Adding some info again. So: I get raw data from a SPAN port on eth3, and here I see packets marked with EF/46/0xb8:

[root@xxxxxxx ~]# tcpdump -i eth3 -vvv -n ip and ip[1]=0xb8
tcpdump: WARNING: eth3: no IPv4 address assigned
tcpdump: listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
16:01:51.868344 IP (tos 0xb8, ttl 45, id 41287, offset 0, flags [none], proto UDP (17), length 98)
    74.xxx.xxx.xxx.99999 > 10.10.14.21.52637: [udp sum ok] UDP, length 70
16:01:51.889260 IP (tos 0xb8, ttl 45, id 41288, offset 0, flags [none], proto UDP (17), length 84)
    74.xxx.xxx.xxx.99999 > 10.10.14.21.52637: [udp sum ok] UDP, length 56
16:01:51.891505 IP (tos 0xb8, ttl 45, id 52538, offset 0, flags [none], proto UDP (17), length 84)
    74.xxx.xxx.xxx.99999 > 10.10.14.21.52629: [udp sum ok] UDP, length 56
16:01:51.918761 IP (tos 0xb8, ttl 45, id 41289, offset 0, flags [none], proto UDP (17), length 74)
    74.xxx.xxx.xxx.99999 > 10.10.14.21.52637: [udp sum ok] UDP, length 46
16:01:52.018803 IP (tos 0xb8, ttl 45, id 64823, offset 0, flags [none], proto UDP (17), length 96)
    74.xxx.xxx.xxx.99999 > 10.10.14.21.52621: [udp sum ok] UDP, length 68
16:01:52.019751 IP (tos 0xb8, ttl 45, id 52539, offset 0, flags [none], proto UDP (17), length 96)
    74.xxx.xxx.xxx.99999 > 10.10.14.21.52629: [udp sum ok] UDP, length 68
16:01:52.021654 IP (tos 0xb8, ttl 45, id 41290, offset 0, flags [none], proto UDP (17), length 96)
    74.xxx.xxx.xxx.99999 > 10.10.14.21.52637: [udp sum ok] UDP, length 68
16:01:52.073017 IP (tos 0xb8, ttl 45, id 64824, offset 0, flags [none], proto UDP (17), length 84)
    74.xxx.xxx.xxx.99999 > 10.10.14.21.52621: [udp sum ok] UDP, length 56
16:01:52.182993 IP (tos 0xb8, ttl 117, id 2867, offset 0, flags [DF], proto TCP (6), length 509)
    157.56.193.38.https > 10.10.14.21.54656: Flags [P.], cksum 0xcbd5 (correct), seq 2920921318:2920921787, ack 4198288936, win 65520, length 469

At the same time, the same server creates flows from the raw data and sends them to NFSEN. The process and syntax involved are:

nprobe -n 10.0.4.199:2055 -u 0 -Q 1 -T %IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV4_NEXT_HOP %INPUT_SNMP %OUTPUT_SNMP %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %TCP_FLAGS %PROTOCOL %SRC_TOS %SRC_AS %DST_AS %IPV4_SRC_MASK %IPV4_DST_MASK --zmq tcp://*:5556 -i eth3

Any idea why the TOS is not maintained on the transfer from nprobe to nfsen? (Only CS6 is maintained.)

Thanks
Oliver Lagni

-----Original Message-----
From: Oliver Lagni
Sent: Tuesday, 28 October 2014 15:21
To: 'nfsen-discuss@lists.sourceforge.net'
Subject: RE: Filter TOS with NFSEN

Hi all,

About this issue I've just discovered this: on the nprobe server I see with tcpdump packets with TOS on them. I see CS6 (TOS 192) for OSPF, for example, or HSRP. So I see packets with a QoS identifier on them. The same I see on NFSEN (another server). So if in NFSEN I go and query a time window of traffic with TOS, I see most flows are CS6/192. If I filter for a specific IP address that I'm 100% sure is tagged with EF/184, I see TOS 0. I'm sure that EF/184 is there, since if I check the packets with tcpdump on nprobe I see it. So it looks like nprobe doesn't trust that value and overrides it. Is it possible?

Thanks.

-----Original Message-----
From: Oliver Lagni
Sent: Wednesday, 15 October 2014 14:54
To: 'nfsen-discuss@lists.sourceforge.net'
Subject: Filter TOS with NFSEN

Hi guys, anyone else on this? The original issue is: I can't graph any TOS value on NFSEN, although I see it when I capture traffic on the segment I'm monitoring. Only TOS 0 works.
Thanks

-----Original Message-----
From: nfsen-discuss-requ...@lists.sourceforge.net [mailto:nfsen-discuss-requ...@lists.sourceforge.net]
Sent: Tuesday, 7 October 2014 14:32
To: nfsen-discuss@lists.sourceforge.net
Subject: Nfsen-discuss Digest, Vol 100, Issue 2

Today's Topics:

   1. Re: Filter TOS with NFSEN (Giles Coochey)
   2. Re: Filter TOS with NFSEN (Giles Coochey)

----------------------------------------------------------------------

Message: 1
Date: Tue, 07 Oct 2014 13:29:28 +0100
From: Giles Coochey <gi...@coochey.net>
Subject: Re: [Nfsen-discuss] Filter TOS with NFSEN
To: nfsen-discuss@lists.sourceforge.net
Message-ID: <5433dca8.6050...@coochey.net>
Content-Type: text/plain; charset="windows-1252"

On 07/10/2014 13:14, Oliver Lagni wrote:
>
> Hello all,
>
> I'm setting the DSCP on some traffic going out and getting in on my
> firewall.
>
> With NFSEN I collect traffic from both segments, LAN and WAN firewall
> sides.
>
> On my firewall I set DSCP to 101110 for real-time traffic and I
> clearly see it on the Nprobe server on both segments, as soon as I filter
> with tcpdump:
>
> tcpdump -i eth2 -vvv -n ip and ip[1]=0xb8
>
> 0xb8 is 184 in HEX.. and I see this on eth2 (WAN) and eth3 (LAN):
>
> 14:21:23.236494 IP (*tos 0xb8*, ttl 126, id 4388, offset 0, flags [DF], proto TCP (6), length 450)
>     217.xx.xx.xx.47460 > 64.xx.xx.xx.https: Flags [P.], cksum 0x5af4 (correct), seq 949:1359, ack 84, win 256, length 410
>
> But as soon as I filter on NFSEN with the syntax "tos 184" or "tos 0xb8" I
> don't see anything.
>
> Is there any reason? Can someone help me a bit on this?
>

I am not sure, but I think the tos value you filter with is the 3 most significant bits, so a value between 0-7:

0 = 000xxxxxx
1 = 001xxxxxx
2 = 010xxxxxx
3 = 011xxxxxx
4 = 100xxxxxx
5 = 101xxxxxx
6 = 110xxxxxx
7 = 111xxxxxx

So "tos 1" filter matches your priority packets?

--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7584 634135
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net

------------------------------

Message: 2
Date: Tue, 07 Oct 2014 13:31:55 +0100
From: Giles Coochey <gi...@coochey.net>
Subject: Re: [Nfsen-discuss] Filter TOS with NFSEN
To: nfsen-discuss@lists.sourceforge.net
Message-ID: <5433dd3b.8090...@coochey.net>
Content-Type: text/plain; charset="windows-1252"

On 07/10/2014 13:29, Giles Coochey wrote:
> On 07/10/2014 13:14, Oliver Lagni wrote:
>>
>> On my firewall I set DSCP to 101110 for real-time traffic and I
>> clearly see it on Nprobe server on both segments, as soon as I filter
>> with TCPDump:
>>
>>
> I am not sure, but I think the tos value you filter with is the 3 most
> significant bits, so a value between 0-7
>
> 0 = 000xxxxxx
> 1 = 001xxxxxx
> 2 = 010xxxxxx
> 3 = 011xxxxxx
> 4 = 100xxxxxx
> 5 = 101xxxxxx
> 6 = 110xxxxxx
> 7 = 111xxxxxx
>
> So "tos 1" filter matches your priority packets?

Argh... binary, 0xb8 should be "tos 5".

--
Regards,
Giles Coochey

------------------------------

Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

End of Nfsen-discuss Digest, Vol 100, Issue 2
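As an added example (not from the thread and not nprobe or nfsen code), the Python below decodes the TOS byte that tcpdump prints into its IP precedence, DSCP and ECN fields, so one can see that 0xb8 is EF/46 with precedence 5 and 0xc0 is CS6/48 with precedence 6, whichever of those fields a collector's filter compares. It also builds a tcpdump filter that matches a DSCP regardless of the ECN bits, since "ip[1]=0xb8" matches only the exact byte; the capture lines are constructed in the format shown in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the "tcpdump -vvv" format quoted in the thread.
SAMPLE = """\
16:01:51.868344 IP (tos 0xb8, ttl 45, id 41287, offset 0, flags [none], proto UDP (17), length 98) 74.0.0.1.9999 > 10.10.14.21.52637: [udp sum ok] UDP, length 70
16:01:52.182993 IP (tos 0xc0, ttl 1, id 2867, offset 0, flags [DF], proto UDP (17), length 60) 10.10.14.1.1985 > 224.0.0.2.1985: [udp sum ok] UDP, length 32
16:01:52.190000 IP (tos 0x0, ttl 117, id 2868, offset 0, flags [DF], proto TCP (6), length 509) 157.56.193.38.443 > 10.10.14.21.54656: Flags [P.], seq 1:470, ack 1, win 65520, length 469
"""

# tcpdump prints the whole DiffServ byte as "tos 0x..".
TOS_RE = re.compile(r"IP \(tos 0x([0-9a-fA-F]{1,2}),")

# Well-known DSCP code points: EF (RFC 3246) and the class selectors CS0-CS7.
DSCP_NAMES = {46: "EF", **{8 * i: f"CS{i}" for i in range(8)}}


def decode_tos(tos: int) -> dict:
    """Split the 8-bit TOS/DiffServ byte into its fields."""
    dscp = tos >> 2
    return {
        "tos": tos,
        "precedence": tos >> 5,   # top 3 bits: the old IP precedence
        "dscp": dscp,             # top 6 bits: DiffServ code point
        "ecn": tos & 0x3,         # bottom 2 bits: ECN, not part of the DSCP
        "name": DSCP_NAMES.get(dscp, f"DSCP{dscp}"),
    }


def tos_histogram(capture: str) -> Counter:
    """Count packets per DSCP name in tcpdump -v output."""
    counts = Counter()
    for m in TOS_RE.finditer(capture):
        counts[decode_tos(int(m.group(1), 16))["name"]] += 1
    return counts


def bpf_for_dscp(dscp: int) -> str:
    """tcpdump/BPF expression matching a DSCP whatever the ECN bits are."""
    return f"ip and (ip[1] & 0xfc) = {dscp << 2:#04x}"
```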