On Tue, Sep 18, 2007 at 05:22:24PM +0200, Thierry wrote:
> 2007/9/18, Rusty Dekema <[EMAIL PROTECTED]>:
> > I don't mean to be argumentative, but I don't understand your reasons
> > for trying to avoid tcpdump.
>
> I think it's nice to play with, but not using this as long-term stats :)
>
> Try parsing your ulog file generated by this line:
>
> iptables -A INPUT -p UDP --dport 123 -j ULOG --ulog-prefix "NTP connection attempt: "
>
> You could have 100 times the amount of requests you usually have on the ntp port
> without seeing it. (Not sure you could do that with tcpdump.)
When I was doing some logging I had a rule like:

    ((udp[8] & 7) = 4) and port ntp

I've had to remind myself of the packet format, so this may not be quite right, but it should only collect "Server" packets, i.e. responses from your box. You could change the 4 to a 3 to only show client requests. The reason I was doing this was to filter out my box's traffic from everyone else's. You will probably want "and src [server ip]" in there to filter everything out, but it's a starting point.

I also ended up writing a little C program that would take the (binary) output from tcpdump and generate a very simple listing of packet time and target IP address. It was about ten times quicker (maybe more) than generating text output from tcpdump and then post-processing with awk/sed. I don't really like perl, but you could probably do the same with it.

> VIA Esther processor 2000MHz
> MemTotal: 1017732 kB

I'm running it on a 500MHz box and tcpdump plus associated gubbins used very little overhead. How does CPU usage show up when it's spent in the iptables code?

Sam
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
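The filter and the post-processing step Sam describes, as an added example that is not code from the thread: `udp[8]` in a tcpdump expression is the first byte after the 8-byte UDP header, i.e. the NTP LI/VN/Mode byte, and `& 7` keeps the mode bits (3 = client, 4 = server). The script below reads a pcap (built in memory here; the addresses, timestamps and packets are constructed for the demonstration), applies the equivalent of `((udp[8] & 7) = MODE) and port ntp [and src SERVER]`, and emits the "packet time and target IP" listing that his C program produced. It also shows why `and src [server ip]` matters: without it, mode-4 replies from other people's servers to your clients are listed too.

```python
"""Added example (not from the timekeepers thread): offline equivalent of the
tcpdump filter "((udp[8] & 7) = 4) and port ntp" plus a time/target listing.
Hosts, addresses and packet contents below are constructed for the demo."""
import socket
import struct
from datetime import datetime, timezone

NTP_PORT = 123
# NTP mode field = low 3 bits of the first packet byte (RFC 5905 section 7.3)
NTP_MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
             4: "server", 5: "broadcast", 6: "control", 7: "private"}


def ntp_header(mode, vn=4, li=0):
    """First byte packs LI (2 bits) | VN (3 bits) | Mode (3 bits); stratum,
    poll, precision follow and the remaining 44 bytes are zeroed for the example."""
    return bytes([(li << 6) | (vn << 3) | mode, 2, 6, 0xEC]) + b"\x00" * 44


def udp_frame(src, dst, sport, dport, payload):
    """Ethernet II + IPv4 + UDP wrapper; checksums are left zero (not verified here)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def pcap_bytes(records):
    """Serialise (timestamp, frame) pairs as a classic little-endian pcap, link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data):
    """Yield (timestamp, frame) per record; handles both magic-number byte orders."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("example only handles Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_udp(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport, ulen = struct.unpack_from("!HHH", frame, 14 + ihl)
    return src, dst, sport, dport, frame[14 + ihl + 8:14 + ihl + ulen]


def ntp_mode(payload):
    """What tcpdump's 'udp[8] & 7' evaluates to: the mode bits of the first NTP byte."""
    return payload[0] & 7 if payload else None


def list_ntp(data, mode=4, src=None):
    """Equivalent of '((udp[8] & 7) = mode) and port ntp [and src SRC]'.
    Returns (timestamp, src, dst) rows, the columns of Sam's listing."""
    rows = []
    for ts, frame in iter_pcap(data):
        pkt = decode_udp(frame)
        if pkt is None:
            continue
        p_src, p_dst, sport, dport, payload = pkt
        if NTP_PORT not in (sport, dport) or ntp_mode(payload) != mode:
            continue
        if src is not None and p_src != src:
            continue
        rows.append((ts, p_src, p_dst))
    return rows


def fmt_time(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S.%f")


# Constructed capture: our server, two of its clients, a third-party server, one DNS packet.
SERVER, CLIENT_A, CLIENT_B, OTHER = "198.51.100.1", "192.0.2.10", "192.0.2.11", "203.0.113.5"
SAMPLE = pcap_bytes([
    (1190125344.000100, udp_frame(CLIENT_A, SERVER, 123, 123, ntp_header(3))),      # request
    (1190125344.000400, udp_frame(SERVER, CLIENT_A, 123, 123, ntp_header(4))),      # our reply
    (1190125345.100000, udp_frame(CLIENT_B, SERVER, 40000, 123, ntp_header(3))),    # request
    (1190125345.100300, udp_frame(SERVER, CLIENT_B, 123, 40000, ntp_header(4))),    # our reply
    (1190125346.000000, udp_frame(OTHER, CLIENT_A, 123, 123, ntp_header(4))),       # someone else's server
    (1190125346.500000, udp_frame(CLIENT_A, OTHER, 5353, 53, b"\x12\x34\x01\x00")),  # not NTP at all
])

if __name__ == "__main__":
    for ts, s, d in list_ntp(SAMPLE, mode=4, src=SERVER):
        print(fmt_time(ts), s, "->", d)
```

Swap `mode=4` for `mode=3` to list the client requests instead, and drop `src=` to see every mode-4 packet on the wire, including the third-party server's reply. A real capture would be read with `open(path, "rb").read()` from `tcpdump -w`; the script keeps a fixed 24-byte global header and 16-byte record headers, so pcapng files are out of scope.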
