Phil Vandry wrote:
> On Mon, 4 Oct 2010 09:51:39 -0400 Rob Hasselbaum <r...@hasselbaum.net> wrote:
>> Yes, it is possible (on Linux, anyway), but not extremely easy. You can
>> correlate packet data to the kernel's network connection table and network
>> connections to inode values by reading "/proc/net/tcp*" and
>
> Isn't that unreliable? The connection might be short-lived and disappear
> from /proc/net/{tc,ud}p* before you have a chance to find it.
>
> Since you are assuming Linux anyway, have you considered using iptables?
>
> If you don't have a huge number of users, you can create a rule like this
> for each uid:
>
> iptables -I OUTPUT -m owner --uid-owner <foo> -j ACCEPT
>
> and then just monitor the packet & byte counters on these rules.

You can also catch events using SystemTap's netdev.transmit and netdev.receive probes.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
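
An added example (not part of the original thread) of the /proc/net/tcp lookup discussed above: it decodes the table's hex endpoints and maps a packet's 4-tuple to the owning socket's uid and inode, returning None when the row is already gone, which is the short-lived-connection race raised in the reply. The sample table is constructed, the function names are hypothetical, and the parser assumes the file was produced on a little-endian host.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:D431 0B00000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
"""

def decode_endpoint(field):
    """Turn 'HHHHHHHH:PPPP' into (dotted_ipv4, port)."""
    addr_hex, port_hex = field.split(":")
    # The address is the raw 32-bit value printed in host byte order.
    # Assumption: the table came from a little-endian host, hence "<I".
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return {(local, remote): (uid, inode)} for every socket row."""
    table = {}
    for line in text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 10:                  # ignore truncated rows
            continue
        local = decode_endpoint(cols[1])
        remote = decode_endpoint(cols[2])
        # Column 7 is the owning uid, column 9 the socket inode.
        table[(local, remote)] = (int(cols[7]), int(cols[9]))
    return table

def owner_of(table, local, remote):
    """Look up a packet's 4-tuple; None means no matching socket row."""
    return table.get((local, remote))

if __name__ == "__main__":
    table = parse_proc_net_tcp(SAMPLE)
    # Established connection that is still present in the table.
    print(owner_of(table, ("10.0.0.10", 54321), ("10.0.0.11", 443)))
    # Packet seen on the wire whose socket closed before the table was read.
    print(owner_of(table, ("10.0.0.10", 40000), ("10.0.0.11", 443)))
```

On a live system the text would come from reading /proc/net/tcp at the moment the packet is captured; a None result there is a packet that cannot be attributed by this method.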