Source process (PID) of a packet

Hello,

I've got a problem on my server and I had to find out which process was
sending UDP packets to a specified host, opening and closing the socket
quickly.
I can see the UDP requests using

$ netstat -unap
or
$ ss -uap

I was finally able to catch the request running netstat in a fast loop
and catching it.

I was now wondering if it was possible to do that in another way.
Something like logging the source PID using -j LOG.
But I saw that the LOG target just supports the uid/gid.
Reading the sources of netfilter I saw that's not possible, and I think
that's because one socket could be used by several processes (I think
about the case of a process with a socket using a fork).
So is it not technically possible?

Is the only way to write an xtables target that does something like this:
# for any fd on the system:
#   if fd == skb->sk->..->file
#      match...
#      ...
Is this the only way?
That looks a bit heavy for the system to process.

I wonder also about the outgoing traffic:
Is it not possible to match any packet coming from a certain PID using a
match module? I saw xt_owner and how the old --pid-owner match worked
(I've also fixed it for the new kernel to try it).
Is the only way to check every fd open by that PID and then match it
against the socket related to the packet coming through?

Thanks!

-- 
Daniele Iamartino
Computer engineering student at Politecnico di Milano, Italy
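As an added example, which is not part of Daniele's message and not netfilter code: the user-space mapping that netstat -p and ss -p perform, done by hand. The socket inode comes from /proc/net/udp, and the owning process is whichever /proc/<pid>/fd/* symlink points at "socket:[<inode>]". The /proc/net/udp rows and the fd table in the block are constructed sample data from a little-endian host; only the polling loop at the bottom reads the live system. It also shows the two caveats behind the question above: one inode can sit in several PIDs' fd tables (the fork case), and a socket that uses sendto() without connect() shows 0.0.0.0:0 as its remote address, so for those you have to filter on the local port seen in the packet.

```python
#!/usr/bin/env python3
"""Map a UDP socket in /proc/net/udp back to the process(es) holding it.

Added example, not from the original message or from netfilter. This is the
user-space lookup behind `netstat -unap` / `ss -uap`: socket inode from
/proc/net/udp, then /proc/<pid>/fd/* symlinks that read "socket:[<inode>]".
"""
import os
import re
import socket
import struct
from typing import Dict, List, Optional, Tuple

# Constructed sample /proc/net/udp: a root-owned DNS listener on 127.0.0.1:53 and a
# connected socket 10.0.0.10:50097 -> 10.0.0.11:53 owned by uid 1000.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  56: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 18243 2 0000000000000000 0
 912: 0A00000A:C3B1 0B00000A:0035 01 00000000:00000000 00:00000000 00000000  1000        0 31337 2 0000000000000000 0
"""

# Constructed sample {pid: {fd: readlink target}}. PIDs 1234 and 1235 are a parent
# and its forked child sharing one socket, the case the message mentions.
SAMPLE_FD_LINKS = {
    700: {0: "/dev/null", 4: "socket:[18243]"},
    1234: {0: "/dev/null", 3: "socket:[31337]"},
    1235: {0: "/dev/null", 3: "socket:[31337]"},
}


def parse_hex_addr(field: str) -> Tuple[str, int]:
    """Decode 'AABBCCDD:PPPP'. The kernel prints the network-order address as a
    host-order integer, so on x86 the bytes come out reversed ("<I" undoes that)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_udp(text: str) -> List[dict]:
    """One dict per socket row; the first line of the file is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": parse_hex_addr(f[1]),
                     "remote": parse_hex_addr(f[2]),  # 0.0.0.0:0 unless connect()ed
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def socket_inode_owners(fd_links: Dict[int, Dict[int, str]]) -> Dict[int, List[Tuple[int, int]]]:
    """Invert {pid: {fd: target}} into {inode: [(pid, fd), ...]}. Several PIDs may
    hold the same inode (fork, SCM_RIGHTS): a packet identifies a socket and a
    uid, not a single PID, which is why LOG only carries uid/gid."""
    owners: Dict[int, List[Tuple[int, int]]] = {}
    for pid, fds in fd_links.items():
        for fd, target in fds.items():
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append((pid, fd))
    return owners


def read_fd_links(proc_root: str = "/proc") -> Dict[int, Dict[int, str]]:
    """Live equivalent of SAMPLE_FD_LINKS. Needs root to read other users' fd
    tables; processes that exit mid-scan are skipped, not treated as errors."""
    table: Dict[int, Dict[int, str]] = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            names = os.listdir(fd_dir)
        except OSError:
            continue
        links = {}
        for fd in names:
            try:
                links[int(fd)] = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
        table[int(name)] = links
    return table


def find_senders(udp_text: str, fd_links: Dict[int, Dict[int, str]],
                 remote_ip: Optional[str] = None, remote_port: Optional[int] = None,
                 local_port: Optional[int] = None) -> List[Tuple[dict, List[Tuple[int, int]]]]:
    """Filter sockets by remote endpoint and/or local port and attach their owners.
    For sendto() sockets the remote is 0.0.0.0:0, so filter on local_port instead."""
    owners = socket_inode_owners(fd_links)
    hits = []
    for row in parse_proc_net_udp(udp_text):
        rip, rport = row["remote"]
        if remote_ip is not None and rip != remote_ip:
            continue
        if remote_port is not None and rport != remote_port:
            continue
        if local_port is not None and row["local"][1] != local_port:
            continue
        hits.append((row, owners.get(row["inode"], [])))
    return hits


if __name__ == "__main__":  # fast polling loop, the same idea as netstat in a loop
    import sys, time
    ip, port = sys.argv[1], int(sys.argv[2])
    while True:
        with open("/proc/net/udp") as fh:
            for row, who in find_senders(fh.read(), read_fd_links(), ip, port):
                print(row["local"], "->", row["remote"], "uid", row["uid"], "pids", who)
        time.sleep(0.01)
```

Run as root with the destination IP and port to poll the live tables; because the socket is opened and closed quickly, the scan of /proc/<pid>/fd still races the sender, exactly the weakness of the netstat loop. Sockets that are shared across a fork come back with every holder listed, which is the situation the message points out as the reason a packet cannot be tied to one PID in the kernel.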
