* Logging packet owner
@ 2003-12-10 10:47 John Guerrero
0 siblings, 0 replies; 6+ messages in thread
From: John Guerrero @ 2003-12-10 10:47 UTC (permalink / raw)
To: netfilter
Hi folks, I browsed the last 7 months of archives and
didn't see this question addressed.
Are there plans to allow logging the packet owner? For
example, I get rogue DNS requests emanating from my
workstation and I'd like to know which process is doing
this.
And for that matter, is there a place on the netfilter.org
website that lists the completed and upcoming features?
Thanks,
jlg
^ permalink raw reply [flat|nested] 6+ messages in thread
* Logging packet owner
@ 2003-12-11 21:34 John E. Leon Guerrero
2003-12-11 22:08 ` Eric Leblond
0 siblings, 1 reply; 6+ messages in thread
From: John E. Leon Guerrero @ 2003-12-11 21:34 UTC (permalink / raw)
To: netfilter
Hi folks, I browsed the last 7 months of archives and didn't see this
question addressed.
Are there plans to allow logging the packet owner? For example, I get
rogue DNS requests emanating from my workstation and I'd like to know
which process is doing this.
And for that matter, is there a place on the netfilter.org website that
lists the completed and upcoming features?
Thanks,
jlg
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Logging packet owner
2003-12-11 21:34 Logging packet owner John E. Leon Guerrero
@ 2003-12-11 22:08 ` Eric Leblond
2003-12-12 16:01 ` Odp: " Maciej Soltysiak
2003-12-15 19:34 ` John E. Leon Guerrero
0 siblings, 2 replies; 6+ messages in thread
From: Eric Leblond @ 2003-12-11 22:08 UTC (permalink / raw)
To: John E. Leon Guerrero; +Cc: netfilter
On Thu 11/12/2003 at 22:34, John E. Leon Guerrero wrote:
> Hi folks, I browsed the last 7 months of archives and didn't see this
> question addressed.
>
> Are there plans to allow logging the packet owner? For example, I get
> rogue DNS requests emanating from my workstation and I'd like to know
> which process is doing this.
you can do full user filtering and activity logging with the nufw
project which is based on netfilter :
http://www.nufw.org/
Complete logging of dropped packets will be available on the next
release (0.6.1), which is planned to be available on monday (code is in
cleaning and testing phase).
BR,
--
Eric Leblond
Nufw, Now User Filtering Works (http://www.nufw.org)
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Logging packet owner
@ 2003-12-12 5:13 Babar Kazmi
0 siblings, 0 replies; 6+ messages in thread
From: Babar Kazmi @ 2003-12-12 5:13 UTC (permalink / raw)
To: eric, jguerrero; +Cc: netfilter
[-- Attachment #1: Type: text/html, Size: 1892 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Odp: Logging packet owner
2003-12-11 22:08 ` Eric Leblond
@ 2003-12-12 16:01 ` Maciej Soltysiak
2003-12-15 19:34 ` John E. Leon Guerrero
1 sibling, 0 replies; 6+ messages in thread
From: Maciej Soltysiak @ 2003-12-12 16:01 UTC (permalink / raw)
To: netfilter
Try my patch:
It adds uid and gid (if applicable) of the socket that sent the packet.
It will show you who is sending which packets.
It would be easy to add the information about the process that handles
that packet (if applicable)
http://www.soltysiak.com/linux/LOG-ids.patch
Regards,
Maciej
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: Logging packet owner
2003-12-11 22:08 ` Eric Leblond
2003-12-12 16:01 ` Odp: " Maciej Soltysiak
@ 2003-12-15 19:34 ` John E. Leon Guerrero
1 sibling, 0 replies; 6+ messages in thread
From: John E. Leon Guerrero @ 2003-12-15 19:34 UTC (permalink / raw)
To: Eric Leblond; +Cc: netfilter
hi eric, thanks for pointing out that project. it's a little much for
my immediate needs, but i do see its usefulness in a larger context :)
for those who would be interested in what i did in the meantime, here's my
workaround for finding the process that was issuing rogue dns queries:
1. log and allow outgoing DNS packet
2. deny incoming DNS packets
-hopefully the process waits around long enough for a response
3. issue lsof -n -i UDP:53 as soon as the outgoing log message hits
-the -n is important or it can hang waiting for DNS as well :)
4. ps fax is a good idea if it's not obvious what the parent process is
good luck out there,
jlg
Eric Leblond wrote:
>On Thu 11/12/2003 at 22:34, John E. Leon Guerrero wrote:
>
>
>>Hi folks, I browsed the last 7 months of archives and didn't see this
>>question addressed.
>>
>>Are there plans to allow logging the packet owner? For example, I get
>>rogue DNS requests emanating from my workstation and I'd like to know
>>which process is doing this.
>>
>>
>
>you can do full user filtering and activity logging with the nufw
>project which is based on netfilter :
> http://www.nufw.org/
>Complete logging of dropped packets will be available on the next
>release (0.6.1), which is planned to be available on monday (code is in
>cleaning and testing phase).
>
>BR,
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
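An added example, not code from any poster in this thread: the lookup behind the workaround in the message above, generalized to match the source port (SPT) from the LOG line against /proc/net/udp, which yields the socket's uid and inode, and then to find the PID holding that inode. The log line, socket table, function names and the DNS-OUT log prefix are constructed for illustration; /proc/net/udp lists IPv4 sockets only.

```python
import os
import re

# Constructed sample data: one iptables LOG line and a /proc/net/udp table
# (trailing columns trimmed; addresses and ports are hexadecimal).
SAMPLE_LOG = ("kernel: DNS-OUT: IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.1 "
              "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP "
              "SPT=32770 DPT=53 LEN=40")
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1501
  47: 0A01A8C0:8002 0101A8C0:0035 01 00000000:00000000 00:00000000 00000000  1000        0 48213
"""

def logged_source_port(log_line):
    """Source port of a logged outgoing UDP packet to port 53, else None."""
    m = re.search(r"PROTO=UDP SPT=(\d+) DPT=53\b", log_line)
    return int(m.group(1)) if m else None

def udp_sockets(table_text):
    """Parse /proc/net/udp text into one dict per socket."""
    socks = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) >= 10:
            socks.append({"lport": int(f[1].split(":")[1], 16),
                          "rport": int(f[2].split(":")[1], 16),
                          "uid": int(f[7]), "inode": int(f[9])})
    return socks

def socket_for_log(log_line, table_text):
    """Socket whose local port equals the SPT in the LOG line, or None."""
    spt = logged_source_port(log_line)
    return next((s for s in udp_sockets(table_text) if s["lport"] == spt), None)

def pids_for_inode(inode, proc="/proc"):
    """PIDs holding socket:[inode]; root is needed to read other users' fds."""
    target, pids = "socket:[%d]" % inode, []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:
            continue                              # process exited or unreadable
    return pids

if __name__ == "__main__":
    sock = socket_for_log(SAMPLE_LOG, SAMPLE_UDP)
    print(sock, pids_for_inode(sock["inode"]))
```

On a live system, pass the contents of /proc/net/udp as the table text while the socket is still open; the uid is available even when the process's fd directory is not readable.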