as
outgoing). Unfortunately, the second method will only work if you run
nprobe on an in-line device (the traffic flows through) and not on a
"tap" device (the traffic is mirrored to the interface).

Nevertheless, I haven't figured out how to achieve that with my
version of nprobe, since the direction field of my netflow template is
always set to 0 (incoming).

Thanks for any comments in advance.

Cheers,
Daniel





deri at ntop
May 30, 2011, 1:27 AM
Post #6 of 9
Re: interface traffic direction

Daniel
this is how to do it (nprobe -h)

Note on interface indexes and (router) MAC/IP addresses
---------------------------------------------------
Flags -u and -Q are used to specify the SNMP interface identifiers for emitted flows.
However using --if-networks it is possible to specify an interface identifier to which
a MAC address or IP network is bound. The syntax of --if-networks is:
<MAC|IP/mask>@<interfaceId> where multiple entries can be separated by a comma (,).
Example: --if-networks "AA:BB:CC:DD:EE:FF@3,192.168.0.0/24@2" or
--if-networks @<filename> where <filename> is a file path containing the networks
specified using the above format.


Luca


daa at open
May 31, 2011, 2:19 AM
Post #7 of 9
Re: interface traffic direction


Ciao Luca

Thanks.
The interfaces are tagged correctly; however, the direction field
(template field id 61) is not set correctly (always zero (inbound)).

nprobe -h:
[ 61] %DIRECTION %flowDirection It indicates where a sample has been taken (always 0)

Normally, this field has to be set to 1 if it is egress traffic and to
0 if it is inbound traffic. So if this help output is correct, I've no
chance of getting the direction field set correctly, however I tag my
interfaces, right?

When I specify --if-network AA:BB:CC:DD:EE:FF@3, does this mean that all
packets with AA:BB:CC:DD:EE:FF as SRC MAC address are assigned
interface ident 3?

If this is correct, and AA:BB:CC:DD:EE:FF is my WAN device MAC, then I
should be able to specify the traffic direction by:

nprobe --if-network AA:BB:CC:DD:EE:FF@3 -Q3 -u0 ...

Thanks a lot for your help!

Cheers,
Dani



deri at ntop
May 31, 2011, 10:59 AM
Post #8 of 9
Re: interface traffic direction

Hi Daniel

On May 31, 2011, at 11:19 AM, Daniel Aschwanden wrote:

> Ciao Luca
>
> Thanks.
> The interfaces are tagged correctly; however, the direction field
> (template field id 61) is not set correctly (always zero (inbound)).
>
> nprobe -h:
> [ 61] %DIRECTION %flowDirection It indicates where a sample has been taken (always 0)
>
> Normally, this field has to be set to 1 if it is egress traffic and to
> 0 if it is inbound traffic. So if this help output is correct, I've no
> chance of getting the direction field set correctly, however I tag my
> interfaces, right?
>
The direction is 0 because nprobe has no clue about it. This is what collectors expect in this case (I mean a sniffer-based probe).


> When I specify --if-network AA:BB:CC:DD:EE:FF@3, does this mean that all
> packets with AA:BB:CC:DD:EE:FF as SRC MAC address are assigned
> interface ident 3?
>
> If this is correct, and AA:BB:CC:DD:EE:FF is my WAN device MAC, then I
> should be able to specify the traffic direction by:
>
> nprobe --if-network AA:BB:CC:DD:EE:FF@3 -Q3 -u0 ...
>
Correct

Luca


---
Bildung ist kein Verbrechen (Education is not a crime)






daa at open
Jun 7, 2011, 7:40 AM
Post #9 of 9
Re: interface traffic direction


Ciao Luca

I'm still a bit confused about that interface tagging:

in the config file I have:
--if-networks="00:50:56:00:02:C8@2"
-Q=0
-u=0

so it should assign in/out interface 0->0 to all traffic except that
coming from SRC MAC 00:50:56:00:02:C8 (this should be set to 2->0/0->2).

But in the debugging output of nprobe I get:

07/Jun/2011 16:20:24 [engine.c:1314] New Flow: [tcp] 10.0.3.2:49086 -> 10.0.1.2:22 [00:50:56:00:02:D8 -> 00:50:56:00:02:C8][vlan 0][tos 16][ifIdx: 0 -> 0]
07/Jun/2011 16:20:24 [engine.c:1314] New Flow: [tcp] 10.0.1.2:22 -> 10.0.3.2:49086 [00:50:56:00:02:C8 -> 00:50:56:00:02:D8][vlan 0][tos 0][ifIdx: 0 -> 0]

In my eyes the interfaces of the flows above should have been tagged
according to the configuration file.

On the other hand, if I specify an IP address instead of a MAC address:
--if-networks="10.0.1.0/24@2"
-Q=0
-u=0

then I get it correct:

07/Jun/2011 16:01:28 [engine.c:1314] New Flow: [tcp] 10.0.3.2:53513 -> 10.0.1.2:22 [00:50:56:00:02:D8 -> 00:50:56:00:02:C8][vlan 0][tos 16][ifIdx: 0 -> 2]
07/Jun/2011 16:01:28 [engine.c:1314] New Flow: [tcp] 10.0.1.2:22 -> 10.0.3.2:53513 [00:50:56:00:02:C8 -> 00:50:56:00:02:D8][vlan 0][tos 0][ifIdx: 2 -> 0]


Thanks in advance for your help.

Cheers,
Dani

On 05/31/2011 07:59 PM, Luca Deri wrote:
>> When I specify --if-network AA:BB:CC:DD:EE:FF@3, does this mean that all
>> packets with AA:BB:CC:DD:EE:FF as SRC MAC address are assigned
>> interface ident 3?
>>
>> If this is correct, and AA:BB:CC:DD:EE:FF is my WAN device MAC, then I
>> should be able to specify the traffic direction by:
>>
>> nprobe --if-network AA:BB:CC:DD:EE:FF@3 -Q3 -u0 ...
>>
> Correct


--
daniel aschwanden
junior engineer

open systems ag
raeffelstrasse 29
ch-8045 zurich
t: +41 44 455 74 96
f: +41 44 455 74 01
daa [at] open

http://www.open.ch
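The interface tagging discussed in this thread, as an added example (it is not nprobe's code and was not posted by anyone in the thread): a small Python script that implements the --if-networks syntax exactly as the `nprobe -h` text quoted by Luca describes it (a MAC address or an IP/mask bound to an interface id, comma-separated, or @<filename>), applies -u as the input ifIdx default and -Q as the output ifIdx default, and then re-tags the two pairs of "New Flow" debug lines from Daniel's last post so the result can be compared with what nprobe printed. Every function name (parse_if_networks, tag_flow, flow_direction, retag, ...) is the example's own; the flow_direction() heuristic is the -L/-r style idea from the thread (source side bound to a "local" interface id, destination side not), not nprobe's %DIRECTION field, which Luca says nprobe always leaves at 0. How the @<filename> form delimits its entries is an assumption (one entry per line or comma-separated).

```python
"""Interface tagging from an nprobe-style --if-networks spec.

Added example, not nprobe code. Implements the syntax printed by `nprobe -h`:
    <MAC|IP/mask>@<interfaceId>[,...]     or     @<filename>
and the -u (input ifIdx default) / -Q (output ifIdx default) semantics.
All helper names are this example's own, not nprobe's.
"""
import ipaddress
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
# Matches the IPv4 "New Flow" debug lines quoted in the thread.
FLOW_RE = re.compile(
    r"New Flow: \[(?P<proto>\w+)\] (?P<sip>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"\[(?P<smac>[0-9A-Fa-f:]+) -> (?P<dmac>[0-9A-Fa-f:]+)\]"
    r".*\[ifIdx: (?P<in_idx>\d+) -> (?P<out_idx>\d+)\]"
)


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_mac: str
    dst_mac: str
    in_idx: int   # ifIdx pair as nprobe printed it
    out_idx: int


def parse_flow_line(line: str) -> Flow:
    """Parse one nprobe 'New Flow' debug line (IPv4 only, as in the thread)."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"not an nprobe New Flow line: {line!r}")
    g = m.groupdict()
    return Flow(g["proto"], g["sip"], int(g["sport"]), g["dip"], int(g["dport"]),
                g["smac"].lower(), g["dmac"].lower(), int(g["in_idx"]), int(g["out_idx"]))


def parse_if_networks(spec: str):
    """Split '<MAC|IP/mask>@<ifIdx>,...' into ({mac: ifIdx}, [(network, ifIdx), ...]).

    Assumption: the '@<filename>' form holds entries one per line or comma-separated.
    """
    if spec.startswith("@"):
        with open(spec[1:], encoding="utf-8") as fh:
            spec = ",".join(l.strip() for l in fh if l.strip() and not l.startswith("#"))
    mac_map, nets = {}, []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        key, sep, idx = entry.rpartition("@")
        if not sep or not idx.isdigit():
            raise ValueError(f"bad --if-networks entry: {entry!r}")
        if MAC_RE.match(key):
            mac_map[key.lower()] = int(idx)
        else:
            nets.append((ipaddress.ip_network(key, strict=False), int(idx)))
    return mac_map, nets


def endpoint_ifindex(mac: str, ip: str, mac_map, nets, default: int) -> int:
    """A MAC binding wins; otherwise longest-prefix match over the IP networks; else default."""
    if mac.lower() in mac_map:
        return mac_map[mac.lower()]
    addr = ipaddress.ip_address(ip)
    best = None
    for net, idx in nets:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, idx)
    return best[1] if best else default


def tag_flow(flow: Flow, spec: str, u_input: int = 0, q_output: int = 0):
    """(input ifIdx, output ifIdx): the source side selects input, the destination side output.
    -u is the input default and -Q the output default when nothing in the spec matches."""
    mac_map, nets = parse_if_networks(spec)
    return (endpoint_ifindex(flow.src_mac, flow.src_ip, mac_map, nets, u_input),
            endpoint_ifindex(flow.dst_mac, flow.dst_ip, mac_map, nets, q_output))


def flow_direction(flow: Flow, spec: str, local_ifindexes) -> int:
    """Thread-style heuristic, NOT nprobe's %DIRECTION (which the thread says is always 0):
    1 = egress when the source is bound to a local ifIdx and the destination is not, else 0."""
    in_idx, out_idx = tag_flow(flow, spec)
    return 1 if in_idx in local_ifindexes and out_idx not in local_ifindexes else 0


# Constructed from the debug lines quoted in the thread, re-joined onto one line each.
IP_RUN_LINES = [   # nprobe run with --if-networks="10.0.1.0/24@2" -Q=0 -u=0
    "07/Jun/2011 16:01:28 [engine.c:1314] New Flow: [tcp] 10.0.3.2:53513 -> 10.0.1.2:22 "
    "[00:50:56:00:02:D8 -> 00:50:56:00:02:C8][vlan 0][tos 16][ifIdx: 0 -> 2]",
    "07/Jun/2011 16:01:28 [engine.c:1314] New Flow: [tcp] 10.0.1.2:22 -> 10.0.3.2:53513 "
    "[00:50:56:00:02:C8 -> 00:50:56:00:02:D8][vlan 0][tos 0][ifIdx: 2 -> 0]",
]
MAC_RUN_LINES = [  # nprobe run with --if-networks="00:50:56:00:02:C8@2" -Q=0 -u=0
    "07/Jun/2011 16:20:24 [engine.c:1314] New Flow: [tcp] 10.0.3.2:49086 -> 10.0.1.2:22 "
    "[00:50:56:00:02:D8 -> 00:50:56:00:02:C8][vlan 0][tos 16][ifIdx: 0 -> 0]",
    "07/Jun/2011 16:20:24 [engine.c:1314] New Flow: [tcp] 10.0.1.2:22 -> 10.0.3.2:49086 "
    "[00:50:56:00:02:C8 -> 00:50:56:00:02:D8][vlan 0][tos 0][ifIdx: 0 -> 0]",
]


def retag(lines, spec: str):
    """Per debug line: ((in, out) as nprobe printed it, (in, out) the spec implies)."""
    return [((f.in_idx, f.out_idx), tag_flow(f, spec)) for f in map(parse_flow_line, lines)]


if __name__ == "__main__":
    for lines, spec in ((IP_RUN_LINES, "10.0.1.0/24@2"), (MAC_RUN_LINES, "00:50:56:00:02:C8@2")):
        for printed, implied in retag(lines, spec):
            print(f"{spec:20s} nprobe printed ifIdx {printed}, spec implies {implied}")
```

Run as is, the IP-network spec reproduces the 0 -> 2 / 2 -> 0 pair that nprobe printed, while for the MAC spec the script derives the same 0 -> 2 / 2 -> 0 pair that Daniel expected but nprobe printed 0 -> 0, which is exactly the discrepancy his last post reports. The longest-prefix rule in endpoint_ifindex() is the example's own choice for overlapping IP entries; the quoted help text does not say how nprobe resolves them.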
