Hi Paolo,

On Wed, 18 Jul 2012, Paolo Lucente wrote:

> > On an unrelated note, how hard would it be to get the log message from
> > ULOG stored in the database, for example in the classification field? I
> > had a look through the code but I couldn't see any way to store this
> > field from the received packet into the in-memory structure used to
> > track flows.
>
> For clarity: which log messages are you referring to? The original
> packet (portion) itself with (or without) ancillary netfilter
> structures? If yes - then that is not currently possible.

The log message is an option of the ULOG target in iptables. We use it to
help us debug our QoS traffic classification by showing which packets have
which classification:

    iptables -t mangle -A POSTROUTING "$@" -j CLASSIFY --set-class $class
    iptables -t mangle -A POSTROUTING "$@" -j ULOG --ulog-prefix $class
    iptables -t mangle -A POSTROUTING "$@" -j RETURN

This results in a class string such as "1:123" being included in the
output of the ulogd user-space application which receives the logs:

    Jul 18 15:50:44 fen-fw2 1:123 IN= OUT=ppp0 MAC= SRC=10.0.156.131
    DST=176.58.108.189 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=54141 CE DF ...

This seems to come from ulog_packet_msg_t.prefix according to the ulogd 2
sources.

> It's always possible to embed some data in some fields but the
> showstopper I see is that an entry in the database does not have a 1:1
> relationship with a single packet (portion): these should be concatenated
> or so (which I can anticipate is some work). What is the case study?

In our case, the classification could change mid-stream, as it depends on
TOS flags and UDP packet sizes. I wonder whether it's possible to include
the classification in the flow key in such cases, so we can separate out
high and low priority traffic in the same stream and see how much traffic
is being wrongly classified?
Cheers, Chris.
--
Aptivate | http://www.aptivate.org | Phone: +44 1223 967 838
Future Business, Cam City FC, Milton Rd, Cambridge, CB4 1UY, UK
Aptivate is a not-for-profit company registered in England and Wales
with company number 04980791.
_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
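
Added example, not part of the original message and not pmacct or ulogd code: one way to get the per-class breakdown discussed above is to post-process the ulogd text output with the ULOG prefix added to the flow key. The sample lines are constructed, the function names are hypothetical, and the PROTO/SPT/DPT fields are assumed to follow in the usual netfilter log layout where the quoted line is elided.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ulogd output format quoted in the message;
# addresses, ports, sizes and the second class id are made up.
SAMPLE = """\
Jul 18 15:50:44 fen-fw2 1:123 IN= OUT=ppp0 MAC= SRC=10.0.0.5 DST=192.0.2.10 LEN=200 TOS=00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=5004 DPT=5004 LEN=180
Jul 18 15:50:45 fen-fw2 1:200 IN= OUT=ppp0 MAC= SRC=10.0.0.5 DST=192.0.2.10 LEN=1400 TOS=00 PREC=0x00 TTL=63 ID=2 DF PROTO=UDP SPT=5004 DPT=5004 LEN=1380
Jul 18 15:50:46 fen-fw2 1:123 IN= OUT=ppp0 MAC= SRC=10.0.0.5 DST=192.0.2.10 LEN=200 TOS=00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=5004 DPT=5004 LEN=180
Jul 18 15:50:47 fen-fw2 1:200 IN= OUT=ppp0 MAC= SRC=10.0.0.6 DST=192.0.2.20 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40000 DPT=443
Jul 18 15:50:48 fen-fw2 pppd[812]: unrelated syslog line
"""

# Timestamp, host, optional --ulog-prefix text, then the packet fields.
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<prefix>.*?) ?IN=(?P<rest>.*)$")

def field(rest, name):
    # First occurrence wins: UDP lines carry a second LEN= (the UDP length).
    m = re.search(rf"\b{name}=(\S*)", rest)
    return m.group(1) if m else ""

def parse_line(line):
    """Return ((src, dst, proto, sport, dport), class_prefix, ip_len) or None."""
    m = LINE_RE.match(line)
    if not m or not field(m["rest"], "LEN").isdigit():
        return None
    rest = m["rest"]
    flow = tuple(field(rest, k) for k in ("SRC", "DST", "PROTO", "SPT", "DPT"))
    return flow, m["prefix"], int(field(rest, "LEN"))

def bytes_by_flow_and_class(lines):
    """Sum IP bytes with the ULOG prefix as part of the aggregation key."""
    totals = defaultdict(int)
    for parsed in filter(None, map(parse_line, lines)):
        flow, cls, length = parsed
        totals[(flow, cls)] += length
    return dict(totals)

def mixed_class_flows(totals):
    """Flows whose packets were logged under more than one class."""
    seen = defaultdict(set)
    for flow, cls in totals:
        seen[flow].add(cls)
    return {flow: sorted(c) for flow, c in seen.items() if len(c) > 1}

if __name__ == "__main__":
    totals = bytes_by_flow_and_class(SAMPLE.splitlines())
    for (flow, cls), n in sorted(totals.items()):
        print(cls, *flow, n)
    print("mixed:", mixed_class_flows(totals))
```

This counts only packets that reach the ULOG rule, so the byte totals are as complete as the logging is.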