From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: Iptables logs on High bandwidth traffic network
Date: Wed, 04 May 2005 18:13:14 -0500 [thread overview]
Message-ID: <4279570A.1090509@riverviewtech.net> (raw)
In-Reply-To: <42794F67.7060803@danbbs.dk>
> How about using a fifo (man mkfifo and man syslog) and let syslog pipe
> to that fifo. Some program can then read from the fifo, parse data, and
> maybe use a database for storing the parsed, now more limited, data.
> Might be a good ide to have the database on another system :-
Using a FIFO to a program that parses and transmits the data to another system to network might be a possibility. Keep in mind that any processing that you do on the packets has to be able to be done at least as fast if not faster than the rate the packets come in. If you ever end up getting behind on the processing things will snowball on you VERY quickly and more than likely end up in a very nasty mess. This is why I think it would be better to use something like TCPDump or Snort to sniff the network and then post process the dumps. This post processing could probably be done as often or seldom as you would like, this is all tunable. The reason that I like the post processing is that you have a rather large buffer before you start snowballing on your self, namely the disk to store dumps on.
(maning mkfifo...)
After reading about FIFOs and playing with them momentarily (mkfifo test; ls > test; (jump to different terminal) cat test) I would be worried about how much data could be queued in a fifo and what would happen if more data than that was dumped in to the fifo. I personally see too many opportunities for things to break login this way. Login this way may indeed work but I would not want to try this, especially on a higher speed link. Seeing as I have no idea what speed this would break on I am even less likely to try it, but that is just me and my opinion. You know what they say about opinions...
Grant. . . .
next prev parent reply other threads:[~2005-05-04 23:13 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-05-04 12:45 Iptables logs on High bandwidth traffic network bharathi
2005-05-04 15:59 ` Taylor, Grant
2005-05-04 22:40 ` Mogens Valentin
2005-05-04 23:13 ` Taylor, Grant [this message]
2005-05-05 6:59 ` Jozsef Kadlecsik
2005-05-05 7:24 ` Taylor, Grant
2005-05-05 8:15 ` Jozsef Kadlecsik
2005-05-05 11:24 ` Mogens Valentin
2005-05-05 11:59 ` Jozsef Kadlecsik
2005-05-05 9:37 ` Mogens Valentin
2005-05-05 10:07 ` Jozsef Kadlecsik
2005-05-04 16:39 ` Jason Opperisano
2005-05-04 17:18 ` Steven M Campbell
2005-05-04 20:37 ` Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4279570A.1090509@riverviewtech.net \
--to=gtaylor@riverviewtech.net \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.