Author: Catalin(ux) M. BOIE Link: http://kernel.embedromix.ro/ What sch_log do? sch_log mirrors pachets from aqdisc to a net device. This way you can easy see what traffic pass through default qdisc, for example. Also, from version 0.4 you can store the mark in destination mac address and the source qdisc in source mac address. When you insert the module, the init function allocs 4 net devices (log00, log01, log02, log03). If you want more devices, just add logno= to insmod. These devices will receive the traffic that is copied from the qdisc. Let's say that we have a htb tree attached on eth0 with 2 classes 1:2 and 1:3. Let's say that default is 1:3. You get some traffic in 1:3 that is weird and want to find out what traffic is? So, attach qdisc log to 1:3 and copy traffic to log02, for example: tc qdisc add dev eth0 parent 1:3 log limit 100 idx 2 Now you can run a tcpdump on log02 so you can "see" what traffic passes 1:3: ifconfig log02 up tcpdump -nvvvlei log02 With version 0.4, you can store the mark in dest mac address (last 4 bytes) and qdisc handler in source mac address. So, you will modify the line above to: tc qdisc add dev eth0 parent 1:3 log limit 100 idx 2 mark2dest to see something like this (mark 0x3344): 00:00:00:00:00:00 > 00:00:00:00:33:44, ethertype IPv4 (0x0800), ... Or: tc qdisc add dev eth0 parent 1:3 log limit 100 idx 2 q2src to see something like this: 00:00:00:00:80:27 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), ... Here qdisc handle was 8027:0. Of course, you can use both options: tc qdisc add dev eth0 parent 1:3 log limit 100 idx 2 mark2dest q2src 00:00:00:00:80:27 > 00:00:00:00:33:44, ethertype IPv4 (0x0800), ... Keep in mind that you must use -e option of tcpdump so you can see mac addresses. Enjoy! Catalin(ux) M. BOIE