
Re: IPTraffic and IPTables / IPTraffic and logging



Hello,

> 
> 1) I want to use the IPTraffic logging possibilities for generating
>      reports for our "pay by byte" customers, and for having an
>      overview of which of our customers creates how much traffic on
>      our line (we are hosting some web sites). IPTraffic gives me
>      a log which looks something like this:
> 
> Wed Jan  8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
> Wed Jan  8 13:47:58 2003; TCP; eth1; 1045 bytes; from 62.208.64.173:http to 213.20.240.167:60250; FIN sent; 7 packets, 5709 bytes
> Wed Jan  8 13:47:58 2003; TCP; eth1; 60 bytes; from 62.208.64.173:http to 213.20.240.167:60252; first packet (SYN)
> Wed Jan  8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
> Wed Jan  8 13:47:90 2003; TCP; eth1; 1045 bytes; from 62.208.64.173:http to 213.20.240.167:60250; FIN sent; 7 packets, 5709 bytes
> 
> Now my question:
> There are often several fields which show me byte sizes: one follows
> directly after the interface field (e.g. "680 bytes"), and one is
> at the end of the log line (e.g. "3844 bytes"). Could someone tell me
> what these two fields mean? Which of those must be
> added to the traffic sum for the customer with the IP 62.208.64.173?

The first byte figure is the size of the last packet received, while the 
second figure is the total number of bytes and packets for the connection 
so far.

Hmm, I've come to realize that the documentation is weak in this area.  
I'll adjust the chapter on logging to make this a bit clearer.

> 
> 2) Our network is protected by an iptables firewall which does DNAT. Every
> external IP of our network is NATted 1:1 to the corresponding internal one.
> But when I had a look at the IPTraffic log, I could see that there
> were entries with the internal address as destination as well as
> entries with the external address as source. Often it seems as if the
> one entry would be the response packet of the other entry.
> 
> Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 217.85.196.193:64466 to 10.100.0.3:http; first packet (SYN)
> Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 217.85.196.193:64467 to 10.100.0.3:http; first packet (SYN)
> Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 62.208.64.173:http to 217.85.196.193:64466; first packet (SYN)
> Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 62.208.64.173:http to 217.85.196.193:64467; first packet (SYN)
> 
> What I would like to know is, how do IPTraffic and iptables work together? At
> what point of the iptables chains does IPTraffic log the packet?

I cannot say for sure about 1:1 NAT; I've only been able to perform 
extensive testing on masqueraded addresses.  Basically iptraf knows 
nothing about translation of IP addresses.  It only processes the 
addresses from any packets it captures.  Judging from your logs, it seems 
DNAT is rewriting the packet and re-injecting it into the interface's 
queue, making it look like two packets, but I can't be too sure.

Perhaps someone on the list has more information?  I haven't seen this 
with masqueraded machines.

Gerard
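Putting the two answers above into practice, here is an added example (my code, not from the original thread and not IPTraf's own source) that parses log entries in the format quoted in the question and sums bytes per customer the way the first answer implies: the trailing "N packets, M bytes" field is the running total for the logged flow, so the script keeps the final total per flow instead of adding up lines, which makes the duplicated "FIN sent" lines in the quoted log count once. The 1:1 DNAT table (`INTERNAL_TO_EXTERNAL`) and the sample log lines are constructed by me; the script only rewrites the internal address to the customer's external one so both kinds of entries from the second question land under the same customer, and, like the reply, it does not try to decide whether the pre- and post-NAT entries are one packet or two, so each logged `from A to B` flow is kept as its own counter. The `naive_sums` helper shows the two tempting wrong ways for comparison.

```python
"""Per-customer byte accounting from IPTraf TCP log lines.

Added example, not code from the original thread or from IPTraf itself.
Assumptions (mine): one log entry per line in the format quoted in the
thread; the operator knows the static 1:1 NAT table (INTERNAL_TO_EXTERNAL
below is constructed); each logged 'from A to B' flow is its own counter
and the trailing 'N packets, M bytes' field is that flow's running total,
as stated in Gerard's answer.
"""
import re

# Constructed sample log modelled on the lines quoted in the post (the
# mail client wrapped the originals; a real log has one entry per line).
# Line 3 repeats line 2 exactly, as in the quoted log.  The last two lines
# show a connection once with the internal DNAT address and once with the
# external one, as in the second question.
SAMPLE_LOG = """\
Wed Jan  8 13:47:58 2003; TCP; eth1; 60 bytes; from 62.208.64.173:http to 213.20.240.167:60252; first packet (SYN)
Wed Jan  8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
Wed Jan  8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
Wed Jan  8 13:47:58 2003; TCP; eth1; 1045 bytes; from 62.208.64.173:http to 213.20.240.167:60250; FIN sent; 7 packets, 5709 bytes
Wed Jan  8 14:04:31 2003; TCP; eth1; 48 bytes; from 217.85.196.193:64466 to 10.100.0.3:http; first packet (SYN)
Wed Jan  8 14:04:31 2003; TCP; eth1; 48 bytes; from 62.208.64.173:http to 217.85.196.193:64466; first packet (SYN)
"""

# Constructed static 1:1 DNAT table: internal address -> external address.
INTERNAL_TO_EXTERNAL = {"10.100.0.3": "62.208.64.173"}

# timestamp; proto; iface; <last packet> bytes; from A:pa to B:pb; state[; N packets, M bytes]
LINE_RE = re.compile(
    r"^(?P<ts>[^;]+); (?P<proto>\w+); (?P<iface>\w+); (?P<last>\d+) bytes; "
    r"from (?P<src>[\d.]+):(?P<sport>\w+) to (?P<dst>[\d.]+):(?P<dport>\w+); "
    r"(?P<state>[^;]+)"
    r"(?:; (?P<pkts>\d+) packets, (?P<total>\d+) bytes)?$"
)


def parse_line(line, nat=INTERNAL_TO_EXTERNAL):
    """Parse one TCP log entry; returns None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    # Map DNAT-internal addresses to the customer's external address so the
    # customer is keyed under one address whichever side of the translation
    # iptraf captured.  Assumes the static table above is complete.
    e["src"] = nat.get(e["src"], e["src"])
    e["dst"] = nat.get(e["dst"], e["dst"])
    e["last"] = int(e["last"])                      # size of the packet that caused the entry
    e["pkts"] = int(e["pkts"]) if e["pkts"] else None
    e["total"] = int(e["total"]) if e["total"] else None  # cumulative bytes for this flow
    return e


def flow_totals(log_text, nat=INTERNAL_TO_EXTERNAL):
    """Final cumulative byte count per logged flow (src:sport -> dst:dport).

    The trailing counter is cumulative, so keep the largest value seen per
    flow rather than adding entries: a flow logged twice (the duplicated
    FIN lines) then counts once, and a later entry supersedes an earlier one.
    """
    totals = {}
    for line in log_text.splitlines():
        e = parse_line(line, nat)
        if e is None or e["total"] is None:
            continue  # SYN-only entries carry no cumulative counter yet
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        totals[key] = max(totals.get(key, 0), e["total"])
    return totals


def customer_bytes(log_text, customer_ip, nat=INTERNAL_TO_EXTERNAL):
    """Bytes of every logged flow the customer address sent or received."""
    return sum(total for (src, _, dst, _), total in flow_totals(log_text, nat).items()
               if customer_ip in (src, dst))


def naive_sums(log_text, customer_ip, nat=INTERNAL_TO_EXTERNAL):
    """The two wrong ways, for comparison: adding the per-entry packet size
    (misses every packet that produced no log entry) and adding the
    cumulative field on every line (counts a flow once per entry)."""
    last_sum = total_sum = 0
    for line in log_text.splitlines():
        e = parse_line(line, nat)
        if e is None or customer_ip not in (e["src"], e["dst"]):
            continue
        last_sum += e["last"]
        total_sum += e["total"] or 0
    return last_sum, total_sum


if __name__ == "__main__":
    ip = "62.208.64.173"
    print(f"{ip}: {customer_bytes(SAMPLE_LOG, ip)} bytes (final totals per flow)")
    print(f"{ip}: naive sums (last-packet field, total field) = {naive_sums(SAMPLE_LOG, ip)}")
```

On the constructed sample the per-flow method gives 9553 bytes for 62.208.64.173 (3844 + 5709), while adding the first field across lines gives only 2561 and adding the last field across lines gives 13397 because the repeated FIN entry is counted twice. For production use, feed the script the whole log file and bear in mind that flows still open when the log was read have not yet reached their final total.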