Old 05-15-2007, 12:47 PM   #1
vadiml
Monitoring NAT with ethereal


Hello
I've a Linux box running Ubuntu 7.04 and configured as a NAT firewall.
It works perfectly well.

My local LAN is on eth1 and eth0 is hooked to an ADSL modem using PPPoE...

I'm trying to debug a SIP application which sends SIP packets from the LAN to a server on the NET.
I use wireshark (ethereal) and start monitoring on the 'any' pseudo interface.
When my app sends a SIP packet from localaddr:5060 to NETADDR:5060 I see it 3 times in wireshark:
1. as it arrives on eth1, source:5060 => globaladdr:5060
2. on the ppp0 interface as mypublicip:5060 => NETADDR:5060
3. on eth0 encapsulated in PPPoE as mypublicip:5060 => NETADDR:5060


When I capture this packet on the server at NETADDR,
I see it as mypublicip:33789 => NETADDR:5060

Which is perfectly OK, because my NAT firewall translated source port 5060 to 33780.

My question is: how can I see the result of this translation in ethereal on my firewall box?
I do see the translation from localaddr to mypublicip but not the translation from port 5060 to 33789

Any ideas?
Thanks
Vadim
 
Old 05-15-2007, 12:59 PM   #2
acid_kewpie
without wishing to doubt you, can you actually show us the output from wireshark? best to use tshark or tcpdump to get a nicer output to paste in here, but at the point where it gets your public ip, it will need a suitable port too... nothing else has the right to do that, or the need to do that. you could always tap the cable between the modem and eth0 i guess, just using a hub, and then loop back to sniff it on the client or something... that's naturally as physically far down the line as you'll be able to get.
 
Old 05-15-2007, 02:03 PM   #3
vadiml
Here is the tshark capture:

tshark: Promiscuous mode not supported on the "any" device.
frame 2219 on eth1(LAN) 2220 on ppp0, 2221 on eth0 encapsulated in PPPoE

Capturing on Pseudo-device that captures on all interfaces
Frame 2219 (356 bytes on wire, 356 bytes captured)
Arrival Time: May 15, 2007 20:55:36.994382000
[Time delta from previous packet: 0.108268000 seconds]
[Time since reference or first frame: 26.910773000 seconds]
Frame Number: 2219
Packet Length: 356 bytes
Capture Length: 356 bytes
[Frame is marked: False]
[Protocols in frame: sll:ip:udp:sip]
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 1
Link-layer address length: 6
Source: jim (00:11:d8:32:ca:b0)
Protocol: IP (0x0800)
Internet Protocol, Src: 192.168.10.15 (192.168.10.15), Dst: 62.219.102.53 (62.219.102.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 340
Identification: 0x32b7 (12983)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x971a [correct]
[Good: True]
[Bad : False]
Source: 192.168.10.15 (192.168.10.15)
Destination: 62.219.102.53 (62.219.102.53)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5062 (5062)
Source port: sip (5060)
Destination port: 5062 (5062)
Length: 320
Checksum: 0x7fc0 [correct]
Session Initiation Protocol
Request-Line: REGISTER sip:62.219.102.53 SIP/2.0
Method: REGISTER
[Resent Packet: False]
Message Header
Via: SIP/2.0/UDP 192.168.10.15:5060;rport;branch=123456789
Transport: UDP
Sent-by Address: 192.168.10.15
Sent-by port: 5060
RPort: rport
Branch: 123456789
Route: <sip:62.219.102.53;lr>
From: nobody <sip:nobody@62.219.102.53>;tag=123456789
SIP Display info: nobody
SIP from address: sip:nobody@62.219.102.53
SIP tag: 123456789
To: <sip:nobody@62.219.102.53>
SIP to address: sip:nobody@62.219.102.53
Call-ID: 000001@ping
Contact: <sip:nobody@192.168.10.15>
Contact Binding: <sip:nobody@192.168.10.15>
URI: <sip:nobody@192.168.10.15>
SIP contact address: sip:nobody@192.168.10.15
CSeq: 2 REGISTER
Sequence Number: 2
Method: REGISTER
Content-Length: 0

Frame 2220 (356 bytes on wire, 356 bytes captured)
Arrival Time: May 15, 2007 20:55:36.994446000
[Time delta from previous packet: 0.000064000 seconds]
[Time since reference or first frame: 26.910837000 seconds]
Frame Number: 2220
Packet Length: 356 bytes
Capture Length: 356 bytes
[Frame is marked: False]
[Protocols in frame: sll:ip:udp:sip]
Linux cooked capture
Packet type: Sent by us (4)
Link-layer address type: 512
Link-layer address length: 0
Source: <MISSING>
Protocol: IP (0x0800)
Internet Protocol, Src: 217.128.124.171 (217.128.124.171), Dst: 62.219.102.53 (62.219.102.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 340
Identification: 0x32b7 (12983)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 127
Protocol: UDP (0x11)
Header checksum: 0x0ca6 [correct]
[Good: True]
[Bad : False]
Source: 217.128.124.171 (217.128.124.171)
Destination: 62.219.102.53 (62.219.102.53)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5062 (5062)
Source port: sip (5060)
Destination port: 5062 (5062)
Length: 320
Checksum: 0xf44b [correct]
Session Initiation Protocol
Request-Line: REGISTER sip:62.219.102.53 SIP/2.0
Method: REGISTER
[Resent Packet: False]
Message Header
Via: SIP/2.0/UDP 192.168.10.15:5060;rport;branch=123456789
Transport: UDP
Sent-by Address: 192.168.10.15
Sent-by port: 5060
RPort: rport
Branch: 123456789
Route: <sip:62.219.102.53;lr>
From: nobody <sip:nobody@62.219.102.53>;tag=123456789
SIP Display info: nobody
SIP from address: sip:nobody@62.219.102.53
SIP tag: 123456789
To: <sip:nobody@62.219.102.53>
SIP to address: sip:nobody@62.219.102.53
Call-ID: 000001@ping
Contact: <sip:nobody@192.168.10.15>
Contact Binding: <sip:nobody@192.168.10.15>
URI: <sip:nobody@192.168.10.15>
SIP contact address: sip:nobody@192.168.10.15
CSeq: 2 REGISTER
Sequence Number: 2
Method: REGISTER
Content-Length: 0

Frame 2221 (364 bytes on wire, 364 bytes captured)
Arrival Time: May 15, 2007 20:55:36.994456000
[Time delta from previous packet: 0.000010000 seconds]
[Time since reference or first frame: 26.910847000 seconds]
Frame Number: 2221
Packet Length: 364 bytes
Capture Length: 364 bytes
[Frame is marked: False]
[Protocols in frame: sll:pppoes:ppp:ip:udp:sip]
Linux cooked capture
Packet type: Sent by us (4)
Link-layer address type: 1
Link-layer address length: 6
Source: D-Link_f0:52:2d (00:0f:3d:f0:52:2d)
Protocol: PPPoE Session (0x8864)
PPP-over-Ethernet Session
0001 .... = Version: 1
.... 0001 = Type: 1
Code: Session Data (0x00)
Session ID: 0x0eca
Payload Length: 342
Point-to-Point Protocol
Protocol: IP (0x0021)
Internet Protocol, Src: 217.128.124.171 (217.128.124.171), Dst: 62.219.102.53 (62.219.102.53)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 340
Identification: 0x32b7 (12983)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 127
Protocol: UDP (0x11)
Header checksum: 0x0ca6 [correct]
[Good: True]
[Bad : False]
Source: 217.128.124.171 (217.128.124.171)
Destination: 62.219.102.53 (62.219.102.53)
User Datagram Protocol, Src Port: sip (5060), Dst Port: 5062 (5062)
Source port: sip (5060)
Destination port: 5062 (5062)
Length: 320
Checksum: 0xf44b [correct]
Session Initiation Protocol
Request-Line: REGISTER sip:62.219.102.53 SIP/2.0
Method: REGISTER
[Resent Packet: True]
[Suspected resend of frame: 2220]
Message Header
Via: SIP/2.0/UDP 192.168.10.15:5060;rport;branch=123456789
Transport: UDP
Sent-by Address: 192.168.10.15
Sent-by port: 5060
RPort: rport
Branch: 123456789
Route: <sip:62.219.102.53;lr>
From: nobody <sip:nobody@62.219.102.53>;tag=123456789
SIP Display info: nobody
SIP from address: sip:nobody@62.219.102.53
SIP tag: 123456789
To: <sip:nobody@62.219.102.53>
SIP to address: sip:nobody@62.219.102.53
Call-ID: 000001@ping
Contact: <sip:nobody@192.168.10.15>
Contact Binding: <sip:nobody@192.168.10.15>
URI: <sip:nobody@192.168.10.15>
SIP contact address: sip:nobody@192.168.10.15
CSeq: 2 REGISTER
Sequence Number: 2
Method: REGISTER
Content-Length: 0
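
An added example, not part of the thread or written by either poster: it matches copies of one datagram across capture points using the fields that stay constant in frames 2219-2221 above (IP Identification, destination, UDP length) and reports which header fields changed between consecutive points. The record layout, the function names and the "server" row (built from the first post's description, with a made-up TTL) are assumptions.

```python
from collections import defaultdict

# Constructed records: the first three copy header fields from frames 2219-2221
# in the tshark output above; the "server" row is constructed from the poster's
# description of the far-end capture (port 33789), and its TTL is invented.
RECORDS = [
    {"point": "eth1", "ip_id": 0x32B7, "src": "192.168.10.15", "sport": 5060,
     "dst": "62.219.102.53", "dport": 5062, "ttl": 128, "udp_len": 320},
    {"point": "ppp0", "ip_id": 0x32B7, "src": "217.128.124.171", "sport": 5060,
     "dst": "62.219.102.53", "dport": 5062, "ttl": 127, "udp_len": 320},
    {"point": "eth0 (PPPoE)", "ip_id": 0x32B7, "src": "217.128.124.171", "sport": 5060,
     "dst": "62.219.102.53", "dport": 5062, "ttl": 127, "udp_len": 320},
    {"point": "server", "ip_id": 0x32B7, "src": "217.128.124.171", "sport": 33789,
     "dst": "62.219.102.53", "dport": 5062, "ttl": 118, "udp_len": 320},
]
COMPARED = ("src", "sport", "ttl")  # fields a source-NAT hop may rewrite

def datagram_key(rec):
    """Fields that are identical in all three frames of the capture above."""
    return (rec["ip_id"], rec["dst"], rec["dport"], rec["udp_len"])

def group_by_datagram(records):
    """Bucket capture records so each bucket holds the copies of one datagram."""
    groups = defaultdict(list)
    for rec in records:
        groups[datagram_key(rec)].append(rec)
    return groups

def hop_changes(group):
    """For each consecutive pair of capture points, list the fields that differ."""
    out = []
    for prev, cur in zip(group, group[1:]):
        diff = {f: (prev[f], cur[f]) for f in COMPARED if prev[f] != cur[f]}
        out.append((prev["point"], cur["point"], diff))
    return out

def first_port_rewrite(records):
    """Return the pair of capture points between which the source port changes."""
    for group in group_by_datagram(records).values():
        for a, b, diff in hop_changes(group):
            if "sport" in diff:
                return (a, b)
    return None

if __name__ == "__main__":
    for group in group_by_datagram(RECORDS).values():
        for a, b, diff in hop_changes(group):
            print(f"{a} -> {b}: {diff or 'no change'}")
```

With these records the address rewrite shows up between eth1 and ppp0, while the source port differs only between the last capture point on the firewall and the server-side row.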