Akamai WAF

Monah Baki monahbaki at gmail.com
Thu Oct 18 09:08:54 EDT 2018


Hi Eric,

I bumped the ARGUS_CAPTURE_DATA_LEN value to 2048, so running ratop -S
localhost:561 -s trans stime saddr:40 sport sco daddr dport dco suser
duser:2048, I can't see the rest of the duser column; it gets chopped off,
probably displays 50 characters only (small monitor). Is there a way to
overcome this?

Thanks
Monah

On Thu, Oct 18, 2018 at 8:47 AM Eric Kinzie <eric at qosient.com> wrote:

> On October 17, 2018 12:47:43 PM EDT, Monah Baki <monahbaki at gmail.com>
> wrote:
> >Hi all,
> >
> >We are using akamai WAF services to protect our webserver. Currently
> >running the latest argus/client on the webserver. When running ratop, the
> >SrcAddr shows only the akamai IP (a23-212-3-119.deploy.static.akamaitechn*)
> >hitting our webserver.
> >Akamai confirmed True-Client-IP is enabled and we should be able to see the
> >real IP in the request header. Can I get this info when using ratop?
> >
> >
> >Trans        StartTime                                        SrcAddr Sport sCo            DstAddr Dport dCo srcUdata dstUdata
> >   14  12:42:39.209029 a23-212-3-119.deploy.static.akamaitechn*.49057  US www.ntis.gov.https  ZZ s[50]=............s~V-...Tl....x..`...<.#.4^.+..a ..+... d[50]=....Y...U..[.f...=...|.I....:.t..?..:Yc...& O.-G].
> >    2  12:45:50.752456 a23-212-53-84.deploy.static.akamaitechn*.61219  US www.ntis.gov.https  ZZ s[50]=...........g.....E{.K.:S.4..4.e.F_..^.A."Rx o#Rr&3 d[50]=....Q...M..[.g>.....*..... ....G.as.V..y..d o#Rr&3
> >
> >
> >Thanks
> >Monah
>
> Since this value is in the http headers and, in this case, https is used
> you will not be able to see the address in the Argus user buffers.  For
> non-encrypted http, set the ARGUS_CAPTURE_DATA_LEN to something large
> enough to get all of the http headers and then the duser column in ratop
> should show what you want.
>
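
The distinction drawn in this thread (TLS payload hides the header; plain HTTP exposes it only if the capture length covers the whole header block) can be checked per buffer. The following is an added example, not code from the thread or from the Argus project: `true_client_ip` is a hypothetical helper that assumes the captured user-data bytes have already been extracted from the flow record, and the sample request is constructed.

```python
import ipaddress

HEADER = b"true-client-ip"          # header name from the thread, compared case-insensitively
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}

def true_client_ip(buf: bytes):
    """Classify one captured payload prefix; return (status, ip_or_None)."""
    # TLS record header: content type 0x14-0x17, then major version 3.
    if len(buf) >= 2 and 0x14 <= buf[0] <= 0x17 and buf[1] == 3:
        return ("encrypted", None)
    if buf.split(b" ", 1)[0] not in METHODS:
        return ("not-http", None)
    head, end_of_headers, _ = buf.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    # Without the blank line the capture ended mid-headers, so the last line may
    # be cut (a clipped "203.0.113.4" would still parse as an address); ignore it.
    complete = lines[1:] if end_of_headers else lines[1:-1]
    for line in complete:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == HEADER:
            try:
                return ("found", str(ipaddress.ip_address(value.strip().decode("ascii"))))
            except ValueError:      # also covers UnicodeDecodeError
                return ("invalid", None)
    return ("absent", None) if end_of_headers else ("truncated", None)

# Constructed sample request (documentation addresses), not captured traffic.
SAMPLE = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n"
          b"True-Client-IP: 203.0.113.45\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    for label, data in [("full", SAMPLE), ("first 50 bytes", SAMPLE[:50]),
                        ("tls", bytes([0x16, 0x03, 0x01, 0x02, 0x00]))]:
        print(label, true_client_ip(data))
```

A `truncated` result means the capture length was too small for that request, while `encrypted` means no capture length will expose the header at this point in the path.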