Dear Linux kernel hackers, I'm trying to extend the kernel in a way that I am able to collect user-based IP networking information (e.g. which system user generated how much IP traffic). Unfortunately this doesn't seem to be a topic that is well documented, so I try my luck here.
For capturing the outgoing TCP traffic, I found the function "ip_queue_xmit" (net/ipv4/ip_output.c) would be adequate. I added the following code to the function right after the line skb->priority = sk->sk_priority; if (sk && sk->sk_socket) { ip4acct_user_sent(SOCK_INODE(sk->sk_socket)->i_uid, ntohs(iph->tot_len),6); } else { ip4acct_user_sent(IPACCT_NOUSER, ntohs(iph->tot_len),6); } This seems to work well if I send a small amount of TCP data (512 bytes) with nc from an unprivileged user of that host. If I open a website (lots of data / images) however, a few packets don't appear to be be related to a socket and hence are accounted to NOUSER (~2 %). If I continuously keep opening multiple webpages at a time, some outgoing TCP traffic even gets accounted to user root (uid 0) instead of the unprivileged user that owns the webbrowser. For debugging, I logged the source and destination address of those packets that go into the else{} branch above, and it appears these are packets that clearly belong to the webbrowser connection. I now wonder what I am getting wrong about the function ip_queue_xmit: - How can it be that a TCP/IP packet which belongs to a http transmission has no socket that could be found with the first function above? - How can it be that (seemingly under increased network load) another socket owner is returned than the one responsible for the load? I'd appreciate your help very much, also ideas about debugging or conceptual hints. Thanks, Manuel - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/