Traffic Discovery Linux kernel project


Purpose

 

The main purpose of this project is to help system administrators monitor different kinds of IP traffic on a Linux router.

It is available for two kernel releases - 2.2.x (2.2.19) and 2.4.x (2.4.18).

 

Advantages

 

- Much faster and more reliable than packet-capture-type traffic monitoring projects. This project consists mainly of a kernel patch,

which modifies the Linux kernel to track and monitor all kinds of IP traffic. Packets do not leave kernel space for that purpose (for

example, traffic monitors which use the pcap library are obliged to transfer packets to userspace, because of the nature of the pcap library).

This makes Traffic Discovery an excellent tool for routers under high load, where all resources must be used optimally;

- Provides complex criteria for traffic monitoring;

- Easy to manage;

- Two modes of traffic monitoring are available - route-based and host-based;

- Output information is presented as a file in the process information pseudo-filesystem (/proc), where it is viewed as a table (easy to parse).

 

Disadvantages

 

- OS-specific;

- There is no user-friendly interface for management and statistics (you have to make your own; I'm still working on mine :>)

 

Version 1.0

 

A patch for Linux kernel 2.2.19 (may work on 2.2.16 and up), which allows the superuser to log received/transmitted traffic by

transport layer protocol (TCP/UDP/ICMP) and by key (port for TCP/UDP; code for ICMP). It allows two modes of logging -

route-based (where subnet-generated traffic is not logged) and host-based (where all traffic is logged). Of course, local traffic

is not logged.:>

 

 

        How to apply:  

                        # tar xzf tdisc2219-10.tgz

                        # cd /usr/src/linux

                        # patch -p1 < where-tdisc2219.diff-is/tdisc2219.diff

                        # make menuconfig

                        Select "IP: Traffic discovery" from Network Options

                        Save kernel configuration and exit

                        # make bzImage

                        # make lilo     <---    if you'll use this kernel as default

                        # shutdown -r now

                        After rebooting, you should have these two files in the proc file system:

                        /proc/net/tdisc                         - this is the file containing the traffic statistics

                        /proc/sys/net/ipv4/ip_tdisc_mode        - this is the system control (sysctl) used to select the work mode

                                                                  (0 for route-based (which is the default mode),

                                                                   1 for host-based mode)

                        # cd where-did-u-untar-tdisc2219-10.tgz/tdisc

                        # make

                        N.B. !!!

                        There are 3 entries with key FFFF (one per protocol). These entries accumulate statistics for keys which have not been added (i.e. all keys not added with ADD).

 

          How to use:

                        # cd where-did-u-untar-tdisc2219-10.tgz/tdisc

                        tdisc syntax:

                        # tdisc <cmd> <protocol> [key]

                        where:

                                cmd - ADD DEL FLUSH

                                        ADD - adds a statistics line

                                        DEL - deletes a statistics line

                                        FLUSH - flushes all statistics of a protocol

                                        N.B.!!! key is mandatory for ADD and DEL

                                protocol - TCP UDP ICMP

                                key - Port for TCP/UDP; Code for ICMP

 

          Examples:

                        # tdisc add tcp 21      <---    Adds logging of port 21 (ftp)

                        # tdisc add tcp 20      <---    Adds logging of port 20 (ftp)

                        # cat /proc/sys/net/ipv4/ip_tdisc_mode

                        0                               <---    Route-based policy

                        # cat /proc/net/tdisc

                        Proto Key  Recieved_bytes   Recieved_packets Sent_bytes       Sent_packets

                        TCP   0014 0000000000000000 0000000000000000 0000000000000000 0000000000000000

                        TCP   0015 0000000000000000 0000000000000000 0000000000000000 0000000000000000

                        TCP   FFFF 0000000000000000 0000000000000000 0000000000000000 0000000000000000

                        UDP   FFFF 0000000000000000 0000000000000000 0000000000000000 0000000000000000

                        ICMP  FFFF 0000000000000000 0000000000000000 0000000000000000 0000000000000000

                        # ftp upload.sourceforge.net

                        Connected to osdn.dl.sourceforge.net.

                        220 ProFTPD 1.2.0pre10 Server (ftp1.sourceforge.net) [66.35.250.221]

                        Name (upload.sourceforge.net:root): ftp

                        331 Anonymous login ok, send your complete e-mail address as password.

                        Password:

                        230-********************************************************************

                         SourceForge.net FTP server - San Jose (osdn.dl.sourceforge.net)

                         Additional access is at http://osdn.dl.sourceforge.net/pub/mirrors/

                         Mirrors, try 'rsync osdn.dl.sourceforge.net::'

 

                         Got a fat pipe and something to prove? Host a SourceForge download

                          server! Email ftpadmin@sourceforge.net for opportunities.

 

                         On This Site:

                         /pub/sourceforge/          SourceForge.net Project File Archive

                         *********************************************************************

                        230 Anonymous access granted, restrictions apply.

                        Remote system type is UNIX.

                        Using binary mode to transfer files.

                        ftp> cd pub

                        250 CWD command successful.

                        ftp> ls

                        200 PORT command successful.

                        150 Opening ASCII mode data connection for file list.

                        drwxr-xr-x   7 root     root         4096 Apr 30 21:15 mirrors

                        drwxr-xr-x 24859 sfftp    sfftp      430080 May 23 07:45 sourceforge

                        226-Transfer complete.

                        226 Quotas off

                        ftp> quit

                        221 Goodbye.

                        # cat /proc/net/tdisc

                        Proto Key  Recieved_bytes   Recieved_packets Sent_bytes       Sent_packets                         

                        TCP   0014 0000000000000192 0000000000000005 00000000000000D8 0000000000000004                     

                        TCP   0015 0000000000000786 0000000000000013 0000000000000555 0000000000000018                     

                        TCP   FFFF 0000000000000000 0000000000000000 0000000000000000 0000000000000000                     

                        UDP   FFFF 0000000000000000 0000000000000000 0000000000000000 0000000000000000                     

                        ICMP  FFFF 0000000000000000 0000000000000000 0000000000000000 0000000000000000                     

 

 

Version 1.1

 

This is an upgrade of the Traffic Discovery patch ver 1.0. This upgrade adds traffic accounting. It uses a new pseudo-protocol,

called CNT (from ClieNT). It allows registering a network or several networks under a CNT key (which I call a code), and logging the

traffic received/transmitted from/to these networks for a client. It also contains a sample database of well-known TCP/UDP

ports and ICMP codes, which can be applied. It has a database of networks by country, which is used for building a sample

client logging database (CLD). This CLD can 'tell' the superuser how many packets are received/transmitted from/to a country.

 

        How to apply:

                        Look at Version 1.0, it's the same.

 

        How to use:

                        In addition to the options available from v1.0, I added new options for the new features.

                        tdisc's new features syntax:

                        # tdisc ADD/DEL CNT [code] [network_address] [network_prefix]

                        # tdisc FLUSH CNT [ZONE/code] <prefix>

                        where:

                                ADD CNT - adds a network with ip NETWORK_ADDRESS and prefix NETWORK_PREFIX to a key, called code

                                DEL CNT - deletes a network with ip NETWORK_ADDRESS and prefix NETWORK_PREFIX from a key, called code

                                FLUSH CNT - deletes all network entries and flushes all CNT statistics

                                FLUSH CNT code - deletes all statistics of the given code

                                FLUSH CNT ZONE prefix - deletes all networks within the prefix PREFIX

 

        Examples:

                     Assumption: our router is on an Ethernet network, and we want to collect information about the traffic of this network.

                     # tdisc add cnt 1 192.168.0.1 24    <---   This will add network 192.168.0.0/24 to key 1

                     # echo "1" > /proc/sys/net/ipv4/ip_tdisc_mode    <---  We will collect traffic of the internal network (host-based mode, so traffic that is not routed is counted too)

                     # cat /proc/net/tdisc

                     Proto Key  Recieved_bytes   Recieved_packets Sent_bytes       Sent_packets                         

                     TCP   FFFF 0000000000000AFC 0000000000000025 00000000000009B4 0000000000000025

                     UDP   FFFF 000000000000009C 0000000000000002 0000000000000000 0000000000000000

                     ICMP  FFFF 0000000000000054 0000000000000001 0000000000000054 0000000000000001

                     CNT   0001 0000000000000BEC 0000000000000028 0000000000000A08 0000000000000026

                     CNT   FFFF 0000000000000000 0000000000000000 0000000000000000 0000000000000000
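                     Since the project ships no management front-end, here is an added example (not code from the Traffic Discovery project) that parses the /proc/net/tdisc table shown in the v1.0 and v1.1 examples above, where the key and all four counters are fixed-width hexadecimal, and reports how the counters grew between two snapshots. The BEFORE/AFTER input is constructed from the TCP rows of the two v1.0 snapshots.

```python
"""Added example, not part of the Traffic Discovery project: parse the
/proc/net/tdisc table format and report how the counters grew between
two snapshots. Every field after Proto is fixed-width hexadecimal."""
from collections import namedtuple

CATCHALL = 0xFFFF  # key FFFF: traffic for keys that were never ADDed
Row = namedtuple("Row", "proto key rx_bytes rx_packets tx_bytes tx_packets")


def parse_tdisc(text):
    """Return {(proto, key): Row} for one /proc/net/tdisc snapshot.
    Header and blank lines are skipped; any other malformed line raises."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Proto":
            continue
        if len(fields) != 6:
            raise ValueError("unexpected tdisc line: %r" % line)
        key, rxb, rxp, txb, txp = (int(f, 16) for f in fields[1:])
        rows[(fields[0], key)] = Row(fields[0], key, rxb, rxp, txb, txp)
    return rows


def delta(before, after):
    """Counter growth per entry between two snapshots, as
    {(proto, key): (rx_bytes, rx_packets, tx_bytes, tx_packets)}.
    Entries ADDed between the snapshots are counted from zero."""
    zero = Row("", 0, 0, 0, 0, 0)
    return {k: tuple(a[i] - before.get(k, zero)[i] for i in range(2, 6))
            for k, a in after.items()}


def label(proto, key):
    """Human-readable name for a table entry (port for TCP/UDP, code otherwise)."""
    if key == CATCHALL:
        return proto + " (keys not added)"
    return "%s %s %d" % (proto, "port" if proto in ("TCP", "UDP") else "code", key)


# Constructed input: the TCP rows of the two v1.0 snapshots quoted above.
BEFORE = """Proto Key  Recieved_bytes   Recieved_packets Sent_bytes       Sent_packets
TCP   0014 0000000000000000 0000000000000000 0000000000000000 0000000000000000
TCP   0015 0000000000000000 0000000000000000 0000000000000000 0000000000000000
"""
AFTER = """Proto Key  Recieved_bytes   Recieved_packets Sent_bytes       Sent_packets
TCP   0014 0000000000000192 0000000000000005 00000000000000D8 0000000000000004
TCP   0015 0000000000000786 0000000000000013 0000000000000555 0000000000000018
"""
if __name__ == "__main__":
    growth = delta(parse_tdisc(BEFORE), parse_tdisc(AFTER))
    for k, (rxb, rxp, txb, txp) in sorted(growth.items()):
        print("%-12s rx %5d B / %2d pkt   tx %5d B / %2d pkt" % (label(*k), rxb, rxp, txb, txp))
```

Run on a live router, replace BEFORE/AFTER with two reads of /proc/net/tdisc taken some interval apart; the FFFF rows then show how much traffic is not covered by any key you have added.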

 

 

Version 2.0

 

This is an upgrade of the Traffic Discovery patch ver 1.1. This upgrade is the same as ver 1.1, but for the 2.4.x (2.4.18) Linux kernel.




SourceForge.net