
I am working on an analyzer script. It is a simple bash script that applies some logic on a tcpdump sniffed capture.

My task is to find out the number of concurrent sessions made by individual IPs. The logic I have applied is that I have counted the different source ports requested by each IP for the same destination IP and port, i.e. 3128, as it is a proxy server.

For example, consider my dest ip is 172.31.1.1 and dest port is 3128

Now I have sniffed traffic only limited for this dest port and dest ip.

Then I have filtered out source ip and source port pair for each packet.

Then I have counted the number of different source ports for each source IP, and I think that would be equal to the number of concurrent sessions made by each individual IP with this proxy server.

Now by looking at the output on a running proxy server for a 10,000 packets sample, number of sessions by each IP goes like 300,250,200 and some less also. For 1 lakh, it goes like 3000,2500 also.

Is there something wrong with my interpretation of sessions, as the number of concurrent sessions allowed by the firewall is 100 per IP?

Udit Gupta
  • Are you looking at TCP connections, or just any IP traffic? – Nikolai Fetissov Jan 30 '13 at 15:17
  • Sorry, I forgot to mention it ... yes, it's about TCP connections – Udit Gupta Jan 30 '13 at 16:28
  • You have to track connection establishment/tear downs, i.e. SYN and FIN handshakes, and connection resets. Otherwise you are counting ALL connections made by given source within time of capture, not at any given moment. – Nikolai Fetissov Jan 30 '13 at 16:33
  • Can you elaborate on it and please submit it as an answer so that I can accept it to help others. Also, it would be of great help if you can tell me further whether `only counting SYN,FIN and RST is enough` or I need to first capture `this traffic (SYN,FIN,RST only)` and then do the same analysis based on source port and source IP as I did above. – Udit Gupta Jan 30 '13 at 19:09

1 Answer

As I mentioned in my comment, if you want to know the number of TCP connections from a single source IP at any given time, you will need to figure out the connection establishment (TCP three-way handshake) and termination (four-way tear-down and reset) points. Otherwise you are counting all TCP connections, established and attempted, from a given IP for the whole duration of the capture (but since ephemeral client ports could be recycled during the capture period, even this count might not be accurate).

I should mention that incrementing a running count of connections on a SYN and decrementing it on a FIN or RST is not going to be enough, since TCP tends to re-transmit packets. You'll need to track TCP states, so good familiarity with the TCP state diagram is probably in order:

TCP State Transition Diagram (from http://upload.wikimedia.org/wikipedia/commons/thumb/a/a2/Tcp_state_diagram_fixed.svg/250px-Tcp_state_diagram_fixed.svg.png)

Nikolai Fetissov
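The distinct-source-port count from the question and the per-flow state tracking the answer calls for, side by side, as an added example that is not part of either post. It is written in Python rather than bash because a per-flow state machine is awkward in shell, but it consumes the same `tcpdump -n` text output the question's script works on (assumed line format: timestamp, `IP`, `src.port > dst.port: Flags [..]`). The proxy address 172.31.1.1:3128 is the one from the question; the client addresses, ports and packets are constructed for the example.

```python
"""Concurrent TCP sessions per client IP from tcpdump text (added example)."""
import re
from collections import defaultdict

# Fields we need from a `tcpdump -n` line (assumed format, see lead-in).
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
PROXY = ("172.31.1.1", 3128)  # destination from the question


def parse_line(line):
    """Return the addressing and TCP flags of one tcpdump line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # tcpdump flag letters: S=SYN, F=FIN, R=RST, P=PSH, '.'=ACK
    return {"sip": m["sip"], "sport": int(m["sport"]), "dip": m["dip"],
            "dport": int(m["dport"]), "flags": set(m["flags"])}


def naive_port_count(lines):
    """The question's logic: distinct client ports per source IP toward the proxy."""
    ports = defaultdict(set)
    for p in map(parse_line, lines):
        if p and (p["dip"], p["dport"]) == PROXY:
            ports[p["sip"]].add(p["sport"])
    return {ip: len(s) for ip, s in ports.items()}


def track_sessions(lines):
    """The answer's logic: follow SYN/FIN/RST per flow, report peak concurrency.

    Returns {client_ip: {"peak_open": n, "peak_established": m}} where
    "open" is any flow between its first SYN and its close, and "established"
    counts only flows whose three-way handshake completed.
    """
    flows = {}  # (client_ip, client_port) -> {"state": str, "fins": set()}
    peak = defaultdict(lambda: {"peak_open": 0, "peak_established": 0})
    for p in map(parse_line, lines):
        if p is None:
            continue
        if (p["dip"], p["dport"]) == PROXY:
            key, side = (p["sip"], p["sport"]), "client"
        elif (p["sip"], p["sport"]) == PROXY:
            key, side = (p["dip"], p["dport"]), "server"
        else:
            continue  # not traffic to or from the proxy port
        flags, flow = p["flags"], flows.get(key)
        if "R" in flags:
            flows.pop(key, None)  # a reset ends the flow whatever its state
        elif flow is None:
            if not ("S" in flags and side == "client"):
                continue  # SYN not captured (capture began mid-stream): untracked
            flows[key] = {"state": "SYN_SENT", "fins": set()}  # retransmits land below
        elif "S" in flags:
            if side == "server" and flow["state"] == "SYN_SENT":
                flow["state"] = "SYN_RECEIVED"  # SYN-ACK; a repeated SYN changes nothing
        elif "F" in flags:
            flow["fins"].add(side)  # a retransmitted FIN from the same side is idempotent
            if len(flow["fins"]) == 2:
                flows.pop(key)  # both sides closed
            else:
                flow["state"] = "HALF_CLOSED"
        elif side == "client" and flow["state"] == "SYN_RECEIVED":
            flow["state"] = "ESTABLISHED"  # client's ACK completes the handshake
        ip = key[0]
        open_n = sum(1 for k in flows if k[0] == ip)
        est_n = sum(1 for k, v in flows.items()
                    if k[0] == ip and v["state"] in ("ESTABLISHED", "HALF_CLOSED"))
        peak[ip]["peak_open"] = max(peak[ip]["peak_open"], open_n)
        peak[ip]["peak_established"] = max(peak[ip]["peak_established"], est_n)
    return dict(peak)


# Constructed capture: 10.0.0.5 opens two flows, retransmits one SYN, has one
# reset by the proxy, closes the other cleanly, then opens a third; 10.0.0.7
# only gets as far as a SYN; 10.0.0.9 appears mid-stream with no SYN captured.
SAMPLE_LINES = [
    "12:00:00.000001 IP 10.0.0.5.40001 > 172.31.1.1.3128: Flags [S], seq 1, win 65535, length 0",
    "12:00:00.000002 IP 10.0.0.5.40002 > 172.31.1.1.3128: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000003 IP 10.0.0.5.40001 > 172.31.1.1.3128: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000004 IP 172.31.1.1.3128 > 10.0.0.5.40001: Flags [S.], seq 100, ack 2, win 65535, length 0",
    "12:00:01.000005 IP 10.0.0.5.40001 > 172.31.1.1.3128: Flags [.], ack 101, win 65535, length 0",
    "12:00:01.000006 IP 10.0.0.7.50001 > 172.31.1.1.3128: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000007 IP 172.31.1.1.3128 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0",
    "12:00:01.000008 IP 10.0.0.5.40001 > 172.31.1.1.3128: Flags [P.], seq 2:50, ack 101, win 65535, length 48",
    "12:00:01.000009 IP 10.0.0.5.40001 > 172.31.1.1.3128: Flags [F.], seq 50, ack 101, win 65535, length 0",
    "12:00:01.000010 IP 172.31.1.1.3128 > 10.0.0.5.40001: Flags [F.], seq 101, ack 51, win 65535, length 0",
    "12:00:01.000011 IP 10.0.0.5.40001 > 172.31.1.1.3128: Flags [.], ack 102, win 65535, length 0",
    "12:00:01.000012 IP 10.0.0.5.40003 > 172.31.1.1.3128: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000013 IP 10.0.0.9.60000 > 172.31.1.1.3128: Flags [.], ack 1, win 65535, length 0",
]

if __name__ == "__main__":
    print("distinct ports per IP:", naive_port_count(SAMPLE_LINES))
    print("peak sessions per IP: ", track_sessions(SAMPLE_LINES))
```

On the constructed capture the port count reports 3 for 10.0.0.5, because the reset flow, the cleanly closed flow and the one opened afterwards all carry different ports, while the tracker's peak is 2 open and only 1 established at any moment; that gap is the difference between "connections over the capture" and "concurrent connections" that the answer describes, and it only grows with capture length. The tracker deliberately ignores flows whose SYN was never captured, so a capture started while connections are already up undercounts them; starting the capture before the clients do, or treating the first captured packet of an unknown flow as its open point, are the two ways to handle that.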