LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 01-16-2006, 03:55 PM   #1
dales79
LQ Newbie
 
Registered: Jan 2006
Posts: 11

Rep: Reputation: 0
detect ip address of packets


Hi

I need to detect the ip address of all outgoing and incoming packets on the outside of my LINUX firewall. Can someone advise me on the best way of doing this?

Thanks in advance

Sam
 
Old 01-16-2006, 05:44 PM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
Are you using iptables? The following will log packets in and out of your PC.

Code:
iptables -t filter -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT: "
iptables -t filter -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "OUTPUT: "
If you have more than one network card, you should filter for the card that is connected to the internet. If the internet interface was eth1:

Code:
iptables -t filter -A INPUT -i eth1 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "INPUT: "
iptables -t filter -A OUTPUT -o eth1 -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "OUTPUT: "
The above will log packets to /var/log/syslog or /var/log/messages depending on your system. There will be a LOT of data so you should prepare scripts to parse the log (or use something like logwatch).

Last edited by gilead; 01-16-2006 at 05:46 PM.
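gilead's reply ends with the advice to prepare scripts to parse the log. The following Python is an added example (not part of the thread and not gilead's code) of such a script: it parses the kernel LOG lines in the syslog format the rules above produce and summarizes which remote addresses exchanged packets with the firewall. The sample lines, the hostname `fw` and all addresses (documentation ranges) are constructed. Two things to keep in mind when reading its output: the `-m limit` match in the rules means only a sample of packets is logged (3 per minute after the burst), and the INPUT and OUTPUT chains see only traffic to and from the firewall itself; packets routed through from the LAN traverse the FORWARD chain instead.

```python
import re
from collections import Counter

# Constructed sample of syslog lines as the LOG target writes them with the
# "INPUT: " / "OUTPUT: " prefixes from the rules above. The hostname fw and
# all addresses (documentation ranges) are made up; the last line is an
# unrelated sshd message to show that non-iptables lines are ignored.
SAMPLE_SYSLOG = """\
Jan 17 09:12:01 fw kernel: OUTPUT: IN= OUT=eth1 SRC=203.0.113.5 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 17 09:12:01 fw kernel: INPUT: IN=eth1 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.20 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=80 DPT=40001 WINDOW=14600 RES=0x00 ACK SYN URGP=0
Jan 17 09:12:02 fw kernel: OUTPUT: IN= OUT=eth1 SRC=203.0.113.5 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=UDP SPT=51000 DPT=53 LEN=56
Jan 17 09:12:05 fw kernel: INPUT: IN=eth1 OUT= MAC=00:50:56:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=198.51.100.77 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=4321 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 17 09:12:06 fw sshd[2231]: Accepted publickey for sam from 198.51.100.20 port 50022 ssh2
"""

# Only lines carrying one of the two prefixes used in the rules are of interest.
LOG_RE = re.compile(r"kernel: (?P<prefix>INPUT|OUTPUT): (?P<fields>.*)$")


def parse_log_line(line):
    """Parse one LOG line into a dict of its KEY=VALUE fields; return None
    for lines that are not iptables log entries."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"PREFIX": m.group("prefix"), "FLAGS": []}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            # Some keys repeat (LEN for UDP, ID for ICMP): the first occurrence
            # belongs to the IP header, so keep that one.
            rec.setdefault(key, value)
        else:
            rec["FLAGS"].append(token)  # bare flags such as DF, SYN, ACK
    return rec


def parse_syslog(text):
    """Parse a whole syslog extract, skipping lines that are not LOG entries."""
    return [rec for rec in map(parse_log_line, text.splitlines()) if rec]


def peer_of(rec):
    """The remote address: the source for inbound packets, the destination
    for outbound ones."""
    return rec["SRC"] if rec["PREFIX"] == "INPUT" else rec["DST"]


def address_summary(records):
    """Count packets per (direction, peer address, protocol, service), where
    service is the destination port for TCP/UDP and the ICMP type otherwise."""
    counts = Counter()
    for rec in records:
        service = rec.get("DPT") or rec.get("TYPE") or "-"
        counts[(rec["PREFIX"], peer_of(rec), rec["PROTO"], service)] += 1
    return counts


def external_peers(records):
    """Sorted list of every remote address seen in either direction."""
    return sorted({peer_of(rec) for rec in records})


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    for key, n in sorted(address_summary(recs).items()):
        direction, peer, proto, service = key
        print(f"{direction:6} {peer:16} {proto:4} {service:>5}  {n} packet(s)")
    print("peers:", ", ".join(external_peers(recs)))
```

To run it against a real log, read /var/log/syslog or /var/log/messages (whichever your system uses) and pass its contents to `parse_syslog`; lines that are not LOG entries are skipped.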
 
Old 01-16-2006, 05:45 PM   #3
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
iptables -I INPUT -i eth1 -j LOG
iptables -I OUTPUT -o eth1 -j LOG

If this doesn't answer your question, perhaps you could be a little more detailed in what you require, what you have tried, and what your goal is.
 
Old 01-16-2006, 05:49 PM   #4
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

sure enough you've got several ways to do so...
iptables can log the packets to the console or logfile
tcpdump can output them on the console or to a regular file
I think the winner of the game may be snort, which can output that to lots of formats, from binary mode (pretty quick) to database (handy for further processing).

the real question is, what do you want to do with this info... if you write the source and destination IP of every single packet that goes through your firewall, you will have to deal with a _HUGE_ amount of (redundant) info.
Even before talking of processing this info, just writing it to disk will use some resources and may quickly take lots of disk space if you're not careful in how you store it and delete it once it's out of date.

You must also be aware that writing to disk is slow, so if you have too many packets going through, writing all the info may not be possible... as an example, you can run tcpdump and generate lots of traffic... you'll see that once stopped, tcpdump tells you how many packets it has captured, how many packets went through and how many were discarded (dropped).

I think you'd better explain what you want to achieve with this info, people might give you better advice.

Anyway, don't misunderstand my post, that's definitely doable, the thing is you've got to do it the proper way for what you're after!
 
Old 01-17-2006, 03:35 AM   #5
dales79
LQ Newbie
 
Registered: Jan 2006
Posts: 11

Original Poster
Rep: Reputation: 0
Hi

Thanks for all your posts and your time in replying to me.

I have found ethereal software, which seems to be able to do what I am looking for.

Basically I have to set up PAT and want to be able to check that the packets on the outside of the firewall have the same ip address as the firewall's external interface. Also I need to ensure that computers on the inside of the firewall can simultaneously make connections to the outside world, and that the ip address of these connections is the same, but with different port numbers.

So I am hoping I can use ethereal to do all of this.

If you disagree, or you have a better way, please do let me know as the stuff you posted was very helpful, especially to a newbie like me!

Thanks for your time again

Sam
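The PAT check Sam describes above can be automated on a text capture instead of being done by eye in ethereal. The following Python is an added example (not from the thread and not Sam's or ethereal's code): it parses the output of `tcpdump -n -i eth1` taken on the external interface and verifies the two properties listed in the post: every outbound packet carries the firewall's external address, and concurrent connections to the same outside service are told apart by different translated source ports. The capture lines, the external address 203.0.113.5 and the other addresses are constructed; the single packet from 192.168.1.23 is there to show what an untranslated packet looks like. A capture on eth1 is the right place for this check because iptables LOG rules in the filter table run before the nat table's POSTROUTING translation and therefore show the pre-NAT source address, whereas tcpdump and ethereal on eth1 see the packet as it leaves the interface.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of `tcpdump -n -i eth1` output on the firewall's outside
# interface. 203.0.113.5 stands in for the firewall's external address and
# 198.51.100.x for outside servers (documentation ranges, not real hosts).
# The last line, from 192.168.1.23, is an inside host whose packet left
# untranslated; it is included so the check has something to flag.
SAMPLE_CAPTURE = """\
09:12:01.000123 IP 203.0.113.5.40001 > 198.51.100.20.80: Flags [S], seq 1001, win 5840, length 0
09:12:01.000457 IP 203.0.113.5.40002 > 198.51.100.20.80: Flags [S], seq 2002, win 5840, length 0
09:12:01.020011 IP 198.51.100.20.80 > 203.0.113.5.40001: Flags [S.], seq 9, ack 1002, win 14600, length 0
09:12:01.020955 IP 198.51.100.20.80 > 203.0.113.5.40002: Flags [S.], seq 10, ack 2003, win 14600, length 0
09:12:02.000001 IP 203.0.113.5.51000 > 198.51.100.9.53: 4711+ A? example.com. (28)
09:12:03.000001 IP 192.168.1.23.51001 > 198.51.100.9.53: 4712+ A? example.net. (28)
"""

# Matches the "src.port > dst.port:" header tcpdump prints for TCP and UDP
# when run with -n (numeric addresses and ports).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Return one dict per TCP/UDP line; lines tcpdump prints for other
    protocols (ICMP, ARP) do not match the header pattern and are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append({
                "ts": m.group("ts"),
                "src": m.group("src"), "sport": int(m.group("sport")),
                "dst": m.group("dst"), "dport": int(m.group("dport")),
            })
    return packets


def check_pat(packets, external_ip):
    """Check outbound packets seen on the external interface for two PAT
    properties:
      1. every packet leaving carries external_ip as its source (any other
         address there means the translation did not happen);
      2. connections to the same outside service are told apart by different
         translated source ports.
    Inbound packets (addressed to external_ip) are replies and are skipped."""
    ext = ip_address(external_ip)
    leaks = []
    ports_per_service = defaultdict(set)
    for p in packets:
        if ip_address(p["dst"]) == ext:
            continue  # inbound reply, not a translated outbound packet
        if ip_address(p["src"]) == ext:
            ports_per_service[(p["dst"], p["dport"])].add(p["sport"])
        else:
            leaks.append(p)
    return {
        "leaks": leaks,
        "ports_per_service": {k: sorted(v) for k, v in ports_per_service.items()},
    }


if __name__ == "__main__":
    result = check_pat(parse_capture(SAMPLE_CAPTURE), "203.0.113.5")
    for (dst, dport), ports in sorted(result["ports_per_service"].items()):
        print(f"{dst}:{dport} reached from translated source ports {ports}")
    for p in result["leaks"]:
        print(f"UNTRANSLATED: {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} at {p['ts']}")
```

To use it on real traffic, save the output of `tcpdump -n -i eth1` to a file while machines on the inside make their connections, then pass the file's contents to `parse_capture` and your real external address to `check_pat`. Two inside hosts talking to the same server should show up as two different source ports under one `(dst, dport)` key, and the `leaks` list should stay empty.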
 
Old 01-17-2006, 07:29 AM   #6
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184
Sounds like ethereal is the best tool for the job you are trying to do right now. For long term stats gathering I like ntop which you might like to have a look at here
 