Network traffic tracking based on conntrace log messages

Airlock Gateway provides WR-SG-CONNTRACE log messages that include the external and internal TCP connection information, i.e. the source IP and port and the destination IP and port on both sides. This information can be used to track a single request from the client through the gateway to the back-end. Front-end and back-end packet traces can be correlated with the corresponding log messages.

To log the conntrace message, the log mode of the mapping must be set to Integration mode. See the article Section – Service and Mode.

Example log message in JSON format:

{ 
  "_index": "airlock-gateway-default-2023.12.06", 
  "_id": "ZM5_P4wBJv2E8SO6m0tx", 
  "_version": 1, 
  "_score": 0, 
  "_source": { 
    "log_id": "WR-SG-CONNTRACE", 
    "mapping": "root", 
    "front_dst_port": "80", 
    "front_src_port": "18982", 
    "pid": "176182", 
    "program": "SG_child", 
    "priority": "info", 
    "message": "Connection Trace", 
    "back_src_ip": "172.18.98.225", 
    "back_dst_ip": "172.18.98.50", 
    "req_id": "ZXCC9-Ko6WsU10yuyRWf7wAAAIA", 
    "front_src_ip": "172.18.60.2", 
    "front_dst_ip": "172.18.60.225", 
    "rcpt_id": "1709447", 
    "@timestamp": "2023-12-06T15:19:35.763+01:00", 
    "back_dst_port": "80", 
    "sess_id": "8fda8ccee7d2a555c910cf9d2d5afb5e", 
    "log_cat": "U", 
    "host": "lesbos", 
    "back_src_port": "54444", 
    "client_ip": "172.18.60.2", 
    "facility": "user" 
  }, 
  "fields": { 
    "log_id": [ 
      "WR-SG-CONNTRACE" 
    ], 
    "mapping": [ 
      "root" 
    ], 
    "front_dst_port": [ 
      80 
    ], 
    "front_src_port": [ 
      18982 
    ], 
    "pid": [ 
      176182 
    ], 
    "program": [ 
      "SG_child" 
    ], 
    "priority": [ 
      "info" 
    ], 
    "message": [ 
      "Connection Trace" 
    ], 
    "back_dst_ip": [ 
      "172.18.98.50" 
    ], 
    "back_src_ip": [ 
      "172.18.98.225" 
    ], 
    "req_id": [ 
      "ZXCC9-Ko6WsU10yuyRWf7wAAAIA" 
    ], 
    "front_dst_ip": [ 
      "172.18.60.225" 
    ], 
    "front_src_ip": [ 
      "172.18.60.2" 
    ], 
    "@timestamp": [ 
      "2023-12-06T14:19:35.763Z" 
    ], 
    "rcpt_id": [ 
      1709447 
    ], 
    "back_dst_port": [ 
      80 
    ], 
    "log_cat": [ 
      "U" 
    ], 
    "sess_id": [ 
      "8fda8ccee7d2a555c910cf9d2d5afb5e" 
    ], 
    "host": [ 
      "lesbos" 
    ], 
    "back_src_port": [ 
      54444 
    ], 
    "client_ip": [ 
      "172.18.60.2" 
    ], 
    "Facility": [ 
      "user" 
    ] 
  } 
}

From the above example, we can extract the following connection information:

Front-end source (web client)

    "front_src_ip": "172.18.60.2",
    "front_src_port": "18982",

Front-end destination (Airlock Gateway external address)

    "front_dst_ip": "172.18.60.225",
    "front_dst_port": "80",

Back-end source (Airlock Gateway internal address)

    "back_src_ip": "172.18.98.225",
    "back_src_port": "54444",

Back-end destination (back-end server)

    "back_dst_ip": "172.18.98.50",
    "back_dst_port": "80",

How to record and examine packets

Packets on the external and internal Airlock Gateway interfaces can be recorded and examined.

  1. Use a tool like tcpdump or TShark to record the packets. See the article Traffic recording with tcpdump or TShark for details.
  2. Save the external and internal recordings in separate files, e.g., /tmp/conntrace_ext.snoop and /tmp/conntrace_int.snoop.
  3. Use a tool like WinSCP to download the files from the gateway.
  4. Open the files in Wireshark and filter for the connection of the request taken from the conntrace log message.
    • External interface recording – tcp.srcport == <front_src_port> or tcp.dstport == <front_src_port>
    • Internal interface recording – tcp.srcport == <back_src_port> or tcp.dstport == <back_src_port>
  5. Only the packets of the single selected TCP connection are shown on each side; the req_id of the log message ties the two connections together.
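The extraction of the four endpoints and the Wireshark filters from steps 4 and 5 can be automated over a stream of gateway log lines. The following script is an added example and is not part of the article or of the Airlock product; it parses JSON log lines, keeps only WR-SG-CONNTRACE records, indexes them by req_id and emits the article's port-only filters together with stricter 4-tuple filters (which go beyond the page). The log lines and the second request are constructed sample data.

```python
import json

# Constructed sample log lines: the page's example connection, one unrelated
# message with a made-up log_id, a second made-up connection and a garbage line.
SAMPLE_LOG_LINES = [
    '{"log_id":"WR-SG-CONNTRACE","mapping":"root","req_id":"ZXCC9-Ko6WsU10yuyRWf7wAAAIA",'
    '"front_src_ip":"172.18.60.2","front_src_port":"18982",'
    '"front_dst_ip":"172.18.60.225","front_dst_port":"80",'
    '"back_src_ip":"172.18.98.225","back_src_port":"54444",'
    '"back_dst_ip":"172.18.98.50","back_dst_port":"80"}',
    '{"log_id":"EXAMPLE-OTHER-LOGID","req_id":"ZXCC9-Ko6WsU10yuyRWf7wAAAIA","message":"x"}',
    '{"log_id":"WR-SG-CONNTRACE","mapping":"root","req_id":"CONSTRUCTED-REQ-0002",'
    '"front_src_ip":"172.18.60.7","front_src_port":"40112",'
    '"front_dst_ip":"172.18.60.225","front_dst_port":"443",'
    '"back_src_ip":"172.18.98.225","back_src_port":"54460",'
    '"back_dst_ip":"172.18.98.50","back_dst_port":"8080"}',
    'this line is not JSON at all',
]


def parse_conntrace(lines):
    """Index WR-SG-CONNTRACE records by req_id; skip other log_ids and non-JSON lines."""
    by_req = {}
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("log_id") == "WR-SG-CONNTRACE" and "req_id" in rec:
            by_req[rec["req_id"]] = rec
    return by_req


def wireshark_filters(rec):
    """Display filters for both captures: the page's port-only form and a stricter
    4-tuple form (ip.addr and tcp.port match either packet direction)."""
    fsp, bsp = rec["front_src_port"], rec["back_src_port"]
    return {
        "external": f"tcp.srcport == {fsp} or tcp.dstport == {fsp}",
        "internal": f"tcp.srcport == {bsp} or tcp.dstport == {bsp}",
        "external_strict": (f"ip.addr == {rec['front_src_ip']} and ip.addr == {rec['front_dst_ip']}"
                            f" and tcp.port == {fsp} and tcp.port == {rec['front_dst_port']}"),
        "internal_strict": (f"ip.addr == {rec['back_src_ip']} and ip.addr == {rec['back_dst_ip']}"
                            f" and tcp.port == {bsp} and tcp.port == {rec['back_dst_port']}"),
    }


def filters_for_request(lines, req_id):
    """Filters for one request; None when no conntrace message exists for that req_id."""
    rec = parse_conntrace(lines).get(req_id)
    return wireshark_filters(rec) if rec else None


if __name__ == "__main__":
    for side, flt in filters_for_request(SAMPLE_LOG_LINES, "ZXCC9-Ko6WsU10yuyRWf7wAAAIA").items():
        print(f"{side:16} {flt}")
```

The strict variants help when the external and internal captures contain many connections that happen to reuse a source port over time.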