Argus on multiple interfaces with NAT
Carter Bullard
carter at qosient.com
Tue Mar 19 08:20:21 EST 2002
Hey Christian,
I see how you're running ra() to get the data, but how
is argus() configured? It appears to me that argus is
getting duplicate copies of the same packet. You may
have Argus configured to read packets from all the
interfaces (possibly using the "any" interface?).
This is not good, as it will get the same packet on the
way in and on the way out. Best to get the packet only
once.
How is argus configured to run? How many interfaces
have you got?
Carter
Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York 10022
carter at qosient.com
Phone +1 212 588-9133
Fax +1 212 588-9134
http://qosient.com
> -----Original Message-----
> From: Christian Martin [mailto:c.martin at jesus.cam.ac.uk]
> Sent: Tuesday, March 19, 2002 8:09 AM
> To: carter at qosient.com
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: RE: Argus on multiple interfaces with NAT
>
>
> Many thanks for your helpful reply. I hope you enjoyed your
> well-deserved vacation!
>
> > From your description, it appears that libpcap is getting
> > its data after iptables has had its way with the packets.
> > Is this correct? That doesn't seem like the right behavior.
>
> I know it sounds rather strange, but that seems to be exactly
> what is happening. Here's what happens when I download a 1MB
> file to a specific host through the NAT box:
>
> # ra -S localhost -P argus - host 192.168.1.1
> ra: Trying localhost port 561 Expecting Argus records
> ra: connected
> Start_Time Duration Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt Dstpkt SrcBytes DstBytes State
> 02-03-19 11:29:02.266726 14.623536 tcp 192.168.1.1.1522 -> 1.2.3.4.80 0 727 0 1088205 FIN
>
> ... and when a 1MB file is uploaded through the NAT box:
>
> # ra -S localhost -P argus - host 1.2.3.4
> ra: Trying localhost port 561 Expecting Argus records
> ra: connected
> Start_Time Duration Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt Dstpkt SrcBytes DstBytes State
> 02-03-19 11:32:11.790286 4.789581 tcp 1.2.3.4.1289 -> 192.168.1.1.80 735 0 48630 0 FIN
> 02-03-19 11:32:11.790545 4.779115 tcp 1.2.3.4.1289 -> 131.111.1.1.80 0 740 0 1097754 FIN
>
> (presumably the first packet is just the HTTP request)
>
> In each case the argus datastream is on the EXTERNAL
> interface only. 192.168.1.1 is the internal IP of the
> internal host, 1.2.3.4 is a remote host and 131.111.1.1 is
> the translated IP of the internal host (but is shared by many
> internal hosts).
>
> > It seems to me that the best situation would be for you
> > to selectively read packets from just your internal interfaces.
>
> That would seem to be the easiest way, but once again NAT
> confuses argus. Monitoring an upload on the INTERNAL
> interface, pre-translation information is available, but the
> upload data is duplicated after the headers are
> translated:
>
> # ra -S localhost -P argus2 - host 1.2.3.4
> ra: Trying localhost port 562 Expecting Argus records
> ra: connected
> Start_Time Duration Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt Dstpkt SrcBytes DstBytes State
> 02-03-19 11:36:40.735940 4.630400 s tcp 1.2.3.4.1294 -> 192.168.1.1.80 1470 740 97260 1097756 FIN
> 02-03-19 11:36:40.736164 4.616529 tcp 1.2.3.4.1294 -> 131.111.1.1.80 0 740 0 1097756 FIN
>
> For downloads, however, it seems to mix up pre-NAT and
> post-NAT packets. The download of a 1MB file is logged as a
> download of a 2MB file (presumably because libpcap is seeing
> 1MB into the pre-NAT IP and 1MB into the post-NAT
> IP!):
>
> # ra -S localhost -P argus2 - host 192.168.1.1
> ra: Trying localhost port 562 Expecting Argus records
> ra: connected
> Start_Time Duration Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt Dstpkt SrcBytes DstBytes State
> 02-03-19 11:40:57.211782 33.208012 dS tcp 192.168.1.1.1683 -> 1.2.3.4.80 378 1456 23087 2176482 FIN
>
> ... so I guess the solution is to get information on
> downloads (only) by running argus on the external interface,
> and information on uploads (only) by running argus on the
> internal interfaces through a filter as you suggest. Assuming
> this is the way forward, some more questions for you (sorry!):
>
> 1. We have a number of discrete networks using IPs in private
> address ranges, and a lot of packets flying around. Would a
> complex (say, 10-clause) filter expression cause a serious hit
> on argus performance?
>
> 2. Is there a way of determining within a filter expression
> whether a transaction is truly an upload (so log it on the
> internal interfaces) or a download (so ignore it on the
> internal interfaces)? Until now I've been checking whether
> the IP to which the arrow points is internal or external with
> a subsequent post-process.
>
> 3. Referring back to my original e-mail, and assuming that I
> need to monitor the external interface for downloads and the
> internal interfaces for uploads, presumably I'll need to run
> two argi. Presumably these should be configured with
> different ports for remote access, but can one ra (or
> whatever) collect data from two argi on two ports? What
> would be the most efficient way to collect the data remotely
> (I can't store it locally).
>
> Many thanks indeed for any help, which is most gratefully received.
>
> Christian
>
> --
> Christian Martin
> IT Department
> Jesus College, Cambridge
> e-mail: c.martin at jesus.cam.ac.uk
> telephone: 01223-(7)64101
>
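As an added worked example (not code from this thread or from the Argus project), the check below parses ra records in the column layout quoted above and flags pairs of records that are pre-/post-NAT copies of the same flow, so a collector can drop the translated copy instead of counting its bytes twice. The sample lines are constructed; the private address prefixes and the 5 ms pairing window are assumptions.

```python
"""Spot ra flow records that are pre-/post-NAT copies of one flow and drop the copy."""
from datetime import datetime

# Constructed sample lines in the column layout ra printed in the thread; not captured output.
SAMPLE = """\
02-03-19 11:36:40.735940 4.630400 s tcp 1.2.3.4.1294 -> 192.168.1.1.80 1470 740 97260 1097756 FIN
02-03-19 11:36:40.736164 4.616529 tcp 1.2.3.4.1294 -> 131.111.1.1.80 0 740 0 1097756 FIN
02-03-19 11:38:02.100000 1.200000 tcp 10.0.0.7.4021 -> 1.2.3.4.80 12 10 900 14000 FIN
"""
INTERNAL = ("192.168.", "10.")  # assumption: the private ranges sitting behind the NAT box

def parse_ra_line(line):
    """Parse one ra line; columns are fixed from the right, so the optional Flgs column is what is left."""
    t = line.split()
    if t[-7] != "->":
        raise ValueError("unexpected direction token: %s" % t[-7])
    return {
        "start": datetime.strptime(t[0] + " " + t[1], "%y-%m-%d %H:%M:%S.%f"),
        "dur": float(t[2]), "flags": " ".join(t[3:-9]), "proto": t[-9],
        "src": t[-8], "dst": t[-6], "spkt": int(t[-5]), "dpkt": int(t[-4]),
        "sbytes": int(t[-3]), "dbytes": int(t[-2]), "state": t[-1],
    }

def parse_ra(text):
    return [parse_ra_line(l) for l in text.splitlines() if l.strip()]

def host_port(addr):
    """'131.111.1.1.80' -> ('131.111.1.1', '80'); ra appends the port as a last dotted field."""
    host, _, port = addr.rpartition(".")
    return host, port

def find_nat_duplicates(flows, window_ms=5.0):
    """(pre_nat, post_nat) pairs: same src and dst port, one internal and one translated dst host,
    started within window_ms of each other, and identical reply-direction packet/byte counts."""
    pairs = []
    for i, a in enumerate(flows):
        for b in flows[i + 1:]:
            ah, ap = host_port(a["dst"]); bh, bp = host_port(b["dst"])
            gap_ms = abs((b["start"] - a["start"]).total_seconds()) * 1000
            if (a["proto"], a["src"], ap) != (b["proto"], b["src"], bp) or ah == bh:
                continue
            if gap_ms > window_ms or ah.startswith(INTERNAL) == bh.startswith(INTERNAL):
                continue
            if (a["dpkt"], a["dbytes"]) == (b["dpkt"], b["dbytes"]):
                pairs.append((a, b) if ah.startswith(INTERNAL) else (b, a))
    return pairs

def drop_nat_copies(flows):
    """Keep the pre-NAT record of each pair so the transfer is counted once."""
    copies = {id(post) for _, post in find_nat_duplicates(flows)}
    return [f for f in flows if id(f) not in copies]
```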