Re: hm.. again about writing to files from kernel

Tue, Sep 09, 2003 at 07:49:43PM -0500, you (Marco Cova) wrote:
> On Wed, Sep 10, 2003 at 05:05:54AM +0400, Sergey V. Burchu wrote:
> > Hello.
> > I understand this question is asked again and again...
> > But I'm a newbie :)
> > 
> > But I want to tell what I want to do:
> > 
> > I need info about the traffic of every user on my linux box.
> > I looked through the list of available software but ... :(
> 
> Check out the `owner' module of iptables:
> http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html#ss7.3
> 
> > 
> > So I decided to make it myself. The main idea was quite simple:
> > 
> > When a socket is created we can know the uid of the user who is trying to create
> > the socket. So I have to add rx and tx counters to data structures and
> 
> Supposing that iptables doesn't solve your problem and you still have
> to make it yourself:
> *) Check out LSM, it seems to have a number of hooks corresponding to
> networking operations, e.g., socket creation but also others
> (http://lsm.immunix.org/docs/2.4/lsm_interface.html).
> 
> > So my questions are:
> > Is my way of dumping correct? If yes, where can I find a bug or ... If no,
> > where can I read about a better way? Or tell me here...
> 
> Your auditing mechanism seems quite complicated to me...
> 
> If LSM is not ok for you:
> *) you could use the usual architecture: a daemon that reads binary data
> from a device driver or /proc file, handles it, and dumps the result in
> a file.
> There is also a nice patch that implements a relayfs, an optimized
> filesystem to efficiently relay data from kernel- to user-space. You
> can find it here: 
> http://www.opersys.com/relayfs/
> *) A different approach is to try the IBM dynamic probes patch. More
> info about it here:
> http://oss.software.ibm.com/developer/opensource/linux/projects/dprobes/
> 
> Note that in any case, when you have a log file, it is easy to
> compress it using logrotate(8).

Thanks! :)
I found another way: at startup I create a kernel thread which sleeps and periodically
wakes up and dumps everything I wanted without any crash :)
Now it works for me on a UP machine. In a week or so I'll have a chance to test it with SMP :)
Thanks anyway :)
-- 
	Burchu Sergey.
--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/
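
As an added example (not code from the thread or from either poster), here is the user-space half of the "usual architecture" Marco describes: the kernel only exports per-user counters through a /proc file, and an ordinary daemon reads them, computes what changed since the last read, and appends the result to a log. The `<uid> <rx_bytes> <tx_bytes>` line format, the sample snapshots and all function names are assumptions of this example, not anything the thread defines. The point of the split is that no kernel code ever opens or writes a file: the only process holding the log open is an unprivileged one that can be confined and whose output logrotate(8) can compress, as the reply notes.

```c
/* Added example, not from the thread: the user-space daemon half of the
 * "kernel exports counters, daemon logs them" design.
 * Assumed (hypothetical) /proc line format: "<uid> <rx_bytes> <tx_bytes>" */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_USERS 64

struct uid_counters {
    unsigned int uid;
    unsigned long long rx, tx;   /* running totals as exported by the kernel */
};

/* Parse one snapshot from an open stream. Malformed lines are skipped so a
 * single bad line cannot poison the whole snapshot. Returns entries parsed. */
int parse_snapshot(FILE *in, struct uid_counters *out, int max)
{
    char line[128];
    int n = 0;
    while (n < max && fgets(line, sizeof line, in)) {
        unsigned int uid;
        unsigned long long rx, tx;
        if (sscanf(line, "%u %llu %llu", &uid, &rx, &tx) != 3)
            continue;
        out[n].uid = uid;
        out[n].rx = rx;
        out[n].tx = tx;
        n++;
    }
    return n;
}

/* The same parser over an in-memory string (used for the constructed samples). */
int parse_snapshot_str(const char *text, struct uid_counters *out, int max)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (!in)
        return -1;
    int n = parse_snapshot(in, out, max);
    fclose(in);
    return n;
}

static int find_uid(const struct uid_counters *s, int n, unsigned int uid)
{
    for (int i = 0; i < n; i++)
        if (s[i].uid == uid)
            return i;
    return -1;
}

/* Bytes moved since the previous snapshot, for every uid present in `cur`.
 * A counter that went backwards (module reload, reboot) is reported as its
 * current value instead of an enormous unsigned wrap-around. */
int compute_deltas(const struct uid_counters *prev, int nprev,
                   const struct uid_counters *cur, int ncur,
                   struct uid_counters *delta)
{
    for (int i = 0; i < ncur; i++) {
        int j = find_uid(prev, nprev, cur[i].uid);
        delta[i].uid = cur[i].uid;
        if (j < 0) {               /* uid not seen before: everything counts */
            delta[i].rx = cur[i].rx;
            delta[i].tx = cur[i].tx;
            continue;
        }
        delta[i].rx = cur[i].rx >= prev[j].rx ? cur[i].rx - prev[j].rx : cur[i].rx;
        delta[i].tx = cur[i].tx >= prev[j].tx ? cur[i].tx - prev[j].tx : cur[i].tx;
    }
    return ncur;
}

/* Append one plain-text record per uid; returns the number of records written. */
int write_log(FILE *log, long when, const struct uid_counters *delta, int n)
{
    int written = 0;
    for (int i = 0; i < n; i++)
        if (fprintf(log, "%ld uid=%u rx=%llu tx=%llu\n", when,
                    delta[i].uid, delta[i].rx, delta[i].tx) > 0)
            written++;
    fflush(log);
    return written;
}

int main(void)
{
    /* Constructed sample: two successive reads of the assumed /proc file. */
    const char *snap1 = "0 1000 500\n1000 20000 4000\n";
    const char *snap2 = "0 1500 700\n1000 26000 4500\n1001 300 100\nbad line\n";
    struct uid_counters prev[MAX_USERS], cur[MAX_USERS], delta[MAX_USERS];
    int nprev = parse_snapshot_str(snap1, prev, MAX_USERS);
    int ncur = parse_snapshot_str(snap2, cur, MAX_USERS);
    int n = compute_deltas(prev, nprev, cur, ncur, delta);
    /* A real daemon would open its log once, then loop: sleep, reread /proc,
     * compute_deltas, write_log. Rotation is the log tool's job, not the kernel's. */
    return write_log(stdout, (long)time(NULL), delta, n) == n ? 0 : 1;
}
```

The daemon keeps the previous snapshot in memory and logs only deltas, so the kernel side can stay as simple as monotonic counters in its socket accounting; the wrap-around check matters because the counters will restart from zero whenever the module is reloaded.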