Hi, I'm having problems finding a decent way to monitor packets dropped by iptables in realtime.

I have this perl (microperl) script that reads STDIN line by line and parses the lines. I tried this to pipe syslog DROP messages to the script:
root@OpenWrt:/etc# logread -f|/etc/blacklist-realtime.pl

But when new syslog messages come in, the script never receives them. Same happens if I try to grep the lines from logread -f:

on first terminal I type:

on second one I type:

...but I can't see anything on the first terminal. Just to prove that the script itself works:

I'm not very familiar with unix programming and how the pipes work, but shouldn't the script be able to analyze logread -f 's output line by line?

If you know any better way to monitor dropped packets, other than parsing syslog's output, that would be cool too. BTW, this is my 2nd day with openwrt, pretty damn awesome system it is.

(Last edited by keitsi on 23 Oct 2005, 23:04)

logread is probably buffering it's output, hence so many messages would have to be sent before it gets flushed to the pipe. To test this you can do something like this:

shell #1
# logread -f | grep hello

shell #2
# while true; do logger hello; done

After a short time you should see bursts of lines with "hello" in it. I'm not sure if there is a way to force logread not to buffer it's output. It will eventually get to your program, but probably not as fast as you would like when it's buffered. The reason you see it immediately when just typing "logread" is because it closes the file handle (stdout) when the command output is complete which causes the buffer to be flushed.

I just looked at the source for logread (which is actually part of busybox) and it appears that there *is* an "fflush(stdout)" in the code, but only if it was compiled with "CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING" defined. I'm guessing that the one compiled for OpenWRT must not have had that config option set. I'm not entirely sure that will solve the problem though but I think it might. At least that should be the general area that would need attention. Here's the source (it's very short):

http://www.busybox.net/cgi-bin/viewcvs. … ;view=auto

Yep, I just defined that config option and rebuilt busybox and tested it on my WRT and now if I "logread -f | grep hello" and send a single hello to the log with logger it immediately displays (well, within 1 or 2 seconds). To enable this in your build root edit this file:

build_mipsel/busybox-1.00/include/config.h

Change this line:

#undef CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING

to this:

#define CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING 1

Then build your image. I wonder if there is a specific reason for not enabling this? If not I wonder how hard it would be to get it into RC4?

Ohh, that actually makes sense. I'll try compile a new image... too bad I don't currently have a linux desktop, but I'll try to get my hands on one. I just don't want to try anything weird with production servers :P

I'll post my blacklisting script on the forums if I get it done some day. The #1 priority feature will be port scan detection, cause I don't want anyone to find my servers by scanning.

Thanks!

I finally managed to compile it. Works as expected now, I can get back to writing the script again. Thanks!!

Are you planning on sharing your script? It sounds interesting.

Of course I am. I might be able to finish it this weekend unless I decide to have a life instead

Ahh don't get a life, that's boring.

Here:
http://forum.openwrt.org/viewtopic.php?pid=14525#p14525