Akamai WAF
Eric Kinzie
eric at qosient.com
Thu Oct 18 08:47:11 EDT 2018
On October 17, 2018 12:47:43 PM EDT, Monah Baki <monahbaki at gmail.com> wrote:
>Hi all,
>
>We are using Akamai WAF services to protect our webserver. Currently
>running the latest argus/client on the webserver. When running ratop, the
>SrcAddr shows only the Akamai IP (a23-212-3-119.deploy.static.akamaitechn*)
>hitting our webserver.
>Akamai confirmed True-Client-IP is enabled and we should be able to see the
>real IP in the request header. Can I get this info when using ratop?
>
>
>Trans StartTime SrcAddr Sport sCo DstAddr Dport dCo srcUdata dstUdata
> 14 12:42:39.209029 a23-212-3-119.deploy.static.akamaitechn*.49057
> US www.ntis.gov.https ZZ
>s[50]=............s~V-...Tl....x..`...<.#.4^.+..a ..+...
>d[50]=....Y...U..[.f...=...|.I....:.t..?..:Yc...& O.-G].
> 2 12:45:50.752456 a23-212-53-84.deploy.static.akamaitechn*.61219
> US www.ntis.gov.https ZZ
>s[50]=...........g.....E{.K.:S.4..4.e.F_..^.A."Rx o#Rr&3
>d[50]=....Q...M..[.g>.....*..... ....G.as.V..y..d o#Rr&3
>
>
>Thanks
>Monah
Since this value is in the HTTP headers and, in this case, HTTPS is used, you will not be able to see the address in the Argus user buffers. For non-encrypted HTTP, set the ARGUS_CAPTURE_DATA_LEN to something large enough to get all of the HTTP headers and then the duser column in ratop should show what you want.
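
An added example, not part of the original reply or of the Argus code base: for plain HTTP, this Python code pulls True-Client-IP out of a captured source user-data buffer and finds how many captured bytes that takes, compared with the 50-byte buffers in the quoted ratop output. The request bytes, the TLS bytes and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: start of a plain-HTTP request as an origin behind a CDN
# might receive it. All values are made up (203.0.113.7 is a documentation address).
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    b"Accept: text/html\r\n"
    b"True-Client-IP: 203.0.113.7\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Constructed sample: 50 bytes shaped like the start of a TLS handshake record.
# With HTTPS this is all the sensor sees; the HTTP headers are encrypted.
SAMPLE_TLS = bytes.fromhex("16030100c4010000c00303") + bytes(39)


def true_client_ip(user_data: bytes):
    """Return the True-Client-IP value from captured source user data, or None.

    None means the buffer is not plain HTTP, the header is absent, or the
    capture stopped before the header line was complete.
    """
    head, sep, _ = user_data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not sep:
        # Capture ended inside the header block: the last line may be cut
        # short (203.0.113.7 could be the start of 203.0.113.77), so drop it.
        lines = lines[:-1]
    for line in lines[1:]:  # lines[0] is the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"true-client-ip":
            try:
                return str(ipaddress.ip_address(value.strip().decode("ascii")))
            except (UnicodeDecodeError, ValueError):
                return None
    return None


def min_capture_len(request: bytes):
    """Smallest number of captured bytes at which the header is recoverable."""
    for n in range(len(request) + 1):
        if true_client_ip(request[:n]) is not None:
            return n
    return None
```

Treat the extracted value as meaningful only when the flow's SrcAddr is one of the CDN's edge addresses, since a client that reaches the origin directly can send any True-Client-IP header it likes.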