On Wed, Jan 20, 2016 at 9:26 AM, Lev Stipakov <lstipakov(a)gmail.com> wrote:
> Another way of getting network stats is the AUDIT target for
> netfilter.
> Looks good, no need to worry about fds/addrs. However there is no pid. What
> would be the "best" way to get pid for those records? Anything else besides
> looking into /proc/net/tcp?
Linking a specific process/PID to a network packet is very difficult,
if not impossible, for the simple reason that the kernel doesn't track
the originating process, only the originating socket (which is an
unreliable way to determine the sending process). Not to mention the
fact Steve already mentioned that some packets do not originate in
userspace; forwarded traffic, streaming protocol control messages,
ICMP error messages are all common examples of non-local userspace
generated messages.
--
paul moore
www.paul-moore.com
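The socket-to-process lookup the thread discusses (walk /proc/net/tcp for the socket inode, then /proc/<pid>/fd for whoever holds it) is spelled out below as an added example; it is not code from either poster or from the audit project. It also shows the two failure modes Paul describes: a socket with inode 0 (TIME_WAIT, kernel-owned) yields no PID at all, and a listening socket inherited across fork() yields several. The /proc/net/tcp rows and the fd symlink table are constructed samples, not captured from a real host; `collect_fd_links()` is the live equivalent of the constructed table and is the only part that touches the real /proc.

```python
import os
import socket
import struct
from typing import Dict, List, Tuple

# Constructed sample of /proc/net/tcp (three rows, not from a real host).
# Local address is hex in host byte order (little-endian layout assumed here),
# port is hex big-endian, field 10 is the socket inode.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0500000A:01BB 0100000A:C350 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
"""

# Constructed view of what os.readlink("/proc/<pid>/fd/<n>") would return.
SAMPLE_FD_LINKS: Dict[int, List[str]] = {
    1200: ["socket:[67890]", "/dev/null"],   # pre-fork server parent
    1201: ["socket:[67890]"],                # worker that inherited the listener
    4242: ["socket:[12345]", "pipe:[999]"],
}


def decode_ipv4_endpoint(field: str) -> Tuple[str, int]:
    """Decode 'HHHHHHHH:PPPP' as printed by /proc/net/tcp on a little-endian
    host: 0100007F:0277 -> ('127.0.0.1', 631)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (local_ip, local_port) -> (state, inode). Inode 0 means the socket
    has no userspace owner (TIME_WAIT and similar kernel-held states)."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with "<n>:"; skip the header line.
        if len(fields) < 10 or not fields[0].endswith(":") or not fields[0][:-1].isdigit():
            continue
        table[decode_ipv4_endpoint(fields[1])] = (fields[3], int(fields[9]))
    return table


def collect_fd_links() -> Dict[int, List[str]]:
    """Live equivalent of SAMPLE_FD_LINKS: readlink every fd of every process
    we are allowed to inspect (root needed for other users' processes)."""
    links: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join("/proc", entry, "fd")
        try:
            links[int(entry)] = [os.readlink(os.path.join(fd_dir, fd))
                                 for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or permission denied; skip it
    return links


def pids_for_inode(inode: int, fd_links: Dict[int, List[str]]) -> List[int]:
    """All PIDs holding a descriptor on socket inode `inode`. Several hits are
    normal after fork() or SCM_RIGHTS passing, which is why this is a heuristic;
    zero hits means the socket has no userspace owner right now."""
    if inode == 0:
        return []
    wanted = f"socket:[{inode}]"
    return sorted(pid for pid, targets in fd_links.items() if wanted in targets)


def pids_for_local_endpoint(ip: str, port: int,
                            tcp_text: str = SAMPLE_PROC_NET_TCP,
                            fd_links: Dict[int, List[str]] = SAMPLE_FD_LINKS) -> List[int]:
    """Best-effort PID list for a local TCP endpoint taken from an audit record.
    Pass open('/proc/net/tcp').read() and collect_fd_links() for a live host."""
    entry = parse_proc_net_tcp(tcp_text).get((ip, port))
    if entry is None:
        return []
    return pids_for_inode(entry[1], fd_links)


if __name__ == "__main__":
    for ep in (("127.0.0.1", 631), ("0.0.0.0", 80), ("10.0.0.5", 443)):
        print(ep, "->", pids_for_local_endpoint(*ep) or "no userspace owner")
```

Because the lookup is done after the fact, a socket that has already been closed, or one created by a process that forked and exited, will no longer map to anything, and forwarded or ICMP traffic never had a socket inode to begin with; treat the result as a hint for triage, not as attribution.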