Logging raw accounting packets
I would like to put accounting logs into some sort of database, but store the entire raw binary packet as well as some decoded attributes. I can think of plenty of options for the storage: e.g. mysql Blob column, CouchDB binary attachment, MongoDB etc. But I can't see how to get at the raw packet from the freeradius config. Even rlm_perl doesn't seem to receive the raw packet, only a hash of decoded attributes. Is there a module which can do this already, or should I be looking to hack something up in C? Thanks, Brian.
Brian Candler wrote:
I would like to put accounting logs into some sort of database, but store the entire raw binary packet as well as some decoded attributes.
I'd suggest using tcpdump for raw packets.
I can think of plenty of options for the storage: e.g. mysql Blob column, CouchDB binary attachment, MongoDB etc. But I can't see how to get at the raw packet from the freeradius config. Even rlm_perl doesn't seem to receive the raw packet, only a hash of decoded attributes.
Is there a module which can do this already, or should I be looking to hack something up in C?
There's no module to do this. There are very few reasons to do this, IMHO. Alan DeKok.
There's no module to do this. There are very few reasons to do this, IMHO.
The reason: vendors have bugs in their accounting implementations, and we want to be able to show them the original raw packets to prove it's not our accounting collectors which are mis-interpreting the data. The problem with tcpdump is being able to find quickly the packets of interest (e.g. given a username, or given a FreeRadius Acct-Unique-Session-Id which is an MD5 across multiple attributes). So I want to extract the attributes of interest and index them alongside the raw data, or offsets into the raw data.
Brian Candler wrote:
The reason: vendors have bugs in their accounting implementations, and we want to be able to show them the original raw packets to prove it's not our accounting collectors which are mis-interpreting the data.
My $0.02 is that you should name && shame the vendors. This has worked well in the past.
The problem with tcpdump is being able to find quickly the packets of interest (e.g. given a username, or given a FreeRadius Acct-Unique-Session-Id which is an MD5 across multiple attributes). So I want to extract the attributes of interest and index them alongside the raw data, or offsets into the raw data.
You can log the packet src/dst ip/port, and the timestamp. That should be good enough to quickly find it in a PCAP file. The problem with dumping raw packets is that you can't. You'll have to convert them to hex, which doubles the size. It's possible, and probably only ~200 lines of code. But I don't really see much benefit for the wider audience. I'd suggest writing a module which does nothing more than register a "paw_packet" xlat callback. That way it will be easy to integrate into any new release of the server. Alan DeKok.
participants (2)
-
Alan DeKok -
Brian Candler