On Wednesday 10 April 2002 6:11 pm, Alex Kent wrote:
> How possible would it be to add the ability to log connection tracking
> information? Specifically something that did summary logging about
> individual connections. It would be useful to be able to log at the
> conclusion of a connection src/dst IPs/ports, number of bytes/packets
> moved, length of time the connection existed, and perhaps if the
> connection ended in some abnormal manner.
>
> It seems like netfilter would be an excellent place to gather this
> information and would provide an excellent addition to an integrated
> intrusion detection system. Plus, you could make pretty statistics and
> graphs by compiling the log data. :)
>
> How hard would it be to adapt the state module to do this? Comments on
> whether this would actually be useful?
I would be very keen to see something like this available within netfilter - I already create traffic graphs by monitoring /proc/net/dev, and I monitor traffic type (by destination port) using iptables -L -v on a set of accept rules for each protocol. I find /proc/net/ip_conntrack very useful for monitoring what's happening on the machine right now, but I would certainly welcome anything which created a log entry of this data for analysis after the connection has gone away.

Just my 2c.

Antony.
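As an added illustration (not code from this thread or from netfilter), here is a small Python poller that does what Antony describes from user space: it diffs successive /proc/net/ip_conntrack snapshots and writes one summary line per connection once it has left the table, carrying the fields Alex asked for (endpoints, packets/bytes, duration, abnormal end). It assumes the 2.4-era ip_conntrack line layout with the packets=/bytes= accounting counters present, the snapshots are constructed samples, and the "abnormal" flag is a heuristic (a TCP entry that vanished before reaching TIME_WAIT/CLOSE).

```python
import re
_KV = re.compile(r"(\w+)=(\S+)")  # key=value fields of one /proc/net/ip_conntrack line

def parse_conntrack(text):
    """Map each connection (original-direction 5-tuple) to its state and summed counters;
    packets=/bytes= are present only when conntrack accounting is enabled (assumption)."""
    table = {}
    for line in text.splitlines():
        parts, fields, first = line.split(), _KV.findall(line), {}
        if len(parts) < 4:
            continue
        for k, v in fields:
            first.setdefault(k, v)  # the first src/dst/sport/dport group is the original direction
        totals = {c: sum(int(v) for k, v in fields if k == c) for c in ("packets", "bytes")}
        key = (parts[0], first.get("src"), first.get("dst"), first.get("sport"), first.get("dport"))
        table[key] = dict(totals, state=parts[3] if "=" not in parts[3] else "-")  # only TCP has a state word
    return table

class ConntrackSummaryLogger:
    """Feed successive table snapshots; get one summary per connection that has vanished."""
    def __init__(self):
        self.live = {}  # key -> {"first_seen": t, "last": record from the newest snapshot}
    def update(self, text, now):
        current = parse_conntrack(text)
        for key, rec in current.items():
            self.live.setdefault(key, {"first_seen": now})["last"] = rec
        ended = []
        for key in [k for k in self.live if k not in current]:
            entry = self.live.pop(key)
            last = entry["last"]
            # Heuristic: a TCP entry gone before TIME_WAIT/CLOSE did not close normally (RST, timeout)
            abnormal = key[0] == "tcp" and last["state"] not in ("TIME_WAIT", "CLOSE")
            ended.append({"proto": key[0], "src": key[1], "sport": key[3], "dst": key[2],
                          "dport": key[4], "packets": last["packets"], "bytes": last["bytes"],
                          "duration": now - entry["first_seen"], "abnormal": abnormal})
        return ended

def format_summary(s):
    """One syslog-style line per ended connection, suitable for handing to logger(1)."""
    return ("CONN_END proto=%(proto)s src=%(src)s:%(sport)s dst=%(dst)s:%(dport)s packets=%(packets)d "
            "bytes=%(bytes)d duration=%(duration).0fs abnormal=%(abnormal)s" % s)

# Constructed sample snapshots (not real captures) taken 10 s apart.
SNAP1 = """tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.1 sport=45678 dport=80 packets=10 bytes=1234 src=10.0.0.1 dst=192.168.1.2 sport=80 dport=45678 packets=8 bytes=5678 [ASSURED] use=1
udp      17 29 src=192.168.1.2 dst=10.0.0.53 sport=5353 dport=53 packets=1 bytes=60 src=10.0.0.53 dst=192.168.1.2 sport=53 dport=5353 packets=1 bytes=120 use=1"""
SNAP2 = "tcp      6 119 TIME_WAIT src=192.168.1.2 dst=10.0.0.1 sport=45678 dport=80 packets=12 bytes=1400 src=10.0.0.1 dst=192.168.1.2 sport=80 dport=45678 packets=9 bytes=5800 [ASSURED] use=1"
SNAP3 = ""  # table empty: the web connection has timed out of TIME_WAIT

def demo():
    """Run the three snapshots through the logger and return the log lines produced."""
    logger, lines = ConntrackSummaryLogger(), []
    for t, snap in ((0.0, SNAP1), (10.0, SNAP2), (20.0, SNAP3)):
        lines += [format_summary(s) for s in logger.update(snap, t)]
    return lines
```

In real use the poll loop would read /proc/net/ip_conntrack on a timer, and duration resolution is bounded by the poll interval.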
