Get NXLog to use a random port for each connection


#1 cyberkryptoin

Hi All,

I wonder if someone can answer this for me.

According to the documentation, it states that for a UDP client, the localport will be a random high port as per https://nxlog.co/documentation/nxlog-user-guide/om_udp.html

I have a situation where I am sending Zeek logs via UDP through a Google Seesaw load balancer (see https://github.com/google/seesaw).

The issue I am facing is that each separate log packet / connection from NXLog has the same client source port, i.e. 41460 in my case.

Tcpdump confirms this:

Packet 1 15:55:10.533740 IP (tos 0x0, ttl 64, id 57228, offset 0, flags [DF], proto UDP (17), length 506) 172.16.4.10.41640 > 172.16.4.166.12210: [udp sum ok] UDP, length 478

Packet 2 15:55:10.534026 IP (tos 0x0, ttl 64, id 57229, offset 0, flags [DF], proto UDP (17), length 847) 172.16.4.10.41640 > 172.16.4.166.12210: [udp sum ok] UDP, length 819

Is there a way to get NXLog to use a random client port for each connection?

It looks as if it chooses a random high port when the service is started.

Cheers

Cyberkryption

#2 b0ti Nxlog ✓

The random high ports are called ephemeral ports. Unfortunately, the port number is assigned by the network stack of the OS when the socket/connection is created. Based on your requirements, om_udp would need to close the socket and allocate a new one for each event record, which would be quite inefficient. The only way I see this could work is via spoofing the address and port. The address spoofing is already implemented in the om_udpspoof module, which is an NXLog EE feature; however, it doesn't yet support spoofing the port number, though it wouldn't be hard to implement this.
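The behaviour described in the answer above, as an added example that is not part of the original thread and is not NXLog code: a UDP socket receives its ephemeral source port from the OS once and keeps it for every datagram, so a different port per event requires a new socket per event. The function names and the loopback receiver are assumptions made for this demonstration.

```python
import socket


def _loopback_receiver():
    """Hypothetical stand-in for the log collector: UDP listener on loopback."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    rx.settimeout(2.0)          # never hang if a datagram is lost
    return rx


def ports_with_one_socket(n):
    """Send n datagrams from ONE long-lived socket (one socket for all events)."""
    rx = _loopback_receiver()
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        seen = []
        for i in range(n):
            # The first sendto() triggers the implicit bind to an ephemeral
            # port; later sends reuse that same binding.
            tx.sendto(b"event %d" % i, rx.getsockname())
            _, (_, src_port) = rx.recvfrom(2048)
            seen.append(src_port)
        return seen
    finally:
        tx.close()
        rx.close()


def ports_with_socket_per_event(n):
    """Send n datagrams, closing and re-creating the socket for each event."""
    rx = _loopback_receiver()
    try:
        seen = []
        for i in range(n):
            tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            try:
                tx.sendto(b"event %d" % i, rx.getsockname())
                _, (_, src_port) = rx.recvfrom(2048)
                seen.append(src_port)
            finally:
                tx.close()      # extra socket setup/teardown on every event
        return seen
    finally:
        rx.close()


if __name__ == "__main__":
    print("one socket      :", ports_with_one_socket(5))
    print("socket per event:", ports_with_socket_per_event(5))
```

The second function pays a socket create/close for every record, which is the inefficiency the answer refers to.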