* Logging packet owner
@ 2003-12-10 10:47 John Guerrero
0 siblings, 0 replies; 5+ messages in thread
From: John Guerrero @ 2003-12-10 10:47 UTC (permalink / raw)
To: netfilter
Hi folks, I browsed the last 7 months of archives and
didn't see this question addressed.
Are there plans to allow logging the packet owner? For
example, I get rogue DNS requests emanating from my
workstation and I'd like to know which process is doing
this.
And for that matter, is there a place on the netfilter.org
website that lists the completed and upcoming features?
Thanks,
jlg
^ permalink raw reply [flat|nested] 5+ messages in thread
* Logging packet owner
@ 2003-12-11 21:34 John E. Leon Guerrero
2003-12-11 22:08 ` Eric Leblond
0 siblings, 1 reply; 5+ messages in thread
From: John E. Leon Guerrero @ 2003-12-11 21:34 UTC (permalink / raw)
To: netfilter
Hi folks, I browsed the last 7 months of archives and didn't see this
question addressed.
Are there plans to allow logging the packet owner? For example, I get
rogue DNS requests emanating from my workstation and I'd like to know
which process is doing this.
And for that matter, is there a place on the netfilter.org website that
lists the completed and upcoming features?
Thanks,
jlg
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Logging packet owner
2003-12-11 21:34 John E. Leon Guerrero
@ 2003-12-11 22:08 ` Eric Leblond
2003-12-15 19:34 ` John E. Leon Guerrero
0 siblings, 1 reply; 5+ messages in thread
From: Eric Leblond @ 2003-12-11 22:08 UTC (permalink / raw)
To: John E. Leon Guerrero; +Cc: netfilter
[-- Attachment #1: Type: text/plain, Size: 725 bytes --]
On Thu 11/12/2003 at 22:34, John E. Leon Guerrero wrote:
> Hi folks, I browsed the last 7 months of archives and didn't see this
> question addressed.
>
> Are there plans to allow logging the packet owner? For example, I get
> rogue DNS requests emanating from my workstation and I'd like to know
> which process is doing this.
you can do full user filtering and activity logging with the nufw
project which is based on netfilter :
http://www.nufw.org/
Complete logging of dropped packets will be available on the next
release (0.6.1), which is planned to be available on monday (code is in
cleaning and testing phase).
BR,
--
Eric Leblond
Nufw, Now User Filtering Works (http://www.nufw.org)
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Logging packet owner
@ 2003-12-12 5:13 Babar Kazmi
0 siblings, 0 replies; 5+ messages in thread
From: Babar Kazmi @ 2003-12-12 5:13 UTC (permalink / raw)
To: eric, jguerrero; +Cc: netfilter
[-- Attachment #1: Type: text/html, Size: 1892 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Logging packet owner
2003-12-11 22:08 ` Eric Leblond
@ 2003-12-15 19:34 ` John E. Leon Guerrero
0 siblings, 0 replies; 5+ messages in thread
From: John E. Leon Guerrero @ 2003-12-15 19:34 UTC (permalink / raw)
To: Eric Leblond; +Cc: netfilter
hi eric, thanks for pointing out that project. it's a little much for
my immediate needs, but i do see its usefulness in a larger context :)
for those who would be interested in what i did in the meantime, here's my
workaround for finding the process that was issuing rogue dns queries:
1. log and allow outgoing DNS packets
2. deny incoming DNS packets
   - hopefully the process waits around long enough for a response
3. issue lsof -n -i UDP:53 as soon as the outgoing log message hits
   - the -n is important or it can hang waiting for DNS as well :)
4. ps fax is a good idea if it's not obvious what the parent process is
good luck out there,
jlg
Eric Leblond wrote:
>On Thu 11/12/2003 at 22:34, John E. Leon Guerrero wrote:
>
>
>>Hi folks, I browsed the last 7 months of archives and didn't see this
>>question addressed.
>>
>>Are there plans to allow logging the packet owner? For example, I get
>>rogue DNS requests emanating from my workstation and I'd like to know
>>which process is doing this.
>>
>>
>
>you can do full user filtering and activity logging with the nufw
>project which is based on netfilter :
> http://www.nufw.org/
>Complete logging of dropped packets will be available on the next
>release (0.6.1), which is planned to be available on monday (code is in
>cleaning and testing phase).
>
>BR,
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
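The four-step workaround from the last message, sketched as a shell script (an added example, not code from the thread or from any poster). It goes slightly beyond the message by looking up the logged source port (SPT) instead of port 53, which ties the lookup to the exact socket that sent the packet. The log prefix "DNS-OUT ", the kernel log path and the sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Steps 1-2 as rules (run as root; "DNS-OUT " is an assumed log prefix):
#   iptables -I OUTPUT -p udp --dport 53 -j LOG --log-prefix "DNS-OUT "
#   iptables -I INPUT  -p udp --sport 53 -j DROP
PREFIX="DNS-OUT "

# Print the value of KEY=value from one netfilter LOG line, empty if absent.
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Print the lsof command for a logged outgoing DNS packet.
# Returns 1 for lines that are not ours or carry a non-numeric port,
# so nothing from the log text can leak into the command line.
owner_lookup_cmd() {
    case "$1" in
        *"$PREFIX"*) ;;
        *) return 1 ;;
    esac
    [ "$(log_field "$1" PROTO)" = "UDP" ] || return 1
    [ "$(log_field "$1" DPT)" = "53" ] || return 1
    spt=$(log_field "$1" SPT)
    case "$spt" in
        ''|*[!0-9]*) return 1 ;;
    esac
    echo "lsof -n -P -i UDP:$spt"
}

# Step 3: read the kernel log on stdin and run lsof the moment a match appears.
watch_log() {
    while IFS= read -r line; do
        cmd=$(owner_lookup_cmd "$line") || continue
        echo "== $line"
        # The sender may already have exited; step 4 (ps fax) stays manual.
        $cmd || echo "(no socket found, process may have closed it)"
    done
}

# Constructed sample line (not captured from a real host).
SAMPLE='Dec 15 19:30:01 ws kernel: DNS-OUT IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32771 DPT=53 LEN=40'

if [ "${1:-}" = "--watch" ]; then
    watch_log    # e.g. tail -F /var/log/kern.log | sh this-script --watch (path assumed)
else
    owner_lookup_cmd "$SAMPLE"
fi
```

Dropping the replies (step 2) is what keeps the socket open long enough for lsof to see it, so both rules should be removed once the process is identified.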