Re: bandwidth by user or process id

[Patrick Kurz <kurzpatrick () ymail com>]

----- Original Message ----
> From: Phil Vandry <vandry () TZoNE ORG>
> To: Rob Hasselbaum <rob () hasselbaum net>
> Cc: tcpdump-workers () lists tcpdump org
> Sent: Tue, October 5, 2010 7:53:16 PM
> Subject: Re: [tcpdump-workers] bandwidth by user or process id
>
> On Mon, 4 Oct 2010 09:51:39 -0400 Rob Hasselbaum <rob () hasselbaum net> wrote:
> > Yes,  it is possible (on Linux, anyway), but not extremely easy. You can
> >  correlate packet data to the kernel's network connection table and  network
> > connections to inode values by reading "/proc/net/tcp*"  and
>
> Isn't that unreliable? The connection might be short-lived and  disappear
> from /proc/net/{tc,ud}p* before you have a chance to find  it.

I was also slightly concerned about short-lived connections. But if the measured 
bandwidth is accurate by 10%, it is sufficient for my use case.
What kind of applications do in general create such short-lived connections and 
still produce considerable traffic (say, more than 100MB/hour)?
 
> Since you are assuming Linux anyway, have you considered using  iptables?
>
> If you don't have a huge number of users, you can create a rule  like this
> for each uid:
>
> iptables -I OUTPUT -m owner --uid-owner  <foo> -j ACCEPT
>
> and then just monitor the packet & byte  counters on these rules.

Very good suggestion. I'll learn more about iptables.
Do you know if this would also be able to distinguish the bandwidth consumed by 
different users on the same shared socket (e.g. ssh) as Rob pointed out in the 
previous post?

Thanks
Patrick



      

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.