Subject: abusing ipset and ulog for tcpdump-like functions?
From: Carl-Daniel Hailfinger @ 2006-01-26 23:09 UTC
To: netfilter
Hi,
in the process of trying to get CPU usage on my router to saner
levels, I noticed that tcpdump instances were consuming about
30% of the total cpu load. Since that is a bit too much for my
taste, I decided to try to implement a solution for my problem
with ipset and ulog.
Problem:
For a given set A of IPs, I want to log the first packet per
IP to userspace with full headers. Further packets shall only
be logged if their MAC address differs from the MAC address of
the first logged packet. After the first packet with a differing
MAC address has been logged for a given IP, log only packets
for this IP which don't have either the first or the second MAC.
The general pattern is that I want to log each MAC used by a
few IPs I have to keep an eye on.
Now you could say that this is exactly what arpwatch does.
Well, mostly. And arpwatch doesn't scale to gigabit throughput
on the interface it is watching.
I have a userspace script which does exactly that with tcpdump
and it works fine except that the tcpdump instances spawned by
it consume too much CPU in the af_packet module.
My idea was to use an ipmap (level0) from ipset to match set A.
If a packet is matched by level0, it is checked against a
macipmap (level1). If it doesn't match level1, log the packet and
add it to level1. If it can't be added to level1 (because
another packet with the same IP has already been added to level1)
add it to another macipmap table level2. And so on.
Can I add one IP with multiple MACs to a given macipmap table?
(That would give me the easiest solution.) If so, will this
affect performance very much? If this is impossible, what other
options do I have? Will --matchunset help?
Regards,
Carl-Daniel
--
http://www.hailfinger.org/
Subject: Re: abusing ipset and ulog for tcpdump-like functions?
From: Jozsef Kadlecsik @ 2006-01-27 8:48 UTC
To: Carl-Daniel Hailfinger; +Cc: netfilter
Hi,
On Fri, 27 Jan 2006, Carl-Daniel Hailfinger wrote:
> Can I add one IP with multiple MACs to a given macipmap table?
No, you cannot. It is assumed that there is one MAC address per IP.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
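The following is an added example, not code from either message or from the ipset project: a userspace model of the level0/level1/level2 cascade Carl-Daniel proposes, written under the constraint Jozsef confirms (a macipmap holds at most one MAC per IP). Each macipmap level is modelled as a plain dict keyed by IP; the watched set (level0) is a Python set. With two levels the model produces exactly the behaviour the original problem statement asks for: the first MAC seen for a watched IP is logged once, a second MAC is logged once, and any packet carrying a third MAC is logged every time because no level can remember it. The IPs, MACs and packet sequence are constructed for the demonstration; how the kernel would perform the "log, then add to the next level" step is outside the model.

```python
"""Userspace model of an ipmap (level0) feeding a chain of macipmaps
(level1..levelN), each holding at most one MAC per IP, as proposed in
the thread. Added example only; all addresses below are constructed."""


class MacIpMap:
    """Model of one ipset macipmap: at most one MAC per IP (thread constraint)."""

    def __init__(self):
        self.entries = {}  # ip -> mac

    def match(self, ip, mac):
        """True only if this exact (ip, mac) pair is in the map."""
        return self.entries.get(ip) == mac

    def add(self, ip, mac):
        """Add the pair; return False if the IP already holds a MAC (cannot add)."""
        if ip in self.entries:
            return False
        self.entries[ip] = mac
        return True


class MacCascade:
    """level0: the watched IPs (ipmap). level1..levelN: macipmaps, one MAC per IP each."""

    def __init__(self, watched_ips, levels=2):
        self.level0 = set(watched_ips)
        self.levels = [MacIpMap() for _ in range(levels)]
        self.logged = []     # (level, ip, mac) for packets stored in a level and logged
        self.unstored = []   # (ip, mac) logged but not storable: every level full for the IP

    def packet(self, ip, mac):
        """Return True if this packet would be passed to userspace (ULOG)."""
        mac = mac.lower()
        if ip not in self.level0:
            return False                      # not a watched IP: ignore
        if any(lvl.match(ip, mac) for lvl in self.levels):
            return False                      # (ip, mac) already known: do not log
        for n, lvl in enumerate(self.levels, start=1):
            if lvl.add(ip, mac):
                self.logged.append((n, ip, mac))
                return True                   # first packet with this MAC: log it once
        # Every level already holds a different MAC for this IP. The packet is
        # logged but cannot be remembered, so each later packet with this MAC
        # is logged again. With levels=2 this is what the original post asks for.
        self.unstored.append((ip, mac))
        return True

    def macs_for(self, ip):
        """All MACs recorded for ip, in the order the levels learned them."""
        return [lvl.entries[ip] for lvl in self.levels if ip in lvl.entries]


def run(cascade, packets):
    """Feed (ip, mac) pairs; return the pairs that would have been logged, in order."""
    return [(ip, mac) for ip, mac in packets if cascade.packet(ip, mac)]


if __name__ == "__main__":
    # Constructed sample traffic: one watched host that changes MAC twice.
    sample = [
        ("10.0.0.5", "aa:bb:cc:00:00:01"),
        ("10.0.0.5", "aa:bb:cc:00:00:01"),
        ("10.0.0.9", "aa:bb:cc:00:00:01"),   # not in the watched set
        ("10.0.0.5", "AA:BB:CC:00:00:02"),   # case is normalised before comparing
        ("10.0.0.5", "aa:bb:cc:00:00:02"),
        ("10.0.0.5", "aa:bb:cc:00:00:03"),
        ("10.0.0.5", "aa:bb:cc:00:00:03"),
    ]
    c = MacCascade(["10.0.0.5"], levels=2)
    for ip, mac in run(c, sample):
        print("LOG", ip, mac, "known MACs:", c.macs_for(ip))
```

The cost of the cascade is visible in `packet()`: every watched packet is checked against every level before it can be dropped from logging, so the number of levels bounds both the MACs remembered per IP and the per-packet set lookups. Raising `levels` beyond the number of MACs a host is expected to use does not change which packets reach userspace, only how many repeated lookups each one costs.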