Auditing network traffic

Lev Stipakov lstipakov at gmail.com
Thu Jan 21 09:49:13 UTC 2016


Hi Steve,

Thank you for your comments! It seems that the AUDIT target is a better option 
than hooking syscalls and managing fds. I don't have to look inside the 
traffic; just src/dest and byte count is enough for me.

What would be the performance implications of that approach compared 
to, say, the libpcap option? Mostly I am concerned about the logging part - 
it seems that every packet produces a NETFILTER_PKT record. I could not find 
any way to disable that, except probably disabling logging altogether, 
but that will break ausearch.

-Lev
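As an added illustration of the "src/dest and byte count" use case described in the post (example code, not part of the original message or of the audit project): a small parser that aggregates NETFILTER_PKT records from audit.log into per-flow packet and byte totals. The field names (saddr=, daddr=, len=, proto=) are assumed from the layout written by the kernel's xt_AUDIT target, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# key=value tokens as they appear in an audit record line.
# Field names (saddr, daddr, len, proto) are assumed from the xt_AUDIT
# target's record format; the post itself does not show them.
FIELD_RE = re.compile(r'(\w+)=(\S+)')

def parse_netfilter_pkt(line):
    """Return a dict of key=value fields for a NETFILTER_PKT record, else None."""
    if 'type=NETFILTER_PKT' not in line:
        return None
    return dict(FIELD_RE.findall(line))

def aggregate_flows(lines):
    """Sum packets and bytes (len=) per (saddr, daddr, proto) across the records."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in lines:
        rec = parse_netfilter_pkt(line)
        if rec is None or 'saddr' not in rec or 'daddr' not in rec:
            continue  # not a packet record, or no IP header fields logged
        key = (rec['saddr'], rec['daddr'], rec.get('proto', '?'))
        flows[key]["packets"] += 1
        flows[key]["bytes"] += int(rec.get('len', 0))
    return dict(flows)

# Constructed sample records (not captured from a real system).
SAMPLE_LOG = """\
type=NETFILTER_PKT msg=audit(1453369753.001:101): action=0 hook=1 len=84 inif=eth0 outif=? saddr=192.0.2.10 daddr=198.51.100.5 ipid=1234 proto=1
type=NETFILTER_PKT msg=audit(1453369753.002:102): action=0 hook=3 len=1500 inif=? outif=eth0 saddr=198.51.100.5 daddr=192.0.2.10 ipid=1235 proto=6 sport=443 dport=51234
type=NETFILTER_PKT msg=audit(1453369753.003:103): action=0 hook=3 len=60 inif=? outif=eth0 saddr=198.51.100.5 daddr=192.0.2.10 ipid=1236 proto=6 sport=443 dport=51234
type=SYSCALL msg=audit(1453369753.004:104): arch=c000003e syscall=42 success=yes exit=0
"""

if __name__ == "__main__":
    for (src, dst, proto), stats in sorted(aggregate_flows(SAMPLE_LOG.splitlines()).items()):
        print(f"{src} -> {dst} proto={proto}: {stats['packets']} pkts, {stats['bytes']} bytes")
```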
