lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070106202837.0e1a0053@equilibrum>
Date:	Sat, 6 Jan 2007 20:28:37 +0100
From:	Manuel Feier <mfeier@...steps.ch>
To:	linux-kernel@...r.kernel.org
Subject: IP Networking: ip_queue_xmit, sockets and TCP output question
 (Linux 2.6.17)

Dear Linux kernel hackers, 

I'm trying to extend the kernel in a way that I am able to collect
user-based IP networking information (e.g. which system user generated
how much IP traffic). Unfortunately this doesn't seem to be a topic that
is well documented, so I try my luck here.

For capturing the outgoing TCP traffic, I found the function
"ip_queue_xmit" (net/ipv4/ip_output.c) would be adequate. I added the
following code to the function right after the line
skb->priority = sk->sk_priority; 

if (sk && sk->sk_socket) {
ip4acct_user_sent(SOCK_INODE(sk->sk_socket)->i_uid,
ntohs(iph->tot_len),6); 
}
else {
ip4acct_user_sent(IPACCT_NOUSER,
ntohs(iph->tot_len),6);
}

This seems to work well if I send a small amount of TCP
data (512 bytes) with nc from an unprivileged user of that host. If I
open a website (lots of data / images) however, a few packets
don't appear to be be related to a socket and
hence are accounted to NOUSER (~2 %). If I continuously keep opening
multiple webpages at a time, some outgoing TCP traffic even gets
accounted to user root (uid 0) instead of the unprivileged user that
owns the webbrowser.

For debugging, I logged the source and destination address of those
packets that go into the else{} branch above, and it appears these
are packets that clearly belong to the webbrowser connection.

I now wonder what I am getting wrong about the function ip_queue_xmit:

- How can it be that a TCP/IP packet which belongs to a http
transmission has no socket that could be found with the first function
above?
- How can it be that (seemingly under increased network load) another
socket owner is returned than the one responsible for the load?

I'd appreciate your help very much, also ideas about debugging or
conceptual hints.

Thanks,

Manuel

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ