Hi Steve,
Thank you for your comments! It seems that the AUDIT target is a better option
than hooking syscalls and managing fds. I don't have to look inside the
traffic; just src/dest and byte count is enough for me.
What would be the performance implications of that approach in comparison
to, say, the libpcap option? Mostly I am concerned about the logging part:
it seems that every packet produces a NETFILTER_PKT record. I could not find
any way to disable that, except probably disabling logging altogether,
but that will break ausearch.
-Lev
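The message above is about getting per-flow src/dest and byte counts out of the per-packet NETFILTER_PKT records that the AUDIT target emits. As an added illustration (not code from the thread or from the audit project), the following Python aggregates such records into per-direction packet and byte totals. The sample log lines are constructed, and the field layout (`action=`, `hook=`, `len=`, `saddr=`, `daddr=`, `proto=`) is an assumption modelled on the older xt_AUDIT record format; newer kernels emit a shorter record, so check the keys against what your own kernel writes.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt. The NETFILTER_PKT field names are an
# assumption based on the older xt_AUDIT output; a SYSCALL record is mixed in
# to show that unrelated record types are skipped.
SAMPLE_AUDIT_LOG = """\
type=NETFILTER_PKT msg=audit(1355000001.100:201): action=1 hook=1 len=60 inif=eth0 outif=? saddr=10.0.0.5 daddr=10.0.0.9 ipid=4221 proto=6 sport=51000 dport=22
type=NETFILTER_PKT msg=audit(1355000001.101:202): action=1 hook=1 len=1500 inif=eth0 outif=? saddr=10.0.0.5 daddr=10.0.0.9 ipid=4222 proto=6 sport=51000 dport=22
type=NETFILTER_PKT msg=audit(1355000001.102:203): action=1 hook=3 len=84 inif=? outif=eth0 saddr=10.0.0.9 daddr=10.0.0.5 ipid=99 proto=1
type=SYSCALL msg=audit(1355000001.103:204): arch=c000003e syscall=59 success=yes exit=0
type=NETFILTER_PKT msg=audit(1355000001.104:205): action=1 hook=1 len=40 inif=eth0 outif=? saddr=10.0.0.5 daddr=10.0.0.9 ipid=4223 proto=6 sport=51000 dport=22
"""

# Audit records are flat "key=value" pairs separated by whitespace.
FIELD_RE = re.compile(r'(\w+)=(\S+)')


def parse_record(line):
    """Return the key=value fields of one NETFILTER_PKT line as a dict.

    Lines of any other record type return None so callers can skip them.
    """
    if not line.startswith("type=NETFILTER_PKT "):
        return None
    return dict(FIELD_RE.findall(line))


def summarize_flows(log_text):
    """Aggregate packet and byte counts per (saddr, daddr, proto) direction.

    Byte counts come from the len= field (IP packet length); a record
    without len= still counts as a packet but contributes zero bytes.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec.get("saddr"), rec.get("daddr"), rec.get("proto"))
        flows[key]["packets"] += 1
        flows[key]["bytes"] += int(rec.get("len", 0))
    return dict(flows)


if __name__ == "__main__":
    for (saddr, daddr, proto), counts in summarize_flows(SAMPLE_AUDIT_LOG).items():
        print(f"{saddr} -> {daddr} proto={proto}: "
              f"{counts['packets']} packets, {counts['bytes']} bytes")
```

Aggregating after the fact does not reduce what the kernel writes, which is the performance concern raised above. The standard way to keep the volume down without disabling audit logging is to make only the iptables rules of interest jump to the AUDIT target, so that packets outside those matches never generate a record at all.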