OrCAD
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 20, 2005 12:37 pm

How to Log?

Wed May 18, 2005 11:30 am

Hi,
I need to log, in file or snmp or vs IP, complete path of all users,
now, how to send this information? e.g.: src ip:port <-> dst ip:port
many 10x.

OrCAD
Last edited by OrCAD on Wed May 25, 2005 11:01 pm, edited 1 time in total.
 
OrCAD

Wed May 25, 2005 2:25 pm

any idea?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: How to Log?

Wed May 25, 2005 9:22 pm

> I need to log, in file or snmp or vs IP, complete path of all users,
> now, how to send this information?

What exactly do you mean by "complete path"?


--Tom
 
OrCAD

Wed May 25, 2005 11:12 pm

Hardware configuration:

hotspot users <---> RB532 <--> Internet gateway

I want to track (log file) destination ip for each user with source ip association:

ip hs-user <---> ip request in gateway

or

ip hs-user ---> ip request in gateway

I have nomadix AG2000w+ in another network and log is composed exactly in this form. I like it!

Can the RB generate a log in this form, or with a special script?
10x
 
tneumann

Wed May 25, 2005 11:51 pm

You want to log the NAT translations per hotspot user?

I don't see how this could even make sense unless you configure your hotspot
to do one-to-one NAT between external and internal addresses (but then, why NAT at all?)
If you masquerade, then the externally visible IP address will always be the same one anyway...

Or do you plan to use a pool of external addresses that is possibly smaller than
the range of internal addresses and expect a hotspot user to always
retain the same internal <--> external address mapping for the duration of a
hotspot session? That would limit the max. number of concurrent
hotspot users to the number of available addresses in the external range, though.

--Tom
 
OrCAD

Thu May 26, 2005 12:04 am

Oki, I understand all.....but one question:

If a malicious user in my network damages one URL or another, after (e.g.) 1 month, where do I find:
- user name
- source ip
- destination ip damaged
- time
- mac of user

etc.?

Nomadix saves the log each day in this format! (NAT 1:1 or not)

Is this a stupid question?
10x tneumann..
 
tneumann

Thu May 26, 2005 12:23 am

> If a malicious user in my network damages one URL or another, after (e.g.) 1 month, where do I find:
> - user name
> - source ip
> - destination ip damaged
> - time
> - mac of user

Well, the basic info such as the client's assigned address and MAC address are logged by the
MikroTik router, such as

    12:55:46 dhcp,info,debug dhcp1 assigned 10.5.50.254 to 00:04:23:76:D7:6C
    12:56:37 hotspot,account,info,debug tom (10.5.50.254): logged in

which is a DHCP assignment to a client, followed by a hotspot login from that client.
You could configure your MikroTik router to send these lines to a remote syslog server
on one of your administrative computers if you want to retain this information for some time.

As for the destination IP address and the time of an event, I think you would
need to log every packet that flows through the router, i.e. add an
"accept and log" rule somewhere in the forward chain. But this will generate
huge amounts of information on a busy hotspot, not very practical.

--Tom
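An added example (not part of the original posts, and not MikroTik code): a time-aware lookup that rebuilds hotspot sessions from the two log line formats quoted above, so that a later question about a source IP at a given time resolves to a user name and MAC even after the address has been leased to someone else. The "logged out" line format, the second lease and the user "anna" are constructed assumptions.

```python
import re

# Constructed sample. The first two lines are the ones quoted in the thread;
# the logout line format and the second lease/login are assumptions.
SAMPLE_LOG = """\
12:55:46 dhcp,info,debug dhcp1 assigned 10.5.50.254 to 00:04:23:76:D7:6C
12:56:37 hotspot,account,info,debug tom (10.5.50.254): logged in
13:40:02 hotspot,account,info,debug tom (10.5.50.254): logged out
14:05:10 dhcp,info,debug dhcp1 assigned 10.5.50.254 to 00:0C:42:AA:BB:01
14:06:00 hotspot,account,info,debug anna (10.5.50.254): logged in
"""

DHCP_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) dhcp,\S+ \S+ assigned ([\d.]+) to ([0-9A-Fa-f:]{17})$")
HS_RE = re.compile(
    r"^(\d\d:\d\d:\d\d) hotspot,account,\S+ (\S+) \(([\d.]+)\): logged (in|out)")

def secs(hms):
    # Router lines carry no date; a syslog server's dated timestamp
    # should be used instead when logs are retained across days.
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s

def build_sessions(log_text):
    """Return sessions as dicts: user, ip, mac, start, end (None = still open)."""
    mac_of = {}       # ip -> MAC of the most recent lease
    open_by_ip = {}   # ip -> session that has not ended yet
    sessions = []
    for line in log_text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            mac_of[m.group(2)] = m.group(3).upper()
            continue
        m = HS_RE.match(line)
        if not m:
            continue
        t, user, ip, what = secs(m.group(1)), m.group(2), m.group(3), m.group(4)
        prev = open_by_ip.pop(ip, None)
        if prev is not None:
            prev["end"] = t   # closed by logout, or by a new login on a reused IP
        if what == "in":
            s = {"user": user, "ip": ip, "mac": mac_of.get(ip), "start": t, "end": None}
            sessions.append(s)
            open_by_ip[ip] = s
    return sessions

def attribute(sessions, hms, src_ip):
    """Return (user, mac) holding src_ip at time hms, or None if nobody did."""
    t = secs(hms)
    for s in sessions:
        if s["ip"] == src_ip and s["start"] <= t and (s["end"] is None or t < s["end"]):
            return s["user"], s["mac"]
    return None
```

The time and source IP passed to `attribute` would come from the firewall log entries discussed in the thread; matching on IP alone, without the session window, would blame whoever held the address last.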
 
OrCAD

Thu May 26, 2005 12:31 am

Ok, I'll try this and post the result....
Many thanks....

OrCAD
 
OrCAD

Fri May 27, 2005 4:23 pm

Oki, for a complete tracking log I have added this rule:

forward in-interface=wlan1 out-interface=ether2 packet-size=50-1500 action=log

It is necessary to limit the min packet-size because the log is too heavy!
Now, I want to not send the same packet (per user) to the log, to limit bandwidth occupation... i.e. send only a new packet or a new connection established by the user.
I tried "connection state" in the general options but it does not work properly for me.
Any idea??
 
tneumann

Fri May 27, 2005 4:53 pm

> forward in-interface=wlan1 out-interface=ether2 packet-size=50-1500 action=log
>
> Now, I want to not send the same packet (per user) to the log, to limit bandwidth occupation... i.e. send only a new packet or a new connection established by the user.

If it's OK for you to only monitor TCP connections then try to add
this to your rule
protocol=tcp tcp-flags=syn,!ack
This will only log packets that establish a new TCP connection.
But then maybe you need to remove the packet-size=50-1500
restriction because TCP SYN packets tend to be small (maybe smaller than 50 bytes).

--Tom
