Hello list,

I'm currently a bit planless, so perhaps someone here could point me in the right direction.

History: I wrote a shaper web tool (http://shaper.netshadow.at) and now got several feature requests asking whether it would be possible to graph "what's going on" (meaning per IP address, tcp/udp port or protocol) in a specific chain. A chain represents a specific tc-class. Packets get into these chains via tc-filter or iptables MARK.

Currently I'm drawing graphs with data taken from the dequeuing counters via tc -s class show dev ${IF}. Not the best way - I know - but it was enough until now.

Now the question is - is it possible to get direct access to network packets that flow through a specific tc-class?

I was thinking about iptables and dumping the MARK-value via libpcap. But I don't think that this will work because the pcap-filter is attached to the device itself before the iptables rules (like the restore-mark) are acting. So I guess libpcap will not see this.

I was also thinking about forwarding the traffic of each chain to a dummy device. But with a greater number of chains this will become an enormous overhead.

In summary I'm searching for an "easy" way to get the traffic which flows to a specific tc-class to make some graphs. From IP/MAC level to tcp/udp ports.

If there is no such way I will simply dump all the data from libpcap and try to extract the necessary details from this data and parse it.

Any ideas are welcome.

Cheers,
Andreas
Andreas Unterkircher wrote:
> Hello list,
>
> I'm currently a bit planless, so perhaps someone here could point me in the right direction.
>
> History: I wrote a shaper web tool (http://shaper.netshadow.at) and now got several feature requests asking whether it would be possible to graph "what's going on" (meaning per IP address, tcp/udp port or protocol) in a specific chain. A chain represents a specific tc-class. Packets get into these chains via tc-filter or iptables MARK.
>
> Currently I'm drawing graphs with data taken from the dequeuing counters via tc -s class show dev ${IF}. Not the best way - I know - but it was enough until now.
>
> Now the question is - is it possible to get direct access to network packets that flow through a specific tc-class?
>
> I was thinking about iptables and dumping the MARK-value via libpcap. But I don't think that this will work because the pcap-filter is attached to the device itself before the iptables rules (like the restore-mark) are acting. So I guess libpcap will not see this.

No it won't, but it's not able to use the netfilter mark anyway. One way would be to use the ipt action combined with the ULOG target and send packets to userspace that way.
Good suggestion to use ulog for this. So I could dump exactly the traffic which would run through a class (CLASSIFY) to analyze and extract the necessary data to draw the graphs. So I do not have to parse my class (IP or MAC) out of a full tcpdump stream.

Sadly not possible with tc-filter. But perhaps I could do this for tc with Vincent Perrier's sch_spy module.

Cheers,
Andreas

Patrick McHardy wrote:
> Andreas Unterkircher wrote:
>> Hello list,
>>
>> I'm currently a bit planless, so perhaps someone here could point me in the right direction.
>>
>> History: I wrote a shaper web tool (http://shaper.netshadow.at) and now got several feature requests asking whether it would be possible to graph "what's going on" (meaning per IP address, tcp/udp port or protocol) in a specific chain. A chain represents a specific tc-class. Packets get into these chains via tc-filter or iptables MARK.
>>
>> Currently I'm drawing graphs with data taken from the dequeuing counters via tc -s class show dev ${IF}. Not the best way - I know - but it was enough until now.
>>
>> Now the question is - is it possible to get direct access to network packets that flow through a specific tc-class?
>>
>> I was thinking about iptables and dumping the MARK-value via libpcap. But I don't think that this will work because the pcap-filter is attached to the device itself before the iptables rules (like the restore-mark) are acting. So I guess libpcap will not see this.
>
> No it won't, but it's not able to use the netfilter mark anyway. One way would be to use the ipt action combined with the ULOG target and send packets to userspace that way.
Andreas Unterkircher wrote:
> Good suggestion to use ulog for this. So I could dump exactly the traffic which would run through a class (CLASSIFY) to analyze and extract the necessary data to draw the graphs. So I do not have to parse my class (IP or MAC) out of a full tcpdump stream.
>
> Sadly not possible with tc-filter. But perhaps I could do this for tc with Vincent Perrier's sch_spy module.

It's possible using tc action, namely with the ipt action which can use iptables targets from tc.
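Patrick's suggestion (copy a class's packets to userspace with the tc ipt action and the ULOG target) and the per-class graphing Andreas is after, worked through as an added example that is not part of the thread: the tc filter in the leading comment and the ULOG reader (ulogd or a NETLINK_NFLOG socket) are assumed; the code only does the per-class, per-IP and per-port byte accounting on the copied packets, keyed by the ULOG prefix that names the class.

```python
import struct
from collections import Counter

# Assumed kernel-side setup (one filter per class; not from the thread): the ULOG
# prefix carries the class id so userspace can tell the copies apart, e.g.
#   tc filter add dev eth0 parent 1: protocol ip prio 1 u32 match ip dst 10.0.0.5 \
#       flowid 1:10 action ipt -j ULOG --ulog-prefix "1:10"
# A ULOG reader (ulogd or a NETLINK_NFLOG socket, assumed here) then hands each
# (prefix, raw IPv4 packet) pair to account().

def parse_ipv4(pkt):
    """Return (proto, src, dst, sport, dport); ports are None unless TCP/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # header length honours IP options
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport = dport = None
    if proto in (6, 17) and len(pkt) >= ihl + 4:   # TCP/UDP: ports are the first 4 bytes
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return proto, src, dst, sport, dport

def account(stats, prefix, payload):
    """Add one copied packet to the byte counters of the class named by prefix."""
    proto, src, dst, sport, dport = parse_ipv4(payload)
    n = len(payload)
    cls = stats.setdefault(prefix, Counter())
    cls[("proto", proto)] += n
    cls[("src", src)] += n
    cls[("dst", dst)] += n
    if dport is not None:                          # per-port graphs, e.g. bytes to :80
        cls[("dport", dport)] += n
    return cls

def build_packet(proto, src, dst, sport, dport, payload_len=100):
    """Constructed IPv4 packet (ports + zero payload) for the demo; checksum left 0."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + payload_len, 0, 0, 64,
                      proto, 0, ip4(src), ip4(dst))
    return hdr + struct.pack("!HH", sport, dport) + b"\0" * payload_len

def demo():
    """Constructed sample: three ULOG'd packets from two classes."""
    stats = {}
    account(stats, "1:10", build_packet(6, "10.0.0.5", "192.0.2.1", 40000, 80))
    account(stats, "1:10", build_packet(6, "10.0.0.5", "192.0.2.1", 40001, 80, 300))
    account(stats, "1:20", build_packet(17, "10.0.0.7", "192.0.2.53", 5000, 53, 40))
    return stats
```

Feeding the counters from demo() into the existing graphing code gives per-class, per-host and per-port series without parsing class membership out of a full tcpdump stream.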
On Thu, Dec 01, 2005 at 06:45:42PM +0100, Andreas Unterkircher wrote:
> Good suggestion to use ulog for this. So I could dump exactly the traffic which would run through a class (CLASSIFY) to analyze and extract the necessary data to draw the graphs. So I do not have to parse my class (IP or MAC) out of a full tcpdump stream.
>
> Sadly not possible with tc-filter. But perhaps I could do this for tc with Vincent Perrier's sch_spy module.
>

sch_log is also good for this: http://kernel.umbrella.ro/net/sch_log/v0.4/sch_log-0.4.tar.gz

/pch
--
Dyslexia bug unpatched since 1977 ... exploit has been leaked to the underground.