De-aggregating multiple MAC addresses in flows

Phillip Deneault via Argus-info argus-info at lists.andrew.cmu.edu
Thu Dec 31 14:03:34 EST 2015


Hello all,

I've been experimenting with using argus to debug firewall traffic
patterns.  In my scenario, I have passive taps on either side of the
firewall which have both sets of traffic aggregated into the same physical
sniffing port.  That port has argus listening to it with MAC address data
turned on (-m) and is generating flows to a file.  Both src and dst IPs lie
in VLANs the firewall is moving files between.

When ra is reading back the records, it puts an 'M' in the flgs field, which
is correct, because both sides of the firewall would be passing the same
traffic (ideally) and so the same IP layer would have different MAC
addresses (one packet from the src to the firewall, and the same packet
from the firewall to the dst).

Is it possible to de-aggregate the MAC addresses so that I can be sure that
I can see packets from both sides of the firewall?  Or is that data lost
when Argus processes the packets and generates the flow record?

This scenario is a little odd, I admit.  I need two fields for each flow to
determine the correct 'position' and 'direction' of each packet.  The src
VLAN tells me what side of the firewall the packet is on and the src and
dst MAC addresses tell me the direction it's headed.  The IP layer tells me
only the _intended_ direction of each packet (which is useful, because
that's how the firewall rules are built, but that's not my problem right
yet).

I'm hoping that in de-aggregating the MAC addresses, it would also
correctly populate the src VLAN ids at the same time and I would get the
flow 'resolution' I need to perform the debugging.  Otherwise... it's back
to packet-level processing! :-/

Thanks,
Phil
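As an added illustration of the position/direction logic Phil describes (not code from the post or from the argus project), the script below parses flow records in the shape of `ra -c , -s stime flgs saddr daddr smac dmac svlan` output, derives the side of the firewall from the src VLAN and the direction from which MAC is the firewall's, treats any record carrying the 'M' flag as direction-ambiguous, and reports which address pairs were actually seen on both tapped VLANs. The sample records and the firewall interface MACs are constructed assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the shape of `ra -c , -s stime flgs saddr daddr smac dmac svlan`
# output; addresses, MACs and VLAN ids are made up for the illustration.
RA_CSV = """\
stime,flgs,saddr,daddr,smac,dmac,svlan
1451581414.100,         ,10.1.1.5,10.2.2.9,aa:aa:aa:00:00:05,02:fa:ce:00:00:10,10
1451581414.101,         ,10.1.1.5,10.2.2.9,02:fa:ce:00:00:20,bb:bb:bb:00:00:09,20
1451581414.200,         ,10.2.2.9,10.1.1.5,bb:bb:bb:00:00:09,02:fa:ce:00:00:20,20
1451581414.300,   M     ,10.1.1.7,10.2.2.9,aa:aa:aa:00:00:07,02:fa:ce:00:00:10,10
"""

# Assumed firewall interface MAC on each tapped VLAN (not from the post).
FW_MAC = {"10": "02:fa:ce:00:00:10", "20": "02:fa:ce:00:00:20"}


def parse_ra_csv(text):
    """Parse comma-separated ra output; ra pads fields, so strip every value."""
    reader = csv.DictReader(StringIO(text))
    return [{k.strip(): v.strip() for k, v in row.items()} for row in reader]


def classify(rec):
    """Return (position, direction, merged) for one flow record.

    position comes from the source VLAN; direction from which MAC is the
    firewall's. An 'M' in flgs means argus merged packets with differing
    MACs into this record, so smac/dmac no longer identify one direction.
    """
    merged = "M" in rec["flgs"]
    position = f"vlan {rec['svlan']}"
    fw = FW_MAC.get(rec["svlan"])
    if merged:
        direction = "ambiguous"
    elif rec["dmac"] == fw:
        direction = "to-firewall"
    elif rec["smac"] == fw:
        direction = "from-firewall"
    else:
        direction = "unknown"
    return position, direction, merged


def sides_seen(records):
    """Map each (saddr, daddr) pair to the set of VLANs it was observed on;
    a pair seen on a single VLAN was not captured on both sides of the firewall."""
    seen = defaultdict(set)
    for rec in records:
        seen[(rec["saddr"], rec["daddr"])].add(rec["svlan"])
    return dict(seen)
```

A pair that maps to only one VLAN, or a record classified as ambiguous, marks exactly the spot where the flow data alone cannot answer the question and packet-level inspection is still needed.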