A new way to log network traffic without syslogd and klogd

Patrick Schaaf bof@bof.de
Thu, 31 Jan 2002 07:02:36 +0100


On Thu, Jan 31, 2002 at 10:47:45AM +0800, Sun LiWei wrote:
> I found a new way to read the packets that passed the iptables LOG target. I wrote a C++ program to read the file /proc/kmsg, and I saw all the packet information like this
> 
> <6>IN=eth0 OUT=eth1 SRC=202.101.165.246 DST=192.168.1.30 LEN=1452 TOS=0x00 PREC=0x00 TTL=115 ID=64273 DF PROTO=TCP SPT=82 DPT=1804 WINDOW=16544 RES=0x00 ACK URG P=0
> 
> Did anyone ever try this way to log the network traffic? Is it the right way? Did I miss something?

It is not the right way. /proc/kmsg, and the "dmesg" program, provide
raw access to the kernel->user logging ring buffer. This is read by
syslogd / klogd, and they care about properly handling that buffer.
You are not really supposed to use it directly. If you do, you are
in fact "reimplementing syslogd". If that's your intention, then it
is the proper way - but why do that?

best regards
  Patrick
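The practical consequence of the reply above is that the program should consume what klogd/syslogd have already written (e.g. /var/log/messages or kern.log) rather than draining /proc/kmsg itself. Either way the LOG target's own format still has to be parsed: "KEY=VALUE" tokens, bare flag tokens such as DF, SYN and ACK, an optional --log-prefix string before IN=, and, on raw kmsg lines only, the "<N>" priority prefix. The following is an added example, not code from the thread or from the netfilter project; the sample log lines are constructed (the first is modeled on the line the poster quoted, the syslog-style timestamp/host/"kernel:" prefix is assumed to be the traditional format), and the function and field names are the example's own.

```python
"""Parse iptables LOG target output, either raw from /proc/kmsg / dmesg
(with the "<N>" priority prefix) or after klogd/syslogd wrote it to a file.
Added example for this thread, not the poster's program."""
import re
from typing import Dict, List, Optional, Tuple

# Raw /proc/kmsg lines start with "<N>" where N = facility * 8 + level.
KMSG_PREFIX = re.compile(r"^<(\d+)>")
# What syslogd prepends when writing the same message to a log file.
# Assumed traditional "Mon DD HH:MM:SS host kernel: " layout.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ kernel: ")

INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "WINDOW", "URGP"}
HEX_FIELDS = {"TOS", "PREC", "RES"}
# Bare tokens at the TCP layer; DF/MF are IP-header flags, not TCP flags.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Constructed sample input (not taken from a real system).
SAMPLE_LINES = [
    # raw /proc/kmsg form, modeled on the line quoted in the thread
    "<6>IN=eth0 OUT=eth1 SRC=202.101.165.246 DST=192.168.1.30 LEN=1452 "
    "TOS=0x00 PREC=0x00 TTL=115 ID=64273 DF PROTO=TCP SPT=82 DPT=1804 "
    "WINDOW=16544 RES=0x00 ACK URGP=0",
    # the same kind of message after klogd/syslogd wrote it, with a --log-prefix
    "Jan 31 07:02:36 fw kernel: DROP-IN: IN=eth0 OUT= "
    "MAC=00:50:56:c0:00:08:00:0c:29:ab:cd:ef:08:00 SRC=10.0.0.5 "
    "DST=192.168.1.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
    "SPT=40312 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    # an unrelated kernel message that the parser must ignore
    "<4>eth0: link up, 100Mbps, full-duplex",
]


def strip_prefix(line: str) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (message, facility, level); facility/level only for raw kmsg lines."""
    m = KMSG_PREFIX.match(line)
    if m:
        n = int(m.group(1))
        return line[m.end():], n >> 3, n & 7
    m = SYSLOG_PREFIX.match(line)
    if m:
        return line[m.end():], None, None
    return line, None, None


def parse_log_line(line: str) -> Optional[Dict]:
    """Turn one LOG target line into a dict; None if it is not a LOG line."""
    body, facility, level = strip_prefix(line.rstrip("\n"))
    start = body.find("IN=")
    if start < 0:
        return None  # the kernel logs plenty of other things
    rec: Dict = {"prefix": body[:start].strip(), "flags": []}
    if facility is not None:
        rec["facility"], rec["level"] = facility, level
    for tok in body[start:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)  # "OUT=" yields an empty value
            if key in INT_FIELDS:
                rec[key] = int(val)
            elif key in HEX_FIELDS:
                rec[key] = int(val, 16)  # "0x00" is accepted with base 16
            else:
                rec[key] = val
        else:
            rec["flags"].append(tok)  # DF, SYN, ACK, ... carry no value
    return rec


def parse_all(lines: List[str]) -> List[Dict]:
    return [r for r in (parse_log_line(ln) for ln in lines) if r is not None]


def summarize(rec: Dict) -> str:
    """One-line human summary: prefix in>out PROTO src -> dst [tcp flags]."""
    src, dst = rec.get("SRC", "?"), rec.get("DST", "?")
    if "SPT" in rec:
        src, dst = f"{src}:{rec['SPT']}", f"{dst}:{rec['DPT']}"
    flags = ",".join(f for f in rec["flags"] if f in TCP_FLAGS) or "-"
    return (f"{rec['prefix'] or '-'} {rec.get('IN') or '-'}>{rec.get('OUT') or '-'} "
            f"{rec.get('PROTO', '?')} {src} -> {dst} [{flags}]")


if __name__ == "__main__":
    for record in parse_all(SAMPLE_LINES):
        print(summarize(record))
```

Feeding the syslog-written file to parse_all keeps klogd/syslogd as the single consumer of the kernel ring buffer, as the reply recommends; the raw "<N>" form is still accepted so that a one-off dmesg dump parses the same way. Note that with --log-prefix the prefix text is recovered separately, so the same parser can distinguish DROP and ACCEPT rules that log with different prefixes.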