Example 8
Goal
You are an administrator of a large Internet Service Provider
(ISP). Your ISP has a 10 Mbit Internet connection, about 200 users
(say, with IP addresses in 192.168.0.0/24) and 5000-10000 active
sessions. You want to record all packets transmitted between the
Internet and the users. What is the best solution?
Solution
For this scenario, the "one filter per user" strategy is not
practical: a filter set of 200 filters is hard to manage. The
simplest way is to create a single filter "Your users - WAN" and
enable Packet Logging for it:

Filter 1. The total Internet traffic of the users

| N Rule | Type of IP protocol | Source address | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---|---|---|---|---|---|---|---|
| 1 | Any | 192.168.0.0/24 | | IP addresses of WAN | | Yes | Count | |
Note
Because Packet Collector has a size of 2000 positions, such a filter may overflow Packet Collector, which means that not all of the captured packets will be recorded. To avoid this problem, you can shorten the Packet Collector flush interval down to 10 seconds, or apply load balancing to Packet Collector. The idea of load balancing is a logical (not physical) division of your network into several subnets, with the captured packets recorded separately for every subnet:
Filter 1. The total Internet traffic of the users 192.168.0.0/26

| N Rule | Type of IP protocol | Source address | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---|---|---|---|---|---|---|---|
| 1 | Any | 192.168.0.0/26 | | IP addresses of WAN | | Yes | Count | |

Filter 2. The total Internet traffic of the users 192.168.0.64/26

| N Rule | Type of IP protocol | Source address | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---|---|---|---|---|---|---|---|
| 2 | Any | 192.168.0.64/26 | | IP addresses of WAN | | Yes | Count | |

Filter 3. The total Internet traffic of the users 192.168.0.128/26

| N Rule | Type of IP protocol | Source address | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---|---|---|---|---|---|---|---|
| 3 | Any | 192.168.0.128/26 | | IP addresses of WAN | | Yes | Count | |

Filter 4. The total Internet traffic of the users 192.168.0.192/26

| N Rule | Type of IP protocol | Source address | Source port | Destination address | Destination port | Both directions | Action for packet | Additional condition |
|---|---|---|---|---|---|---|---|---|
| 4 | Any | 192.168.0.192/26 | | IP addresses of WAN | | Yes | Count | |
If you get the message "Packet Collector is full" for any filter with a /26 network mask, you should consider dividing your network into smaller subnets (for example, use a /28 network mask).
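The subnet split above can be sized instead of guessed. The following is an added example, not part of the original page or the product: it estimates how many subnets are needed for the 2000-position Packet Collector, picks the matching network mask, and generates one filter row per subnet in the column layout of the tables above. It assumes active sessions are spread evenly across the users' addresses; the real distribution should be checked against "Packet Collector is full" messages as the page advises.

```python
import math
from ipaddress import IPv4Network

# Packet Collector capacity from the page; the even-spread assumption is ours.
COLLECTOR_POSITIONS = 2000


def subnets_needed(active_sessions: int, positions: int = COLLECTOR_POSITIONS) -> int:
    """Equal-sized subnets required so that, with sessions spread evenly
    (assumption), no single subnet exceeds one collector's positions."""
    return max(1, math.ceil(active_sessions / positions))


def prefix_for_sessions(network: str, active_sessions: int,
                        positions: int = COLLECTOR_POSITIONS) -> int:
    """Smallest prefix length (largest subnets) that splits `network` into at
    least subnets_needed() pieces; each piece becomes one filter."""
    net = IPv4Network(network)
    extra_bits = math.ceil(math.log2(subnets_needed(active_sessions, positions)))
    if net.prefixlen + extra_bits > 32:
        raise ValueError("network too small to spread the sessions")
    return net.prefixlen + extra_bits


def filter_set(network: str, new_prefix: int) -> list[dict]:
    """One 'subnet -> WAN' counting filter per piece, mirroring the page's tables."""
    rows = []
    for n, sub in enumerate(IPv4Network(network).subnets(new_prefix=new_prefix), 1):
        rows.append({"N Rule": n, "Type of IP protocol": "Any",
                     "Source address": str(sub), "Source port": "",
                     "Destination address": "IP addresses of WAN",
                     "Destination port": "", "Both directions": "Yes",
                     "Action for packet": "Count", "Additional condition": ""})
    return rows


def render(rows: list[dict]) -> str:
    """Pipe-separated table text in the same column order as the page."""
    cols = list(rows[0])
    lines = ["| " + " | ".join(cols) + " |", "|" + "---|" * len(cols)]
    lines += ["| " + " | ".join(str(r[c]) for c in cols) + " |" for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    users, sessions = "192.168.0.0/24", 10000      # figures from the scenario
    prefix = prefix_for_sessions(users, sessions)
    print(f"{sessions} sessions -> split {users} into /{prefix} subnets")
    print(render(filter_set(users, prefix)))
```

For the 5000-session case the helper returns /26 (four filters, as in the tables above); for 10000 sessions it returns /27, still coarser than the /28 fallback the page suggests.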
Is it possible to create Packet Collector with an unlimited size?
Yes, but it would not be efficient. To put a captured packet into Packet Collector, the proper position for the new packet must be found in Packet Collector; if Packet Collector has unlimited size, that search will take many CPU cycles.