• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 305

log traffic

I need to log all traffic that is being created by a specific uid.
The box has multiple NICs, if it matters.
The uid doesn't belong to a real system user with a shell, but will show up like #405 in ps, where 405 is a uid in a chrooted /ftpd/etc/passwd.
Where do I start?
I need a full explanation since I don't really have time to read everything on the subject.
Asked:
loadet
1 Solution
 
pablouruguay commented:
You need to log "what service"?

ftp?
httpd?
loadet (Author) commented:
Does it matter?
I need to log all traffic from that uid,
but it's an ftpd .. not the standard ftpd service.
And I did try something like:

iptables -A OUTPUT -m owner --uid-owner 405

but it just gets me:

iptables: Invalid argument
de2Zotjes commented:
Check if you have the owner module for iptables. It should be in the modules subtree on your system (/lib/modules/`uname -r`/kernel/net/ipv4/netfilter).

You are probably missing the module.
loadet (Author) commented:
I have ipt_owner.ko.

Would that be it?
de2Zotjes commented:
That is the module you need. Load it using:

modprobe ipt_owner

After that, try your command again:

iptables -A OUTPUT -m owner --uid-owner 405 -j LOG

Should do the trick (just checked on my own machine).

Good luck
loadet (Author) commented:
Yeah, I thought that was the problem too, but it was already loaded:

FATAL: Module ipt_owner already in kernel.
de2Zotjes commented:
That fatal is not fatal :-)

Does it accept the iptables command without complaining?
loadet (Author) commented:
No, it gives me a:

iptables: Invalid argument

I'm running:
iptables v1.2.6a
kernel 2.6.4

lsmod gives me:

ipt_owner               4480  0
iptable_filter          3840  1
ip_tables              17168  2 ipt_owner,iptable_filter

So I don't really understand it.
de2Zotjes commented:
I did 2 things:

Checked my version of iptables and kernel: iptables 1.2.9 and kernel 2.6.7.

Searched the sources of iptables and the kernel ipfilter modules for the "Invalid argument": it's not there. So whatever is giving this error, it is not in iptables or the kernel modules.

Could you please check which iptables you are executing? (try: which iptables)
loadet (Author) commented:
start:/home/loadet# which iptables
/sbin/iptables
de2Zotjes commented:
I am at a loss now. I can only suggest upgrading your version of the iptables tools and checking again that you get the command line correct:

/sbin/iptables -A OUTPUT -m owner --uid-owner <numeric> -j LOG
loadet (Author) commented:
OK, I will try that, thanks for trying.
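An added example, not from the thread: a POSIX shell helper that resolves the uid from the chrooted passwd file, emits the OUTPUT/LOG rules discussed above (one per NIC when interfaces are given, since the box has several), and checks whether the owner match module is loaded. The /ftpd/etc/passwd path and the user name ftpuser are assumed, and the owner match only sees locally generated packets, so it belongs in the OUTPUT chain and cannot log inbound traffic to the uid.

```shell
#!/bin/sh
# Added example (not from the thread). Builds iptables LOG rules for all
# outbound traffic sent by one numeric uid, as in the thread's command
# "iptables -A OUTPUT -m owner --uid-owner 405 -j LOG".

# Resolve a user name to its numeric uid from a given passwd file.
# The uid lives in the chroot's passwd, not the host's /etc/passwd,
# so the file path is passed explicitly (assumed: /ftpd/etc/passwd).
uid_from_passwd() {
    # $1 = passwd file, $2 = user name; prints the uid or nothing
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# Print (do not execute) the iptables commands that log packets from a uid.
# With no interface arguments the rule covers every NIC; with interfaces,
# one rule per NIC is emitted with a distinct --log-prefix so the kernel
# log shows which interface the packet left on.
uid_log_rules() {
    uid=$1
    shift
    if [ $# -eq 0 ]; then
        printf 'iptables -A OUTPUT -m owner --uid-owner %s -j LOG --log-prefix "uid%s: "\n' \
            "$uid" "$uid"
    else
        for ifc in "$@"; do
            printf 'iptables -A OUTPUT -o %s -m owner --uid-owner %s -j LOG --log-prefix "uid%s-%s: "\n' \
                "$ifc" "$uid" "$uid" "$ifc"
        done
    fi
}

# Return 0 if the owner match module is loaded (ipt_owner on 2.6-era
# kernels, xt_owner on newer ones), as the thread checks with lsmod.
owner_module_loaded() {
    lsmod 2>/dev/null | grep -q '^\(ipt_owner\|xt_owner\)[[:space:]]'
}

# Example run: resolve the assumed ftpuser from the chroot passwd and print
# the rules for two NICs. Pipe the output to sh as root to apply them.
if [ -r /ftpd/etc/passwd ]; then
    u=$(uid_from_passwd /ftpd/etc/passwd ftpuser)
    [ -n "$u" ] && uid_log_rules "$u" eth0 eth1
fi
owner_module_loaded || echo "owner match module not loaded (try: modprobe ipt_owner)"
```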
