Discussion:
Logging output UIDs.
Sthu Deus
2012-07-14 07:11:03 UTC
Good time of the day.


I try to get UIDs of the processes that generate OUTPUT traffic:

/sbin/iptables -A OUTPUT -j LOG --log-uid --log-prefix 'OUTPT->' --log-level 2

But I do not get the UIDs:

OUTPT->IN= OUT=br0 SRC=XXXX DST=ZZZZ LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=48282 DPT=9001 WINDOW=842
RES=0x00 ACK URGP=0

I tried w/ log level 1 and others - still no luck.

Also, may You know the answer to my curiosity: why can I not place '-j
LOG' in the above iptables rule at the end of the rule? - For iptables
complains about unknown '--log-uid'. - I understand that something is
then missing before the suffix, but from the iptables man page it is not
evident to me what.


Thanks for Your time.
Pascal Hambourg
2012-07-14 08:00:47 UTC
Hello,
Post by Sthu Deus
/sbin/iptables -A OUTPUT -j LOG --log-uid --log-prefix 'OUTPT->' --log-level 2
OUTPT->IN= OUT=br0 SRC=XXXX DST=ZZZZ LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=48282 DPT=9001 WINDOW=842
RES=0x00 ACK URGP=0
Is the UID missing for all packets or only for this one ?
According to a quick test, it seems that the last ACK in a TCP
connection does not have a UID (probably because the socket is closed).
Packets generated by the kernel itself (TCP RST, ICMP messages...) do not
have a UID.
Post by Sthu Deus
Also, may You know the answer to my curiosity: why can I not place '-j
LOG' in the above iptables rule at the end of the rule? - For iptables
complains about unknown '--log-uid'. - I understand that something is
then missing before the suffix, but from the iptables man page it is not
evident to me what.
--log-* are options to the LOG target, so iptables does not expect them
before.
--
To UNSUBSCRIBE, email to debian-firewall-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Archive: http://lists.debian.org/***@plouf.fr.eu.org
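To make use of the behaviour Pascal describes, a log consumer has to treat the UID field as optional: a line without UID= is not a parser error but an unattributed packet (socket already closed, or kernel-generated). The following is an added example, not code from the thread or from iptables; it parses LOG lines in the format quoted above (the sample lines, addresses and UID are constructed) and tallies packets per UID against those that cannot be attributed. It also tolerates a syslog preamble before the prefix, which the quoted output does not show.

```python
from collections import Counter

# Constructed sample LOG lines (not real captures) in the thread's format: a SYN
# sent while the socket was open (has UID/GID), the final ACK, a kernel RST.
SAMPLE_LINES = [
    "kernel: OUTPT->IN= OUT=br0 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=48282 DPT=9001 WINDOW=29200 "
    "RES=0x00 SYN URGP=0 UID=1000 GID=1000",
    "kernel: OUTPT->IN= OUT=br0 SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=48282 DPT=9001 WINDOW=842 "
    "RES=0x00 ACK URGP=0",
    "kernel: OUTPT->IN= OUT=br0 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=48282 DPT=9001 WINDOW=0 "
    "RES=0x00 RST URGP=0",
]

def parse_log_line(line, prefix="OUTPT->"):
    """Split an iptables LOG line into KEY=VALUE fields; bare tokens such as
    DF, SYN, ACK or RST go into the 'FLAGS' set. None if prefix is absent."""
    start = line.find(prefix)
    if start < 0:
        return None
    fields, flags = {}, set()
    for token in line[start + len(prefix):].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value      # e.g. OUT=br0, DPT=9001, UID=1000
        else:
            flags.add(token)         # e.g. DF, ACK, RST
    fields["FLAGS"] = flags
    return fields

def owner_uid(entry):
    """UID of the sending process, or None when the kernel logged none
    (socket already closed, or a kernel-generated packet such as a TCP RST)."""
    return int(entry["UID"]) if "UID" in entry else None

def summarize(lines, prefix="OUTPT->"):
    """Count logged packets per UID, plus those that cannot be attributed."""
    by_uid, unattributed = Counter(), 0
    for line in lines:
        entry = parse_log_line(line, prefix)
        if entry is None:
            continue
        uid = owner_uid(entry)
        if uid is None:
            unattributed += 1
        else:
            by_uid[uid] += 1
    return {"by_uid": dict(by_uid), "unattributed": unattributed}
```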
Pascal Hambourg
2012-07-15 13:50:25 UTC
[Reply CC'ed to the list]
Good time of the day, Pascal.
Thank You for Your time and for Your answer, which is important to me.
Post by Pascal Hambourg
Is the UID missing for all packets or only for this one ?
According to a quick test, it seems that the last ACK in a TCP
connection does not have a UID (probably because the socket is
closed). Packets generated by the kernel itself (TCP RST, ICMP
messages...) do not have a UID.
I have tested and found that it is true - only filtered out packets
have no UID - others had (when I logged all of them and just the
filtered out ones).
Am I correct supposing that those packets having no UIDs are kernel
generated ones, and only?
I have no certainty, but I suppose so.
Post by Pascal Hambourg
Post by Sthu Deus
Also, may You know the answer to my curiosity: why can I not place
'-j LOG' in the above iptables rule at the end of the rule? - For
iptables complains about unknown '--log-uid'. - I understand that
something is then missing before the suffix, but from the iptables man
page it is not evident to me what.
--log-* are options to the LOG target, so iptables does not expect
them before.
Oh, I've got the point - I thought the LOG target is the same as others and
therefore failed to understand it. Thanks for the explanation, again.
The same as what others ?
LOG is handled by iptables just as any other target or match. Its
options must appear after its name.