Hello all,

I'm running Firestarter (a simple graphical front-end to iptables) on Ubuntu.

When I open Firefox (homepage is still the default http://start.ubuntu.com/9.10/) Firestarter shows the following two connections:

Dest: Host: avocado.canonical.com Port: 80

Dest: Host: iy-in-f147.1e100.net Port: 80

And after about 15 seconds of staring at my homepage two more appear:

Dest: Host: iy-in-f190.1e100.net Port: 443

Dest: Host: iy-in-f138.1e100.net Port: 80

Then after about 45 seconds the first two terminate.

If anyone out there can give me an advanced verbose wordy highly technical explanation of why this all happens I would be very grateful. If you can explain this without using metaphors or analogies even better!

I've tested this several times. Sometimes the low level domains (the 'avocado' and 'iy-in-fxxx' parts in my example above) change but all else is generally the same. I've also noticed that other websites will often cause 6+ active connections to appear!

My guess is that the different parts of the webpage are coming from different servers, thus the various connections...

Thanks in advance!


>>My guess is that the different parts of the webpage are coming from different servers, thus the various connections...

You are correct... not much else to add. When you visit a webpage, say cnn.com, it could reference images from facebook.com or imageshack.com. There are also websites that run trash javascript that connect to other servers. One example is a javascript that waits for you to highlight text with your cursor. As soon as you highlight the text it posts to a server recording your IP and the text you highlighted. In theory they are "catching people who are copying and pasting content from their website". In practice they are pissing off users who highlight text as they read (me).

Thanks! Actually, I didn't know that was possible with javascript. Even so, I would like to configure my firewall to do two things:

1) Display more information about hosts to which I have an active connection, namely, what resource I'm downloading from them. e.g. say I connect to fuzzypotatoes.com and 5 active connections are initiated. I want my firewall to say which one I'm getting javascript from, which I'm getting css from etc.

2) I'd like to have my firewall color code the active connections according to the website they're initiated by. (this one is easy of course :P just thought I'd include it here anyways)

So is there any way to do this easily? i.e. ideally without packet sniffing? I'd prefer to conserve resources. A whois lookup doesn't get me the info I need. If I open a webpage, there MUST be an EASY way to monitor the consequent connections, and determine which resource each one is retrieving.

Any ideas???

This is actually going to be very difficult...

This is called "deep packet inspection" because you need to gather packet fragments, reassemble them into complete conversations, parse the packets for HTTP header values so you can determine the content type, URL and resource type.

This is not going to be easy to roll your own solution.

Also -- what type of firewall are you running?
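
The parsing step described in the reply above, as an added example that is not part of the original thread: once a connection's TCP payload has been reassembled in each direction, the HTTP/1.1 headers give the requested URL and the Content-Type of each response. The byte streams are constructed samples and the function names are hypothetical; TCP reassembly, chunked encoding and TLS decryption are not covered, so a port 443 connection can only be reported as encrypted.

```python
# Added example: label one connection with the resources fetched over it.
# All hosts, paths and byte streams below are constructed sample data.

def parse_headers(block):
    """Split a raw header block into (first_line, {lowercased-name: value})."""
    lines = block.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def split_messages(stream):
    """Yield (first_line, headers) for each HTTP/1.1 message in a reassembled
    byte stream, skipping bodies via Content-Length (no chunked support)."""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete header block: more segments still to arrive
        first, headers = parse_headers(stream[pos:end])
        yield first, headers
        pos = end + 4 + int(headers.get("content-length", "0"))

def describe_connection(client_bytes, server_bytes):
    """Pair requests with responses in order; return (url, content_type) list."""
    if client_bytes[:1] == b"\x16":  # TLS handshake record: payload is opaque
        return [("<encrypted TLS>", None)]
    out = []
    responses = split_messages(server_bytes)
    for first, headers in split_messages(client_bytes):
        method, path, _ = first.split(" ", 2)
        _, resp_headers = next(responses, ("", {}))
        ctype = resp_headers.get("content-type", "unknown").split(";")[0]
        out.append((headers.get("host", "?") + path, ctype))
    return out

# Constructed sample: two keep-alive requests on one connection.
CLIENT = (b"GET /style.css HTTP/1.1\r\nHost: fuzzypotatoes.com\r\n\r\n"
          b"GET /app.js HTTP/1.1\r\nHost: fuzzypotatoes.com\r\n\r\n")
SERVER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/css\r\nContent-Length: 8\r\n\r\nbody{ }\n"
          b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript; charset=utf-8\r\n"
          b"Content-Length: 5\r\n\r\nx=1;\n")

if __name__ == "__main__":
    for url, ctype in describe_connection(CLIENT, SERVER):
        print(url, "->", ctype)
```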