IP Networking: ip_queue_xmit, sockets and TCP output question (Linux 2.6.17)

From: Manuel Feier
Date: Sat Jan 06 2007 - 14:49:40 EST


Dear Linux kernel hackers,

I'm trying to extend the kernel in a way that I am able to collect
user-based IP networking information (e.g. which system user generated
how much IP traffic). Unfortunately this doesn't seem to be a topic that
is well documented, so I try my luck here.

For capturing the outgoing TCP traffic, I found the function
"ip_queue_xmit" (net/ipv4/ip_output.c) would be adequate. I added the
following code to the function right after the line
    skb->priority = sk->sk_priority;

    if (sk && sk->sk_socket) {
        ip4acct_user_sent(SOCK_INODE(sk->sk_socket)->i_uid,
                          ntohs(iph->tot_len),6);
    }
    else {
        ip4acct_user_sent(IPACCT_NOUSER,
                          ntohs(iph->tot_len),6);
    }

This seems to work well if I send a small amount of TCP
data (512 bytes) with nc from an unprivileged user of that host. If I
open a website (lots of data / images) however, a few packets
don't appear to be related to a socket and
hence are accounted to NOUSER (~2 %). If I continuously keep opening
multiple webpages at a time, some outgoing TCP traffic even gets
accounted to user root (uid 0) instead of the unprivileged user that
owns the web browser.

For debugging, I logged the source and destination address of those
packets that go into the else{} branch above, and it appears these
are packets that clearly belong to the web browser connection.

I now wonder what I am getting wrong about the function ip_queue_xmit:

- How can it be that a TCP/IP packet which belongs to an HTTP
transmission has no socket that could be found with the first function
above?
- How can it be that (seemingly under increased network load) another
socket owner is returned than the one responsible for the load?

I'd appreciate your help very much, also ideas about debugging or
conceptual hints.

Thanks,

Manuel
