On 15/08/06, Nadav Har'El <[EMAIL PROTECTED]> wrote:
> suggested, is to use iptables: Run Skype, and then use iptables'
> "--pid-owner" or "--cmd-owner" option to add an iptables rule which will
> allow traffic from this process. Then use "iptables -nvL" to get the count
> of packets and bytes that passed through this rule.

OK, so I took Nadav's advice, which turned out to be pretty simple:

1. "addgroup skype" and "chgrp skype /usr/bin/skype; chmod g+s /usr/bin/skype" in order to run skype in its own group. That way I hope to:
  a. avoid multi-cpu troubles (though my current system is single-core)
  b. speed things up by having to match gids instead of command names.

2. set up iptables rules to the effect of:
# match all outgoing packets from gid skype and mark their connection
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol tcp -j CONNMARK --set-mark 1
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol udp -j CONNMARK --set-mark 2

# all packets which match the connection should go through the skype rule
iptables -A OUTPUT -m connmark --mark 1 -m comment --comment skype-out-tcp
iptables -A OUTPUT -m connmark --mark 2 -m comment --comment skype-out-udp

# match all packets on Skype's public TCP port and mark their connection
iptables -A INPUT -p tcp -m tcp --dport 31673 --in-interface eth0 -j CONNMARK --set-mark 1
iptables -A INPUT -p udp -m udp --dport 31673 --in-interface eth0 -j CONNMARK --set-mark 2

# all packets which match the connection will be counted by these
iptables -A INPUT -m connmark --mark 1 -m comment --comment skype-in-tcp
iptables -A INPUT -m connmark --mark 2 -m comment --comment skype-in-udp

This allows me to distinguish in vs. out traffic and tcp vs. udp traffic. A simple perl script that uses the IPTables::IPv4 perl module (i.e. direct access to the syscalls) and looks up the comments gives me all 8 numbers (tcp/udp, in/out and packets/bytes).

I'll provide the scripts if anyone is interested. If you see an error in what I did then I'd appreciate a howler.

I'm now trying to find a way to identify the "Port Unreachable" ICMP packets which I see being sent back to Skype's UDP port (and which are currently dropped together with other ICMP packets). The current plan is to use the "u32" extension. If someone knows how to achieve that (the ICMP packet recognition, either using u32 or whatever) I'd appreciate a pointer.

And double-thanks to Nadav for pointing me to read the iptables manual more carefully - I found the geoip module mentioned there very promising.

Cheers,

--Amos
--
"Military justice is to justice what military music is to music"
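The counter read-out Amos describes (the four commented accounting rules above yielding eight numbers), as an added example that is not part of the original post and is not his perl script: it parses the text of `iptables -nvxL` instead of using IPTables::IPv4, keys the counters by the `/* comment */` the rules carry, and runs against a constructed sample listing so it can be checked without root. The `-x` flag, which prints exact counts rather than 9.6K-style abbreviations, is the only assumption beyond what the post shows.

```python
import re
import subprocess

# Comments given to the four accounting rules in the post (INPUT/OUTPUT, tcp/udp).
COUNTER_NAMES = ("skype-in-tcp", "skype-in-udp", "skype-out-tcp", "skype-out-udp")

# A rule line of `iptables -nvxL`: exact packet and byte counts come first; the
# /* comment */ follows later.  Matching this way is immune to the target column
# being empty, which is exactly the case for the target-less counting rules.
_LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+.*?/\*\s*(.*?)\s*\*/")


def parse_counters(listing):
    """Map rule comment -> (packets, bytes) for every commented rule in the text."""
    counters = {}
    for line in listing.splitlines():
        m = _LINE_RE.match(line)
        if m:
            counters[m.group(3)] = (int(m.group(1)), int(m.group(2)))
    return counters


def skype_totals(listing):
    """The eight numbers, one (packets, bytes) pair per direction and protocol.
    A missing rule (e.g. flushed chain) shows as (0, 0) rather than a crash."""
    found = parse_counters(listing)
    return {name: found.get(name, (0, 0)) for name in COUNTER_NAMES}


def read_live():
    """Query the running firewall; needs root.  -x asks for exact counters."""
    out = subprocess.run(["iptables", "-nvxL"], check=True,
                         capture_output=True, text=True).stdout
    return skype_totals(out)


# Constructed sample listing in `iptables -nvxL` layout (not captured output).
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      90    12000 CONNMARK   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:31673 CONNMARK set 0x1
     700   210000 CONNMARK   udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:31673 CONNMARK set 0x2
      95    12600            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x1 /* skype-in-tcp */
     712   213500            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x2 /* skype-in-udp */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      40     5200            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x1 /* skype-out-tcp */
     650   180300            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0x2 /* skype-out-udp */
"""

if __name__ == "__main__":
    for name, (pkts, nbytes) in skype_totals(SAMPLE).items():
        print(f"{name:14s} {pkts:8d} packets {nbytes:10d} bytes")
```

For the ICMP question at the end of the post, the stock icmp match (`-p icmp --icmp-type port-unreachable`) already counts those replies in a commented rule of the same shape; only narrowing them to the ones quoting Skype's UDP port would need u32 to look inside the ICMP payload.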
