
I'm trying to get the TCP timestamp from the packets for clock-skew purposes in my application, which is hosted on EC2. In my network I have an ALB.

So my question is: how do I get TCP-level packet information in my app, since the ALB filters out all the OSI layers except the application level (HTTP)?

Nebi M Aydin

1 Answer

If the only reason to get access to the TCP packets is to detect the timestamp and correct clock drift, I would suggest configuring your EC2 instance to use an NTP time server instead.
https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/

That being said, the ALB is not "removing" TCP information from network packets. HTTP connections made to your application are still transported over IP and TCP. If you need low-level access to network packets from an app, I would suggest looking at the pcap library, which is used by tcpdump and many other tools to capture network traffic on an interface.

https://www.tcpdump.org/

[UPDATED to include comments]

It is important to understand that the TCP connection between your client and the ALB is terminated at the ALB level. The ALB creates a second TCP connection to forward HTTP requests to your EC2 instance. The ALB does not remove information from TCP/IP, it just creates a second, independent and new connection. Usually the only information you want to propagate from the initial TCP connection is the source IP address. The ALB, like most load balancers and proxies, captures this information from the original connection (the one received from the client) and embeds it in an HTTP header called X-Forwarded-For.

This is documented at https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html

If you want to capture other information from the original connection, I am afraid it will not be possible using an ALB (but I would also be very curious about the use case, i.e. WHAT you're trying to achieve).

Sébastien Stormacq
  • I don't think that's the case. When I look at HTTP packets at my application coming from the ALB, the IP originator is always the ALB's IP, not the client's IP. – Nebi M Aydin Mar 20 '19 at 20:28
  • That's a different question. HTTP requests do not arrive magically at your instances; they arrive encapsulated in Ethernet, IP and TCP packets. The source IP address is of course the load balancer itself. If you want to inspect the original sender IP address, your app must look at the X-Forwarded-For HTTP header, as described at https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html – Sébastien Stormacq Mar 20 '19 at 20:33
  • If you would describe a bit more precisely WHAT you are trying to achieve, you will get more precise answers. – Sébastien Stormacq Mar 20 '19 at 20:33
  • I just want to have the original packets that are sent to my ALB. Is there any way to get the original TCP? – Nebi M Aydin Mar 21 '19 at 00:24
  • @SébastienStormacq ALB does indeed "remove" information below layer 7 because the connections on the front side and back side are completely independent of each other. You cannot access low-level packets from an external device to an ALB from EC2 using libpcap because *packets* don't pass through an ALB (or any other layer 7 balancer). Only the payload passes through, in new/different network packets, which not only have different addressing but are not even consistent in count and size. – Michael - sqlbot Mar 21 '19 at 04:45
  • @Michael: the question and my comment were different. I perfectly know that the ALB - EC2 connection is different from the Client - ALB connection. But the ALB does not "remove" information from IP or TCP packets. It's a whole new connection. The question reflects a deep misunderstanding of how a load balancer works. – Sébastien Stormacq Mar 21 '19 at 10:14
  • @nebi: no, you cannot. The connection between your client and the ALB is terminated at the ALB level. The ALB creates a second TCP connection to forward HTTP requests to your EC2 instance. The ALB does not remove information from TCP/IP, it just creates a second, independent and new connection. Usually the only information you want to propagate from the initial TCP connection is the source IP address, which can be retrieved in the X-Forwarded-For HTTP header as explained above. What other information are you interested in collecting from the original client to ALB connection? – Sébastien Stormacq Mar 21 '19 at 10:16
  • Thanks both of you guys. @SébastienStormacq please provide your answer in answer format, not as a comment, so that I can accept it as the answer. – Nebi M Aydin Mar 21 '19 at 15:50
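The answer says the only client-connection fact that survives the ALB is the source IP in X-Forwarded-For. The part a practitioner gets wrong is which entry of that header to read: the client can send its own X-Forwarded-For value, and the ALB appends the peer address it saw to the end of whatever arrived, so the leftmost entry is attacker-controlled and only the rightmost entry (for one trusted hop) reflects the TCP connection the ALB actually terminated. The following is an added example, not code from the question, the answer or AWS. It assumes exactly one trusted proxy (the ALB) in front of the instance and the append-to-header behaviour described in the linked documentation; the header values it uses are constructed for illustration.

```python
"""Recover the client IP behind an ALB from X-Forwarded-For.

Added example, not code from the question or the answer above. Assumes the
setup the answer describes: one trusted proxy (the ALB) between the client and
the EC2 instance, and an ALB that appends the TCP peer address it saw to the
X-Forwarded-For header, creating the header if the client sent none. All
header values below are constructed for illustration.
"""
import ipaddress
from typing import List, Optional


def parse_xff(header: Optional[str]) -> List[str]:
    """Split a comma-separated X-Forwarded-For value into its entries, in order."""
    if not header:
        return []
    return [entry.strip() for entry in header.split(",") if entry.strip()]


def client_ip_naive(header: Optional[str]) -> Optional[str]:
    """The common mistake: take the first (leftmost) entry.

    The leftmost entry is whatever the client chose to send upstream of the
    ALB; only the entries appended by proxies you control are trustworthy.
    """
    entries = parse_xff(header)
    return entries[0] if entries else None


def client_ip_behind_alb(header: Optional[str], trusted_hops: int = 1) -> Optional[str]:
    """Return the address the outermost trusted proxy saw as its TCP peer.

    With one trusted hop (the ALB) that is the rightmost entry. With a trusted
    CDN in front of the ALB, the CDN appends the client and the ALB appends the
    CDN, so the client sits at position -2 (trusted_hops=2). Everything to the
    left of that position is client-controlled and is ignored.

    Returns None if the header is missing, has fewer entries than trusted
    hops, or the chosen entry is not a valid IP address. Any of those means
    the request did not arrive through the expected proxy chain (e.g. someone
    reached the instance directly), so the value must not be trusted.
    """
    if trusted_hops < 1:
        raise ValueError("trusted_hops must be at least 1")
    entries = parse_xff(header)
    if len(entries) < trusted_hops:
        return None
    candidate = entries[-trusted_hops]
    try:
        # Normalises and rejects garbage; handles both IPv4 and IPv6 literals.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed examples of what the instance sees after the ALB appended
    # the client address it observed on the front-side connection (203.0.113.7).
    honest = "203.0.113.7"
    spoofed = "10.0.0.1, 203.0.113.7"  # client sent "X-Forwarded-For: 10.0.0.1"
    for value in (honest, spoofed):
        print(f"{value!r:28} naive={client_ip_naive(value)!s:14} "
              f"alb={client_ip_behind_alb(value)}")
```

Two points matter in practice. First, the instance's security group should only accept traffic from the ALB; otherwise a request can reach the application without the ALB ever having appended to the header, and the "trusted" rightmost entry is just another client-supplied string. Second, the hop count must match the real topology: if a second trusted proxy is added in front of the ALB and `trusted_hops` stays at 1, the function starts returning the proxy's address instead of the client's.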