Argus on multiple interfaces with NAT

Carter Bullard carter at qosient.com
Tue Mar 19 08:20:21 EST 2002


Hey Christian,
   I see how you're running ra() to get the data, but how
is argus() configured?  It appears to me that argus is
getting duplicate copies of the same packet.  You may
have Argus configured to read packets from all the
interfaces (possibly using the "any" interface?).
This is not good, as it will get the same packet on the
way in and on the way out.  Best to get the packet only
once.

   How is argus configured to run?  How many interfaces
have you got?

Carter

Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 18K
New York, New York  10022

carter at qosient.com
Phone +1 212 588-9133
Fax   +1 212 588-9134
http://qosient.com

> -----Original Message-----
> From: Christian Martin [mailto:c.martin at jesus.cam.ac.uk] 
> Sent: Tuesday, March 19, 2002 8:09 AM
> To: carter at qosient.com
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: RE: Argus on multiple interfaces with NAT
> 
> 
> Many thanks for your helpful reply.  I hope you enjoyed your 
> well-deserved vacation!
> 
> > From your description, it appears that libpcap is getting
> > its data after iptables has had its way with the packets.
> > Is this correct?  That doesn't seem like the right behavior.
> 
> I know it sounds rather strange, but that seems to be exactly 
> what is happening.  Here's what happens when I download a 1MB 
> file to a specific host through the NAT box:
> 
> # ra -S localhost -P argus - host 192.168.1.1
> ra: Trying localhost port 561 Expecting Argus records
> ra: connected
>        Start_Time          Duration  Flgs  Type SrcAddr    Sport  Dir
> DstAddr Dport  SrcPkt  Dstpkt  SrcBytes  DstBytes  State
> 02-03-19 11:29:02.266726   14.623536       tcp  192.168.1.1.1522  ->
> 1.2.3.4.80     0       727     0         1088205   FIN
> 
> ... and when a 1MB file is uploaded through the NAT box:
> 
> # ra -S localhost -P argus - host 1.2.3.4
> ra: Trying localhost port 561 Expecting Argus records
> ra: connected
>        Start_Time          Duration  Flgs  Type SrcAddr Sport 
>  Dir  DstAddr
> Dport  SrcPkt  Dstpkt  SrcBytes  DstBytes  State
> 02-03-19 11:32:11.790286   4.789581        tcp  1.2.3.4.1289   ->
> 192.168.1.1.80  735     0       48630     0         FIN
> 02-03-19 11:32:11.790545   4.779115        tcp  1.2.3.4.1289   ->
> 131.111.1.1.80  0       740     0         1097754   FIN
> 
> (presumably the first packet is just the HTTP request)
> 
> In each case the argus datastream is on the EXTERNAL 
> interface only. 192.168.1.1 is the internal IP of the 
> internal host, 1.2.3.4 is a remote host and 131.111.1.1 is 
> the translated IP of the internal host (but is shared by many 
> internal hosts).
> 
> > It seems to me that the best situation would be for you
> > to selectively read packets from just your internal interfaces.
> 
> That would seem to be the easiest way, but once again NAT 
> confuses argus. Monitoring an upload on the INTERNAL 
> interface, pre-translation information is available, but the 
> upload data is duplicated after the headers are
> translated:
> 
> # ra -S localhost -P argus2 - host 1.2.3.4
> ra: Trying localhost port 562 Expecting Argus records
> ra: connected
>        Start_Time          Duration  Flgs  Type SrcAddr Sport 
>  Dir  DstAddr
> Dport  SrcPkt  Dstpkt  SrcBytes  DstBytes  State
> 02-03-19 11:36:40.735940   4.630400  s     tcp  1.2.3.4.1294   ->
> 192.168.1.1.80  1470    740     97260     1097756   FIN
> 02-03-19 11:36:40.736164   4.616529        tcp  1.2.3.4.1294   ->
> 131.111.1.1.80  0       740     0         1097756   FIN
> 
> For downloads, however, it seems to mix up pre-NAT and 
> post-NAT packets. The download of a 1MB file is logged as a 
> download of a 2MB file (presumably because libpcap is seeing 
> 1MB into the pre-NAT IP and 1MB into the post-NAT
> IP!):
> 
> # ra -S localhost -P argus2 - host 192.168.1.1
> ra: Trying localhost port 562 Expecting Argus records
> ra: connected
>        Start_Time          Duration  Flgs  Type SrcAddr    Sport  Dir
> DstAddr Dport  SrcPkt  Dstpkt  SrcBytes  DstBytes  State
> 02-03-19 11:40:57.211782   33.208012 dS    tcp  192.168.1.1.1683  ->
> 1.2.3.4.80     378     1456    23087     2176482   FIN
> 
> ... so I guess the solution is to get information on 
> downloads (only) by running argus on the external interface, 
> and information on uploads (only) by running argus on the 
> internal interfaces through a filter as you suggest. Assuming 
> this is the way forward, some more questions for you (sorry!):
> 
> 1. We have a number of discrete networks using IPs in private 
> address ranges, and a lot of packets flying around.  Would a 
> complex (say, 10-clause) filter expression cause a serious hit 
> on argus performance?
> 
> 2. Is there a way of determining within a filter expression 
> whether a transaction is truly an upload (so log it on the 
> internal interfaces) or a download (so ignore it on the 
> internal interfaces)?  Until now I've been checking whether 
> the IP to which the arrow points is internal or external with 
> a subsequent post-process.
> 
> 3. Referring back to my original e-mail, and assuming that I 
> need to monitor the external interface for downloads and the 
> internal interfaces for uploads, presumably I'll need to run 
> two argi.  Presumably these should be configured with 
> different ports for remote access, but can one ra (or
> whatever) collect data from two argi on two ports?  What 
> would be the most efficient way to collect the data remotely 
> (I can't store it locally).
> 
> Many thanks indeed for any help, which is most gratefully received.
> 
> Christian
> 
> --
> Christian Martin
> IT Department
> Jesus College, Cambridge
> e-mail: c.martin at jesus.cam.ac.uk
> telephone: 01223-(7)64101
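The post-process Christian describes (deciding upload versus download by which side the arrow points at) and the pre-NAT/post-NAT duplicate records visible in his ra output, as an added Python example that is not part of the thread or of argus itself. It assumes 192.168.0.0/16 as the internal range and 131.111.1.1 as the translated address, and collapses the duplicate copies of a flow by taking the larger counter rather than summing them.

```python
import ipaddress
from datetime import datetime

# Assumptions, not from the post: internal range and the shared post-NAT address.
INTERNAL = ipaddress.ip_network("192.168.0.0/16")
NAT_IP = ipaddress.ip_address("131.111.1.1")

# Constructed sample: the post's ra records, each reflowed onto one line.
SAMPLE = """\
02-03-19 11:29:02.266726   14.623536       tcp  192.168.1.1.1522  -> 1.2.3.4.80     0       727     0         1088205   FIN
02-03-19 11:36:40.735940   4.630400  s     tcp  1.2.3.4.1294   -> 192.168.1.1.80  1470    740     97260     1097756   FIN
02-03-19 11:36:40.736164   4.616529        tcp  1.2.3.4.1294   -> 131.111.1.1.80  0       740     0         1097756   FIN
""".splitlines()

def split_addr(a):
    host, port = a.rsplit(".", 1)          # ra prints host.port joined by a dot
    return ipaddress.ip_address(host), int(port)

def parse_ra(line):
    """Parse one ra record; '->' anchors the columns because Flgs may be blank."""
    f = line.split()
    i = f.index("->")
    return {"start": datetime.strptime(f[0] + " " + f[1], "%y-%m-%d %H:%M:%S.%f"),
            "dur": float(f[2]), "flags": f[3] if i == 6 else "", "proto": f[i - 2],
            "src": split_addr(f[i - 1]), "dst": split_addr(f[i + 1]),
            "spkt": int(f[i + 2]), "dpkt": int(f[i + 3]),
            "sbytes": int(f[i + 4]), "dbytes": int(f[i + 5]), "state": f[i + 6]}

def classify(rec):
    """Upload when the arrow points at an internal (or translated) address."""
    dst = rec["dst"][0]
    return "upload" if dst in INTERNAL or dst == NAT_IP else "download"

def merge_nat_duplicates(records, window=1.0):
    """Collapse pre-NAT and post-NAT copies of one flow: same remote endpoint, proto
    and server port, started within `window` s. Internal address wins; counters are
    max'ed, assuming each copy counted the same packets again (not summed)."""
    merged = []
    for r in records:
        for m in merged:
            same = (m["proto"], m["src"], m["dst"][1]) == (r["proto"], r["src"], r["dst"][1])
            near = abs((m["start"] - r["start"]).total_seconds()) <= window
            if same and near and NAT_IP in (m["dst"][0], r["dst"][0]):
                if m["dst"][0] == NAT_IP:
                    m["dst"] = r["dst"]
                for k in ("spkt", "dpkt", "sbytes", "dbytes"):
                    m[k] = max(m[k], r[k])
                break
        else:
            merged.append(dict(r))
    return merged
```

Run over the sample, the two 11:36:40 records collapse into one upload of 1097756 bytes to 192.168.1.1, while the 11:29:02 record stays a single download.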


