Just a follow up to the question I had during the meeting regarding monitoring traffic. Dropping the interface into promiscuous mode didn't help (btw, you need an IP assigned to an interface before OpenBSD will allow you to use tcpdump on it).
Here is a recap of the problem....
I am setting up a machine to log usage of my colo clients. I already have one that just uses ipfm and it works great, but I want to do something a little more advanced. I saw an article by Randal L. Schwartz [0] that showed how he used labels in pf to track usage. It looks really nice and would allow me to do a bunch of things that my clients would love (like have nice graphs of usage based on port etc.).
I set up the machine with OpenBSD 3.5 and it is sort of working, but not exactly what it should.
The machine has two interfaces (int = tx0, ext = tx1). The external interface doesn't have an IP bound to it and is plugged into a hub between my switch and my provider (the same place as my ipfm machine, which is working fine). The internal interface is plugged into an internal network.
The pf.conf file has the following (for now, it will get much larger later):
-bash-2.05b# more /etc/pf.conf
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 80 label "synack-www" keep state
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 25 label "synack-smtp" keep state
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 143 label "synack-imap" keep state
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 53 label "synack-dns" keep state
pass in quick on tx1 proto udp from any to 64.42.224.131 port = 53 label "synack-dns-udp" keep state
pass in quick on tx1 proto tcp from any to 64.42.224.131 port = 22 label "synack-ssh" keep state
Using pfctl -vsl I get the following:
bash-2.05b# pfctl -vsl
synack-www 369 0 0
synack-smtp 0 0 0
synack-imap 0 0 0
synack-dns 0 0 0
synack-dns-udp 0 0 0
synack-ssh 0 0 0
man pfctl [1] says that the first entry is the number of times the rule has been evaluated, the second is the number of packets, and the third is the bytes.
I think pf isn't recording the traffic because the traffic isn't actually going through the interface.
Any ideas?
thanks shawn
[0] - http://www.stonehenge.com/merlyn/UnixReview/col51.html
[1] - "Show per-rule statistics (label, evaluations, packets, bytes) of filter rules with labels, useful for accounting."
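As an added example (not from the original post, and not part of pf or pfctl), here is a small Python parser for the pfctl -vsl output shown above. It picks out labels that were evaluated but matched no packets (the counters in the post) and computes per-label byte deltas between two samples, which is the kind of accounting the Schwartz column describes; the sample output is constructed from the counters quoted in the post.

```python
"""Parse `pfctl -vsl` label statistics for usage accounting."""
import re
from typing import Dict, List, NamedTuple

class LabelStats(NamedTuple):
    label: str
    evaluations: int
    packets: int
    bytes: int

# Constructed sample, mirroring the counters quoted in the post.
SAMPLE_NOW = """\
synack-www 369 0 0
synack-smtp 0 0 0
synack-imap 0 0 0
synack-dns 0 0 0
synack-dns-udp 0 0 0
synack-ssh 0 0 0
"""

def parse_pfctl_labels(text: str) -> Dict[str, LabelStats]:
    """One line per label: the label, then integer counters. OpenBSD 3.5
    prints evaluations, packets, bytes; later releases append further
    counters, so the label is whatever precedes the trailing integers."""
    stats: Dict[str, LabelStats] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^(.*?)\s+((?:\d+\s*)+)$", line.strip())
        if not m:
            raise ValueError(f"unrecognised pfctl -vsl line: {line!r}")
        nums = [int(n) for n in m.group(2).split()]
        if len(nums) < 3:
            raise ValueError(f"expected at least 3 counters: {line!r}")
        stats[m.group(1)] = LabelStats(m.group(1), nums[0], nums[1], nums[2])
    return stats

def evaluated_but_unmatched(stats: Dict[str, LabelStats]) -> List[str]:
    """Labels whose rule was checked against packets but never matched:
    pf counts an evaluation each time a rule is checked, and packets and
    bytes only when that rule is the one the packet matched."""
    return [s.label for s in stats.values()
            if s.evaluations > 0 and s.packets == 0]

def bytes_delta(old: Dict[str, LabelStats],
                new: Dict[str, LabelStats]) -> Dict[str, int]:
    """Bytes per label between two samples. A counter that went backwards
    was reset (pfctl -z or a ruleset reload), so the new value is taken
    as the traffic seen since the reset rather than a negative delta."""
    delta: Dict[str, int] = {}
    for label, cur in new.items():
        prev = old.get(label)
        if prev is None or cur.bytes < prev.bytes:
            delta[label] = cur.bytes
        else:
            delta[label] = cur.bytes - prev.bytes
    return delta
```

Sampling the counters periodically and feeding the deltas to a graphing tool is enough for per-port usage graphs; note that a rule with evaluations but zero packets is reporting that packets reached the rule and did not match it, which is a different condition from packets never reaching pf at all.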