Logging TCP Sessions

Problem

You want to log the total number of TCP sessions.

Solution

You can configure the router to log the total number of TCP sessions, rather than just the number of packets, with the following set of commands:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 122 permit tcp any any eq telnet established
Router1(config)#access-list 122 permit tcp any any eq telnet
Router1(config)#access-list 122 permit ip any any
Router1(config)#interface Serial0/0
Router1(config-if)#ip access-group 122 in
Router1(config-if)#exit
Router1(config)#end
Router1#

Here is an alternative method that will also work:

Router1#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 121 permit tcp any any eq telnet syn
Router1(config)#access-list 121 permit tcp any any eq telnet
Router1(config)#access-list 121 permit ip any any
Router1(config)#interface Serial0/0
Router1(config-if)#ip access-group 121 in
Router1(config-if)#exit
Router1(config)#end
Router1#

Discussion

When you apply an access list, the router keeps a counter for each line recording how many packets have matched it. This information is often useful, but it does not tell you whether a counter of a thousand represents a thousand packets on a single session or one packet from each of a thousand sessions. The ACLs in this recipe separate the two, so you can read off the number of TCP sessions as well as the total number of packets.

In the first example, the first line in the ACL permits all established Telnet packets, as we did in Recipe 19.5. The second line then matches the Telnet packets that the first one does not, which in practice means the initial SYN packet that starts each TCP session. As we mentioned in Recipe 19.4, the first packet of a TCP session has the SYN bit set and no ACK bit. And, as we discussed in Recipe 19.5, the established keyword matches only packets with the ACK or RST bit set, so the initial SYN is the one packet in a normal session that falls through to the second line.

So the second line catches the session establishment, while the first line matches all of the other packets in the session. Therefore, the counter on the second line gives us the number of TCP sessions that have passed through the router. Note that these sessions can be between any two devices; as long as they communicate through this router, we can count them. Two caveats are worth keeping in mind. First, eq telnet in these lines refers to the destination port, so only packets travelling from the client to the server match; the server's replies, with source port 23, fall through to the permit ip any any line, and the ACL only sees sessions whose client-to-server packets arrive inbound on Serial0/0. Second, the counter records SYN packets, not completed handshakes: a client that retransmits its SYN, or a port scan that sends a SYN and never completes the handshake, is counted as well. Of course, the ACL in the example only counts Telnet sessions, that is, sessions to TCP port 23, but it is easy enough to change the port number in the ACL to monitor other TCP-based applications.

After applying this ACL to an interface for a while, the show access-list command starts to show a running count of the number of Telnet sessions that have occurred:

Router1#show access-list 122
Extended IP access list 122
permit tcp any any eq telnet established (3843 matches)
permit tcp any any eq telnet (6 matches)
permit ip any any (31937 matches)
Router1#

As you can see, six separate Telnet sessions have been started through the interface where we applied this ACL. If you want to know the total number of Telnet packets, simply add the first two lines together: 3,843 + 6 = 3,849 packets.

The second example uses a slightly different method for counting the number of sessions. In this case, the first line of the access-list matches only Telnet packets with the SYN bit set, as we discussed in Recipe 19.4:

Router1(config)#access-list 121 permit tcp any any eq telnet syn

In the client-to-server direction that this line examines, the only packet with this bit set is the first packet of the TCP three-way handshake (the server's SYN/ACK travels the other way, with source port 23, so it is not matched here). So this also gives us a way of counting the total number of Telnet sessions, with the same caveat as before that a retransmitted or unanswered SYN is counted too. The second line of this ACL captures the remaining Telnet packets:

Router1#show access-list 121
Extended IP access list 121
permit tcp any any eq telnet syn (7 matches)
permit tcp any any eq telnet (3057 matches)
permit ip any any (9404 matches)
Router1#

So this ACL has counted seven separate Telnet sessions and 7 + 3057 = 3064 total Telnet packets.

We can take the counting functionality of these ACLs a step further by adding the log keyword to the ACL line that counts the sessions. Note that IOS appends new statements to the end of an existing numbered access list, so remove the old list 121 first (with the no form of the access-list command); otherwise the new log line would land after the line that already matches these packets and would never see them:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#access-list 121 permit tcp any any eq telnet syn log
Router1(config)#access-list 121 permit tcp any any eq telnet
Router1(config)#access-list 121 permit ip any any
Router1(config)#end
Router1#

Including the log keyword like this keeps a log entry for every TCP session, without logging all of the packets in those sessions. This can be useful for security records and audits. Two points to be aware of: packets that match a log line are handed to the CPU for process switching, and the messages are rate-limited (IOS logs the first packet of a flow immediately and then only a summary with a packet count per logging interval), so on a busy interface the log is a sample rather than a complete record; and the local logging buffer is small and lost on reload, so send the messages to a syslog server if they are meant to serve as an audit trail:

Router1#show logging | include list 121
Feb 7 15:36:13: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3886) -> 10.2.2.2(23), 1 packet
Feb 7 15:36:39: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3887) -> 10.2.2.2(23), 1 packet
Feb 7 15:38:32: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3888) -> 10.2.2.2(23), 1 packet
Feb 8 07:48:20: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4332) -> 10.2.2.2(23), 1 packet
Feb 8 07:49:35: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4333) -> 10.2.2.2(23), 1 packet
Feb 8 08:08:57: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4339) -> 10.2.2.2(23), 1 packet
Router1#
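As an added example that is not part of the original recipe, here is a short Python script that turns the %SEC-6-IPACCESSLOGP messages from the SYN-only log line into an audit summary: distinct sessions per 4-tuple (so an interval summary for a flow already logged is read as SYN retransmissions rather than a new session), sessions per client, and clients that open many sessions in a short window, which is what a Telnet scan looks like in this log. The log lines are constructed to mirror the output above, and the year (IOS timestamps omit it), the burst threshold and the window are assumptions chosen for the demonstration.

```python
"""Summarise Cisco IOS %SEC-6-IPACCESSLOGP messages from a SYN-only ACL line."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# One IOS message per line; the timestamp carries no year, so parse_log() supplies one.
LOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
    r".*?%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample modelled on the show logging output above, not a real capture.
# The "2 packets" line at 15:41:13 is the interval summary IOS emits for a flow it has
# already logged; on a SYN-only ACL line that means the client retransmitted its SYN.
# 192.0.2.7 opening six sessions in three seconds is the pattern a scanner leaves.
SAMPLE_LOG = """\
Feb 7 15:36:13: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3886) -> 10.2.2.2(23), 1 packet
Feb 7 15:36:39: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3887) -> 10.2.2.2(23), 1 packet
Feb 7 15:38:32: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3888) -> 10.2.2.2(23), 1 packet
Feb 7 15:41:13: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(3888) -> 10.2.2.2(23), 2 packets
Feb 8 07:48:20: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4332) -> 10.2.2.2(23), 1 packet
Feb 8 07:48:21: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 192.0.2.7(40001) -> 10.2.2.2(23), 1 packet
Feb 8 07:48:21: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 192.0.2.7(40002) -> 10.2.2.2(23), 1 packet
Feb 8 07:48:22: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 192.0.2.7(40003) -> 10.2.2.2(23), 1 packet
Feb 8 07:48:22: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 192.0.2.7(40004) -> 10.2.2.2(23), 1 packet
Feb 8 07:48:23: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 192.0.2.7(40005) -> 10.2.2.2(23), 1 packet
Feb 8 07:48:23: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 192.0.2.7(40006) -> 10.2.2.2(23), 1 packet
Feb 8 07:49:35: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4333) -> 10.2.2.2(23), 1 packet
Feb 8 08:08:57: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 172.25.1.1(4339) -> 10.2.2.2(23), 1 packet
"""


class SynRecord(NamedTuple):
    when: datetime
    acl: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int  # SYN packets this message accounts for (1 for the first, N for a summary)


def parse_log(text: str, year: int = 2006) -> list[SynRecord]:
    """Parse every line matching LOG_RE; `year` is an assumption because IOS omits it."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = " ".join(m["ts"].split())  # collapse the double space IOS uses for days < 10
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        records.append(SynRecord(when, m["acl"], m["src"], int(m["sport"]),
                                 m["dst"], int(m["dport"]), int(m["count"])))
    return records


def sessions_and_packets(records: list[SynRecord]) -> tuple[Counter, int]:
    """Map each (src, sport, dst, dport) to its SYN count; a count above 1 is retransmission."""
    per_session: Counter = Counter()
    for r in records:
        per_session[(r.src, r.sport, r.dst, r.dport)] += r.packets
    return per_session, sum(per_session.values())


def sessions_per_source(per_session: Counter) -> Counter:
    """Distinct sessions started by each client address."""
    return Counter(src for (src, _, _, _) in per_session)


def find_bursts(records: list[SynRecord], threshold: int = 5,
                window: timedelta = timedelta(seconds=60)) -> list[tuple[str, datetime, int]]:
    """Clients that start at least `threshold` distinct sessions inside `window` (assumed limits)."""
    first_seen: dict[tuple, datetime] = {}
    for r in sorted(records, key=lambda r: r.when):
        first_seen.setdefault((r.src, r.sport, r.dst, r.dport), r.when)  # summaries do not count
    by_src: defaultdict[str, list[datetime]] = defaultdict(list)
    for (src, _, _, _), t in first_seen.items():
        by_src[src].append(t)
    bursts = []
    for src, times in by_src.items():
        times.sort()
        lo, best_n, best_start = 0, 0, times[0]
        for hi, t in enumerate(times):  # sliding window over session start times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > best_n:
                best_n, best_start = hi - lo + 1, times[lo]
        if best_n >= threshold:
            bursts.append((src, best_start, best_n))
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    per_session, syns = sessions_and_packets(recs)
    print(f"{len(per_session)} sessions attempted, {syns} SYN packets logged")
    for src, n in sessions_per_source(per_session).most_common():
        print(f"  {src}: {n} sessions")
    for src, start, n in find_bursts(recs):
        print(f"  burst: {src} started {n} sessions within 60s of {start}")
```

Run it against a saved show logging capture by replacing SAMPLE_LOG with the file contents; the regex ignores any syslog-server prefix before the timestamp. Keying on the full 4-tuple is what makes the summary line for port 3888 read as three SYNs on one session rather than as extra sessions, and find_bursts deliberately uses only the first message per tuple so that retransmissions never inflate a client's session rate.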

For more information about logging, please see Chapter 18.

See Also