Analyzing packets on gateway

Hello everybody,

We're about to launch a new server in our network which will play the role of a network gateway. We have to configure the server to actually analyze incoming requests and then run a set of custom workflows based on user requests.

For the "packet analyzing" part, I can think of two possible ways:
1- Run tcpdump(1) and point it at the interface that I need (using ... -i <iface>)
2- Set up pf(4) to log the allow/block messages on the pflog(4) device and just read the information there.

So, which way do you choose?

PS: My primary concern here is performance. The network interface is 10G and there are lots of subscribers in the network.

Thanks,
More specific information about "analyze incoming requests" would be helpful. What do you care about? A layer 3 metric such as who the packet is destined for? A layer 4 metric such as the port it's going to? Or a layer 7 metric such as a specific application layer protocol? Performance is going to be a factor at 10G and a clear idea of the intent would be helpful.

Option 1: bpf(4) is efficient but I don't know what kind of overhead that will entail at 10G.
Option 2: The fastest performance is going to come with the fewest rules to evaluate. This option will entail more overhead the more specific you want to get. You'll still have overhead to handle, either using pflogd(8) and writing packets to disk for post-processing (at 10G no less) or the overhead of not writing to disk and analyzing live using bpf(4) on the pflog(4) interface.

If you haven't already found http://bsdrp.net/ you may want to review some of their performance work for ideas.
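As an added illustration of the second option (this is not code from the thread or from any of the posters), here is a small aggregator for pflog records as printed by `tcpdump -n -e -ttt -i pflog0`: it counts matches per rule and action and records which destination ports each blocked source touched, the kind of summary a gateway would key its workflows on. The record layout matched by the regex is an assumption about tcpdump's pflog printer (IPv4 TCP/UDP only), and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# One record as printed by `tcpdump -n -e -ttt -i pflog0` for an IPv4 TCP/UDP packet.
# The exact layout is an assumption about tcpdump's pflog printer; IPv6 and ICMP
# records use different address/port formatting and are deliberately skipped here.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<iface>[\w.]+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_pflog(text):
    """Return one dict per recognisable record; lines that do not match are dropped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records

def summarize(records):
    """Counts per (rule, action), per action, per blocked source, and the sorted
    set of destination ports each blocked source was seen hitting."""
    by_rule = Counter((r["rule"], r["action"]) for r in records)
    by_action = Counter(r["action"] for r in records)
    blocked_sources = Counter(r["src"] for r in records if r["action"] == "block")
    ports_per_blocked_src = defaultdict(set)
    for r in records:
        if r["action"] == "block":
            ports_per_blocked_src[r["src"]].add(int(r["dport"]))
    return {
        "by_rule": by_rule,
        "by_action": by_action,
        "blocked_sources": blocked_sources,
        "ports_per_blocked_src": {k: sorted(v) for k, v in ports_per_blocked_src.items()},
    }

# Constructed sample output (documentation addresses), not captured from a real gateway.
SAMPLE = """\
00:00:00.000000 rule 2/0(match): block in on ix0: 192.0.2.10.51234 > 198.51.100.5.22: Flags [S], seq 1, win 65535, length 0
00:00:00.000412 rule 2/0(match): block in on ix0: 192.0.2.10.51235 > 198.51.100.5.23: Flags [S], seq 2, win 65535, length 0
00:00:00.001200 rule 5/0(match): pass in on ix0: 203.0.113.7.40000 > 198.51.100.5.443: Flags [S], seq 3, win 65535, length 0
00:00:00.002000 rule 2/0(match): block in on ix0: 192.0.2.10.51236 > 198.51.100.5.25: Flags [S], seq 4, win 65535, length 0
00:00:00.003000 rule 5/0(match): pass in on ix0: 203.0.113.8.40001 > 198.51.100.5.443: Flags [S], seq 5, win 65535, length 0
this line is not a pf log record and is ignored
"""

if __name__ == "__main__":
    s = summarize(parse_pflog(SAMPLE))
    for (rule, action), n in sorted(s["by_rule"].items()):
        print(f"rule {rule} {action}: {n}")
    for src, ports in s["ports_per_blocked_src"].items():
        print(f"blocked {src}: {len(ports)} distinct destination ports {ports}")
```

Feeding it live instead of the sample means piping `tcpdump -n -e -ttt -i pflog0` into `parse_pflog` line by line; only rules carrying the `log` keyword produce records, so logging on a few specific rules keeps the pflog volume far below the 10G interface rate.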
Sounds like you could benefit from reading chapter 9 of

https://www.nostarch.com/pf3

Are you familiar with using Cisco-like NetFlow tools such as pflow and net-mgmt/nfsen? Also sysutils/pftop and sysutils/pfstat.
Also, as much as I dislike pfSense, you could benefit from installing it and checking out the monitoring tools. They have a kitchen sink of things. Finally, for integration with SNMP, Joel Knight's blog is always a great source (he is one of the OpenBSD developers, of course):

https://www.packetmischief.ca/openbsd-snmp-mibs/