log traffic

i need to log all traffic that is being created by a specific uid
the box have multiple nic's if it matters.
the uid dosent belong to a real system user with shell but will show up like #405 in ps where 405 is a uid in a chrooted /ftpd/etc/passwd
where do i start?
i need a full explenation since i dont really have time to read everything on the subject.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

you need to log "what service" ??

ftp ?
loadetAuthor Commented:
does it matter?
i need to log all traffic from that uid
but its a ftpd .. not the standard ftpd service.
and i did try something like iptables -A OUTPUT -m owner --uid-owner 405
but it just gets me a iptables: Invalid argument
check if you have the owner module for ip tables. It should be in the modules subtree on your system ( /lib/modules/`uname -r`/kernel/net/ipv4/netfilter )

You are probably missing the module.
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

loadetAuthor Commented:
i have ipt_owner.ko

would that be it?
That is the module your need. load it using:

modprobe ipt_owner

after that try your command again:

iptables -A OUTPUT -m owner --uid-owner 405 -j LOG

Should do the trick (just checked on my own machine)

Good Luck
loadetAuthor Commented:
yeah i thought that was the problem too but it was already loaded
FATAL: Module ipt_owner already in kernel.
That fatal is not fatal :-)

Does it accept the iptables command without complaining?
loadetAuthor Commented:
no it gives me a
iptables: Invalid argument
im running
iptables v1.2.6a
kernel 2.6.4

lsmod gives me

ipt_owner               4480  0
iptable_filter          3840  1
ip_tables              17168  2 ipt_owner,iptable_filter

so i dont really understand it
I did 2 things:

checked my version of iptables and kernel: iptables 1.2.9 and kernel 2.6.7

searched the sources of iptables and the kernel ipfilter modules for the "Invalid argument": it's not there. So whatever is giving this error, it is not in iptables or the kernel modules.

Could you please check what iptables you are executing? (try: which iptables)
loadetAuthor Commented:
start:/home/loadet# which iptables
I am at a loss now. I can only sussgest to upgrade your version of the iptables tools and to check again that you get the command line correctly:

/sbin/iptables -A OUTPUT -m owner --uid-owner <numeric> -j LOG

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
loadetAuthor Commented:
ok i will try that, thanks for trying.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.