Author: Catalin(ux aka Dino) BOIE <catab at umbrella.ro>
Link: http://kernel.umbrella.ro/


What sch_log do?
sch_log mirrors pachets from aqdisc to a net device.
This way you can easy see what traffic pass through default qdisc, for
example.
Also, from version 0.4 you can store the mark in destination mac address and
the source qdisc in source mac address.


When you insert the module, the init function allocs 4 net devices (log00,
log01, log02, log03).
If you want more devices, just add logno=<nomber_of_devices-wanted> to insmod.
These devices will receive the traffic that is copied from the qdisc.

Let's say that we have a htb tree attached on eth0 with 2 classes 1:2 and 1:3.
Let's say that default is 1:3. You get some traffic in 1:3 that is weird and want
to find out what traffic is?
So, attach qdisc log to 1:3 and copy traffic to log02, for example:
tc qdisc add dev eth0 parent 1:3 log limit 100 idx 2
Now you can run a tcpdump on log02 so you can "see" what traffic passes 1:3:

ifconfig log02 up
tcpdump -nvvvlei log02

With version 0.4, you can store the mark in dest mac address (last 4 bytes)
and qdisc handler in source mac address.

So, you will modify the line above to:
tc qdisc add dev eth0 parent 1:3 log limit 100 idx 2 mark2dest
to see something like this (mark 0x3344):
00:00:00:00:00:00 > 00:00:00:00:33:44, ethertype IPv4 (0x0800), ...

Or:
tc qdisc add dev eth0 parent 1:3 log limit 100 idx 2 q2src
to see something like this:
00:00:00:00:80:27 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), ...
Here qdisc handle was 8027:0.

Of course, you can use both options:
tc qdisc add dev eth0 parent 1:3 log limit 100 idx 2 mark2dest q2src
00:00:00:00:80:27 > 00:00:00:00:33:44, ethertype IPv4 (0x0800), ...

Keep in mind that you must use -e option of tcpdump so you can see mac
addresses.

Enjoy!

Catalin(ux aka Dino) BOIE <catab at umbrella.ro>
