[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ulogd
Subject:    [ulogd] Re: New offers for an ULOG module.
From:       Ben La Monica <ben.lamonica () gmail ! com>
Date:       2005-02-17 10:58:20
Message-ID: 7174b1e40502170258205ccf8d () mail ! gmail ! com
[Download RAW message or body]

On Thu, 17 Feb 2005 13:08:18 +0500, serjio <serjio@tajik.net> wrote:
> I had a some problems with using ULOG module. You can found a
> description of them in my post at last month at
> http://lists.gnumonks.org/pipermail/ulogd/2005-January/000687.html

> In shortly there were troubles with data transmissions between ULOG
> module and ULOGD daemon
> program. I also was worried by repeteadly messages like "ipt_ULOG: can't
> alloc whole buffer"
> from my ULOG module. Due to this I was unable to check my network
> traffic for 100%.

I just ran a test at 10Mbs (forced my network card to 10 Mbs for the
same test that I ran at http://www.pojo.us/ulogd/index.html) and it
didn't lose a single packet.

Here are the packet results:

Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source         
     destination
143607 201811616 ULOG       tcp  --  *      *       0.0.0.0/0         
  0.0.0.0/0           tcp dpt:5001 ULOG copy_range 64 nlgroup 1
queue_threshold 50

Total number of records in db:
143607

What are the arguments that you are specifying in iptables? You don't
need to copy the entire packet if all you want it the header
information (destination and source ip, port, mac, etc).

If you haven't limited the amount to copy to ulogd, try to add these settings
(ie: iptables <some chain, some rule> -j ULOG --ulog-cprange 64
--ulog-qthreshold 50)
This tells ULOG to only copy the first 64 bytes out of the packet to
userspace, and to queue the packets until you have 50 of them (saving
on overhead).

Give that a try and see if you get better results.

-Ben La Monica

[prev in list] [next in list] [prev in thread] [next in thread]