Help understanding script output


#1

Hi All, I have a script that I’ve been using to determine who is talking to whom. I’m trying to better understand the output, but I'm not strong with Python. Here’s a snippet of the script output.

I’m trying to clarify the bytes in vs. bytes out.
At first glance, one would assume that in the first case, 10.1.1.25 initiated the conversation and in the second case, 10.1.2.35 initiated, but that does not always seem to be the case. So my question is, based on the main processing of the following script, is it even possible to determine which system initiated the conversation? Knowing this would be critical for creating firewall rules. If both systems are initiating, a firewall rule will be needed in both directions, but if only one system is initiating and EH is simply seeing the return traffic, only a single rule would be needed.

import time  # needed for the retry back-off below

# devices, ehop, lookback, opts and the output file f are set up earlier in the
# script (not shown in this snippet).
for device in devices:
    print "Your device ID is " + str(device.device_id)

    if(device.ipaddr4): # only care about L3 devices
        print "Grabbing Device " + str(device.ipaddr4)
        ipaddr = device.ipaddr4
        oid = device.oid
        if(device.dns_name):
            host = device.dns_name
        else:
            host = "No DNS Name Captured"
        Failed = True

        while(Failed):
            try:
                # Grab Bytes In and Bytes Out by L7 protocol
                metrics = ehop.get_exstats_total("extrahop.device.app_detail", "device", [(oid, lookback, 0)], ["bytes_in", "bytes_out"], {'cycle': "slow"})
                Failed = False
            except Exception:
                # If the ExtraHop is backed up, wait 5 seconds and try again
                # (catching Exception rather than a bare except keeps Ctrl-C working)
                print "Extrahop Backed up.. waiting 5 secs"
                time.sleep(5)

        for stat in metrics.stats:
            for L7 in stat.bytes_out:     # Loop through L7 protocols
                for peer in L7.value:     # Loop through peer devices per L7 protocol
                    try:
                        peerName = peer.key.host     # Check to see if we have a host value
                    except Exception:
                        peerName = "No DNS name gathered"     # If no host value, let the user know
                    # write one CSV row per peer to the file
                    f.write(str(ipaddr) + "," + str(peer.key.addr) + ",,,,,," + str(L7.key.str) + ",,," + str(host) + "," + str(peerName) + "," + "Bytes Out" + "," + str(peer.value) + "," + opts.host + "\n")
            for L7 in stat.bytes_in:      # Do the same thing as above, but for Bytes In
                for peer in L7.value:
                    try:
                        peerName = peer.key.host
                    except Exception:
                        peerName = "No DNS name gathered"
                    f.write(str(ipaddr) + "," + str(peer.key.addr) + ",,,,,," + str(L7.key.str) + ",,," + str(host) + "," + str(peerName) + "," + "Bytes In" + "," + str(peer.value) + "," + opts.host + "\n")

f.close()


#2

Looking a little closer at the output, it appears that I’m definitely seeing response traffic as “bytes in” in many cases. A good example is NTP. There’s no reason an external IP would be “initiating” an NTP request to an internal server (Bytes In) so in that case this must be a response. What may help here is a timestamp. Anyone know how I can add a timestamp request to the script? Thanks!