Brian Candler wrote:
The reason: vendors have bugs in their accounting implementations, and we want to be able to show them the original raw packets to prove it's not our accounting collectors which are mis-interpreting the data.
My $0.02 is that you should name && shame the vendors. This has worked well in the past.
The problem with tcpdump is being able to find quickly the packets of interest (e.g. given a username, or given a FreeRadius Acct-Unique-Session-Id which is an MD5 across multiple attributes). So I want to extract the attributes of interest and index them alongside the raw data, or offsets into the raw data.
You can log the packet src/dst ip/port, and the timestamp. That should be good enough to quickly find it in a PCAP file. The problem with dumping raw packets is that you can't. You'll have to convert them to hex, which doubles the size. It's possible, and probably only ~200 lines of code. But I don't really see much benefit for the wider audience. I'd suggest writing a module which does nothing more than register a "paw_packet" xlat callback. That way it will be easy to integrate into any new release of the server. Alan DeKok.