* Traffic accounting over ULOG inefficient?
@ 2004-06-10 18:05 Thilo Schulz
2004-06-10 18:25 ` Chris Green
2004-06-10 19:33 ` Marc Haber
0 siblings, 2 replies; 5+ messages in thread
From: Thilo Schulz @ 2004-06-10 18:05 UTC
To: netfilter
Hello,
Since all of the other traffic accounting implementations I have met right now
are inflexible, I decided to write my own one. There are some
implementations, that parse the byte counters displayed by iptables and feed
their traffic databases by this output. A dirty hack in my opinion. Something
that knows about traffic instantly is just better .. so ULOG is a bit more
interesting.
The only thing that disturbs me: Just for counting packet lengths queue whole
packets to userspace? That sounds pretty inefficient to me. Why go to such
lengths, if the netfilter kernel code itself already has a way of keeping
track of packet lengths? Since the computer I intend to use this accounter on
is connected with a 100Mbit NIC I guess something like that would eat up a
good chunk of CPU time when there's much traffic to be processed.
I am still inexperienced with kernel programming, I would be grateful for any
pointers or hints on how to achieve this "real time traffic tracking" without
either having to read out any iptable counters every 10 minutes or queue
entire packets to userspace.
Would a small kernel module do the trick?
- --
Thilo Schulz
My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
* Re: Traffic accounting over ULOG inefficient?
From: Chris Green @ 2004-06-10 18:25 UTC
To: netfilter
Thilo Schulz <arny@ats.s.bawue.de> writes:
>
> I am still inexperienced with kernel programming, I would be
> grateful for any pointers or hints on how to achieve this "real time
> traffic tracking" without either having to read out any iptable
> counters every 10 minutes or queue entire packets to userspace.
> Would a small kernel module do the trick?
There is a patch in patch-o-matic for ctnetlink that implements a
different type of interface to get these counters from connection
tracking but I can't seem to find out any information on it aside
from questions about it that go unanswered.
--
Chris Green <cmg@dok.org>
"Yeah, but you're taking the universe out of context."
* Re: Traffic accounting over ULOG inefficient?
From: Thilo Schulz @ 2004-06-10 19:11 UTC
To: netfilter
On Thursday 10 June 2004 20:25, Chris Green wrote:
> There is a patch in patch-o-matic for ctnetlink that implements a
> different type of interface to get these counters from connection
> tracking but I can't seem to find out any information on it aside
> from questions about it that go unanswered.
Actually, I'm not so much interested in connection checking. What I need is a
counter, that tells me how much data is going through a rule, without giving
me the content of the packet itself.
- --
Thilo Schulz
My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
* Re: Traffic accounting over ULOG inefficient?
From: KOVACS Krisztian @ 2004-06-10 19:27 UTC
To: Thilo Schulz; +Cc: netfilter
Hi,
On Thu, Jun 10, 2004 at 09:11:48PM +0200, Thilo Schulz wrote:
> On Thursday 10 June 2004 20:25, Chris Green wrote:
> > There is a patch in patch-o-matic for ctnetlink that implements a
> > different type of interface to get these counters from connection
> > tracking but I can't seem to find out any information on it aside
> > from questions about it that go unanswered.
>
> Actually, I'm not so much interested in connection checking. What I need is a
> counter, that tells me how much data is going through a rule, without giving
> me the content of the packet itself.
Maybe this tiny module is what you're looking for? (Although I've never
used it myself, it looks to me a viable approach to traffic accounting.)
http://www.intra2net.com/opensource/ipt_account/
--
KOVACS Krisztian
* Re: Traffic accounting over ULOG inefficient?
From: Marc Haber @ 2004-06-10 19:33 UTC
To: Thilo Schulz; +Cc: netfilter
On Thu, Jun 10, 2004 at 08:05:14PM +0200, Thilo Schulz wrote:
> Since all of the other traffic accounting implementations I have met right now
> are inflexible, I decided to write my own one. There are some
> implementations, that parse the byte counters displayed by iptables and feed
> their traffic databases by this output. A dirty hack in my opinion. Something
> that knows about traffic instantly is just better .. so ULOG is a bit more
> interesting.
Make sure to take a look at ulog-acctd before re-inventing a wheel
that has probably already been invented.
> The only thing that disturbs me: Just for counting packet lengths
> queue whole packets to userspace?
You can control how much of the packet should be copied to userspace
in the iptables statement and take the packet length from the IP header.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Karlsruhe, Germany | lose things." Winona Ryder | Fon: *49 721 966 32 15
Nordisch by Nature | How to make an American Quilt | Fax: *49 721 966 31 29
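The approach described in the message above, as an added example that is not part of the original thread or of any project's code: with the ULOG copy range limited to the fixed IPv4 header (for instance --ulog-cprange 20 on the rule), the accounting side reads each packet's full length from the header's total-length field rather than from the number of bytes copied. The C code below assumes the copied prefix starts at the IP header and takes the prefixes as byte buffers; the table layout, function names and sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_HOSTS 64
struct host_acct { uint32_t addr; uint64_t bytes, packets; };
struct acct_table { struct host_acct h[MAX_HOSTS]; size_t n; };
/* Account one packet from its copied prefix; -1 if the prefix cannot be trusted. */
static int account(struct acct_table *t, const uint8_t *p, size_t caplen)
{
    if (caplen < 20 || (p[0] >> 4) != 4) return -1;      /* short copy or not IPv4 */
    unsigned ihl = (p[0] & 0x0fu) * 4u;                   /* header length in bytes */
    uint16_t total = (uint16_t)((p[2] << 8) | p[3]);      /* total length, network order */
    if (ihl < 20 || total < ihl) return -1;               /* malformed header */
    uint32_t src = ((uint32_t)p[12] << 24) | ((uint32_t)p[13] << 16) |
                   ((uint32_t)p[14] << 8) | p[15];
    for (size_t i = 0; i < t->n; i++)
        if (t->h[i].addr == src) { t->h[i].bytes += total; t->h[i].packets++; return 0; }
    if (t->n == MAX_HOSTS) return -1;                     /* table full */
    t->h[t->n++] = (struct host_acct){ src, total, 1 };
    return 0;
}

/* Constructed sample: only the first 20 bytes of each packet, as copied to userspace. */
static const uint8_t SAMPLE[][20] = {
    {0x45,0,0x05,0xdc, 0,0,0x40,0, 64,6,0,0,  192,0,2,10, 198,51,100,1}, /* 1500 bytes */
    {0x45,0,0x00,0x28, 0,0,0x40,0, 64,6,0,0,  192,0,2,10, 198,51,100,1}, /*   40 bytes */
    {0x45,0,0x02,0x40, 0,0,0x40,0, 64,17,0,0, 192,0,2,20, 198,51,100,1}, /*  576 bytes */
    {0x60,0,0,0, 0,40,6,64},                                            /* IPv6, rejected */
};
/* Feed the sample; return bytes seen from addr and count rejected packets. */
static uint64_t sample_bytes(uint32_t addr, int *rejected)
{
    struct acct_table t = {0};
    uint64_t bytes = 0;
    *rejected = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (account(&t, SAMPLE[i], sizeof SAMPLE[i]) != 0) (*rejected)++;
    for (size_t i = 0; i < t.n; i++)
        if (t.h[i].addr == addr) bytes = t.h[i].bytes;
    return bytes;
}

int main(void)
{
    int rej;
    unsigned long long b = sample_bytes(0xC000020Au, &rej);   /* 192.0.2.10 */
    printf("192.0.2.10: %llu bytes, %d rejected\n", b, rej);
    return 0;
}
```

The byte totals come from the header field, so a 1500-byte packet counts as 1500 bytes even though only 20 bytes crossed into userspace.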