Cloning Traffic had having it processed by two different hosts - TEE

Cloning Traffic had having it processed by two different hosts - TEE

[Bjoern Weiland]

Hey list,

here's what I need to do:
Our central routers all export cisco netflow data. This data is being 
sent to HOST A where it is processed. Now for some researching, I also 
need this data on HOST B for another kind of processing. So what I want 
to do is to clone the traffic arriving at HOST A. One copy should be 
processed by HOST A as usual and the copy needs to be sent to HOST B. As 
we do not only want to passively monitor this traffic, but really work 
with it, the copied traffic also needs to be rewritten with HOST B's IP 
address in the netflow data's Headers.

No here's the question: How do I best do this? I read and tried to work 
with the tee target of patch-o-matic-ng's extra repository, but 
apparently it is not working any longer on recent kernels.
Also I do have massive problems getting xtables-addons to compile on my 
Debian (I actually tried more than one machine and different gcc's and 
kernels) and there seems to be no documentation or mailinglist. Has 
anyone tried xtables-addons at Debian? If yes, which gcc, kernel, 
xtables version?

Now I am wondering, if my undertaking is realizable and how it can be 
done most efficiently... I am open for any hints, maybe there are some 
other solutions as well...

  -best regards, bjoern

Re: Cloning Traffic had having it processed by two different hosts - TEE

[Jan Engelhardt]

On Wednesday 2008-04-23 14:24, Bjoern Weiland wrote:

> Hey list,
>
> here's what I need to do: Our central routers all export cisco
> netflow data. This data is being sent to HOST A where it is
> processed. Now for some researching, I also need this data on HOST
> B for another kind of processing. So what I want to do is to clone
> the traffic arriving at HOST A. One copy should be processed by
> HOST A as usual and the copy needs to be sent to HOST B. As we do
> not only want to passively monitor this traffic, but really work
> with it, the copied traffic also needs to be rewritten with HOST
> B's IP address in the netflow data's Headers.

Use the RAW(S|D)NAT target for rewriting the address. It is available
in the RAWNAT branch of the git repo.

The teed packet however does not cross iptables on the machine it is
teed due to ... limitations in ip_tables, not because there could 
possible be some infinite recursion, so you would need to RAWNAT on a 
different machine.

> No here's the question: How do I best do this? I read and tried to
> work with the tee target of patch-o-matic-ng's extra repository,
> but apparently it is not working any longer on recent kernels.

I don't see any tee target in pom (= dead horse) anyway.

> Also
> I do have massive problems getting xtables-addons to compile on my
> Debian (I actually tried more than one machine and different gcc's
> and kernels) and there seems to be no documentation or mailinglist.
> Has anyone tried xtables-addons at Debian? If yes, which gcc,
> kernel, xtables version?

Mh, I used 2.6.18.0 for compile testing; there is a patch in 2.6.18.5 
that changed ip_route_me_harder :-/
Will fix.

Re: Cloning Traffic had having it processed by two different hosts - TEE

[Bjoern Weiland]

>> here's what I need to do: Our central routers all export cisco
>> netflow data. This data is being sent to HOST A where it is
>> processed. Now for some researching, I also need this data on HOST
>> B for another kind of processing. So what I want to do is to clone
>> the traffic arriving at HOST A. One copy should be processed by
>> HOST A as usual and the copy needs to be sent to HOST B. As we do
>> not only want to passively monitor this traffic, but really work
>> with it, the copied traffic also needs to be rewritten with HOST
>> B's IP address in the netflow data's Headers.
> 
> Use the RAW(S|D)NAT target for rewriting the address. It is available
> in the RAWNAT branch of the git repo.

I finally got the TEE addon compiled under a 2.6.23.16 kernel, but
RAWNAT does not compile:

http://pastebin.com/m5d4d2040

I also had problems with other addons but I commented them out as I dont
need them anyway. In that pastebin, although it says it was
xtables-addons-1.5.4, it really is the latest addons snapshot from
http://dev.computergmbh.de/gitweb.cgi?p=xtables-addons;h=RAWNAT;a=shortlog

> The teed packet however does not cross iptables on the machine it is
> teed due to ... limitations in ip_tables, not because there could 
> possible be some infinite recursion, so you would need to RAWNAT on a 
> different machine.

Now as there is no documentation, I have to ask: How do I set it up?
I need to clone incoming packets, leaving one copy for a local process 
and forwarding the other copy to another host. I also need to rewrite IP 
Dst addresses of the copy to the other host.

This will clone all tcp packets destined to port 80, right?
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TEE --gateway 1.2.3.4

Now why does TEE need a gateway (can't it use the default gateway?) and 
how do I tell my machine to forward these just copied packets to host 
6.7.8.9? And how do I use RAWNAT to tamper with the Dst-IP address of 
the copied packets?

  -best regards, bjoern

PS: When I get this to run I will blog a tutorial on that copied 
routing. I think that is a good idea as there is absolutely no documentation

Re: Cloning Traffic had having it processed by two different hosts - TEE

[Grant Taylor]

On 04/23/08 07:24, Bjoern Weiland wrote:
> Now I am wondering, if my undertaking is realizable and how it can be 
> done most efficiently... I am open for any hints, maybe there are some 
> other solutions as well...

I'm not sure if it will work or not, but have you considered using the 
user space daemons to process the traffic?  I think you can use the 
NFQUEUE (?) target to redirect the packets as they are to user space 
which could then send one packet on as is and duplicate and modify the 
second packet before sending it on.



Grant. . . .