HowTo Geolocate Active Connection Information

From NST Wiki
Jump to: navigation, search

Quick Start

  • Set up your NST system such that it can geolocate IP addresses (see: HowTo Setup The NST System To Geolocate Data).
  • From the NST WUI menu bar select the Network menu, then Monitors and finally Active Connections.
  • Explore the controls and information displayed and try out Map mode (Hint: there are tool tips everywhere).

Screencasts

The Active Connection Introduction screencast provides a introduction and overview to the Active Connection page.

EmbedVideo was given an illegal value for the alignment parameter "360". Valid values are "left", "center", or "right".

Kernel 2.6.40 (3.0) Issues

The Fedora project made a decision to move to the new Linux 3.0 kernel after the initial release of Fedora 15. They renamed the kernel release from a 3.0 series to a 2.6.40 series (I'm guessing they were worried that some programs might look for the 2.6 in the kernel version and might fail if they found 3.0).

In any case, when they decided to disable the nf_conntrack tables by default in the new kernel. The means when you first bring up the NST Active Connections page, you will just see a empty table initially when monitoring the Local connections as shown in the image below.

Initial Active Connections With 2.6.40 Kernel

To enable the updating of the nf_conntrack tables on your NST system, you need to run the following commands:

[root@dhcp150 ~]# modprobe nf_conntrack_ipv4
[root@dhcp150 ~]# sysctl net.netfilter.nf_conntrack_acct=1
net.netfilter.nf_conntrack_acct = 1
[root@dhcp150 ~]# 

If you also want to monitor IPv6 traffic (this will make the tables very wide), then run the following command:

[root@dhcp150 ~]# modprobe nf_conntrack_ipv6
[root@dhcp150 ~]# 

As a side note, you can run ssh to a IPv6 address on a NST system using the following syntax (this will let you verify that the IPv6 addresses are showing up in your Active Connections table):

[pkb@rice ~]$ ssh -6 "root@fe80::a00:27ff:fe8f:118c%eth0"
Last login: Tue Aug 16 11:30:00 2011 from fe80::224:1dff:fe19:4344%p2p1

================================================
= Linux Network Security Toolkit (NST v2.15.0) =
================================================

[root@dhcp150 ~]#

Our future intention, to address this issue, is to update the NST WUI to detect this situation and provide a button for you to press allowing you to enable the nf_conntrack tables directly from your browser.