RE: [LARTC] Not understanding network setup!!

2006-06-15 Thread ramsurrunv
Eliot, thx for the link..i'll check the program and see if I can use it.

Warm regards,
Visham
___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


RE: [LARTC] Not understanding network setup!!

2006-06-15 Thread Eliot, Wireless and Server Administrator, Great Lakes Internet

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of [EMAIL PROTECTED]
> Sent: Sunday, June 04, 2006 12:32 PM
> To: Martin A. Brown
> Cc: lartc@mailman.ds9a.nl; [EMAIL PROTECTED]
> Subject: RE: [LARTC] Not understanding network setup!!
> 
> Hi Martin,
> 
> > How many times (or how quickly) do you need to do this?  I have a
> > somewhat simple-minded solution for you, but it doesn't scale, and
> > may not actually solve your problem(s).
> 
> I actually need this for as long as the machine communicates with other
> PCs.
> 
> > If you are looking at inbound traffic to one of your servers, that
> > can be a bit trickier.
> 
> I have to capture those three packets for each and every TCP stream that
> is initiated. Also, I'm looking only for outbound communication, i.e.
> emanating from the PC on which I'm trying to catch the packets. So the ACK
> packet will be generated on the PC itself. But the problem is how do I
> capture that particular ACK packet and not the other ACK packets during
> the data transfer phase, w/o keeping track of IP address/port no. pairs.


The way I would do this is write a small userspace capturing tool that
runs as a daemon all the time and watches the packets as they traverse
the machine. I have written a small libpcap-based program which does
something similar. You are free to use whatever code you need from it as
long as the code will not be included in anything that is resold:

http://eliot.kayandee.net/traflog.php

This program simply counts traffic on a per-MAC and per-IP basis. It
also provides both MAC->IP and IP->MAC lookup tables. It should be
fairly trivial (as in no more than a day's worth of work) to modify it to
suit your needs.


Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
 
Now offering Broadband Wireless Internet access in Croswell, Lexington,
Brown City, Yale, Worth Township, and Sandusky. Call for details.


RE: [LARTC] Not understanding network setup!!

2006-06-15 Thread ramsurrunv
Many thx for the info Martin..I'll look at it right away.

Warm regards,
Visham


RE: [LARTC] Not understanding network setup!!

2006-06-04 Thread Martin A. Brown

Visham,

 : I have to capture those three packets for each and every TCP 
 : stream that is initiated. Also, I'm looking only for outbound 
 : communication, i.e. emanating from the PC on which I'm trying to 
 : catch the packets. So the ACK packet will be generated on the PC 
 : itself. But the problem is how do I capture that particular ACK 
 : packet and not the other ACK packets during the data transfer phase, 
 : w/o keeping track of IP address/port no. pairs.

It sounds like argus [0] may provide a better solution to your 
problem.  You will get much more information than you'd get with 
tcpdump, but you'll get at least what you describe.

-Martin

 [0] http://www.qosient.com/argus/

-- 
Martin A. Brown
http://linux-ip.net/


RE: [LARTC] Not understanding network setup!!

2006-06-04 Thread ramsurrunv
Hi Martin,

> How many times (or how quickly) do you need to do this?  I have a
> somewhat simple-minded solution for you, but it doesn't scale, and
> may not actually solve your problem(s).

I actually need this for as long as the machine communicates with other PCs.

> If you are looking at inbound traffic to one of your servers, that
> can be a bit trickier.

I have to capture those three packets for each and every TCP stream that
is initiated. Also, I'm looking only for outbound communication, i.e.
emanating from the PC on which I'm trying to catch the packets. So the ACK
packet will be generated on the PC itself. But the problem is how do I
capture that particular ACK packet and not the other ACK packets during
the data transfer phase, w/o keeping track of IP address/port no. pairs.

Warm regards,
Visham


RE: [LARTC] Not understanding network setup!!

2006-06-04 Thread Martin A. Brown

Visham,

 : By the way, do you know if there's a way to distinguish between 
 : the ACK packet sent during the connection establishment phase of 
 : a TCP connection and subsequent ACK packets sent during the data 
 : transfer phase?
 : 
 : I know that the ACK number sent during the connection 
 : establishment will be equal to the 'sequence number for the SYN 
 : in the SYN/ACK packet' + 1
 : 
 : Is there a way to distinguish between this 3rd packet and any 
 : other ACK packet during data transfer w/o having to keep track of 
 : sequence numbers? Are there other characteristics or options that 
 : are set in the former and not in the latter?
 : 
 : Basically I want to capture the three packets sent during the 
 : connection establishment phase of TCP. How can I do that?

How many times (or how quickly) do you need to do this?  I have a 
somewhat simple-minded solution for you, but it doesn't scale, and 
may not actually solve your problem(s).

If you have anything more than a few connections on which you wish 
to snoop (to see that they have successfully completed the 
handshake) my solution will not work for you.  I have used this to 
capture the first three packets exchanged on a particular TCP 
connection:

  tcpdump -nni $INTERFACE -c 3 host $TARGET and port $DPORT and \
    '(   tcp[tcpflags] & tcp-syn = tcp-syn
      or tcp[tcpflags] & tcp-ack = tcp-ack )'

If you are looking at inbound traffic to one of your servers, that 
can be a bit trickier.  You could, however, tcpdump the entire stream 
line-buffered and write a filter (sed/perl) that prints out only 
lines showing the SYN flag and lines containing 'ack 1 win'.


10:16:11.232505 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: S 2114067570:2114067570(0) win 5840
10:16:11.257184 IP aa.bb.cc.130.25 > xx.yy.zz.44.7284: S 1756590593:1756590593(0) ack 2114067571 win 5792
10:16:11.257242 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: . ack 1 win 1460


Good luck,

-Martin

-- 
Martin A. Brown
http://linux-ip.net/
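The line filter Martin describes (keep SYN lines plus the 'ack 1 win' line), written here as an added Python example rather than a sed/perl one-liner; it is not code from the thread. It assumes the older one-line tcpdump output format shown in his capture, with relative sequence numbers (tcpdump run without -S), and it applies one stricter test than a plain grep: the third packet must be an ACK-only segment with no payload, so a data segment that also reads "ack 1" is not mistaken for the handshake ACK.

```python
import re

# Older one-line tcpdump TCP format, as in Martin's capture, e.g.
#   10:16:11.257242 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: . ack 1 win 1460
# After the SYN, tcpdump prints relative numbers (unless run with -S), which
# is exactly what makes "ack 1" identify the handshake's third packet.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPR.]+) "
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?"
    r"(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)

def parse(line):
    """Split one tcpdump line into its fields, or None if it is not TCP."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(line):
    """Return 'SYN', 'SYN/ACK' or 'ACK' for a handshake packet, else None."""
    p = parse(line)
    if p is None:
        return None
    if "S" in p["flags"]:
        return "SYN/ACK" if p["ack"] is not None else "SYN"
    # Third packet: ACK-only flags, no payload, relative ack == 1.  A data
    # segment such as "P 1:51(50) ack 1 win ..." also says "ack 1", but it
    # carries a seq range and the P flag, so it is rejected here.
    if p["flags"] == "." and p["len"] is None and p["ack"] == "1":
        return "ACK"
    return None

def handshake_lines(lines):
    """Keep only handshake packets, as (stage, src, dst) tuples, in order."""
    out = []
    for line in lines:
        stage = classify(line)
        if stage is not None:
            p = parse(line)
            out.append((stage, p["src"], p["dst"]))
    return out

# Constructed sample: Martin's three handshake lines rejoined onto single
# lines, followed by two constructed data-phase packets that must be dropped.
SAMPLE = [
    "10:16:11.232505 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: S 2114067570:2114067570(0) win 5840",
    "10:16:11.257184 IP aa.bb.cc.130.25 > xx.yy.zz.44.7284: S 1756590593:1756590593(0) ack 2114067571 win 5792",
    "10:16:11.257242 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: . ack 1 win 1460",
    "10:16:11.301000 IP xx.yy.zz.44.7284 > aa.bb.cc.130.25: P 1:51(50) ack 1 win 1460",
    "10:16:11.320000 IP aa.bb.cc.130.25 > xx.yy.zz.44.7284: . ack 51 win 5792",
]
```

A later pure ACK sent before the peer has transmitted any data also reads "ack 1", so across many concurrent connections this remains the heuristic Martin says it is; a stateful tool such as the argus he points to, or libpcap code that keys on the address/port 4-tuple, is the robust option.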


RE: [LARTC] Not understanding network setup!!

2006-06-04 Thread ramsurrunv
Dear Eliot,

Many thx for all the efforts you're making to help me out..I've been
battling with this for over two weeks now :(

I had a few questions to ask you:

1) Does bonding support per-packet load balancing like teql does?

2) Is it compulsory to assign eth1 & eth2 IP addresses in teql setups like
in the howto, or can I simply use them w/o IP addrs as in the bonding setup
example you gave?

3) In the setup you propose with the transparent firewall, I don't think
it'll work because since different networks are involved, only a router
can forward packets between different networks. The bridge can only
perform packet switching on one network. It can actually extend a
particular network but it cannot join two different networks. That, I
believe, is the work of a router. Please correct me if you feel I'm wrong.

4) Do you believe it is possible to implement teql for the topology I'm
working on, i.e. using firewalls with IP addrs? I tried it many times but
no success. The main problem was that I didn't know to what network to
have the teql0 device on PC_B & PC_C point to. In the example in the LARTC
HOWTO, the teql0 on Router A pointed to the teql0 device on Router B.
However, in the topology I'm trying to set up, I didn't know to which
device to point to because of the intermediate networks that we have (for
FW1 & FW2). Do you think I should use a multipath route on PC_B & PC_C,
something like this:

ip route add default scope global nexthop via 192.168.10.11 dev eth1 weight 1 \
    nexthop via 192.168.40.11 dev eth2 weight 1

I tried it but no success. The teql0 device won't balance traffic between
the devices..don't know if I made a mistake in the formulation of the
command!!

Can you suggest me anything..I have enough PCs to test things that you
might suggest me.

Warm regards,
Visham


RE: [LARTC] Not understanding network setup!!

2006-06-04 Thread ramsurrunv
Dear Eliot,

thx for the explanations..i'll try the transparent firewall setup and tell
you how it goes.

However, I would like to know how you would have set routing for a
topology like the one below using bonding, where S1, S2 and S3 are servers
(Layer 3 devices), and not firewalls.



          __________          __________
         |          |        |          |
         |      eth1|--------|eth0  S1  |
         |          |        |__________|
PC_A-----|eth0      |
         |          |         __________
         |   PC_B   |        |          |
         |      eth2|--------|eth0  S2  |
         |          |        |__________|
         |          |
         |          |         __________
         |          |        |          |
         |      eth3|--------|eth0  S3  |
         |__________|        |__________|



Warm regards,
Visham


RE: [LARTC] Not understanding network setup!!

2006-06-04 Thread ramsurrunv
Understood..many thx for all the help..

By the way, do you know if there's a way to distinguish between the ACK
packet sent during the connection establishment phase of a TCP connection
and subsequent ACK packets sent during the data transfer phase?

I know that the ACK number sent during the connection establishment will be
equal to the 'sequence number for the SYN in the SYN/ACK packet' + 1

Is there a way to distinguish between this 3rd packet and any other ACK
packet during data transfer w/o having to keep track of sequence numbers?
Are there other characteristics or options that are set in the former and
not in the latter?

Basically I want to capture the three packets sent during the connection
establishment phase of TCP. How can I do that?

Warm regards,
Visham


RE: [LARTC] Not understanding network setup!!

2006-06-02 Thread ramsurrunv
Hi to all,

> I very much doubt the above was quoted on the LARTC HOWTO. Please point
> us to where you saw this. It is completely wrong.

This is where I got it from:
http://www.lartc.org/lartc.html#LARTC.LOADSHARE - (Chapter 10. Load
sharing over multiple interfaces).

I actually implemented the setup blindly without understanding it and it
worked..When I tried to change the topology of the network and the IP
addresses, then I got problems.

This is what I'm trying to do:

          __________          _____________        __________
         |          |        |             |      |          |
         |      eth1|--------|eth0 FW1 eth1|------|eth1      |
         |          |        |_____________|      |          |
PC_A-----|eth0  PC_B|                             |PC_C  eth0|-----PC_D
         |          |         _____________       |          |
         |      eth2|--------|eth0 FW2 eth1|------|eth2      |
         |__________|        |_____________|      |__________|


The configurations on the respective PCs are:
PC_A:
eth0 = 192.168.0.10/24
#ip route add default via 192.168.0.1

PC_B:
eth0 = 192.168.0.1/24
eth1 = 192.168.10.10/24
eth2 = 192.168.40.10/24

FW1:
eth0 = 192.168.10.11/24
eth1 = 192.168.20.11/24

FW2:
eth0 = 192.168.40.11/24
eth1 = 192.168.50.11/24

PC_C:
eth0 = 192.168.30.1/24
eth1 = 192.168.20.10/24
eth2 = 192.168.50.10/24

PC_D:
eth0 = 192.168.30.10/24
#ip route add default via 192.168.30.1

I'm trying to load balance the traffic from PC_A to PC_D over the two PCs
FW1 and FW2, using teql. I tried to follow the steps in the LARTC HOWTO
but it's not working. Actually I'm having problems setting up the routing
on these PCs with regard to teql. I simply don't know how to do it. I have
enabled ip forwarding (ip_forward) and disabled reverse path filtering
(rp_filter) on PC_B, PC_C, FW1 & FW2 for all NICs. B & C have 2.6.16
kernels with kernel options like advanced routing
(CONFIG_IP_ADVANCED_ROUTER) and multipath route support selected.

When I ping from PC_A to PC_D, I'm getting "Destination host Unreachable"
msg. What am I doing wrong?

I know you guys are really good at this kind of stuff..pls help me out.

Warm regards,
Visham





RE: [LARTC] Not understanding network setup!!

2006-06-01 Thread Eliot, Wireless and Server Administrator, Great Lakes Internet
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 01, 2006 2:58 PM
To: lartc@mailman.ds9a.nl
Subject: [LARTC] Not understanding network setup!! 

> Hi to all,
> 
>              +-------+   eth1   +-------+
>              |       |==========|       |
>  'network 1' |   A   |          |   B   | 'network 2'
>              |       |==========|       |
>              +-------+   eth2   +-------+
> 
> A and B are routers
> 
> # tc qdisc add dev eth1 root teql0
> # tc qdisc add dev eth2 root teql0
> # ip link set dev teql0 up
> 
> On router A:
>
> # ip addr add dev eth1 10.0.0.0/31
> # ip addr add dev eth2 10.0.0.2/31
> # ip addr add dev teql0 10.0.0.4/31
> 
> On router B:
> 
> # ip addr add dev eth1 10.0.0.1/31
> # ip addr add dev eth2 10.0.0.3/31
> # ip addr add dev teql0 10.0.0.5/31
> 
> 
> The above has been quoted from LARTC HOWTO. I would like to know the
> following things:
> 
> 1) Are the 10.0.0.0/31, 10.0.0.2/31, 10.0.0.3/31...different networks?
> Are the devices eth1, eth2 and teql0 on each router part of 3 different
> networks?

I very much doubt the above was quoted on the LARTC HOWTO. Please point
us to where you saw this. It is completely wrong. 

First, 10.0.0.0/31 would be a network address. Second, a 31 bit subnet
is meaningless. It only offers two addresses, the network address at
10.0.0.0 and the broadcast address at 10.0.0.1. That leaves no available
addresses for host addresses. You probably mean /30 instead of /31. If
you were using a /30, then you would run:

ip addr add 10.0.0.1/30 dev eth1
ip addr add 10.0.0.5/30 dev eth2
ip addr add 10.0.0.9/30 dev teql0

The .1, .5, and .9 would be the first available addresses in their
respective subnets.

On router B, you would run:

ip addr add 10.0.0.2/30 dev eth1
ip addr add 10.0.0.6/30 dev eth2
ip addr add 10.0.0.10/30 dev teql0

The .2, .6, and .10 addresses would be the second and final available
host addresses on their respective subnets. 

And yes, each device sits on a different network when configured like
this. The teql0 device simply lets you load balance across the two eth
devices.

> 2) What is the reason for doing the "/31" thing? Can't we use network
> addresses such as 192.168.0.0/24, 192.168.10.0/24 and so on for the
> devices eth1, eth2 and teql0?


You could use the 192.168.0.0/24 type addresses just as easily. The only
difference is in how many addresses are available for hosts on the
network block. By using a /30, you allow 2 host addresses and only 2
host addresses. Using the /24 network, you allow 254 host addresses.
That seems rather wasteful when all you need is 2, doesn't it?

 
Eliot Gable
Certified Wireless Network Administrator (CWNA)
Certified Wireless Security Professional (CWSP)
Cisco Certified Network Associate (CCNA)
CompTIA Security+ Certified
CompTIA Network+ Certified
Network and System Engineer
Great Lakes Internet, Inc.
112 North Howard
Croswell, MI 48422
(810) 679-3395
(877) 558-8324
 
Now offering Broadband Wireless Internet access in Croswell, Lexington,
Brown City, Yale, Worth Township, and Sandusky. Call for details.
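As an added example (not code from the thread), a check over an address plan of the kind Eliot lays out: every link endpoint must be a usable host address, and both ends of a link must fall in one subnet, otherwise the peers never ARP for each other. PLAN_30 is constructed from his corrected /30 plan for routers A and B; PLAN_VISHAM is constructed from the addresses Visham lists in his 2006-06-02 message for the PC_A/PC_B/FW1/FW2/PC_C/PC_D topology.

```python
import ipaddress

# Constructed from Eliot's corrected /30 plan: link -> {router: "addr/prefix"}
PLAN_30 = {
    "eth1":  {"A": "10.0.0.1/30", "B": "10.0.0.2/30"},
    "eth2":  {"A": "10.0.0.5/30", "B": "10.0.0.6/30"},
    "teql0": {"A": "10.0.0.9/30", "B": "10.0.0.10/30"},
}

# Constructed from the interface addresses Visham posted for his topology,
# one entry per physical link.
PLAN_VISHAM = {
    "PC_A-PC_B": {"PC_A eth0": "192.168.0.10/24", "PC_B eth0": "192.168.0.1/24"},
    "PC_B-FW1":  {"PC_B eth1": "192.168.10.10/24", "FW1 eth0": "192.168.10.11/24"},
    "FW1-PC_C":  {"FW1 eth1": "192.168.20.11/24", "PC_C eth1": "192.168.20.10/24"},
    "PC_B-FW2":  {"PC_B eth2": "192.168.40.10/24", "FW2 eth0": "192.168.40.11/24"},
    "FW2-PC_C":  {"FW2 eth1": "192.168.50.11/24", "PC_C eth2": "192.168.50.10/24"},
    "PC_C-PC_D": {"PC_C eth0": "192.168.30.1/24", "PC_D eth0": "192.168.30.10/24"},
}

def check_link(endpoints):
    """Validate one link.  Returns (problems, usable_hosts).

    Each endpoint must be a host address (neither the network nor the
    broadcast address of its subnet) and all endpoints must share one
    subnet; an empty problems list means the link is consistent."""
    problems, nets = [], set()
    for name, cidr in endpoints.items():
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        nets.add(net)
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is not a host address in {net}")
    if len(nets) > 1:
        problems.append("endpoints are in different subnets: "
                        + ", ".join(sorted(str(n) for n in nets)))
    # Usable host addresses in the subnet: /30 -> 2, /24 -> 254.
    usable = max(next(iter(nets)).num_addresses - 2, 0)
    return problems, usable

def check_plan(plan):
    """Return {link: problems} for every link that fails check_link."""
    bad = {}
    for link, endpoints in plan.items():
        problems, _ = check_link(endpoints)
        if problems:
            bad[link] = problems
    return bad
```

Visham's plan passes, so his "Destination host Unreachable" is not an addressing mistake on any single link; it comes from the routing/teql configuration, which is the part he says he could not work out.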