2007/9/18, Rusty Dekema <[EMAIL PROTECTED]>:
>
> > I'm still trying to avoid the tcpdump solution for these reasons :
>
> I don't mean to be argumentative, but I don't understand your reasons
> for trying to avoid tcpdump.
I think it's nice to play with, but not for use as long-term stats :)

Try parsing your ulog file generated by this line:

iptables -A INPUT -p UDP --dport 123 -j ULOG --ulog-prefix "NTP connection attempt: "

You could have 100 times the amount of requests you usually have on the NTP port without seeing it (not sure you could do that with tcpdump). I know this solution is generating IO, but that's another issue.

> - promiscuous mode is not safe
>
> Not safe in what way? Since you are the one receiving the packets in
> promiscuous mode, you know for a fact that you aren't going to do
> anything malicious with the data you receive in that manner. Also, if
> you are running tcpdump on your NTP server (as opposed to on a router
> in front of your NTP server), you can run it with the -p flag to
> prevent it from putting the interface into promiscuous mode.

Here is why for promiscuous mode :) (pls see below for tcpdump)

*Promiscuous mode*, in computing, refers to a configuration of a network card <http://en.wikipedia.org/wiki/Network_card> wherein a setting is enabled so that the card passes all traffic it receives to the CPU rather than just packets addressed to it, a feature normally used for packet sniffing <http://en.wikipedia.org/wiki/Packet_sniffing>. Inside each packet is a hardware (MAC <http://en.wikipedia.org/wiki/Media_Access_Control>) address. When a computer receives a particular packet, it checks the hardware address in it to see if the packet is addressed to it. If not, then the network card normally drops the packet. When in promiscuous mode, the network card doesn't drop the packet, thereby enabling it to read all packets.
(http://en.wikipedia.org/wiki/Promiscuous_mode)

> - tcpdump should be used only for troubleshooting
>
> Why's that?
I would say if we are using libpcap, let's try using Net::PCAP instead of tcpdump, but that'll be the same, it's sniffing, and I'm sure we could find a better solution to generate stats :)

> - tcpdump is capturing the whole packet where we only need a part of it.
>
> By default, tcpdump will only capture the first 68 bytes of each
> packet. You can use the -s flag to set this to a different value. Even
> if tcpdump did capture the whole packet, NTP packets are "only" 80
> bytes, so I'm not sure how much difference it would really make.

I'm just trying to understand whether, if we have a server running ntp and this actual solution, the server will die first because of tcpdump instead of ntp. And I'd like to do things in the best way we could. With iptables you only have time, number of packets (iptables -Lxv), and IP source (log/ulog) (info that could interest us). Maybe that's enough.

> > I looked a bit around and the only proper solution i found was to use
> > iptables and ULOG. My concern now is that's generating io.
>
> What kind of computer are you running this on where performance is
> such a tight constraint?
>
> Cheers,
> Rusty
>

VIA Esther processor 2000MHz
MemTotal: 1017732 kB

The server is doing nothing except a few small websites and ntp server.

--
Thierry
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
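As an added example, not code from the thread, from ulogd or from either poster: a small Python script that turns the ULOG output of the rule above into the stats the thread is after (packets per source IP, packets per minute) and flags minutes that run far above a usual rate, the "100 times the requests you usually have" case. It assumes ulogd is writing syslog-style lines whose key=value fields mirror the kernel LOG format (IN= OUT= MAC= SRC= ... PROTO=UDP SPT= DPT=); the sample log lines, the hostname ntp1, and the baseline rate passed to flag_spikes are all constructed for the example.

```python
import re
from collections import Counter

# Prefix set by the thread's iptables rule:
#   iptables -A INPUT -p UDP --dport 123 -j ULOG --ulog-prefix "NTP connection attempt: "
PREFIX = "NTP connection attempt: "

# Assumed line shape: "<syslog timestamp> <host> <tag>: <prefix><key=value fields>".
# ulogd's output format depends on its configured plugin; adjust the
# timestamp regex if yours differs.
SYSLOG_TS_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) ")
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")

# Constructed sample log (not real data); 192.0.2.0/24 and 203.0.113.0/24
# are documentation address ranges. The last field set has two LEN= keys
# (IP length, then UDP length), as the kernel LOG format prints them.
SAMPLE_LOG = """\
Sep 18 10:00:01 ntp1 ulogd[842]: NTP connection attempt: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep 18 10:00:01 ntp1 ulogd[842]: NTP connection attempt: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep 18 10:00:02 ntp1 ulogd[842]: NTP connection attempt: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.1 LEN=76 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP SPT=35412 DPT=123 LEN=56
Sep 18 10:00:03 ntp1 kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 SYN
Sep 18 10:01:00 ntp1 ulogd[842]: NTP connection attempt: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""


def parse_line(line):
    """Return (syslog timestamp, fields dict) for one NTP ULOG line, else None."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    m = SYSLOG_TS_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[idx + len(PREFIX):]))
    # Only trust lines that match what the rule was meant to catch, so a
    # prefix accidentally reused on another rule does not pollute the stats.
    if fields.get("PROTO") != "UDP" or fields.get("DPT") != "123":
        return None
    return m.group(1), fields


def summarize(log_text):
    """Count matching packets per source IP and per minute."""
    per_src, per_minute = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields = parsed
        per_src[fields["SRC"]] += 1
        per_minute[ts[:-3]] += 1  # strip ":SS" -> bucket by minute
    return per_src, per_minute


def flag_spikes(per_minute, baseline_per_minute, factor=100):
    """Minutes whose packet count exceeds factor x the usual per-minute rate.

    baseline_per_minute is what you measured on a normal day; it is an
    input here, not derived from the sample.
    """
    threshold = baseline_per_minute * factor
    return sorted(minute for minute, n in per_minute.items() if n > threshold)


if __name__ == "__main__":
    src, minutes = summarize(SAMPLE_LOG)
    for ip, n in src.most_common():
        print(f"{n:6d}  {ip}")
    print("spikes:", flag_spikes(minutes, baseline_per_minute=0.02))
```

On a real box you would feed it the ulogd file (or pipe `journalctl`/syslog output through it) rather than the embedded sample; the parser ignores lines without the prefix, so it can run over a shared syslog. Because the dict keeps the last value for a repeated key, fields["LEN"] is the UDP length, not the IP length.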
