* Packet dumping or mirroring
@ 2004-02-18 20:54 Michael Gale
From: Michael Gale @ 2004-02-18 20:54 UTC (permalink / raw)
To: netfilter
Hello,
I have a question, well more of an idea ... let me know what you think. This is
not only a netfilter question but would require netfilter to work so ...
I use a program called Ntop to monitor network traffic ... I have it running all
the time and dump the data nightly to a mysql DB via a PHP script and then reset
the stats.
This allows me to provide data on a day, week and month basis, anyways ... from
my understanding most programs like Ntop have an issue with keeping up with
traffic that is faster than 100MB HD.
So anything 10MB FD and slower is ok, but anything over that limit ntop can not
keep up with the flow so your monitoring stats do not reflect the actual
amount.
Now I suppose I could switch programs and try IPFM or something but their output
sucks.
So I have the following idea / solution involving iptables :)
Solution 1:
First you create a "tmpfs" .. for example in your NTOP home directory call it
tmp (/home/ntop/tmp). Now make this directory a RAM drive that gets mounted
every time we boot up, about 50MB (maybe).
or
Solution 2:
Create a new device, like a dummy network.
Now we create a module for iptables to send a copy of every packet on every
interface to the RAM drive or dummy device.
I think a RAM drive is better, so if we have a firewall box with two interfaces
we could have iptables send a copy of every packet in raw form to the RAM drive.
Each packet or group of packets could be labelled by interface plus timestamp
plus transaction ID or checksum ? You could have different mod levels
like only dump packet headers or whole packets ?
This would ensure that no network packets are lost and the monitor could keep
up.
We could now have our monitoring program (ntop for example) read the packets in
the RAM drive every <not sure> and provide reporting stats. This would also
allow us to save funny looking packets for investigating.
What do you think ... I do not believe there is a way to do this now :(
--
Michael Gale
Network Administrator
Utilitran Corporation
* Re: Packet dumping or mirroring
From: William Stearns @ 2004-02-18 21:07 UTC (permalink / raw)
To: Michael Gale; +Cc: ML-netfilter, William Stearns
Good afternoon, Michael,
On Wed, 18 Feb 2004, Michael Gale wrote:
> So I have the following idea / solution involving iptables :)
>
> Solution 1:
> First you create a "tmpfs" .. for example in your NTOP home directory call it
> tmp (/home/ntop/tmp). Now make this directory a RAM drive that gets mounted
> every time we boot up, about 50MB (maybe).
>
> Now we create a module for iptables to send a copy of every packet on every
> interface to the RAM drive or dummy device.
>
> What do you think ... I do not believe there is a way to do this now :(
You seem to be describing ulogd:
http://www.stearns.org/doc/iptables-ulog.current.html
(with pointers to other relevant sites). You'd instruct ulogd to
save its files to a ramdisk as opposed to a physical disk.
Cheers,
- Bill
---------------------------------------------------------------------------
"Me spell chucker work grate. Need grandma chicken."
-- yakkoj@netscape.net
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
* Re: Packet dumping or mirroring
From: William Stearns @ 2004-02-18 21:20 UTC (permalink / raw)
To: Michael Gale; +Cc: ML-netfilter, William Stearns
Good afternoon, Michael,
On Wed, 18 Feb 2004, William Stearns wrote:
> On Wed, 18 Feb 2004, Michael Gale wrote:
>
> > First you create a "tmpfs" .. for example in your NTOP home directory call it
> > tmp (/home/ntop/tmp). Now make this directory a RAM drive that gets mounted
> > every time we boot up, about 50MB (maybe).
> >
> > Now we create a module for iptables to send a copy of every packet on every
> > interface to the RAM drive or dummy device.
> >
> > What do you think ... I do not believe there is a way to do this now :(
>
> You seem to be describing ulogd:
> http://www.stearns.org/doc/iptables-ulog.current.html
> (with pointers to other relevant sites). You'd instruct ulogd to
> save its files to a ramdisk as opposed to a physical disk.
BTW, ntop will gladly read from pcap files (the "-f" parameter;
see http://www.stearns.org/doc/pcap-apps.html ).
Cheers,
- Bill
---------------------------------------------------------------------------
Santa Clara, CA (Reuters): Sources close to the spiritual leader
of the Linux movement report that Linus Torvalds has entered his 23rd
day of fasting. The move is apparently not for religious reasons.
"I've spent so much time looking at vomit-producing code, that Tove
refuses to feed me any more, and gives me Karate chops whenever I even
threaten to blow chunks. Our carpet cleaning bill exceeds our mortgage.
Hell, the ISDN subsystem alone turned our favourite Persian rug into a
monstrosity that college students won't even pick up off the street
corner. With Jeff Dike's memory management code coming up, I thought
I'd best be prepared."
-- WLS
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
* Re: Packet dumping or mirroring
From: Antony Stone @ 2004-02-18 21:53 UTC (permalink / raw)
To: netfilter
On Wednesday 18 February 2004 8:54 pm, Michael Gale wrote:
> with traffic that is faster than 100MB HD.
>
> So anything 10MB FD and slower is ok, but anything over that limit ntop can
> Solution 1:
> First you create a "tmpfs" .. for example in your NTOP home directory call
> it tmp (/home/ntop/tmp). Now make this directory a RAM drive that gets
> mounted every time we boot up, about 50MB (maybe).
If your problem is not being able to keep up with >10Mbps FD or 100Mbps HD,
then 50Mbytes is going to fill up pretty quickly...
1. If you capture full packets, assume network is running at 50Mbps on
average; that's 6.25Mbytes per second - your ramdisk fills up in 8 seconds.
2. If you just capture headers, assume network is again running at 50Mbps,
with 1500 byte packets one way and empty packets (headers only) the other,
also assume headers are 48 bytes. 50Mbps / (1548 x 8) = 4038 packets / sec.
4038 x 48 = 190kbytes / sec. Your ramdisk now lasts for 258 seconds (or a
bit more than 4 minutes).
Of course, if your network traffic is not running at 50Mbps then your ramdisk
will last longer, but then ntop would have been able to keep up on its own
anyway....
Regards,
Antony.
--
If builders made buildings the way programmers write programs, then the first
woodpecker to come along would destroy civilisation.
Please reply to the list;
please don't CC me.
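The sizing estimate in the reply above, carried through as an added example that is not part of the thread: a minimal pcap writer (the format ntop reads with "-f") with a configurable snaplen for "headers only" versus "whole packets", plus the ramdisk-lifetime arithmetic with the reply's assumptions (50 Mbps, 50 MB ramdisk, 1500-byte data frames answered by 48-byte header-only frames). The pcap field layout is the standard libpcap one; the sample frames are constructed.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond-timestamp pcap
LINKTYPE_ETHERNET = 1
HEADER_ONLY_SNAPLEN = 48     # the reply's assumed Ethernet+IP+TCP header size
FULL_SNAPLEN = 65535

def pcap_file_header(snaplen):
    """24-byte global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)

def pcap_record(packet, snaplen, ts_sec, ts_usec):
    """16-byte record header + truncated packet. 'caplen' is what we kept,
    'len' is the size on the wire, so a header-only dump still records sizes."""
    caplen = min(len(packet), snaplen)
    return struct.pack("<IIII", ts_sec, ts_usec, caplen, len(packet)) + packet[:caplen]

def build_capture(packets, snaplen):
    """packets: iterable of (ts_sec, ts_usec, bytes). Returns the pcap file contents."""
    out = bytearray(pcap_file_header(snaplen))
    for ts_sec, ts_usec, pkt in packets:
        out += pcap_record(pkt, snaplen, ts_sec, ts_usec)
    return bytes(out)

def write_capture(path, packets, snaplen):
    """Write the capture to e.g. a tmpfs mount and return the bytes written."""
    data = build_capture(packets, snaplen)
    with open(path, "wb") as f:
        f.write(data)
    return len(data)

def ramdisk_lifetime_seconds(ramdisk_bytes, link_bps, cycle_wire_bytes, cycle_captured_bytes):
    """Seconds until the ramdisk fills, for traffic that repeats a 'cycle' of
    cycle_wire_bytes on the wire of which cycle_captured_bytes are written out.
    Full capture: captured == wire. Header-only, per the reply: (1548, 48).
    Per-record pcap overhead (16 bytes) is ignored, as the reply ignores it."""
    link_bytes_per_sec = link_bps / 8
    captured_per_sec = link_bytes_per_sec * cycle_captured_bytes / cycle_wire_bytes
    return ramdisk_bytes / captured_per_sec

# Constructed sample: one 1500-byte data frame and one 48-byte header-only reply.
SAMPLE_FRAMES = [(1077137640, 0, b"\xaa" * 1500), (1077137640, 500, b"\xbb" * 48)]

if __name__ == "__main__":
    print("header-only pcap bytes:", len(build_capture(SAMPLE_FRAMES, HEADER_ONLY_SNAPLEN)))
    print("full capture lifetime (s):", ramdisk_lifetime_seconds(50e6, 50e6, 1548, 1548))
    print("header-only lifetime (s):", ramdisk_lifetime_seconds(50e6, 50e6, 1548, 48))
```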
* Re: Packet dumping or mirroring
From: Michael Gale @ 2004-02-19 0:34 UTC (permalink / raw)
To: netfilter
Hello,
My mistake ... according to the documentation it is libpcap that can not keep
up.
Michael.
On Wed, 18 Feb 2004 21:53:40 +0000
Antony Stone <Antony@Soft-Solutions.co.uk> wrote:
> On Wednesday 18 February 2004 8:54 pm, Michael Gale wrote:
>
> > with traffic that is faster than 100MB HD.
> >
> > So anything 10MB FD and slower is ok, but anything over that limit ntop can
>
> > Solution 1:
> > First you create a "tmpfs" .. for example in your NTOP home directory call
> > it tmp (/home/ntop/tmp). Now make this directory a RAM drive that gets
> > mounted every time we boot up, about 50MB (maybe).
>
> If your problem is not being able to keep up with >10Mbps FD or 100Mbps HD,
> then 50Mbytes is going to fill up pretty quickly...
>
> 1. If you capture full packets, assume network is running at 50Mbps on
> average; that's 6.25Mbytes per second - your ramdisk fills up in 8 seconds.
>
> 2. If you just capture headers, assume network is again running at 50Mbps,
> with 1500 byte packets one way and empty packets (headers only) the other,
> also assume headers are 48 bytes. 50Mbps / (1548 x 8) = 4038 packets / sec.
>
> 4038 x 48 = 190kbytes / sec. Your ramdisk now lasts for 258 seconds (or a
> bit more than 4 minutes).
>
> Of course, if your network traffic is not running at 50Mbps then your ramdisk
> will last longer, but then ntop would have been able to keep up on its own
> anyway....
>
> Regards,
>
> Antony.
>
> --
> If builders made buildings the way programmers write programs, then the first
> woodpecker to come along would destroy civilisation.
>
> Please reply to the list;
> please don't CC me.
--
Michael Gale
Network Administrator
Utilitran Corporation
* Re: Packet dumping or mirroring
From: P @ 2004-02-19 10:21 UTC (permalink / raw)
To: Michael Gale; +Cc: netfilter
Michael Gale wrote:
> Hello,
>
> My mistake ... according to the documentation it is libpcap that can not keep
> up.
There is a more efficient libpcap here: http://public.lanl.gov/cpw/
Pádraig.