2007/9/18, Sam Mason <[EMAIL PROTECTED]>:
>
> On Tue, Sep 18, 2007 at 05:22:24PM +0200, Thierry wrote:
> > 2007/9/18, Rusty Dekema <[EMAIL PROTECTED]>:
> > > I don't mean to be argumentative, but I don't understand your reasons
> > > for trying to avoid tcpdump.
> >
> > I think it's nice to play with, but not using this as long term stats :)
> >
> > try parsing your ulog file generated by this line
> >
> >   iptables -A INPUT -p UDP --dport 123 -j ULOG --ulog-prefix "NTP connection attempt: "
> >
> > You could have 100 times the amount of requests you usually have on the ntp port
> > without seeing. (not sure you could do that with tcpdump).
>
> When I was doing some logging I had a rule like:
>
>   ((udp[8] & 7) = 4) and port ntp
>
> I've had to remind myself of the packet format, so this may not be quite
> right, but it should only collect "Server" packets, i.e. responses from
> your box. You could change the 4 to a 3 to only show client requests.
> The reason I was doing this was to filter out my box's traffic from
> everyone else's. You will probably want "and src [server ip]" in there
> to filter everything out, but it's a starting point.
>
> I also ended up writing a little C program that would take the (binary)
> output from tcpdump and generate a very simple listing of packet time
> and target IP address. It was about ten times quicker (maybe more)
> than generating text output from tcpdump and then postprocessing with
> awk/sed. I don't really like perl, but you could probably do the same
> with it.
>
> > VIA Esther processor 2000MHz
> > MemTotal: 1017732 kB
>
> I'm running it on a 500MHz box and tcpdump plus associated gubbins used
> very little overhead.
>
> How does CPU usage show up when it's spent in the iptables code?
>
>
> Sam
Basically, my load moved from 0 to 1 (tcpdump using 80% of a CPU) with, if I
remember right when I looked, 80k requests being processed (ntpd was using
0.2% of the CPU at this time). I did not find such overhead with iptables yet.

Here is a start to avoid having tcpdump scanning the ntp port:

  # capture the first 68 bytes
  iptables -A INPUT -p UDP --dport 123 -j ULOG --ulog-cprange 68
  # use tcpdump :)
  tail -f /var/log/ulogd/ulogd.pcap | tcpdump -r - -qntp

Then I have a concern with iptables regarding IO: it's generating some IO, and
the only other option we have with ulogd is a DB (I have a few experiences that
tell me mysql is "less usable" with > 20 million entries, but maybe pgsql would
be better. The problem is that I would like to avoid inserting something into
the actual "generate stats process").

I think I'm going to gather all the info I need and look around. I already saw
pycap (python module); perhaps writing something in C (I agree with you, I
think we could have something fast). I just would like to try to have something
fast that can handle a possible high load.

Cheers,
Thierry
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
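An added example, written for this page and not Sam's program nor anything posted on the list: a small pcap reader of the kind Sam describes (binary tcpdump or ulogd pcap output in, a listing of packet time and target IP out) that applies the same NTP mode test as his BPF filter, `(udp[8] & 7)`, where mode 3 is a client request and mode 4 a server response. It goes slightly beyond the thread by tallying both modes and stopping cleanly on a truncated file. It assumes a little-endian microsecond pcap with Ethernet link type carrying IPv4/UDP; the two-packet capture it builds in `build_sample` is constructed, with documentation addresses, and all function and macro names are this example's own.

```c
/* Added example, not Sam's program and not from the thread: a minimal
 * pcap reader that lists packet time and destination IP for NTP packets
 * and classifies them with the same test as the BPF filter "(udp[8] & 7)":
 * 3 = client request, 4 = server response.  Assumes little-endian pcap,
 * Ethernet link type, IPv4 and UDP; the sample below is constructed. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct ntp_stats { unsigned client, server, other; };

static uint32_t rd32le(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32le(uint8_t *p, uint32_t v)
{ p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24; }
static void put16be(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32be(uint8_t *p, uint32_t v)
{ p[0] = v >> 24; p[1] = (v >> 16) & 0xff; p[2] = (v >> 8) & 0xff; p[3] = v & 0xff; }

/* Walk a pcap file held in memory. Prints "time dst-ip mode" per NTP packet
 * when verbose, tallies modes into *st (if non-NULL) and returns the number
 * of NTP packets seen, or -1 if the buffer is not a pcap file we understand. */
int ntp_scan(const uint8_t *buf, size_t len, struct ntp_stats *st, int verbose)
{
    struct ntp_stats acc = {0, 0, 0};
    int matched = 0;
    if (len < 24 || rd32le(buf) != 0xa1b2c3d4 || rd32le(buf + 20) != 1)
        return -1;                             /* LE microsecond magic, DLT_EN10MB */
    for (size_t off = 24; off + 16 <= len; ) {
        uint32_t ts_sec = rd32le(buf + off), ts_usec = rd32le(buf + off + 4);
        uint32_t caplen = rd32le(buf + off + 8);
        const uint8_t *pkt = buf + off + 16;
        if (caplen > len - off - 16) break;    /* truncated last record: stop */
        off += 16 + caplen;
        if (caplen < 14 + 20 + 8 + 1 || pkt[12] != 0x08 || pkt[13] != 0x00) continue;
        const uint8_t *ip = pkt + 14;
        size_t ihl = (ip[0] & 0x0f) * 4u;
        if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17 || 14 + ihl + 8 + 1 > caplen) continue;
        const uint8_t *udp = ip + ihl;
        unsigned sport = udp[0] << 8 | udp[1], dport = udp[2] << 8 | udp[3];
        if (sport != 123 && dport != 123) continue;   /* "port ntp" */
        unsigned mode = udp[8] & 7;                   /* "(udp[8] & 7)" */
        if (mode == 3) acc.client++; else if (mode == 4) acc.server++; else acc.other++;
        matched++;
        if (verbose)
            printf("%u.%06u %u.%u.%u.%u mode=%u\n", ts_sec, ts_usec,
                   ip[16], ip[17], ip[18], ip[19], mode);
    }
    if (st) *st = acc;
    return matched;
}

/* Constructed sample: one client request and the server's reply. */
#define NTP_LEN    48
#define PKT_WIRE   (14 + 20 + 8 + NTP_LEN)
#define PKT_REC    (16 + PKT_WIRE)
#define SAMPLE_LEN (24 + 2 * PKT_REC)

static void put_packet(uint8_t *p, uint32_t ts, uint32_t src, uint32_t dst,
                       uint16_t sport, uint16_t dport, uint8_t ntp_flags)
{
    memset(p, 0, PKT_REC);
    put32le(p, ts); put32le(p + 8, PKT_WIRE); put32le(p + 12, PKT_WIRE);
    uint8_t *eth = p + 16, *ip = eth + 14, *udp = ip + 20;
    eth[12] = 0x08; eth[13] = 0x00;            /* EtherType IPv4 */
    ip[0] = 0x45; ip[8] = 64; ip[9] = 17;      /* IPv4 IHL 5, TTL, protocol UDP */
    put16be(ip + 2, 20 + 8 + NTP_LEN);
    put32be(ip + 12, src); put32be(ip + 16, dst);
    put16be(udp, sport); put16be(udp + 2, dport); put16be(udp + 4, 8 + NTP_LEN);
    udp[8] = ntp_flags;                        /* LI/VN/Mode byte = udp[8] in BPF terms */
}

size_t build_sample(uint8_t *out)
{
    memset(out, 0, 24);
    put32le(out, 0xa1b2c3d4); out[4] = 2; out[6] = 4;  /* magic, version 2.4 */
    put32le(out + 16, 65535); put32le(out + 20, 1);    /* snaplen, linktype Ethernet */
    /* 192.0.2.10 (client) -> 192.0.2.1 (our server): VN=4, mode 3 */
    put_packet(out + 24, 1190130000u, 0xC000020Au, 0xC0000201u, 40000, 123, 0x23);
    /* the reply: VN=4, mode 4 */
    put_packet(out + 24 + PKT_REC, 1190130000u, 0xC0000201u, 0xC000020Au, 123, 40000, 0x24);
    return SAMPLE_LEN;
}

/* NTP packets in the sample: mode 3 or 4 gives that mode's count, anything else the total. */
int sample_mode_count(int mode)
{
    uint8_t sample[SAMPLE_LEN]; struct ntp_stats st;
    int n = ntp_scan(sample, build_sample(sample), &st, 0);
    if (n < 0) return -1;
    return mode == 3 ? (int)st.client : mode == 4 ? (int)st.server : n;
}

int main(int argc, char **argv)
{
    uint8_t sample[SAMPLE_LEN], *buf = sample, *file = NULL;
    size_t len = build_sample(sample);
    if (argc > 1) {                            /* a real capture from tcpdump -w or ulogd */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t cap = 1 << 20, r;
        file = malloc(cap); len = 0;
        while (file && (r = fread(file + len, 1, cap - len, f)) > 0)
            if ((len += r) == cap) file = realloc(file, cap *= 2);
        fclose(f);
        if (!file) return 1;
        buf = file;
    }
    struct ntp_stats st;
    int n = ntp_scan(buf, len, &st, 1);
    printf("ntp packets: %d (client %u, server %u, other %u)\n", n, st.client, st.server, st.other);
    free(file);
    return n < 0;
}
```

Run it with no arguments to see the two constructed packets listed, or pass a capture written by `tcpdump -w` or the ulogd pcap plugin. Counting client requests (mode 3) per source is the number that matters for Thierry's question about request rates; filtering on mode alone, as Sam notes, still needs an `and src [server ip]` style check to separate your own server's replies from everyone else's.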
