Auditing network traffic

Paul Moore paul at paul-moore.com
Wed Jan 20 21:40:38 UTC 2016


On Wed, Jan 20, 2016 at 9:26 AM, Lev Stipakov <lstipakov at gmail.com> wrote:
> Another way of getting network stats is the AUDIT target for netfilter.
> Looks good, no need to worry about fds/addrs. However there is no pid. What
> would be the "best" way to get pid for those records? Anything else besides
> looking into /proc/net/tcp?

Linking a specific process/PID to a network packet is very difficult,
if not impossible, for the simple reason that the kernel doesn't track
the originating process, only the originating socket (which is an
unreliable way to determine the sending process).  Not to mention the
fact Steve already mentioned that some packets do not originate in
userspace; forwarded traffic, streaming protocol control messages,
ICMP error messages are all common examples of non-local userspace
generated messages.

-- 
paul moore
www.paul-moore.com
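As an added example (not code from this thread or from the audit project), here is the /proc-based lookup Lev asks about, together with its limits: a best-effort mapping from a local TCP port to the PIDs holding the socket, via the inode column of /proc/net/tcp and the `socket:[inode]` links under /proc/<pid>/fd. The /proc/net/tcp text below is constructed; entries with inode 0 (TIME_WAIT, kernel-originated) have no userspace owner at all, which is the gap Paul describes.

```python
import os
import re
import socket
import struct

# Constructed /proc/net/tcp sample: a listener on :22, an established client
# socket owned by uid 1000, and a TIME_WAIT entry with no inode (no owner).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A1B2 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:C3D4 0100007F:0016 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
"""

def _addr(hexaddr):
    """Decode 'HHHHHHHH:PPPP'. The kernel prints the IPv4 address in host byte
    order, so repacking with native order ('=I') restores the wire bytes."""
    ip, port = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket line: local/remote (ip, port), state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": _addr(f[1]), "remote": _addr(f[2]),
                     "state": int(f[3], 16), "uid": int(f[7]), "inode": int(f[9])})
    return rows

def socket_inode_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs whose fd table references it (needs privilege
    to read other users' /proc/<pid>/fd; unreadable or vanished processes are skipped)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:
            continue
        for target in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners

def pids_for_local_port(port, proc_tcp_text, owners):
    """Best effort only: a socket can be shared by several processes (fork, SCM_RIGHTS),
    and inode 0 means no userspace owner exists, so an empty set is a real outcome."""
    pids = set()
    for row in parse_proc_net_tcp(proc_tcp_text):
        if row["local"][1] == port and row["inode"] != 0:
            pids |= owners.get(row["inode"], set())
    return pids
```

On a live host call `pids_for_local_port(22, open("/proc/net/tcp").read(), socket_inode_owners())`; the result is a snapshot, so a socket closed between the two reads simply disappears.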

More information about the Linux-audit mailing list