* [NFLOG] How to determine the connection a packet belongs to?
From: Clemens Eisserer @ 2011-06-06 14:26 UTC
To: netfilter
Hi,
We are using ulog2/nflog for logging packets and connections, which
works quite well.
However we haven't found a reliable way to determine which packets
belong to which connection.
There seem to be two distinct IDs for both packets (nflog) as well as
connection IDs issued by conntrack,
is there some correlation between the two IDs?
Or is there any other (maybe even better) way to determine which
logged packet belongs to which connection?
Thank you in advance, Clemens
* Re: [NFLOG] How to determine the connection a packet belongs to?
From: Pablo Neira Ayuso @ 2011-06-06 23:39 UTC
To: Clemens Eisserer; +Cc: netfilter
On 06/06/11 16:26, Clemens Eisserer wrote:
> Hi,
>
> We are using ulog2/nflog for logging packets and connections, which
> works quite well.
>
> However we haven't found a reliable way to determine which packets
> belong to which connection.
> There seem to be two distinct IDs for both packets (nflog) as well as
> connection IDs issued by conntrack,
> is there some correlation between the two IDs?
No.
> Or is there any other (maybe even better) way to determine which
> logged packet belongs to which connection?
You can build the tuple from the packet in user-space to look up the
conntrack via libnetfilter_conntrack.
* Re: [NFLOG] How to determine the connection a packet belongs to?
From: Clemens Eisserer @ 2011-06-07 10:40 UTC
To: netfilter
Hi,
> You can build the tuple from the packet in user-space to look up the
> conntrack via libnetfilter_conntrack.
How can I do that?
Assuming there are two open connections:
IP1:80 <----> IP2:39678
IP1:39678 <-----> IP2:80
How can I know which packet belongs to which connection?
Thanks, Clemens
* Re: [NFLOG] How to determine the connection a packet belongs to?
From: Jan Engelhardt @ 2011-06-07 11:59 UTC
To: Clemens Eisserer; +Cc: netfilter
On Tuesday 2011-06-07 12:40, Clemens Eisserer wrote:
>Hi,
>
>> You can build the tuple from the packet in user-space to look up the
>> conntrack via libnetfilter_conntrack.
>
>How can I do that?
>
>Assuming there are two open connections:
>IP1:80 <----> IP2:39678
>IP1:39678 <-----> IP2:80
>
>How can I know which packet belongs to which connection?
Because packets contain IP1, 80, IP2 and 39678.
* Re: [NFLOG] How to determine the connection a packet belongs to?
From: Srinivasa T N @ 2011-06-07 12:25 UTC
To: Clemens Eisserer; +Cc: netfilter
On 06/07/2011 04:10 PM, Clemens Eisserer wrote:
> Hi,
>
>> You can build the tuple from the packet in user-space to look up the
>> conntrack via libnetfilter_conntrack.
>
> How can I do that?
>
> Assuming there are two open connections:
> IP1:80<----> IP2:39678
> IP1:39678<-----> IP2:80
>
> How can I know which packet belongs to which connection?
>
> Thanks, Clemens
Am not an expert, but can't you match the src and dst address/port in
each packet?
Regards,
Seenu.
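
The tuple matching discussed in this thread, as an added example that is not code from any of the posters or from the netfilter project. It parses a raw IPv4 packet as it arrives in the NFLOG payload and matches the ordered tuple against both directions of each tracked connection. Assumptions: `TABLE` is a constructed in-memory stand-in for the lookup done via libnetfilter_conntrack, 192.0.2.1 and 192.0.2.2 stand for IP1 and IP2, and which side opened each connection is made up.

```c
#include <stddef.h>
#include <stdint.h>

/* Ordered tuple: direction matters, so IP1:80->IP2:39678 != IP1:39678->IP2:80. */
struct tuple { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };
/* A tracked connection has an original and a reply tuple (they differ under NAT). */
struct conn { int id; struct tuple orig, reply; };

#define IP1 0xC0000201u /* 192.0.2.1, constructed sample address */
#define IP2 0xC0000202u /* 192.0.2.2, constructed sample address */
/* Constructed stand-in for the conntrack table: the thread's two connections. */
static const struct conn TABLE[] = {
    { 1, { IP2, IP1, 39678, 80, 6 }, { IP1, IP2, 80, 39678, 6 } },
    { 2, { IP1, IP2, 39678, 80, 6 }, { IP2, IP1, 80, 39678, 6 } },
};
/* Constructed packets: the same 20-byte IPv4 header, then only the TCP ports. */
#define HDR 0x45,0,0,24, 0,0,0x40,0, 64,6,0,0, 192,0,2,1, 192,0,2,2 /* TCP, IP1 -> IP2 */
const uint8_t PKT_A[] = { HDR, 0x00,0x50, 0x9A,0xFE }; /* sport 80, dport 39678 */
const uint8_t PKT_B[] = { HDR, 0x9A,0xFE, 0x00,0x50 }; /* sport 39678, dport 80 */

/* Tuple from a raw IPv4 packet; -1 if truncated, not IPv4, a fragment, or not TCP/UDP. */
int tuple_from_packet(const uint8_t *p, size_t len, struct tuple *t) {
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;       /* header length including options */
    if (ihl < 20 || len < ihl + 4) return -1;
    if ((p[6] & 0x1f) || p[7]) return -1;         /* later fragment carries no ports */
    if (p[9] != 6 && p[9] != 17) return -1;       /* only TCP and UDP handled here */
    t->proto = p[9];
    t->src = (uint32_t)p[12] << 24 | (uint32_t)p[13] << 16 | (uint32_t)p[14] << 8 | p[15];
    t->dst = (uint32_t)p[16] << 24 | (uint32_t)p[17] << 16 | (uint32_t)p[18] << 8 | p[19];
    t->sport = (uint16_t)(p[ihl] << 8 | p[ihl + 1]);
    t->dport = (uint16_t)(p[ihl + 2] << 8 | p[ihl + 3]);
    return 0;
}

static int tuple_eq(const struct tuple *a, const struct tuple *b) {
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

/* Return the id of the connection a logged packet belongs to, or -1 if none. */
int packet_to_conn(const uint8_t *pkt, size_t len) {
    struct tuple t;
    if (tuple_from_packet(pkt, len, &t) < 0) return -1;
    for (size_t i = 0; i < sizeof(TABLE) / sizeof(TABLE[0]); i++)
        if (tuple_eq(&TABLE[i].orig, &t) || tuple_eq(&TABLE[i].reply, &t))
            return TABLE[i].id;
    return -1;
}
```

Both sample packets travel from IP1 to IP2 and differ only in which port is the source, which is enough to place them in different connections.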