Hi Rune,
--On March 21, 2007 13:09:32 +0100 Rune Sydskjør <[EMAIL PROTECTED]> wrote:
| Hi,
|
| One of our customers wants to locate file-sharers which share files. Not
| those who just download. One method of doing that is to locate only the
| flows which are initialized from the outside to some given ports.
|
| I can see from the documentation of nfsen:
| "The ordering of the flags is not relevant. Flags not mentioned are
| treated as don't care. In order
| to get those flows with only the SYN flag set, use the syntax 'flags S
| and not flags AFRPU'."
|
| This gives us this filter which will result in *possible* flows
| containing bittorrent traffic initialized from the outside:
| proto tcp and dst net <dst-net-address> and dst port > 6000 and dst port
| < 7000 and flags S and not flags AFRPU
This will match flows to your network, having only the 'S' flag set, which means
the connection could not have been established.
|
| Yes, I'm aware that bittorrent also uses other ports, but let's not
| discuss that. I'm wondering if this is going to work? Wouldn't all
| successful flows (a full tcp connection) include a SYN-flag? The whole
| flow includes every packet of the flow, and I guess this is based on an
| or-statement including all the packets in one flow? I.e. every flow
| whether it is initialized from the outside or not will include only a
| SYN-flag in one of the packets, and we can't decide whether one flow is
| initialized from the outside or not?
As you said, flags are 'or'ed, which means for a typical completed TCP
connection you get two flows:
a -> b flags SAPF
b -> a flags SAPF
Which host initiated the connection can not be determined any more, unless you
have any additional information such as the nature of the protocol (a webserver
usually never initiates a connection - usually :) or the setup policies, such as
blocking incoming traffic with firewalls, whatsoever.
All you can say: Host a and b successfully initiated a connection, exchanged
traffic, and properly closed the connection.
This is the easy one. Now you can have various additional flows, depending on
how long the connection is alive, if the router just exported flows, whatsoever.
In the end you need to aggregate the flows to reduce them to the two flows above.
- Peter
|
| Regards,
| Rune Sydskjør, UNINETT
|
| -------------------------------------------------------------------------
| Take Surveys. Earn Cash. Influence the Future of IT
| Join SourceForge.net's Techsay panel and you'll get the chance to share your
| opinions on IT & business topics through brief surveys-and earn cash
| http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag, Security Engineer, Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA FB 84 CA 94 AB FC 5D D7
SWITCH, Limmatquai 138, CH-8001 Zurich, Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
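Peter's point about OR'ed flags and aggregation, shown as an added Python example (not code from the thread or from nfdump): the flow records are constructed, and the flag-matching helper mimics the 'flags S and not flags AFRPU' semantics quoted from the nfsen documentation above.

```python
from collections import defaultdict

# Constructed sample records in the shape a router exports them:
# (src, sport, dst, dport, flags). A long-lived connection is exported
# as several partial records per direction; the last one is a lone SYN
# that was never answered (closed port, filtered host, or a probe).
RECORDS = [
    ("10.0.0.5", 51000, "192.0.2.7", 6881, "S"),
    ("10.0.0.5", 51000, "192.0.2.7", 6881, "AP"),
    ("10.0.0.5", 51000, "192.0.2.7", 6881, "AF"),
    ("192.0.2.7", 6881, "10.0.0.5", 51000, "SA"),
    ("192.0.2.7", 6881, "10.0.0.5", 51000, "APF"),
    ("198.51.100.9", 40000, "192.0.2.7", 6882, "S"),
]

FLAG_ORDER = "SAPFRU"  # print order chosen to match the "SAPF" notation in the mail


def aggregate(records):
    """Collapse all records of one 5-tuple into a single flow, OR-ing the
    flags the way the flow flag field accumulates over every packet."""
    seen = defaultdict(set)
    for src, sport, dst, dport, flags in records:
        seen[(src, sport, dst, dport)].update(flags)
    return {k: "".join(f for f in FLAG_ORDER if f in v) for k, v in seen.items()}


def flags_match(flow_flags, required, forbidden=""):
    """'flags <required> and not flags <forbidden>': every required flag
    must be set, none of the forbidden ones may be; others are don't-care."""
    have = set(flow_flags)
    return set(required) <= have and not (set(forbidden) & have)


def syn_only_flows(flows):
    """Flows the filter 'flags S and not flags AFRPU' would select, i.e.
    connection attempts that never got past the SYN."""
    return {k: v for k, v in flows.items() if flags_match(v, "S", "AFRPU")}


if __name__ == "__main__":
    flows = aggregate(RECORDS)
    for key, fl in flows.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]} flags {fl}")
    print("SYN-only:", list(syn_only_flows(flows)))
```

Both directions of the completed connection aggregate to SAPF, so nothing in the flags says which side initiated it; only the unanswered SYN survives the filter.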