Time counter of connections (libnetfilter-conntrack?)

Time counter of connections (libnetfilter-conntrack?)

[Italo Valcy]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys!

Is there an way to get time counter of the connections using
libnetfilter-conntrack? I mean, I'd like to know how long a connection
had taken (since the state NEW to DESTROY).

Any ideias?

Thanks for any help!


Kind Regards, italo.

- -- 
Saudações,

Italo Valcy :: http://wiki.dcc.ufba.br/~ItaloValcy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAky5JOgACgkQfidLqjN6RNFlNACfULAt/4lV33jZsS3a16T9wf+7
nKoAnRXBjOSLpgBep0GHu2KlGyjDn4eu
=71oq
-----END PGP SIGNATURE-----

Re: Time counter of connections (libnetfilter-conntrack?)

[Pablo Neira Ayuso]

On 16/10/10 06:07, Italo Valcy wrote:
> Hi guys!
> 
> Is there an way to get time counter of the connections using
> libnetfilter-conntrack? I mean, I'd like to know how long a connection
> had taken (since the state NEW to DESTROY).
> 
> Any ideias?

The Linux kernel does not track this connection lifetime, so you would
have to listen to NEW events, put the ct objects into some structure
(hashtable, tree, list, etc) and calculate the difference by yourself
once you receive DESTROY events.

It wouldn't be hard to extend the existing code to do this in kernel space.

Re: Time counter of connections (libnetfilter-conntrack?)

[Jan Engelhardt]

On Saturday 2010-10-16 10:22, Pablo Neira Ayuso wrote:
>On 16/10/10 06:07, Italo Valcy wrote:
>> Hi guys!
>> 
>> Is there an way to get time counter of the connections using
>> libnetfilter-conntrack? I mean, I'd like to know how long a connection
>> had taken (since the state NEW to DESTROY).
>> 
>> Any ideias?
>
>The Linux kernel does not track this connection lifetime, so you would
>have to listen to NEW events, put the ct objects into some structure
>(hashtable, tree, list, etc) and calculate the difference by yourself
>once you receive DESTROY events.
>
>It wouldn't be hard to extend the existing code to do this in kernel space.

One could just enhance the ct struct by a genesis timestamp,
and calculate the delta once the destroy event is sent out.

Re: Time counter of connections (libnetfilter-conntrack?)

[Italo Valcy]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi guys,

Thank you Jan, Pablo, for the reply. It's like I imagined. One doubt:
the 'id' field of nf_conntrack struct is unique? (I'd like to use it as
index to the struct that I'll use to track the timestamps...)


Kind regards, Italo.


- -- 
Saudações,

Italo Valcy :: http://wiki.dcc.ufba.br/~ItaloValcy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAky5oRsACgkQfidLqjN6RNGuYQCeMXOT2pyUGJfExEGudf2Z+OK/
jIcAn0b1BIYnQ9K4MkjiB6YHEhcZGsRb
=YYhQ
-----END PGP SIGNATURE-----

Re: Time counter of connections (libnetfilter-conntrack?)

[Pablo Neira Ayuso]

On 16/10/10 11:28, Jan Engelhardt wrote:
> 
> On Saturday 2010-10-16 10:22, Pablo Neira Ayuso wrote:
>> On 16/10/10 06:07, Italo Valcy wrote:
>>> Hi guys!
>>>
>>> Is there an way to get time counter of the connections using
>>> libnetfilter-conntrack? I mean, I'd like to know how long a connection
>>> had taken (since the state NEW to DESTROY).
>>>
>>> Any ideias?
>>
>> The Linux kernel does not track this connection lifetime, so you would
>> have to listen to NEW events, put the ct objects into some structure
>> (hashtable, tree, list, etc) and calculate the difference by yourself
>> once you receive DESTROY events.
>>
>> It wouldn't be hard to extend the existing code to do this in kernel space.
> 
> One could just enhance the ct struct by a genesis timestamp,
> and calculate the delta once the destroy event is sent out.

Indeed, a small conntrack extension would be great. This can save lots
of memory for ulogd2 and it could be useful for IPFIX implementations.

Re: Time counter of connections (libnetfilter-conntrack?)

[Pablo Neira Ayuso]

On 16/10/10 14:57, Italo Valcy wrote:
> Hi guys,
> 
> Thank you Jan, Pablo, for the reply. It's like I imagined. One doubt:
> the 'id' field of nf_conntrack struct is unique? (I'd like to use it as
> index to the struct that I'll use to track the timestamps...)

Yes, it is.

Re: Time counter of connections (libnetfilter-conntrack?)

[Pablo Neira Ayuso]

On 16/10/10 19:59, Pablo Neira Ayuso wrote:
> On 16/10/10 14:57, Italo Valcy wrote:
>> Hi guys,
>>
>> Thank you Jan, Pablo, for the reply. It's like I imagined. One doubt:
>> the 'id' field of nf_conntrack struct is unique? (I'd like to use it as
>> index to the struct that I'll use to track the timestamps...)
> 
> Yes, it is.

Well, to be precise there have been lots of discussions in the past on
the uniqueness of the conntrack ID. Some situations in which we can find
two different conntracks with the same ID may occur due to race
conditions in the event delivery. To avoid problems I use the original
tuple and the id to identify one conntrack (part of the
conntrack-tools). I suggest you to do so.

Re: Time counter of connections (libnetfilter-conntrack?)

[Italo Valcy]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Pablo,

Ok! Thank you so much for the help!!! I'll code a little now.. ;)


Kind regards, Italo.


- -- 
Saudações,

Italo Valcy :: http://wiki.dcc.ufba.br/~ItaloValcy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAky56vMACgkQfidLqjN6RNFCNwCfWd3lckao2urYG41a6TH3Gm/t
+1AAniTjaGJbuVDj2ZMPGHLHjmgYLd8s
=tuCM
-----END PGP SIGNATURE-----