Only seeing half the traffic.


    Alestan - 2011-08-12

    So I have a project for which I am using bandwidthd to monitor traffic going out to the outside world.  I have a port mirror set up from the firewall at the border to a server running bandwidthd.  It is configured to record the data in a PostgreSQL database. The trouble is it doesn't see all the traffic.  The table bd_tx_log correctly records traffic sent from the local subnet, while the bd_rx_log records traffic sent off campus under the IP address to which it is sent.  The same is not true in reverse: traffic sent from off campus is not recorded in the bd_tx_log under the outside IP, nor in the bd_rx_log under the destination IP.  The exception to this is traffic sent to a non-used IP address (probably someone is using it as their IP and the return traffic is sent to us).  This traffic is recorded normally.

    Here's the confusing part: Wireshark sees both halves of the traffic, and Wireshark is built off libpcap, same as bandwidthd.  Second: if I set up a second port mirror from the outside through, going off the other half of the same traffic stream, it records everything, which means the second port mirror only records the traffic from off campus to on, and not the traffic from on campus to off.  Trouble is the traffic volume is high enough that doing a double port mirror exceeds the network speed available and drops some packets sent to the monitor.  I suspect the issue is something to do with how bandwidthd has libpcap configured, but so far I have been unable to figure out what.  It is listening on only one interface (eth1) and is set in promiscuous mode.  Anyone else notice this trouble?  And anyone have an idea for a solution?


    Alestan - 2011-08-25

    Okay, I have it working.  It was on an old computer (Ubuntu 8.04); I updated to LMDE with a newer version of libpcap and everything is working properly.


    Alestan - 2012-07-25

    Once again it quit working; turns out the problem was with VLAN-tagged packets being sent by the switch.  No idea why it worked for a while and now doesn't.  I've patched bandwidthd to support VLAN-tagged packets and it once again works.
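The failure mode in the last post is worth seeing in code. An 802.1Q tag inserts four bytes (TPID 0x8100 plus a 16-bit TCI) between the source MAC and the real EtherType, so a parser that assumes the IPv4 header starts at byte 14 reads 0x8100 where it expects 0x0800 and silently drops the frame. If the mirror port tags only one direction of a conversation, the accounting tool records exactly half of every flow, which matches the symptom in the first post. The following is an added example, not bandwidthd's code or the poster's patch: a tag-aware Ethernet/IPv4 parser that can be run in "naive" mode to reproduce the drop, plus a direction classifier against a local subnet. The two frames, the MAC addresses, VLAN 100, the 10.0.0.0/8 local net and the 203.0.113.9 remote address are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* EtherTypes used below. */
#define ETH_P_IP     0x0800
#define ETH_P_8021Q  0x8100   /* single 802.1Q VLAN tag */
#define ETH_P_8021AD 0x88A8   /* 802.1ad (QinQ) outer tag */
#define ETH_HDR_LEN  14
#define VLAN_TAG_LEN 4

struct ip_flow {
    uint32_t src;        /* IPv4 addresses in host byte order */
    uint32_t dst;
    uint16_t vlan_id;    /* innermost VLAN id, 0 if the frame was untagged */
    size_t   ip_offset;  /* byte offset at which the IPv4 header was found */
};

enum direction { DIR_OUTBOUND, DIR_INBOUND, DIR_OTHER };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one Ethernet frame. With skip_vlan == 0 this behaves like a parser
 * that expects IPv4 directly after the 14-byte header (the bug described in
 * the thread); with skip_vlan != 0 it steps over any stack of VLAN tags.
 * Returns 0 and fills *out for an IPv4 frame, -1 for non-IPv4 or truncated. */
int parse_frame(const uint8_t *buf, size_t len, int skip_vlan, struct ip_flow *out)
{
    if (len < ETH_HDR_LEN) return -1;
    size_t   off = 12;                     /* position of the EtherType field */
    uint16_t ethertype = rd16(buf + off);
    uint16_t vlan = 0;

    while (skip_vlan && (ethertype == ETH_P_8021Q || ethertype == ETH_P_8021AD)) {
        if (len < off + VLAN_TAG_LEN + 2) return -1;      /* tag must fit */
        vlan = rd16(buf + off + 2) & 0x0FFF;               /* VID = low 12 bits of TCI */
        off += VLAN_TAG_LEN;                               /* next EtherType */
        ethertype = rd16(buf + off);
    }
    if (ethertype != ETH_P_IP) return -1;                  /* naive mode lands here on 0x8100 */

    size_t ip = off + 2;
    if (len < ip + 20) return -1;                          /* minimum IPv4 header */
    if ((buf[ip] >> 4) != 4) return -1;                    /* version nibble */

    out->src       = rd32(buf + ip + 12);
    out->dst       = rd32(buf + ip + 16);
    out->vlan_id   = vlan;
    out->ip_offset = ip;
    return 0;
}

/* Decide whether a flow leaves or enters the monitored subnet (net/mask in
 * host byte order). Flows with both or neither end local are "other". */
enum direction classify(const struct ip_flow *f, uint32_t net, uint32_t mask)
{
    int src_local = (f->src & mask) == net;
    int dst_local = (f->dst & mask) == net;
    if (src_local && !dst_local) return DIR_OUTBOUND;
    if (dst_local && !src_local) return DIR_INBOUND;
    return DIR_OTHER;
}

/* Constructed frame 1: 802.1Q tagged (VLAN 100), IPv4 10.1.2.3 -> 203.0.113.9 */
const uint8_t tagged_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xAA,0xBB,
    0x81,0x00, 0x00,0x64,           /* TPID 0x8100, TCI: prio 0, VID 100 */
    0x08,0x00,                      /* real EtherType: IPv4 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0A,0x01,0x02,0x03,            /* src 10.1.2.3 */
    0xCB,0x00,0x71,0x09             /* dst 203.0.113.9 */
};
/* Constructed frame 2: untagged, IPv4 203.0.113.9 -> 10.1.2.3 (the reply) */
const uint8_t plain_frame[] = {
    0x66,0x77,0x88,0x99,0xAA,0xBB,  0x00,0x11,0x22,0x33,0x44,0x55,
    0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x02,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xCB,0x00,0x71,0x09,            /* src 203.0.113.9 */
    0x0A,0x01,0x02,0x03             /* dst 10.1.2.3 */
};

int main(void)
{
    static const char *names[] = { "outbound", "inbound", "other" };
    const uint32_t local_net = 0x0A000000u, local_mask = 0xFF000000u; /* 10.0.0.0/8 */
    struct ip_flow f;
    printf("naive parser on tagged frame: %s\n",
           parse_frame(tagged_frame, sizeof tagged_frame, 0, &f) == 0 ? "accepted" : "DROPPED");
    if (parse_frame(tagged_frame, sizeof tagged_frame, 1, &f) == 0)
        printf("tag-aware parser: vlan %u, ip header at %zu, %s\n",
               f.vlan_id, f.ip_offset, names[classify(&f, local_net, local_mask)]);
    if (parse_frame(plain_frame, sizeof plain_frame, 1, &f) == 0)
        printf("untagged reply: %s\n", names[classify(&f, local_net, local_mask)]);
    return 0;
}
```

Run in naive mode the tagged frame is rejected outright, so a tool counting bytes per address never sees that direction; the tag-aware path finds the IPv4 header at offset 18 instead of 14 and classifies the flow correctly. When checking a capture for this problem, a quick filter for EtherType 0x8100 on the mirror interface tells you whether the switch is delivering tagged frames before you look for a bug in the accounting tool.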