
Network traffic tracking using CONNTRACE

Affects version(s): since 4.2.4

Since version 4.2.4 Airlock provides a "conntrace" log message. It carries the connection details of both the external (client to Airlock) and the internal (Airlock to back-end) TCP connection: source IP and port as well as destination IP and port. With this information a single request can be tracked from the client all the way to the back-end, and front-end and back-end packet traces can be correlated with the corresponding Airlock log messages. The following example shows how this works:

Airlock summary log messages of one request:

May 15 16:28:26 Web-Requests Access m:WR-SG-SUMMARY vhost:www.webapp.com:80 (http) GET / => http://bali/ , status:200 , redirection URL:<n/a> , referer:<n/a> , mapping:bali , request size: 421 , backend response size: 12960, audit token:- rid:T7JoCn8AAAEAACqxC7UAAAAh sid:718d525cbf99595348231c8e6bc44418 ip:172.18.61.2
May 15 16:28:26 Web-Requests Security m:WR-SG-FILT-016 Filter notification: HTTP header "Accept-Encoding: gzip,deflate,sdch" not allowed for request "" on mapping: "bali" with audit token "-", Removing header rid:T7JoCn8AAAEAACqxC7UAAAAh sid:718d525cbf99595348231c8e6bc44418 ip:172.18.61.2
May 15 16:28:26 Web-Requests Security m:WR-SG-FILT-018 Filter notification: Filter "Allow all" -> MATCHED rid:T7JoCn8AAAEAACqxC7UAAAAh sid:718d525cbf99595348231c8e6bc44418 ip:172.18.61.2

Important: To log the "conntrace" message, make sure the log mode of the mapping is set to Integration mode.

The "conntrace" message is identified by the message ID WR-SG-CONNTRACE and carries the same request ID (rid) as the other log messages of that request. The "conntrace" message looks as follows:

May 15 16:28:26 Web-Requests Usage m:WR-SG-CONNTRACE frontend-src: 172.18.61.2:56491 frontend-dst: 172.18.61.176:80 backend-src: 172.18.99.176:44825 backend-dst: 172.18.99.1:80 rid:T7JoCn8AAAEAACqxC7UAAAAh sid:718d525cbf99595348231c8e6bc44418 ip:172.18.61.2

In this case we find the following connection information:

Front-end

  • frontend-src (Source: Web client)
    IP:    172.18.61.2
    Port: 56491
  • frontend-dst (Destination: Airlock external)
    IP:    172.18.61.176
    Port: 80

Back-end

  • backend-src (Source: Airlock internal)
    IP:    172.18.99.176
    Port: 44825
  • backend-dst (Destination: Back-end system)
    IP:    172.18.99.1
    Port: 80

Now capture packets on the external and the internal Airlock interface (see the tcpdump or snoop articles, respectively, for example commands) and save them in two files (/tmp/conntrace_ext.snoop and /tmp/conntrace_int.snoop). Then download the files from Airlock (e.g., using WinSCP) and open them in Wireshark.

To find the packets from the connection found in the "conntrace" message, do the following:

  • Open the packet capture files in Wireshark
  • Filter the packets as follows:
    External interface:
    tcp.srcport == <frontend-src Port> or tcp.dstport == <frontend-src Port>
    Internal interface:
    tcp.srcport == <backend-src Port> or tcp.dstport == <backend-src Port>
  • Only the packets of this single TCP connection are shown
    Example from internal interface: (screenshot omitted)
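The procedure above can be scripted: parse the WR-SG-CONNTRACE line that matches a given rid and derive the two Wireshark display filters from it. The following is an added example, not Airlock's own tooling; it reproduces the port-only filters from this article and, as an extension, offers a stricter variant that also pins both IP addresses, since an ephemeral port can be reused by a later connection in a long capture. The second sample log line is constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional

# Field layout of an Airlock WR-SG-CONNTRACE message as quoted in this article.
CONNTRACE_RE = re.compile(
    r"m:WR-SG-CONNTRACE\s+"
    r"frontend-src:\s*(?P<fe_src_ip>[\d.]+):(?P<fe_src_port>\d+)\s+"
    r"frontend-dst:\s*(?P<fe_dst_ip>[\d.]+):(?P<fe_dst_port>\d+)\s+"
    r"backend-src:\s*(?P<be_src_ip>[\d.]+):(?P<be_src_port>\d+)\s+"
    r"backend-dst:\s*(?P<be_dst_ip>[\d.]+):(?P<be_dst_port>\d+)"
    r".*?\brid:(?P<rid>\S+)"
)

def parse_conntrace(line: str) -> Optional[Dict[str, str]]:
    """Return the four endpoints and the rid of a conntrace line, else None."""
    m = CONNTRACE_RE.search(line)
    return m.groupdict() if m else None

def find_conntrace_for_rid(lines: Iterable[str], rid: str) -> Optional[Dict[str, str]]:
    """Pick the WR-SG-CONNTRACE line carrying the rid taken from a summary line."""
    for line in lines:
        ct = parse_conntrace(line)
        if ct and ct["rid"] == rid:
            return ct
    return None

def wireshark_filters(ct: Dict[str, str], strict: bool = False) -> Dict[str, str]:
    """Display filters for the external and internal capture.
    strict=False gives the port-only filters from the article; strict=True also
    pins both IPs and both ports so a reused ephemeral port is not matched."""
    def one(sip: str, sport: str, dip: str, dport: str) -> str:
        if strict:
            return (f"ip.addr == {sip} and ip.addr == {dip} and "
                    f"tcp.port == {sport} and tcp.port == {dport}")
        return f"tcp.srcport == {sport} or tcp.dstport == {sport}"

    return {
        "external": one(ct["fe_src_ip"], ct["fe_src_port"], ct["fe_dst_ip"], ct["fe_dst_port"]),
        "internal": one(ct["be_src_ip"], ct["be_src_port"], ct["be_dst_ip"], ct["be_dst_port"]),
    }

# Constructed sample log: the conntrace line quoted in this article plus a
# made-up conntrace line of another request (rid "AAAA-other") as a distractor.
SAMPLE_LOG = [
    "May 15 16:28:26 Web-Requests Usage m:WR-SG-CONNTRACE frontend-src: 172.18.61.2:56491 frontend-dst: 172.18.61.176:80 backend-src: 172.18.99.176:44825 backend-dst: 172.18.99.1:80 rid:T7JoCn8AAAEAACqxC7UAAAAh sid:718d525cbf99595348231c8e6bc44418 ip:172.18.61.2",
    "May 15 16:28:27 Web-Requests Usage m:WR-SG-CONNTRACE frontend-src: 172.18.61.3:40001 frontend-dst: 172.18.61.176:80 backend-src: 172.18.99.176:44826 backend-dst: 172.18.99.1:80 rid:AAAA-other sid:0000 ip:172.18.61.3",
]
```

Paste the returned "external" filter into Wireshark for /tmp/conntrace_ext.snoop and the "internal" one for /tmp/conntrace_int.snoop.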