Re: bandwidth by user or process id

[Maciej Grela <maciej.grela () gmail com>]

2010/10/6 Patrick Kurz <kurzpatrick () ymail com>:
> ----- Original Message ----
> > From: Phil Vandry <vandry () TZoNE ORG>
> > To: Rob Hasselbaum <rob () hasselbaum net>
> > Cc: tcpdump-workers () lists tcpdump org
> > Sent: Tue, October 5, 2010 7:53:16 PM
> > Subject: Re: [tcpdump-workers] bandwidth by user or process id
> >
> > On Mon, 4 Oct 2010 09:51:39 -0400 Rob Hasselbaum <rob () hasselbaum net> wrote:
> > > Yes,  it is possible (on Linux, anyway), but not extremely easy. You can
> > >  correlate packet data to the kernel's network connection table and  network
> > > connections to inode values by reading "/proc/net/tcp*"  and
> >
> > Isn't that unreliable? The connection might be short-lived and  disappear
> > from /proc/net/{tc,ud}p* before you have a chance to find  it.
>
> I was also slightly concerned about short-lived connections. But if the measured
> bandwidth is accurate by 10%, it is sufficient for my use case.
> What kind of applications do in general create such short-lived connections and
> still produce considerable traffic (say, more than 100MB/hour)?
>
> > Since you are assuming Linux anyway, have you considered using  iptables?
> >
> > If you don't have a huge number of users, you can create a rule  like this
> > for each uid:
> >
> > iptables -I OUTPUT -m owner --uid-owner  <foo> -j ACCEPT
> >
> > and then just monitor the packet & byte  counters on these rules.

BTW, is it possible to monitor *incoming* packages using this kind of rule ?

-- 
Maciej Grela
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.