Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
#1  01-16-2006, 03:55 PM
LQ Newbie, Registered: Jan 2006, Posts: 11
detect ip address of packets
Hi
I need to detect the ip address of all outgoing and incoming packets on the outside of my LINUX firewall. Can someone advise me on the best way of doing this?
Thanks in advance
Sam
#2  01-16-2006, 05:44 PM
Senior Member, Registered: Dec 2005, Location: Brisbane, Australia, Distribution: Slackware64 14.0, Posts: 4,141
Are you using iptables? The following will log packets in and out of your PC.
Code:
iptables -t filter -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT: "
iptables -t filter -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "OUTPUT: "
If you have more than one network card, you should filter for the card that is connected to the internet. If the internet interface was eth1:
Code:
iptables -t filter -A INPUT -i eth1 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT: "
iptables -t filter -A OUTPUT -o eth1 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "OUTPUT: "
The above will log packets to /var/log/syslog or /var/log/messages depending on your system. There will be a LOT of data so you should prepare scripts to parse the log (or use something like logwatch).
Last edited by gilead; 01-16-2006 at 05:46 PM.
#3  01-16-2006, 05:45 PM
Senior Member, Registered: Jan 2003, Location: Portland, OR USA, Distribution: Slackware, SLAX, Gentoo, RH/Fedora, Posts: 1,024
iptables -I INPUT -i eth1 -j LOG
iptables -I OUTPUT -o eth1 -j LOG
If this doesn't answer your question, perhaps you could be a little more detailed in what you require, what you have tried, and what your goal is.
#4  01-16-2006, 05:49 PM
Member, Registered: Jan 2005, Location: Cork Ireland, Distribution: Debian, Posts: 384
Hi,
sure enough you've got several ways to do so...
iptables can log the packets to the console or logfile
tcpdump can output them on the console or to a regular file
I think the winner of the game may be snort, which can output that to lots of formats, from binary mode (pretty quick) to database (handy for further processing).
the real question is, what do you want to do with this info... if you write the source and destination IP of every single packet that goes through your firewall, you will have to deal with a _HUGE_ amount of (redundant) info.
Even before talking of processing this info, just writing it to disk will use some resources and may quickly take lots of disk space if you're not careful in how you store it and delete it once it's out of date.
You must also be aware that writing to disk is slow, so if you have too many packets going through, writing all the info may not be possible... as an example, you can run tcpdump and generate lots of traffic... you'll see that once stopped, tcpdump tells you how many packets it has captured, how many packets went through and how many were discarded (dropped).
I think you'd better explain what you want to achieve with this info, people might give you better advice.
Anyway, don't misunderstand my post, that's definitely doable, the thing is you've got to do it the proper way for what you're after!
#5  01-17-2006, 03:35 AM
LQ Newbie, Registered: Jan 2006, Posts: 11, Original Poster
Hi
Thanks for all your posts and your time in replying to me.
I have found ethereal software, which seems to be able to do what I am looking for.
Basically I have to setup PAT and want to be able to check that the packets on the outside of the firewall have the same ip address as the firewall's external interface. Also I need to ensure that computers on the inside of the firewall can simultaneously make connections to the outside world, and that the ip address of these connections is the same, but with different port numbers.
So I am hoping I can use ethereal to do all of this.
If you disagree, or you have a better way, please do let me know as the stuff you posted was very helpful, especially to a newbie like me!
Thanks for your time again
Sam
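The two things asked for in this thread, a script to parse the iptables LOG output from post #2 and a way to confirm the PAT behaviour described in post #5, can both be done with a few lines of Python. The following is an added example and not code from anyone in the thread. One caveat it is built around: a LOG rule in the filter table's OUTPUT or FORWARD chain records the source address before SNAT/MASQUERADE is applied in POSTROUTING, so it cannot show whether translation happened; for that you need a capture taken on the outside interface (tcpdump or ethereal, as Sam plans), which sees outbound packets after translation. The external address 203.0.113.5, the function names summarize_iptables_log and check_pat, and all sample lines are assumptions or constructed; eth1 is the internet-facing interface from post #2. tcpdump is assumed to have been run with -n so ports appear as numbers.

```python
"""Added example: summarise iptables LOG lines from the external interface and
check a tcpdump capture from that interface for the two PAT properties Sam
wants (translated source address, distinct source ports per connection)."""
import re
from collections import Counter, defaultdict

EXTERNAL_IP = "203.0.113.5"   # assumption: the firewall's outside address
EXTERNAL_IF = "eth1"          # internet-facing interface, as in post #2's rules

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")                        # iptables LOG fields
TCPDUMP_RE = re.compile(r"\bIP (\S+)\.(\d+) > (\S+)\.(\d+):")  # tcpdump -n TCP/UDP

# Constructed lines in the format the LOG target from post #2 writes to syslog.
IPTABLES_LOG = """\
Jan 16 17:50:01 fw kernel: INPUT: IN=eth1 OUT= SRC=198.51.100.20 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=80 DPT=40001 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Jan 16 17:50:02 fw kernel: INPUT: IN=eth1 OUT= SRC=198.51.100.20 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=80 DPT=40002 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Jan 16 17:50:03 fw kernel: OUTPUT: IN= OUT=eth1 SRC=203.0.113.5 DST=198.51.100.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40004 DPT=53 LEN=40
Jan 16 17:50:04 fw kernel: OUTPUT: IN= OUT=eth0 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=22 DPT=50000 WINDOW=5840 RES=0x00 ACK URGP=0
"""

# Constructed lines as "tcpdump -n -i eth1" prints them on the outside of the
# firewall, i.e. after source translation has been applied to outbound packets.
# The fourth line is an internal address that left untranslated.
TCPDUMP_CAPTURE = """\
17:50:01.000001 IP 203.0.113.5.40001 > 198.51.100.20.80: Flags [S], seq 1, win 5840, length 0
17:50:01.000002 IP 203.0.113.5.40002 > 198.51.100.20.80: Flags [S], seq 1, win 5840, length 0
17:50:01.000003 IP 198.51.100.20.80 > 203.0.113.5.40001: Flags [S.], seq 1, ack 2, win 14600, length 0
17:50:01.000004 IP 192.168.1.10.40003 > 198.51.100.20.443: Flags [S], seq 1, win 5840, length 0
17:50:01.000005 IP 203.0.113.5.40004 > 198.51.100.30.53: 1+ A? example.com. (29)
"""


def summarize_iptables_log(text):
    """Count (direction, src, dst) for packets the LOG rules saw on the
    external interface; lines for other interfaces are ignored."""
    counts = Counter()
    for line in text.splitlines():
        if "SRC=" not in line:
            continue
        kv = dict(KV_RE.findall(line))
        if kv.get("IN") == EXTERNAL_IF:
            counts[("in", kv["SRC"], kv["DST"])] += 1
        elif kv.get("OUT") == EXTERNAL_IF:
            counts[("out", kv["SRC"], kv["DST"])] += 1
    return counts


def check_pat(text):
    """Return (leaks, ports_by_service) for a capture taken on the outside.

    leaks: outbound packets whose source is not EXTERNAL_IP, i.e. an internal
    address that left the firewall untranslated.
    ports_by_service: {(dst, dport): sorted source ports}, so that several
    simultaneous connections to one service can be seen to share the external
    address and differ only by source port.
    Any packet not addressed to EXTERNAL_IP is taken to be outbound (assumption).
    """
    leaks = []
    ports = defaultdict(set)
    for line in text.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.groups()
        if dst == EXTERNAL_IP:
            continue                      # inbound reply, nothing to check here
        if src != EXTERNAL_IP:
            leaks.append((src, int(sport), dst, int(dport)))
        else:
            ports[(dst, int(dport))].add(int(sport))
    return leaks, {k: sorted(v) for k, v in ports.items()}


if __name__ == "__main__":
    for key, n in sorted(summarize_iptables_log(IPTABLES_LOG).items()):
        print(f"{key[0]:3} {key[1]:>15} -> {key[2]:<15} {n} pkt(s)")
    leaks, ports = check_pat(TCPDUMP_CAPTURE)
    for (dst, dport), sports in sorted(ports.items()):
        print(f"{dst}:{dport} reached from {EXTERNAL_IP} with source ports {sports}")
    for src, sport, dst, dport in leaks:
        print(f"UNTRANSLATED: {src}:{sport} -> {dst}:{dport}")
```

On a real firewall you would feed summarize_iptables_log the contents of /var/log/syslog or /var/log/messages (filtered with grep on the "INPUT: " / "OUTPUT: " prefixes) and check_pat the output of tcpdump -n -i eth1 run on the outside interface. An entry in leaks is the case to look for when testing PAT: a private address appearing on the wire means the MASQUERADE/SNAT rule did not match that packet.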
#6  01-17-2006, 07:29 AM
Member, Registered: Jan 2003, Location: Cambridgeshire, UK, Distribution: Mint (Desktop), Debian (Server), Posts: 891
Sounds like ethereal is the best tool for the job you are trying to do right now. For long term stats gathering I like ntop which you might like to have a look at here
All times are GMT -5.