in reply to Very fast reads from an external program

So anyways, the question is how can I get in real time data from tcpdump, very, VERY fast?

If you just want to know that, then I'm sorry I don't know. :)

If you consider the TMTOWTDI, here are a couple of thoughts for you:

  1. If you have a REALLY loaded network, write your own (or use one of the existing) daemons in C to store the data into the database (like MySQL) for example. You can later use Perl to extract the data, generate reports, and/or do any other fancy thingies.

  2. Since you've mentioned that you are using a Linux box, you can use iptables(8) to do the counting. Check the manual for the --uid-owner and --gid-owner parameters. In this way, you will not have to write any C. You will also have very exact data and you will be using your hardware most efficiently, since it'll be the kernel itself doing your job. :)

P.S.: Sorry for the kind of off-topic answer though. :)

Leonid Mamtchenkov

Re: Re: Very fast reads from an external program
by slifox (Acolyte) on Apr 25, 2003 at 21:40 UTC
    Actually, I've looked into this. I've found a few solutions that modify the kernel, but they're really, really old. If I can't get this working, I'll probably end up using a netfilter patch that allows me to match the owner on incoming packets as well (owner-socketinfo, I think). But, don't iptables counts reset after a while?
      Depends on what you mean by "after a while". If that's service iptables restart, then, yes, of course. :)

      Leonid Mamtchenkov
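The following is an added example, not code posted by Leonid or slifox, showing what item 2 of the first reply and the counter-reset exchange above look like in practice: the iptables owner match counts bytes per user, and Perl reads the counters back by parsing `iptables -L <chain> -v -n -x`. The chain name PERUSER, the user IDs 1000 and 1001, and the two sample listings are assumptions constructed for this example; the listing layout follows what iptables prints with -v -n -x. One caveat from the manual that the thread touches on: the owner match only sees locally generated packets, so the counting rules live in the OUTPUT chain (which is why slifox is looking at a netfilter patch for the incoming side). The reset handling in byte_delta covers the "counters reset after a while" question: a reading lower than the previous one is taken to mean the rules were reloaded.

```perl
#!/usr/bin/perl
# Added example: per-user byte accounting with the iptables owner match,
# read back from Perl. Chain name PERUSER and the sample UIDs are
# assumptions made for this example, not values from the thread.
use strict;
use warnings;

# 1. Rules to install once, as root. The owner match only sees locally
#    generated packets, so the chain hangs off OUTPUT; no -j target is
#    given, so each rule only counts and lets the packet continue.
sub rule_commands {
    my @uids = @_;
    my @cmds = ('iptables -N PERUSER', 'iptables -I OUTPUT -j PERUSER');
    push @cmds, "iptables -A PERUSER -m owner --uid-owner $_" for @uids;
    return @cmds;
}

# 2. Parse the listing from `iptables -L PERUSER -v -n -x` into
#    { uid => { pkts => N, bytes => N } }. -x gives exact counters
#    instead of the rounded "15K" style.
sub parse_counters {
    my ($listing) = @_;
    my %by_uid;
    for my $line (split /\n/, $listing) {
        next unless $line =~ /^\s*(\d+)\s+(\d+)\s.*owner UID match (\d+)/;
        $by_uid{$3} = { pkts => $1, bytes => $2 };
    }
    return \%by_uid;
}

# 3. Bytes transferred between two readings. Counters only grow unless the
#    rules were reloaded (e.g. `service iptables restart`), which zeroes
#    them; a reading lower than the previous one is treated as "counted
#    from zero since the reset" rather than as a negative delta.
sub byte_delta {
    my ($prev, $cur) = @_;
    my %delta;
    for my $uid (keys %$cur) {
        my $now  = $cur->{$uid}{bytes};
        my $then = exists $prev->{$uid} ? $prev->{$uid}{bytes} : 0;
        $delta{$uid} = $now >= $then ? $now - $then : $now;
    }
    return \%delta;
}

# 4. One reading from a live system (needs root and the rules above).
sub read_live {
    my $listing = `iptables -L PERUSER -v -n -x 2>/dev/null`;
    die "could not list chain PERUSER (run as root after installing rules)\n"
        unless defined $listing && length $listing;
    return parse_counters($listing);
}

unless (caller) {
    print "$_\n" for rule_commands(1000, 1001);

    # Constructed sample listings in the layout iptables prints with -v -n -x.
    # Between the two readings uid 1001's counter went down: a reset.
    my $before = <<'END';
Chain PERUSER (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120      15360            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000
      42       5120            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001
END
    my $after = <<'END';
Chain PERUSER (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     200      30720            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1000
       3        300            all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner UID match 1001
END
    my $delta = byte_delta(parse_counters($before), parse_counters($after));
    printf "uid %s: %d bytes since last poll\n", $_, $delta->{$_}
        for sort keys %$delta;

    # Real polling loop: perl thisscript.pl --live (as root).
    if (@ARGV && $ARGV[0] eq '--live') {
        my $prev = read_live();
        while (1) {
            sleep 5;
            my $cur = read_live();
            my $d   = byte_delta($prev, $cur);
            printf "uid %s: %d bytes/5s\n", $_, $d->{$_} for sort keys %$d;
            $prev = $cur;
        }
    }
}
```

Run without arguments it prints the rule commands and works the two constructed listings through parse_counters and byte_delta; with --live it installs nothing itself but polls the real chain every five seconds. Polling the counters this way costs one fork per interval rather than a copy of every packet, which is the efficiency point the first reply makes.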