On 30/05/2016 5:07 PM, Ben Woods wrote:
On Monday, 30 May 2016, Yuri <y...@rawbw.com> wrote:

There is vnstat that does this by interface.

But is there a way to do this by the application? This is because nearly
every packet that is sent through the system is sent on behalf of some
process running on the system.

It would be nice to be able to see which applications (in general sense)
generate most traffic.

I am fully aware that the link between pid and an "application" is vague
because some processes are run through some cryptic command lines. I am
just interested if anything exists in this area at all.


Yuri

Hi Yuri,

There is an application called nethogs which does this on Linux, but the
website says it makes heavy use of Linuxisms so won't work on BSD. I had a
quick look at the code and couldn't immediately recognise the Linuxisms in
question, but haven't done a thorough look.

On FreeBSD, I tend to filter traffic by src and destination ip/port to
determine how much traffic an application is using.

Easiest solution I can think of: Use net-mgmt/darkstat.
https://unix4lyfe.org/darkstat/

Slightly more complicated solution, but with potentially more power for
filtering the data: Netflow/NfDump/NfSen
https://forums.freebsd.org/threads/49724/

at $JOB we had to do this for outgoing sessions of one particular app.
The answer was to make that app run as a special group and use the 'gid' match for the outgoing SYN packets from that process to run a keep-state rule to make all packets from that session go through a particular counting rule.

it was something like:
ipfw add 10 skipto 15 tcp from any to any not layer2 setup gid ${SPECIAL_GID} out xmit ${EXTERNAL} keep-state
ipfw add 11 skipto 20 ip from any to any
ipfw add 15 count ip from any to any in
ipfw add 16 count ip from any to any out
ipfw add 20 <whatever comes next>

since keep-state has an implicit check-state before evaluation, all session packets from sessions initiated by that process.

the not-layer2 was needed in our case to stop a kernel panic, we had bridging ipfw as well and it caused problems.

I have considered adding a feature where sockets opened by a particular process would generate packets with a particular tag
which could be detected in the firewall.
It would be a bit like using the 'setfib' command: the property would be inherited.

so setsockflag -4 ssh foo.com would make all of ssh's packets be marked with a tag of 4.
there is already a rule in ipfw to detect these tags.
I did consider using setfib and setting up a separate fib for that app to use. Fib associations can also be detected in the firewall.




Good luck!

Regards,
Ben
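The gid-keyed accounting scheme sketched in the reply above, written out as an added example that is not from the thread: a generator for the ipfw rule set (the gid 1234 and interface em0 are assumed placeholders) and a small parser that pulls the byte counters of the count rules out of `ipfw -a list` output. The sample listing is constructed, so the parser runs without a live firewall.

```shell
#!/bin/sh
# Per-application traffic accounting with ipfw, keyed on the process gid.
# gen_rules prints the rule set (pipe it to sh on the firewall host to apply);
# counted_bytes reads the byte counter of one count rule from `ipfw -a list`.

# Emit the rule set from the thread: the first outgoing SYN from a process
# running under GID creates state and jumps to the count rules, so every later
# packet of that session (either direction) is counted before the normal rules.
gen_rules() {
    gid="$1"; iface="$2"
    cat <<EOF
ipfw add 10 skipto 15 tcp from any to any not layer2 setup gid $gid out xmit $iface keep-state
ipfw add 11 skipto 20 ip from any to any
ipfw add 15 count ip from any to any in
ipfw add 16 count ip from any to any out
EOF
}

# Print the byte counter of rule number $1 from `ipfw -a list` output on stdin.
# With -a, each line reads: <rule> <packets> <bytes> <action> ...
# Prints 0 when the rule is not present (e.g. the rule set was never loaded).
counted_bytes() {
    awk -v rule="$1" '
        $1 + 0 == rule + 0 { print $3 + 0; found = 1 }
        END { if (!found) print 0 }'
}

# Constructed sample of `ipfw -a list` output for the rule set above
# (assumed gid 1234 on em0); the counters are made-up values.
SAMPLE_LIST='00010   12   1200 skipto 15 tcp from any to any out xmit em0 setup gid 1234 keep-state
00011   99  54321 skipto 20 ip from any to any
00015  400  51200 count ip from any to any in
00016  300   9600 count ip from any to any out
00020    0      0 allow ip from any to any'

# Report inbound and outbound bytes attributed to the gid's sessions.
report() {
    in_bytes=$(printf '%s\n' "$SAMPLE_LIST" | counted_bytes 15)
    out_bytes=$(printf '%s\n' "$SAMPLE_LIST" | counted_bytes 16)
    echo "gid sessions: in=${in_bytes} out=${out_bytes} total=$((in_bytes + out_bytes))"
}
```

On a real host replace the constructed listing with `ipfw -a list`, and reset the counters with `ipfw zero 15 16` at the start of each measurement window.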



_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
