Monitoring NAT with ethereal
Hello
I've a Linux box running Ubuntu 7.04 and configured as a NAT firewall. It works perfectly well. My local LAN is on eth1 and eth0 is hooked to an ADSL modem using PPPoE... I'm trying to debug a SIP application which sends SIP packets from the LAN to a server on the net. I use wireshark (ethereal) and start monitoring on the 'any' pseudo interface. When my app sends a SIP packet from localaddr:5060 to NETADDR:5060 I see it 3 times in wireshark:
1. as it arrives on eth1, source:5060 => globaladdr:5060
2. on the ppp0 interface as mypublicip:5060 => NETADDR:5060
3. on eth0 encapsulated in pppoe as mypublicip:5060 => NETADDR:5060
When I capture this packet on the server at NETADDR, I see it as mypublicip:33789 => NETADDR:5060
Which is perfectly ok, because my NAT firewall translated source port 5060 to 33780.
My question is: How can I see the result of this translation in ethereal on my firewall box? I do see the translation from localaddr to mypublicip but not the translation from port 5060 to 33789.
Any ideas?
Thanks
Vadim
without wishing to doubt you, can you actually show us the output from wireshark? best to use tshark or tcpdump to get a nicer output to paste in here, but at the point where it gets your public ip, it will need a suitable port too... nothing else has the right to do that, or the need to do that. you could always tap the cable between the modem and eth0 i guess, just using a hub, and then loop back to sniff it on the client or something... that's naturally as physically far down the line as you'll be able to get.
Here is the tshark capture:
tshark: Promiscuous mode not supported on the "any" device.
frame 2219 on eth1(LAN) 2220 on ppp0, 2221 on eth0 encapsulated in PPPoE
Capturing on Pseudo-device that captures on all interfaces

Frame 2219 (356 bytes on wire, 356 bytes captured)
    Arrival Time: May 15, 2007 20:55:36.994382000
    [Time delta from previous packet: 0.108268000 seconds]
    [Time since reference or first frame: 26.910773000 seconds]
    Frame Number: 2219
    Packet Length: 356 bytes
    Capture Length: 356 bytes
    [Frame is marked: False]
    [Protocols in frame: sll:ip:udp:sip]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: jim (00:11:d8:32:ca:b0)
    Protocol: IP (0x0800)
Internet Protocol, Src: 192.168.10.15 (192.168.10.15), Dst: 62.219.102.53 (62.219.102.53)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 340
    Identification: 0x32b7 (12983)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x971a [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.10.15 (192.168.10.15)
    Destination: 62.219.102.53 (62.219.102.53)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5062 (5062)
    Source port: sip (5060)
    Destination port: 5062 (5062)
    Length: 320
    Checksum: 0x7fc0 [correct]
Session Initiation Protocol
    Request-Line: REGISTER sip:62.219.102.53 SIP/2.0
        Method: REGISTER
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 192.168.10.15:5060;rport;branch=123456789
            Transport: UDP
            Sent-by Address: 192.168.10.15
            Sent-by port: 5060
            RPort: rport
            Branch: 123456789
        Route: <sip:62.219.102.53;lr>
        From: nobody <sip:nobody@62.219.102.53>;tag=123456789
            SIP Display info: nobody
            SIP from address: sip:nobody@62.219.102.53
            SIP tag: 123456789
        To: <sip:nobody@62.219.102.53>
            SIP to address: sip:nobody@62.219.102.53
        Call-ID: 000001@ping
        Contact: <sip:nobody@192.168.10.15>
            Contact Binding: <sip:nobody@192.168.10.15>
                URI: <sip:nobody@192.168.10.15>
                    SIP contact address: sip:nobody@192.168.10.15
        CSeq: 2 REGISTER
            Sequence Number: 2
            Method: REGISTER
        Content-Length: 0

Frame 2220 (356 bytes on wire, 356 bytes captured)
    Arrival Time: May 15, 2007 20:55:36.994446000
    [Time delta from previous packet: 0.000064000 seconds]
    [Time since reference or first frame: 26.910837000 seconds]
    Frame Number: 2220
    Packet Length: 356 bytes
    Capture Length: 356 bytes
    [Frame is marked: False]
    [Protocols in frame: sll:ip:udp:sip]
Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src: 217.128.124.171 (217.128.124.171), Dst: 62.219.102.53 (62.219.102.53)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 340
    Identification: 0x32b7 (12983)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: UDP (0x11)
    Header checksum: 0x0ca6 [correct]
        [Good: True]
        [Bad : False]
    Source: 217.128.124.171 (217.128.124.171)
    Destination: 62.219.102.53 (62.219.102.53)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5062 (5062)
    Source port: sip (5060)
    Destination port: 5062 (5062)
    Length: 320
    Checksum: 0xf44b [correct]
Session Initiation Protocol
    Request-Line: REGISTER sip:62.219.102.53 SIP/2.0
        Method: REGISTER
        [Resent Packet: False]
    Message Header
        Via: SIP/2.0/UDP 192.168.10.15:5060;rport;branch=123456789
            Transport: UDP
            Sent-by Address: 192.168.10.15
            Sent-by port: 5060
            RPort: rport
            Branch: 123456789
        Route: <sip:62.219.102.53;lr>
        From: nobody <sip:nobody@62.219.102.53>;tag=123456789
            SIP Display info: nobody
            SIP from address: sip:nobody@62.219.102.53
            SIP tag: 123456789
        To: <sip:nobody@62.219.102.53>
            SIP to address: sip:nobody@62.219.102.53
        Call-ID: 000001@ping
        Contact: <sip:nobody@192.168.10.15>
            Contact Binding: <sip:nobody@192.168.10.15>
                URI: <sip:nobody@192.168.10.15>
                    SIP contact address: sip:nobody@192.168.10.15
        CSeq: 2 REGISTER
            Sequence Number: 2
            Method: REGISTER
        Content-Length: 0

Frame 2221 (364 bytes on wire, 364 bytes captured)
    Arrival Time: May 15, 2007 20:55:36.994456000
    [Time delta from previous packet: 0.000010000 seconds]
    [Time since reference or first frame: 26.910847000 seconds]
    Frame Number: 2221
    Packet Length: 364 bytes
    Capture Length: 364 bytes
    [Frame is marked: False]
    [Protocols in frame: sll:pppoes:ppp:ip:udp:sip]
Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 1
    Link-layer address length: 6
    Source: D-Link_f0:52:2d (00:0f:3d:f0:52:2d)
    Protocol: PPPoE Session (0x8864)
PPP-over-Ethernet Session
    0001 .... = Version: 1
    .... 0001 = Type: 1
    Code: Session Data (0x00)
    Session ID: 0x0eca
    Payload Length: 342
Point-to-Point Protocol
    Protocol: IP (0x0021)
Internet Protocol, Src: 217.128.124.171 (217.128.124.171), Dst: 62.219.102.53 (62.219.102.53)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 340
    Identification: 0x32b7 (12983)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: UDP (0x11)
    Header checksum: 0x0ca6 [correct]
        [Good: True]
        [Bad : False]
    Source: 217.128.124.171 (217.128.124.171)
    Destination: 62.219.102.53 (62.219.102.53)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5062 (5062)
    Source port: sip (5060)
    Destination port: 5062 (5062)
    Length: 320
    Checksum: 0xf44b [correct]
Session Initiation Protocol
    Request-Line: REGISTER sip:62.219.102.53 SIP/2.0
        Method: REGISTER
        [Resent Packet: True]
        [Suspected resend of frame: 2220]
    Message Header
        Via: SIP/2.0/UDP 192.168.10.15:5060;rport;branch=123456789
            Transport: UDP
            Sent-by Address: 192.168.10.15
            Sent-by port: 5060
            RPort: rport
            Branch: 123456789
        Route: <sip:62.219.102.53;lr>
        From: nobody <sip:nobody@62.219.102.53>;tag=123456789
            SIP Display info: nobody
            SIP from address: sip:nobody@62.219.102.53
            SIP tag: 123456789
        To: <sip:nobody@62.219.102.53>
            SIP to address: sip:nobody@62.219.102.53
        Call-ID: 000001@ping
        Contact: <sip:nobody@192.168.10.15>
            Contact Binding: <sip:nobody@192.168.10.15>
                URI: <sip:nobody@192.168.10.15>
                    SIP contact address: sip:nobody@192.168.10.15
        CSeq: 2 REGISTER
            Sequence Number: 2
            Method: REGISTER
        Content-Length: 0
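
An added example, not part of the original thread: a small Python parser for verbose tshark text that pairs sightings of the same datagram on the "any" device by IP Identification and reports which fields were rewritten between them. The names parse_frames and rewrites are chosen for this example, and the sample input is condensed from the capture posted above.

```python
import re

# Condensed from the tshark -V output in the post above (only the parsed fields).
SAMPLE = """\
Frame 2219 (356 bytes on wire, 356 bytes captured)
    [Protocols in frame: sll:ip:udp:sip]
Internet Protocol, Src: 192.168.10.15 (192.168.10.15), Dst: 62.219.102.53 (62.219.102.53)
    Identification: 0x32b7 (12983)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5062 (5062)
Frame 2220 (356 bytes on wire, 356 bytes captured)
    [Protocols in frame: sll:ip:udp:sip]
Internet Protocol, Src: 217.128.124.171 (217.128.124.171), Dst: 62.219.102.53 (62.219.102.53)
    Identification: 0x32b7 (12983)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5062 (5062)
Frame 2221 (364 bytes on wire, 364 bytes captured)
    [Protocols in frame: sll:pppoes:ppp:ip:udp:sip]
Internet Protocol, Src: 217.128.124.171 (217.128.124.171), Dst: 62.219.102.53 (62.219.102.53)
    Identification: 0x32b7 (12983)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5062 (5062)
"""

FIELDS = {
    "frame": re.compile(r"^Frame (\d+) \("),
    "protocols": re.compile(r"\[Protocols in frame: ([^\]]+)\]"),
    "src": re.compile(r"Internet Protocol, Src: (\S+)"),
    "ip_id": re.compile(r"Identification: (0x[0-9a-f]+)"),
    "sport": re.compile(r"User Datagram Protocol, Src Port: .*?\((\d+)\)"),
}

def parse_frames(text):
    """Split verbose tshark text at each 'Frame N (' header and extract FIELDS."""
    starts = [m.start() for m in re.finditer(r"^Frame \d+ \(", text, re.M)]
    frames = []
    for s, e in zip(starts, starts[1:] + [len(text)]):
        hits = {name: rx.search(text[s:e]) for name, rx in FIELDS.items()}
        frames.append({n: h.group(1) if h else None for n, h in hits.items()})
    return frames

def rewrites(frames):
    """For successive sightings of one IP ID, report which parsed fields changed."""
    out, last = [], {}
    for f in frames:
        prev = last.get(f["ip_id"])
        if prev and f["ip_id"]:
            keys = ("protocols", "src", "sport")
            diff = {k: (prev[k], f[k]) for k in keys if prev[k] != f[k]}
            out.append((prev["frame"], f["frame"], diff))
        last[f["ip_id"]] = f
    return out
```

On this capture the only rewrite between frames 2219 and 2220 is the source address, and the source port is 5060 in all three sightings. IP Identification is a 16-bit field, so on a busy link match on destination address and payload length as well before treating two frames as the same datagram.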