* explanation of the syslog LEN and WINDOW entries
From: Jeff Jensen @ 2009-10-28 13:53 UTC
To: netfilter
Is there an explanation of the LEN and WINDOW fields in an
iptables/netfilter syslog entry?
In the first example I have a LEN=60 and a WINDOW=5840. Can I use
these entries to calculate bandwidth usage?
In the second example I have a LEN=60 and a LEN=56. Can I use these
entries to calculate bandwidth usage?
Example: IN=eth1 OUT=eth0 SRC=******* DST=******* LEN=60 TOS=0x00
PREC=0x00 TTL=62 ID=11625 DF PROTO=TCP SPT=4741 DPT=1901 WINDOW=5840
RES=0x00 SYN URGP=0
Example: IN=eth1 OUT=eth0 SRC=******* DST=******* LEN=76 TOS=0x10
PREC=0x00 TTL=62 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Thanks, Jeff
* Re: explanation of the syslog LEN and WINDOW entries
From: Jeff Jensen @ 2009-10-28 14:56 UTC
To: netfilter
Thanks Richard. So there is no parameter (or combination of
parameters) in the syslog entry stating actual packet size?
Hmmmm????
The boss wants to know how much bandwidth is used by the different
apps we allow. I have some unique apps that run on unique port(s)
and rules that log all packets. I set the --log-prefix= to something
unique to that app and every day sort it out into individual files. I
was hoping to aggregate all the entries to a total bandwidth out and
in.
On Wed, Oct 28, 2009 at 8:20 AM, Richard Horton
<richard.horton@solstans.co.uk> wrote:
> 2009/10/28 Jeff Jensen <jjensen@unyalli.com>:
>> Is there an explanation of the LEN and WINDOW fields in an
>> iptables/netfilter syslog entry?
>
> First example: LEN is the length of the TCP datagram
>
> The Window field applies to TCP packets and is the receive window size -
> the amount of data the receiver will process before having to send an ack
> message.
>
> Second example I believe LEN 1 is the length of the IP datagram, LEN 2 is
> the length of the UDP payload.
>
> I would be wary of using this to estimate bandwidth usage.
>
> --
> Richard Horton
> Users are like a virus: Each causing a thousand tiny crises until the host
> finally dies.
> http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest
> Cats
> http://www.pbase.com/arimus - My online photogallery
* Re: explanation of the syslog LEN and WINDOW entries
From: Jeff Jensen @ 2009-10-28 15:21 UTC
To: Richard Horton, netfilter
So for TCP do I add all the LEN fields only?
If I have a thousand log entries and all the LEN fields are 60 did I
use 60,000 bits?
Or is it bytes?
In UDP do I add both LEN fields?
On Wed, Oct 28, 2009 at 9:11 AM, Richard Horton
<richard.horton@solstans.co.uk> wrote:
> 2009/10/28 Jeff Jensen <jjensen@unyalli.com>
>> Thanks Richard. So there is no parameter (or combination of
>> parameters) in the syslog entry stating actual packet size?
>>
>> Hmmmm????
>>
>> The boss wants to know how much bandwidth is used by the different
>> apps we allow. I have some unique apps that run on unique port(s)
>> and rules that log all packets. I set the --log-prefix= to something
>> unique to that app and every day sort it out into individual files. I
>> was hoping to aggregate all the entries to a total bandwidth out and
>> in.
>
> For estimating individual application usage they'll be fine, was thinking
> more along not using the len fields for estimating total consumed bandwidth
> (as IP tables only deals with ip traffic and so will miss other forms of
> traffic, ipx, appletalk, arp etc)
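As an added example that is not part of the thread, here is a small parser for LOG lines in the format quoted above that sums the first LEN (the IP total length, in bytes, not bits) per --log-prefix. For UDP it deliberately ignores the second LEN, which is the UDP length (8-byte header plus payload) and is already contained in the first. The prefixes APP1: and NTP:, the addresses and the sizes are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG format shown in the thread; the
# --log-prefix values (APP1:, NTP:) and addresses are placeholders.
SAMPLE_LOG = """\
Oct 28 13:50:01 fw kernel: APP1: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=11625 DF PROTO=TCP SPT=4741 DPT=1901 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 28 13:50:02 fw kernel: APP1: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=62 ID=11626 DF PROTO=TCP SPT=4741 DPT=1901 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 28 13:50:03 fw kernel: NTP: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.20 LEN=76 TOS=0x10 PREC=0x00 TTL=62 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""

KV = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_log_line(line):
    """Return (prefix, [(KEY, VALUE), ...]) in log order.

    A list, not a dict, because a UDP entry carries LEN twice: the IP total
    length first, then the UDP length (8-byte header + payload), which is
    already contained in the first.
    """
    body = line.partition("kernel: ")[2] or line   # also accepts bare lines
    prefix = body.split("IN=", 1)[0].strip()
    return prefix, KV.findall(body)

def ip_bytes(fields):
    """Bytes the packet occupies at the IP layer: the first LEN, in bytes
    (octets), not bits. Layer-2 framing (14-byte Ethernet header) is excluded."""
    return [int(v) for k, v in fields if k == "LEN"][0]

def udp_payload_bytes(fields):
    """UDP payload size from the second LEN, or None for non-UDP packets."""
    lens = [int(v) for k, v in fields if k == "LEN"]
    if dict(fields).get("PROTO") != "UDP" or len(lens) < 2:
        return None
    return lens[1] - 8

def bytes_per_prefix(log_text):
    """Total IP bytes per --log-prefix; the second (UDP) LEN is never added."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if "IN=" in line:
            prefix, fields = parse_log_line(line)
            totals[prefix] += ip_bytes(fields)
    return dict(totals)

if __name__ == "__main__":
    for prefix, total in bytes_per_prefix(SAMPLE_LOG).items():
        print(f"{prefix:6} {total} bytes = {total * 8} bits")
```

Only packets that actually hit a LOG rule are counted, so the totals cover exactly the traffic the logging rules see and nothing else.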
* Re: explanation of the syslog LEN and WINDOW entries
From: John Haxby @ 2009-10-28 15:35 UTC
To: Jeff Jensen; +Cc: netfilter
On 28/10/09 14:56, Jeff Jensen wrote:
> The boss wants to know how much bandwidth is used by the different
> apps we allow. I have some unique apps that run on unique port(s)
> and rules that log all packets. I set the --log-prefix= to something
> unique to that app and every day sort it out into individual files. I
> was hoping to aggregate all the entries to a total bandwidth out and
> in.
I do this slightly differently. I collect information on a per-IP
address basis (this is all traffic flowing through a router) and within
each table I have rows that match a particular port/protocol and then
just -j RETURN.
Every hour I run "iptables -vxnL <table> -Z" for each table and then
merge the counters into a database. I have another process that
periodically looks at the database and produces pretty graphs of the
per-machine, per-protocol usage. (Well, actually, I haven't done
per-protocol yet, but I have the information needed.)
There's an accounting extension in xtables which would do the job
better, but I haven't attempted to persuade the xtables on CentOS 5 :-)
jch
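The counter-based approach above, as an added example that is not John's code: it parses the output of "iptables -vxnL <table> -Z" for one per-IP chain of port/protocol rules ending in -j RETURN and merges each hourly sample into an SQLite table, adding rather than overwriting because -Z zeroes the counters as they are listed. The chain name acct_10_0_0_5 and all counter values are constructed.

```python
import re
import sqlite3

# Constructed sample of `iptables -vxnL acct_10_0_0_5 -Z` output for one per-IP
# accounting chain of port/protocol rules ending in -j RETURN (made-up values).
SAMPLE_OUTPUT = """\
Chain acct_10_0_0_5 (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120      98304 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      40       3200 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
       7       1234 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
"""

# Columns: pkts bytes target prot opt in out source destination [match ...]
RULE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+\S+){5}\s*(.*)$")

def parse_counters(text):
    """Yield (chain, proto, rule, pkts, bytes) for every rule line."""
    chain = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = RULE.match(line)
        if m and chain:  # the column-header line does not match
            pkts, nbytes, _target, proto, rule = m.groups()
            yield chain, proto, rule.strip(), int(pkts), int(nbytes)

def new_store():
    """In-memory SQLite table of running totals keyed by (chain, proto, rule)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usage (chain TEXT, proto TEXT, rule TEXT, pkts INTEGER "
                 "DEFAULT 0, bytes INTEGER DEFAULT 0, PRIMARY KEY (chain, proto, rule))")
    return conn

def merge_counters(conn, text):
    """Add one sample: -Z zeroes counters as they are listed, so each read is a delta."""
    for chain, proto, rule, pkts, nbytes in parse_counters(text):
        conn.execute("INSERT OR IGNORE INTO usage (chain, proto, rule) VALUES (?,?,?)",
                     (chain, proto, rule))
        conn.execute("UPDATE usage SET pkts = pkts + ?, bytes = bytes + ? "
                     "WHERE chain=? AND proto=? AND rule=?", (pkts, nbytes, chain, proto, rule))
    conn.commit()

def bytes_per_chain(conn):
    return dict(conn.execute("SELECT chain, SUM(bytes) FROM usage GROUP BY chain"))

def bytes_per_proto(conn):
    return dict(conn.execute("SELECT proto, SUM(bytes) FROM usage GROUP BY proto"))
```

Because listing and zeroing happen in one iptables invocation, no packets counted between a read and a reset are lost; a separate "-Z" call after "-L" would drop whatever arrived in between.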
* Re: explanation of the syslog LEN and WINDOW entries
From: Jeff Jensen @ 2009-10-30 14:15 UTC
To: John Haxby, netfilter
Thank you John, I was not thinking in this direction at all. After reading
many articles found by Google on this search criteria let me ask
another question please.
Currently I don't use user created chains. Don't like them; they make the
script hard to follow. If I re-train my entire thought process to use
user created chains could I get per protocol stats? For instance if I
had an FTP chain could I get an hourly total used by FTP? This would
be a total of control channel, active data channel, and passive data
channel.
On Wed, Oct 28, 2009 at 9:35 AM, John Haxby <john.haxby@oracle.com> wrote:
> On 28/10/09 14:56, Jeff Jensen wrote:
>> The boss wants to know how much bandwidth is used by the different
>> apps we allow. I have some unique apps that run on unique port(s)
>> and rules that log all packets. I set the --log-prefix= to something
>> unique to that app and every day sort it out into individual files. I
>> was hoping to aggregate all the entries to a total bandwidth out and
>> in.
>
> I do this slightly differently. I collect information on a per-IP address basis (this is all traffic flowing through a router) and within each table I have rows that match a particular port/protocol and then just -j RETURN.
>
> Every hour I run "iptables -vxnL <table> -Z" for each table and then merge the counters into a database. I have another process that periodically looks at the database and produces pretty graphs of the per-machine, per-protocol usage. (Well, actually, I haven't done per-protocol yet, but I have the information needed.)
>
> There's an accounting extension in xtables which would do the job better, but I haven't attempted to persuade the xtables on CentOS 5 :-)
>
> jch