An alchemist's view from the bar

Network Security Alchemy

Archive for September 2010

An OpenFPC Example: Clustering packet capture over multiple links/devices/countries.


It’s been a while since my last post, but that’s because I’ve been busy working on ofpc. To make up for it, I thought I would share some of the concepts behind how OpenFPC should be able to grow rapidly into a distributed system.

One of the more useful features of ofpc is its self-referencing way of scaling out: a master can sit above slaves or above other masters (master/master/slave). This concept gets interest when I explain it to people, but it isn’t really documented anywhere, so let me introduce it here with a working example.

There are a few common situations where clustering devices in a master/slave relationship provides real value:

  • Geographically separated network links with guaranteed or possible asymmetric traffic paths
  • Multi-link trunks
  • High(er) speed links where you need to spread traffic load over multiple slaves

Firstly, please forgive my terrible retro-diagram skills.

OpenFPC Cluster diagram

So here’s the situation:

There are two pipes between network “A” and network “B”, and for whatever reason you don’t know whether the traffic you want to pull from the buffer sits in the archive of SLAVE1 or SLAVE2. You do know it is in one or both of them. Combined, the two pipes form one *logical* network link.

If you request the data from the master queue daemon responsible for these two devices (MASTER in the diagram) without specifying which slave the request should be routed to, it searches and extracts from every slave below it. The master ofpc-queued doesn’t need to run on a separate piece of hardware; it is only drawn that way in the diagram.

Here’s an example of it functioning in my test environment.

lward@UbuntuDesktop:~/code/openfpc$ ./ofpc-client.pl  -a fetch \
 --src-addr=192.168.222.1 --dst-port=22
* ofpc-client.pl 0.1 *
Part of the OpenFPC project
Username: master
Password for user master : 
#####################################
Filename: /tmp/extracted-ofpc-1284615954.pcap
Size    : 7.0M
MD5     : a495c1f38dce3dc9dff50ead47a415ab
lward@UbuntuDesktop:~/code/openfpc$

 

This ofpc request returned a 7MB pcap made up of the traffic seen by “slave1” and “slave2”, merged into a single file, so I can inspect the traffic as the logical link carried it rather than only what one physical leg of the link captured. This isn’t limited to two slaves; it can be many more.

If for any reason I would still prefer to look at the traffic on one slave only, I can either:

  • Make an ofpc request directly to that ofpc-slave device
  • Tell the master which device to focus on (the --device option)

For example:

lward@UbuntuDesktop:~/code/openfpc$ ./ofpc-client.pl  -a fetch \
--src-addr=192.168.222.1 --dst-port=22 -o 4240 --device slave2
* ofpc-client.pl 0.1 *
Part of the OpenFPC project
Username: master
Password for user master :
#####################################
Filename: /tmp/extracted-ofpc-1284616271.pcap
Size    : 6.0M
MD5     : 68132e2e12c16665913cb1e7f36336f3
lward@UbuntuDesktop:~/code/openfpc$ 
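To make the fan-out and merge concrete, here is an added example of my own; it is a toy model, not OpenFPC code (the real ofpc-queued is Perl and talks to the slaves over the network). Each slave’s archive is a constructed in-memory libpcap byte string, the selectors mirror --src-addr and --dst-port, and the `device` argument stands in for --device. The slave names, addresses and timestamps are made up. It covers both fetches shown above: the all-slaves fetch, where the master searches every slave below it and merges the extracts by timestamp, and the single-device fetch.

```python
# Added example: a toy model of the master fan-out/merge illustrated by the
# two ofpc-client runs above. Not OpenFPC code; every slave archive here is a
# constructed in-memory pcap rather than a real ofpc-slave.
import hashlib
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap file magic, microsecond timestamps
LINKTYPE_RAW = 101        # raw IP, no link-layer header (keeps packets small)


def ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Build a minimal IPv4+TCP packet. Checksums are left zero; that is
    enough for header-based selection, which is all this model does."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def write_pcap(records):
    """Serialise (sec, usec, packet) triples into libpcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for sec, usec, pkt in records:
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data):
    """Parse libpcap file bytes back into (sec, usec, packet) triples."""
    magic, = struct.unpack_from("<I", data)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec, usec, data[off:off + caplen]))
        off += caplen
    return records


def matches(pkt, src_addr=None, dst_port=None):
    """The selectors ofpc-client exposes as --src-addr / --dst-port."""
    if len(pkt) < 24 or pkt[0] >> 4 != 4:
        return False                     # not IPv4, or too short to hold ports
    ihl = (pkt[0] & 0x0F) * 4
    src = socket.inet_ntoa(pkt[12:16])
    dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
    return ((src_addr is None or src == src_addr)
            and (dst_port is None or dport == dst_port))


def master_fetch(slaves, device=None, **selectors):
    """What the master does with a fetch: forward it to every slave below it
    (or only to `device`, the --device case), then merge the extracts in
    timestamp order so the result reads like the one logical link."""
    targets = slaves if device is None else {device: slaves[device]}
    merged = []
    for archive in targets.values():
        merged += [r for r in read_pcap(archive) if matches(r[2], **selectors)]
    merged.sort(key=lambda r: (r[0], r[1]))   # stable: ties keep slave order
    pcap = write_pcap(merged)
    return {"pcap": pcap, "packets": len(merged), "size": len(pcap),
            "md5": hashlib.md5(pcap).hexdigest()}


def sample_slaves():
    """Constructed archives: an SSH session from 192.168.222.1 whose packets
    are spread over both legs (per-packet load-balanced trunk), plus traffic
    each slave should leave out of this particular fetch."""
    T = 1284615954
    fwd = lambda n: ipv4_tcp("192.168.222.1", "10.0.0.5", 40000, 22, b"x" * n)
    slave1 = write_pcap([
        (T, 100000, fwd(1)),
        (T, 150000, ipv4_tcp("192.168.222.1", "10.0.0.5", 40001, 80)),  # wrong port
        (T, 300000, fwd(3)),
    ])
    slave2 = write_pcap([
        (T, 200000, fwd(2)),
        (T, 250000, ipv4_tcp("10.0.0.5", "192.168.222.1", 22, 40000)),  # reply, wrong src
        (T, 400000, fwd(4)),
    ])
    return {"slave1": slave1, "slave2": slave2}


if __name__ == "__main__":
    res = master_fetch(sample_slaves(), src_addr="192.168.222.1", dst_port=22)
    print(f"packets: {res['packets']}  size: {res['size']}  md5: {res['md5']}")
```

With the constructed archives, the all-slaves fetch returns the four forward packets in timestamp order, interleaved across slave1 and slave2, and `device="slave2"` returns only the two that leg saw. The MD5 the real client prints is of the extracted file, so recompute it with md5sum after you copy the pcap off the master, the same way `res["md5"]` is derived from the merged bytes here.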

If you want to try this feature out, make sure you’re running the latest OpenFPC code from svn.

-Leon


Written by leonward

September 24, 2010 at 12:42 pm

Posted in OpenFPC, Security


OpenFPC Test Release


The weekend has landed, and I have time to pull together some of the bits I need for an OpenFPC (Open Full Packet Capture) release, but I need your help.

I know there are bugs that still need squishing (the master-mode install script, for example), but if you have time and are interested, please help me test out an alpha release. Go grab it from here (download the highest version number; it may change repeatedly over the next few days) and run the installer.

So far I have only tested it on Ubuntu 10.04. The Red Hat auto-dependency checking isn’t there yet, but it should work on that platform with a little tweaking if you have the required RPMs installed.

So what are you waiting for!? Find problems, tell me where the install and setup falls down, and have some fun.

-Leon

Written by leonward

September 10, 2010 at 5:35 pm

Posted in OpenFPC, Security
