I'd like to watch the traffic on my virtual interfaces. Since the interface traffic never actually touches the physical device, I can't use pcap to grab it. I'm using ipf/ipmon to look for tcp syn, fin, ackfin, etc., and I'd like to correlate the events to a conversation, date/time-length, size. Does this look to be an exercise in futility? As always, your time and effort are appreciated.
Here's a sample of the traffic:

Jul 26 04:04:32 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:04:31.438987 e1000g0 @-1:-1 L 10.50.12.32,10050 -> 10.50.13.2,45380 PR tcp len 20 55 -AFP OUT
Jul 26 04:04:32 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:04:31.439524 e1000g0 @-1:-1 L 10.50.13.2,45380 -> 10.50.12.32,10050 PR tcp len 20 40 -AF IN
Jul 26 04:05:38 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:05:38.633830 e1000g0 @-1:-1 L 10.50.13.2,47483 -> 10.50.12.32,10050 PR tcp len 20 52 -S IN
Jul 26 04:05:38 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:05:38.634451 e1000g0 @-1:-1 L 10.50.12.32,10050 -> 10.50.13.2,47483 PR tcp len 20 56 -AFP OUT
Jul 26 04:05:38 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:05:38.634821 e1000g0 @-1:-1 L 10.50.13.2,47483 -> 10.50.12.32,10050 PR tcp len 20 40 -AF IN
Jul 26 04:05:45 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:05:44.895973 e1000g0 @-1:-1 L 10.50.12.32,50883 -> 10.50.13.2,10051 PR tcp len 20 52 -S OUT
Jul 26 04:05:45 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:05:44.963024 e1000g0 @-1:-1 L 10.50.13.2,10051 -> 10.50.12.32,50883 PR tcp len 20 40 -AF IN
Jul 26 04:05:45 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:05:44.963269 e1000g0 @-1:-1 L 10.50.12.32,50883 -> 10.50.13.2,10051 PR tcp len 20 40 -AF OUT
Jul 26 04:06:02 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:02.063144 e1000g0 @-1:-1 L 10.50.13.2,58202 -> 10.50.12.32,10050 PR tcp len 20 52 -S IN
Jul 26 04:06:02 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:02.063842 e1000g0 @-1:-1 L 10.50.12.32,10050 -> 10.50.13.2,58202 PR tcp len 20 56 -AFP OUT
Jul 26 04:06:02 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:02.064188 e1000g0 @-1:-1 L 10.50.13.2,58202 -> 10.50.12.32,10050 PR tcp len 20 40 -AF IN
Jul 26 04:06:03 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:03.061537 e1000g0 @-1:-1 L 10.50.13.2,37959 -> 10.50.12.32,10050 PR tcp len 20 52 -S IN
Jul 26 04:06:03 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:03.062272 e1000g0 @-1:-1 L 10.50.12.32,10050 -> 10.50.13.2,37959 PR tcp len 20 56 -AFP OUT
Jul 26 04:06:03 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:03.062657 e1000g0 @-1:-1 L 10.50.13.2,37959 -> 10.50.12.32,10050 PR tcp len 20 40 -AF IN
Jul 26 04:06:11 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:11.203158 e1000g0 @-1:-1 L 10.50.13.2,39879 -> 10.50.12.32,10050 PR tcp len 20 52 -S IN
Jul 26 04:06:11 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:11.203897 e1000g0 @-1:-1 L 10.50.12.32,10050 -> 10.50.13.2,39879 PR tcp len 20 49 -AFP OUT
Jul 26 04:06:11 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:11.204233 e1000g0 @-1:-1 L 10.50.13.2,39879 -> 10.50.12.32,10050 PR tcp len 20 40 -AF IN
Jul 26 04:06:15 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:14.410797 e1000g0 @-1:-1 L 10.50.13.2,60762 -> 10.50.12.32,10050 PR tcp len 20 52 -S IN
Jul 26 04:06:15 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:14.411390 e1000g0 @-1:-1 L 10.50.12.32,10050 -> 10.50.13.2,60762 PR tcp len 20 56 -AFP OUT
Jul 26 04:06:15 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:14.411781 e1000g0 @-1:-1 L 10.50.13.2,60762 -> 10.50.12.32,10050 PR tcp len 20 40 -AF IN
Jul 26 04:06:35 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:34.792477 e1000g0 @-1:-1 L 10.50.13.2,33611 -> 10.50.12.32,10050 PR tcp len 20 52 -S IN
Jul 26 04:06:35 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:34.796056 e1000g0 @-1:-1 L 10.50.12.32,10050 -> 10.50.13.2,33611 PR tcp len 20 64 -AFP OUT
Jul 26 04:06:35 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:34.796465 e1000g0 @-1:-1 L 10.50.13.2,33611 -> 10.50.12.32,10050 PR tcp len 20 40 -AF IN
Jul 26 04:06:35 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:34.912206 e1000g0 @-1:-1 L 10.50.13.2,59290 -> 10.50.12.32,10050 PR tcp len 20 52 -S IN

--dio

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
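
Added example, not part of the original post: a Python sketch of the correlation asked about, pairing each logged SYN with the FINs seen on the same address/port pair and reporting start, duration, packets and bytes. The name `correlate` is hypothetical, and reading `len 20 52` as IP header length followed by total packet length is an assumption about the ipmon format.

```python
import re
from datetime import datetime

# Six lines copied verbatim from the sample in the post.
SAMPLE = """\
Jul 26 04:04:32 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:04:31.438987 e1000g0 @-1:-1 L 10.50.12.32,10050 -> 10.50.13.2,45380 PR tcp len 20 55 -AFP OUT
Jul 26 04:04:32 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:04:31.439524 e1000g0 @-1:-1 L 10.50.13.2,45380 -> 10.50.12.32,10050 PR tcp len 20 40 -AF IN
Jul 26 04:05:38 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:05:38.633830 e1000g0 @-1:-1 L 10.50.13.2,47483 -> 10.50.12.32,10050 PR tcp len 20 52 -S IN
Jul 26 04:05:38 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:05:38.634451 e1000g0 @-1:-1 L 10.50.12.32,10050 -> 10.50.13.2,47483 PR tcp len 20 56 -AFP OUT
Jul 26 04:05:38 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:05:38.634821 e1000g0 @-1:-1 L 10.50.13.2,47483 -> 10.50.12.32,10050 PR tcp len 20 40 -AF IN
Jul 26 04:06:35 10.50.12.32 ipmon[137]: [local2.info] [ID 702911 local2.info] 04:06:34.912206 e1000g0 @-1:-1 L 10.50.13.2,59290 -> 10.50.12.32,10050 PR tcp len 20 52 -S IN
"""

# Assumed field reading: "len <IP header length> <total packet length> -<TCP flags>".
LINE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d{6}) \S+ @\S+ \S+ "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR tcp len \d+ (?P<plen>\d+) -(?P<flags>[A-Z]+) (?:IN|OUT)")

def correlate(lines):
    """Return (finished conversations, still-open ones, packets with no logged SYN)."""
    open_, done, orphans = {}, [], 0
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        # ipmon's own stamp is time of day only; a log spanning midnight needs the date too.
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        src, dst = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        key = tuple(sorted((src, dst)))          # same key for both directions
        if "S" in m["flags"] and "A" not in m["flags"]:
            open_[key] = {"client": src, "server": dst, "start": ts,
                          "packets": 0, "bytes": 0, "fins": set()}
        conv = open_.get(key)
        if conv is None:                         # FIN whose SYN was never logged
            orphans += 1
            continue
        conv["packets"] += 1
        conv["bytes"] += int(m["plen"])
        if "F" in m["flags"]:
            conv["fins"].add(src)
        if len(conv["fins"]) == 2:               # both sides have sent a FIN
            conv["duration"] = ts - conv["start"]
            done.append(open_.pop(key))
    return done, open_, orphans
```

The byte and packet totals cover only the packets ipmon logged (here the SYN and FIN segments), so they are not the conversation's full size unless every packet of the flow is logged.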