
I have a box running Mikrotik RouterOS, which is set up to do transparent web proxying, as described here.

In short, this means that I have a firewall rule for destination NAT causing any port 80 traffic to get redirected to port 8080 on the router, which is received by the Mikrotik local web proxy. The local web proxy then makes the web request on the client's behalf, in this case to a parent web proxy server (which in turn does the real web request).

My question is, how will this two-part process get reported in the logging of traffic flow information (netflow)?

Looking at the logged information, what I seem to be seeing is this:

  • One flow recorded from client machine (private IP address) to remote proxy (8080)
  • Another flow recorded from router to remote proxy (8080)

The original request that the client made to port 80 isn't recorded.

I want to write code to analyse traffic usage, so I want to be sure I'm not losing information if I discard the latter of these.

masegaloeh
Tim

1 Answer


You can check the URLs passed in the HTTP requests. If the URLs between the two flows match, the flows are just duplicates and you can simply discard one of them. The first flow is more meaningful to you as you said because it tells the client IP.

Khaled
  • I'm not sure if I'm understanding you correctly, but the information that gets logged in the netflows doesn't tell me what was in the HTTP request, only the IP addresses that the flow was between. – Tim Nov 28 '10 at 12:42
  • @Tim: Don't you have the URL logged also? Logging HTTP traffic usually includes the links (URLs) that the users have requested. – Khaled Nov 28 '10 at 12:49
  • The logging here is via the Cisco netflows protocol, which as far as I'm aware only ever records the source and destination IP and port, and a couple of other such details. I could put a protocol analyser in the loop and see what's going on, but I'm not worried about the data actually being transferred (it works fine), only the data that's being logged via netflows. – Tim Nov 28 '10 at 14:54
  • If you have the source/destination IPs and source/destination ports, this is enough to identify a unique connection. So, you can check the duplicate entries. – Khaled Nov 28 '10 at 15:09
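An added worked example for the analysis the question describes; it is not code from the original poster or from the answer, and the addresses in it are hypothetical. NetFlow v5 records carry the 5-tuple (addresses, ports, protocol), packet and byte counters, timestamps and interface indices, and no payload, so URLs are never available and matching has to be done on the tuple. In the transparent-proxy setup the two legs Tim lists are not literal duplicates: the client leg has the client's address as source, the router leg has the router's own address and a different source port, so rather than deduplicating identical tuples the script classifies each record by its role and drops the router-to-parent leg when attributing usage to clients. NetFlow records are unidirectional, so the classifier also recognises the reverse direction of the router leg by the swapped tuple. Because the proxy rewrites headers and may reuse its upstream connection across several clients, the byte totals of the two legs are only expected to be close, not equal, so the reconciliation check compares totals rather than individual records. The sample records are constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export (not from the original poster's router), one
# record per line in a NetFlow-v5-like field order:
# src_ip,dst_ip,src_port,dst_port,proto,packets,bytes
SAMPLE_FLOWS = """\
192.168.1.10,203.0.113.5,51234,8080,6,120,98000
192.168.1.11,203.0.113.5,51240,8080,6,40,31000
192.168.1.1,203.0.113.5,40001,8080,6,160,130500
192.168.1.10,192.168.1.1,51300,53,17,2,180
"""

# Assumed addressing (hypothetical, not taken from the question):
LAN = ip_network("192.168.1.0/24")                 # client subnet behind the router
ROUTER_IP = ip_address("192.168.1.1")              # router's LAN-side address
PARENT_PROXY = (ip_address("203.0.113.5"), 8080)   # parent web proxy address:port


def parse_flows(text):
    """Turn the CSV-style export into a list of dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, sport, dport, proto, pkts, nbytes = line.split(",")
        flows.append({
            "src": ip_address(src), "dst": ip_address(dst),
            "sport": int(sport), "dport": int(dport), "proto": int(proto),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def classify(flow):
    """Label a record by which leg of the proxy chain it belongs to.

    NetFlow records are unidirectional, so the router leg is matched in both
    directions: router -> parent proxy and parent proxy -> router.
    """
    to_parent = (flow["dst"], flow["dport"]) == PARENT_PROXY
    from_parent = (flow["src"], flow["sport"]) == PARENT_PROXY
    if (flow["src"] == ROUTER_IP and to_parent) or (flow["dst"] == ROUTER_IP and from_parent):
        return "router_leg"   # the router's own proxy talking to the parent proxy
    if flow["src"] in LAN and to_parent:
        return "client_leg"   # the client's request, carrying the client address
    return "other"            # everything else (DNS, non-proxied traffic, ...)


def usage_per_client(flows):
    """Bytes attributable to each LAN client.

    The router-to-parent leg is dropped so proxied traffic is counted once,
    under the client address that the client leg preserves.
    """
    usage = defaultdict(int)
    for f in flows:
        if classify(f) == "router_leg":
            continue
        for end in ("src", "dst"):
            if f[end] in LAN and f[end] != ROUTER_IP:
                usage[str(f[end])] += f["bytes"]
    return dict(usage)


def reconcile(flows):
    """Byte totals per leg, for checking that discarding the router leg loses
    nothing significant: the two totals should be close (the proxy rewrites
    headers and may reuse upstream connections, so exact equality is not
    expected), and a large gap means the client-side view is incomplete."""
    totals = defaultdict(int)
    for f in flows:
        totals[classify(f)] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS)
    for r in records:
        print(classify(r), r["src"], "->", r["dst"], r["dport"], r["bytes"])
    print("per client:", usage_per_client(records))
    print("per leg:", reconcile(records))
```

Run against a real export, the per-leg totals from `reconcile` are the figure to watch over time: if the router leg starts to exceed the client leg by far more than header overhead, something (a second DNAT rule, traffic generated by the router itself) is reaching the parent proxy without a matching client record, and discarding the router leg would hide it.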