i hope your help.
My cloudWatch example is below.
image capture: ssh connection logs with 172.0.0.10
As you see, cloudWatch is logging both of request and response packets.
In this case, everyone knows that packets displaying 22 as destination port is reponse packets because port 22 is well-known ssh server port.
However, if it is not a well-known port number, you will not be able to distinguish between request and response packets. How do you distinguish it in that case? The cloudwatch log alone does not show me how. No matter how I google it, I can not find a way. Please advise.
In this case, everyone knows that packets displaying 22 as destination port is reponse packets because port 22 is well-known ssh server port.
That's not actually correct. It's the opposite.
The server side of a TCP connection is using the well-known port, not the client¹ thus the well-known port is the destination of a request and the source of a response.
Packets with the source port of 22 would be the SSH "response" (server → client) packets. Ports with the destination port of 22 would be the SSH "request" (client → server) packets.
When I make a request to a web server, my source port is ephemeral but the destination port is 80. Responses come from source port 80.
But of course, the argument can be made that the terms "request" and "response" don't properly apply to packets,
But rather they apply to what the packet contains -- and that is protocol specific. In many cases, the client does the requesting and the server does the responding, but that correlation does not cleanly map down to the low layers of the protocol stack.
In the case of TCP, one side is always listening for connections, usually on a specific port, and that port is usually known to you, if not a "well-known" port, because you are the one who created the service and configured it to listen there.
As these flow log records do not capture the flags that are needed to discern the source and dest of the SYN... SYN+ACK... ACK sequence, you can't ascertain who originated the connection.
With no knowledge of the well-known-ed-ness or other significance of "port 22," it is still easy to conclude from your logs that 172.0.0.10 has a TCP socket listening on that port and that numerous other clients are connecting to it from their ephemeral ports... and we can confirm that this is still listening by running netstat -tln on that machine.
¹ not the client most of the time. There are cases where a server daemon is also a client and will use the well-known port as its source port for outgoing connections, so source and dest might be the same in such a case. I believe Sendmail might be an example of this, at least in some cases, but these are exceptions.
Related
I am bit puzzled about how TCP load balancer works, in particular AWS ELB. By looking at AWS ELB doc:
For TCP traffic, the load balancer selects a target using a flow hash algorithm based on the protocol, source IP address, source port, destination IP address, destination port, and TCP sequence number. The TCP connections from a client have different source ports and sequence numbers, and can be routed to different targets. Each individual TCP connection is routed to a single target for the life of the connection.
This confuses me. I assume/expect that a TCP connection persists to the same target for the duration of it. However (!) if the hash algorithm takes in account also the TCP sequence number - which is going to change for every tcp packet round-trip - then such connection is (wrongly) routed to other targets after every tcp packet round-trip.. Please help.
I'm trying to get TCP timestamp from the packets for clock skewing purposes on my application which is hosted on EC2. In my network I have an ALB.
So my question is how do I get TCP level packet information in my app ? Since ALB filters out all the OSI Layers except application level (HTTP)
If the only reason to get access to TCP packet is to detect timestamp and correct clock drift, I would suggest to configure your EC2 instance to use NTP time server instead.
https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/
That being said, the ALB is not "removing" TCP information from network packets. HTTP connections made to your application are still transported over IP and TCP. If you need low level access to network packets from an app, I would suggest to look at the pCAP library which is used by TCPDUMP and many other tool to capture network traffic on an interface.
https://www.tcpdump.org/
[UPDATED to include comments]
It is important to understand the TCP connection between your client and the ALB is terminated at the ALB level. The ALB creates a second TCP connection to forward HTTP requests to your EC2 instance. The ALB does not remove information from TCP/IP, it just creates a second, independent and new connection. Usually the only information you want to propagate from the initial TCP connection is the source IP address. The ALB, like most load balancers and proxies, captures this information from the original connection (the one received from the client) and embed the information in an HTTP header called X-Forwarded-For.
This is documented at https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html
If you want to capture other information from the original connection, I am afraid it will not be possible using ALB. (but I also would be very curious about the use case, i.e. WHAT you're trying to achieve)
I can't seem to be able to have Aws ec2 machines send outgoing socket communications. I allowed all traffic, turned of the firewall, and set a Elasitic I.P nothing is working. I'm using a python socket for simplicity. I'm able to listen and receive connections although then send data to that connection find. But whenever I try to connect I get a timeout. I searched far and wide for a answer to this question and none match my issue.
I'm trying to write a C++ chat program that is based on Peer To Peer technique, with no need to a server. Say peers connect to each other using their IP addresses as identifier.
Can I listen to incoming connections without configuring port forwarding on the router?
It is possible if peers are not behind a NAT. If they are you have to make port mapping(forward ports). You can easily write a function to check if a peers machine is behind NAT or not. And if it is, you can reconsider using server as a transfer place of the messages between peers.
Edit:
You can also think about using public VPN as a proxy(with port forward included). However, it is hard to find free one. Even if you are willing to pay for it, you have no assurance that no one will listen to it and you will be dependent of the uptime of the VPN servers.
Assume that I have a server directly connected to internet and a client connected to a router. The client can send messages to server since it knows the server's IP address and port. But how does the server send message back to the client? It can get the client's external IP address and port but should it send message to that port? and how does the client listen to the message,which port should it listen to? assuming no port forwarding.
I assume the difficulty is that your client is behind a NAT firewall. If that's the case, then the answer is simple: you don't. That's the entire point of NAT.
But this also assumes that you're talking about the creation of a new socket from the server to the client. If the socket already exists, you just talk over it and the stateful NAT router keeps track of the things it needs to in order to get the message through.
If neither of these answers your question, you'll need to reformulate it.