On Wed, Sep 10, 2003 at 05:05:54AM +0400, Sergey V. Burchu wrote:
> Hello.
> I understand this question is asked again and again...
> But I'm a newbie :)
>
> But I want to tell what I want to do:
>
> I need info about traffic of every user on my linux box.
> I looked through list of available software but ... :(

Check out the `owner' module of iptables:
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html#ss7.3

>
> So I decided to make it myself. Main idea was quite simple:
>
> When socket is created we can know uid of user who is trying to create
> socket. So I have to add rx and tx counters to data structures and

Supposing that iptables doesn't solve your problem and you still have
to make it yourself:

*) Check out LSM, it seems to have a number of hooks in correspondence
   of networking operations, e.g., socket creation but also others
   (http://lsm.immunix.org/docs/2.4/lsm_interface.html).

> So my questions are:
> Is my way of dumping correct? If yes where i can find a bug or ... If no
> where I can read about better way? Or tell me here...

Your auditing mechanism seems quite complicated to me...
If LSM is not ok for you:

*) You could use the usual architecture: a daemon that reads binary data
   from a device driver or /proc file, handles it, and dumps the result
   in a file. There is also a nice patch that implements a relayfs, an
   optimized filesystem to efficiently relay data from kernel- to
   user-space. You can find it here:
   http://www.opersys.com/relayfs/

*) A different approach is to try the IBM dynamic probes patch.
   More info about it here:
   http://oss.software.ibm.com/developer/opensource/linux/projects/dprobes/

Note that in any case, when you have a log file, it is easy to compress
it using logrotate(8).

Marco

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/
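
Per-user byte accounting with the iptables `owner` match recommended in the reply, as an added example that is not part of the original message or of any project it mentions. It assumes a current iptables with the `connmark` match, `CONNMARK` target and `comment` match; the chain names, comment labels, the "connmark = UID" scheme and the sample counters are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Chain names (ACCT_TX, ACCT_RX), the
# comment labels and "connmark = UID" are assumptions of this sketch.

# Print the rules for the given non-zero UIDs; pipe to `sh` as root to apply.
acct_rules() {
    echo "iptables -N ACCT_TX"
    echo "iptables -N ACCT_RX"
    echo "iptables -I OUTPUT -j ACCT_TX"
    echo "iptables -I INPUT -j ACCT_RX"
    for uid in "$@"; do
        # `owner` matches only locally generated packets (OUTPUT path), so
        # tag the connection there and count the replies by connmark.
        echo "iptables -A ACCT_TX -m owner --uid-owner $uid -m comment --comment tx_uid_$uid -j CONNMARK --set-mark $uid"
        echo "iptables -A ACCT_RX -m connmark --mark $uid -m comment --comment rx_uid_$uid"
    done
}

# Read `iptables-save -c` text on stdin; print "uid tx_bytes rx_bytes".
sum_by_uid() {
    awk '
    /^\[[0-9]+:[0-9]+\] -A ACCT_[TR]X / {
        split(substr($1, 2, length($1) - 2), cnt, ":")   # cnt[2] = bytes
        for (i = 2; i < NF; i++)
            if ($i == "--comment") {
                gsub(/"/, "", $(i + 1))
                split($(i + 1), lab, "_")                # dir, "uid", uid
                bytes[lab[3], lab[1]] += cnt[2]
                seen[lab[3]] = 1
            }
    }
    END {
        for (u in seen)
            printf "%s %d %d\n", u, bytes[u, "tx"], bytes[u, "rx"]
    }' | sort -n
}

# Constructed sample of `iptables-save -c` output (not real measurements).
sample_counters() {
    cat <<'EOF'
[9000:7000000] -A INPUT -j ACCT_RX
[120:98000] -A ACCT_TX -m owner --uid-owner 1000 -m comment --comment tx_uid_1000 -j CONNMARK --set-xmark 0x3e8/0xffffffff
[200:240000] -A ACCT_RX -m connmark --mark 0x3e8 -m comment --comment rx_uid_1000
[15:1200] -A ACCT_TX -m owner --uid-owner 1001 -m comment --comment tx_uid_1001 -j CONNMARK --set-xmark 0x3e9/0xffffffff
[0:0] -A ACCT_RX -m connmark --mark 0x3e9 -m comment --comment rx_uid_1001
EOF
}

sample_counters | sum_by_uid
```

Packets the kernel emits without an owning socket (some TCP resets, for example) match no `owner` rule and stay uncounted, and UID 0 cannot use this scheme because mark 0 means "unmarked". On a live system, feed `iptables-save -c` to `sum_by_uid` instead of the sample.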