update (was: Re: Measuring network traffic of a particular program?)

2006-09-06 Thread Amos Shapira
On 15/08/06, Nadav Har'El [EMAIL PROTECTED] wrote:
 suggested, is to use iptables: Run Skype, and then use iptables'
 --pid-owner or --cmd-owner option to add an iptables rule which will
 allow traffic from this process. Then use iptables -nvL to get the count
 of packets and bytes that passed through this rule.

OK, so I took Nadav's advice which turned out to be pretty simple:

1. addgroup skype, chgrp skype /usr/bin/skype and chmod g+s /usr/bin/skype in order to run skype in its own group. That way I hope to:
 a. avoid multi-cpu troubles (though my current system is single-core)
 b. speed things up by having to match gid's instead of command names.

2. setup iptables rules to the effect of:

# match all outgoing packets from gid skype and mark their connection
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol tcp -j CONNMARK --set-mark 1
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol udp -j CONNMARK --set-mark 2

# all packets which match the connection should go through the skype rule
iptables -A OUTPUT -m connmark --mark 1 -m comment --comment skype-out-tcp
iptables -A OUTPUT -m connmark --mark 2 -m comment --comment skype-out-udp

# match all packets on Skype's public TCP/UDP port and mark their connection
iptables -A INPUT -p tcp -m tcp --dport 31673 --in-interface eth0 -j CONNMARK --set-mark 1
iptables -A INPUT -p udp -m udp --dport 31673 --in-interface eth0 -j CONNMARK --set-mark 2

# all packets which match the connection will be counted by these
iptables -A INPUT -m connmark --mark 1 -m comment --comment skype-in-tcp
iptables -A INPUT -m connmark --mark 2 -m comment --comment skype-in-udp

This allows me to distinguish in vs. out traffic and tcp vs. udp traffic. A simple perl script that uses the IPTables::IPv4 perl module (i.e. direct access to the syscalls) and looks up the comments gives me all 8 numbers (tcp/udp, in/out and packets/bytes).

I'll provide the scripts if anyone is interested. If you see an error in what I did then I'd appreciate a holler.

I'm now trying to find a way to identify the Port Unreachable ICMP packets which I see being sent back to Skype's UDP port (and are currently dropped together with other ICMP packets). Current plan is to use the u32 extension. If someone knows how to achieve that (the ICMP packet recognition, either using u32 or whatever) I'd appreciate a pointer.

And double-thanks to Nadav for pointing me to read the iptables manual more carefully - I found the geoip module mentioned there very promising.

Cheers,

--Amos
-- 
Military justice is to justice what military music is to music
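An added example, not from the thread, of reading the counters that the comment-tagged rules above accumulate: a POSIX shell function that parses `iptables -nvxL INPUT` / `iptables -nvxL OUTPUT` output on stdin (the -x flag prints exact counts instead of rounded K/M values) and prints packets and bytes per skype-* comment, much as the perl script described above does through IPTables::IPv4. The listing it parses is constructed sample output, not a real capture, and assumes the /* comment */ rendering that iptables -L uses for the comment match.

```shell
#!/bin/sh
# Added example (not code from the thread). Reads an `iptables -nvxL`
# listing on stdin and prints "<comment> <packets> <bytes>" for every
# rule tagged with a /* skype-... */ comment. Rules without a -j target
# (like the counting rules above) still carry pkts/bytes as columns 1-2.
skype_counters() {
    awk '
        match($0, /\/\* skype-[a-z-]+ \*\//) {
            # strip the leading "/* " and trailing " */" from the match
            c = substr($0, RSTART + 3, RLENGTH - 6)
            printf "%s %s %s\n", c, $1, $2
        }'
}

# Sum the byte column over all skype-* rules (one number for a quick glance).
skype_total_bytes() {
    skype_counters | awk '{ s += $3 } END { print s + 0 }'
}

# Constructed sample listing in iptables -nvxL format; not real captured output.
# GID 1001 stands in for the "skype" group created in step 1 above.
SAMPLE='Chain OUTPUT (policy ACCEPT 9000 packets, 1200000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     210      15400 CONNMARK   tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner GID match 1001 CONNMARK set 0x1
      80       9600 CONNMARK   udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            owner GID match 1001 CONNMARK set 0x2
     210      15400            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match 0x1 /* skype-out-tcp */
      80       9600            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match 0x2 /* skype-out-udp */
Chain INPUT (policy ACCEPT 8000 packets, 5000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     198      24000 CONNMARK   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:31673 CONNMARK set 0x1
      75       7800 CONNMARK   udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:31673 CONNMARK set 0x2
     198      24000            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match 0x1 /* skype-in-tcp */
      75       7800            all  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match 0x2 /* skype-in-udp */'

# On a live box replace the sample with: { iptables -nvxL OUTPUT; iptables -nvxL INPUT; }
printf '%s\n' "$SAMPLE" | skype_counters
```

The counters are cumulative since the rules were inserted (or since `iptables -Z`), so sample them twice and subtract to get a rate.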


Re: Measuring network traffic of a particular program?

2006-08-15 Thread Nadav Har'El
On Tue, Aug 15, 2006, Amos Shapira wrote about Measuring network traffic of a 
particular program?:
 Following some recent article about Skype's network load which isn't
 consistent with my experience, I'd like to try to measure the network
 traffic generated by my Skype process.

One thing you might want to try, which is much simpler than the ideas you
suggested, is to use iptables: Run Skype, and then use iptables'
--pid-owner or --cmd-owner option to add an iptables rule which will
allow traffic from this process. Then use iptables -nvL to get the count
of packets and bytes that passed through this rule.

I haven't tried this approach, but according to the manual it should work
(on a one CPU kernel).

-- 
Nadav Har'El| Tuesday, Aug 15 2006, 21 Av 5766
[EMAIL PROTECTED] |-
Phone +972-523-790466, ICQ 13349191 |If I am not for myself, who will be for
http://nadav.harel.org.il   |me? If I am only for myself, who am I?

=
To unsubscribe, send mail to [EMAIL PROTECTED] with
the word unsubscribe in the message body, e.g., run the command
echo unsubscribe | mail [EMAIL PROTECTED]



Re: Measuring network traffic of a particular program?

2006-08-15 Thread Ira Abramov
Quoting Amos Shapira, from the post of Tue, 15 Aug:
 
 Now it's not that trivial to just watch a particular TCP or UDP port (or
 even a port range) since my Skype is defined as a Super-node which exposes
 it to the net and apparently causes it to open variable port numbers. (I did
 this because it drastically cuts down on the number of hops used in
 conversations and therefore drastically increases Skype's international call
 quality and reliability).

Check the instructions again, Skype needs only one TCP and one UDP port
open, and you can even select which. I chose myself a port, set it to
PAT from the firewall to my skype machine and set the traffic on that
port to get the lowest delay in the QOS of the firewall (apt-get install
wondershaper).

To clock the bandwidth it takes it's as simple as monitoring just that
pair of ports, which you can do with iptables as suggested or even with
tcpdump/libpcap, alone or as part of Wireshark (AKA Ethereal).

There was also ntop, but I can't remember if it tracks per-process or
per-protocol type.

-- 
Kodak moment
Ira Abramov
http://ira.abramov.org/email/




Re: Measuring network traffic of a particular program?

2006-08-15 Thread Amos Shapira
On 15/08/06, Nadav Har'El [EMAIL PROTECTED] wrote:
 One thing you might want to try, which is much simpler than the ideas you
 suggested, is to use iptables: Run Skype, and then use iptables'
 --pid-owner or --cmd-owner option to add an iptables rule which will
 allow traffic from this process. Then use iptables -nvL to get the count
 of packets and bytes that passed through this rule.

Thanks. My home machine is an old single-core AMD Athlon so I can use this module which I wasn't aware of.

This module seems to solve only half of my problem - it doesn't trap INCOMING packets, only locally generated packets. If I could use the MARK options then maybe it'll work. If not then maybe I can use ULOG to trigger a user-level program to alter the interception rules dynamically.

(Also this read revealed to me the geoip option which is just what I wanted in order to limit access to my home machine from certain countries).

Thanks,
--Amos


Re: Measuring network traffic of a particular program?

2006-08-15 Thread Amos Shapira
On 15/08/06, Ira Abramov [EMAIL PROTECTED] wrote:
 check the instructions again, Skype need only one TCP and one UDP ports
 open, and you can even select which. I chose myself a port, set it to

Of course I read the instructions - otherwise I wouldn't have been able to set up Skype as a super-node behind my ADSL modem/router NAT.

Have you checked your netstat -tp lately?

Here is a list of the connections related to my Skype process (I only list established connections, just to try to abbreviate my post):

192.168.x.y:36510 80.92.66.240:12350
192.168.x.y:37747 80.92.66.238:12351
192.168.x.y:37801 80.92.66.238:12351
192.168.x.y:37872 80.92.66.238:12351
192.168.x.y:37887 212.72.49.142:12350
192.168.x.y:37333 212.72.49.142:12350
192.168.x.y:40383 80.92.66.238:12351
192.168.x.y:39210 212.72.49.142:12350
192.168.x.y:34561 212.72.49.142:12350
192.168.x.y:39422 80.92.66.240:12350
192.168.x.y:36506 212.72.49.142:12350
192.168.x.y:36480 80.92.66.238:12351
192.168.x.y:39603 81.228.27.52:1687
192.168.x.y:35339 195.215.8.140:23456
192.168.x.y:35796 195.215.8.142:12350
192.168.x.y:35789 195.215.8.142:12350
192.168.x.y:31673 66.127.49.202:1950

Almost none of these ports is the one I set for Skype. And so far I couldn't find a common theme in the port numbers used.

I suspect that maybe the outside world can reach my Skype process through the port I told it to listen on, but other stuff causes Skype to open connections on other ports (e.g. when it opens a port to some other Skype process and lets the kernel pick a local port number).

192.168.x.y is the local address, of course.

Am I missing something here?

I know of ntop and even better - nethogs, but they still won't allow me to get what I want, at least not without some hacking on their 1-2 years old source.

Thanks,
--Amos