IP Networking: ip_queue_xmit, sockets and TCP output question (Linux 2.6.17)

IP Networking: ip_queue_xmit, sockets and TCP output question (Linux 2.6.17)

[Manuel Feier]

Dear Linux kernel hackers, 

I'm trying to extend the kernel in a way that I am able to collect
user-based IP networking information (e.g. which system user generated
how much IP traffic). Unfortunately this doesn't seem to be a topic that
is well documented, so I try my luck here.

For capturing the outgoing TCP traffic, I found the function
"ip_queue_xmit" (net/ipv4/ip_output.c) would be adequate. I added the
following code to the function right after the line
skb->priority = sk->sk_priority; 

if (sk && sk->sk_socket) {
ip4acct_user_sent(SOCK_INODE(sk->sk_socket)->i_uid,
ntohs(iph->tot_len),6); 
}
else {
ip4acct_user_sent(IPACCT_NOUSER,
ntohs(iph->tot_len),6);
}

This seems to work well if I send a small amount of TCP
data (512 bytes) with nc from an unprivileged user of that host. If I
open a website (lots of data / images) however, a few packets
don't appear to be be related to a socket and
hence are accounted to NOUSER (~2 %). If I continuously keep opening
multiple webpages at a time, some outgoing TCP traffic even gets
accounted to user root (uid 0) instead of the unprivileged user that
owns the webbrowser.

For debugging, I logged the source and destination address of those
packets that go into the else{} branch above, and it appears these
are packets that clearly belong to the webbrowser connection.

I now wonder what I am getting wrong about the function ip_queue_xmit:

- How can it be that a TCP/IP packet which belongs to a http
transmission has no socket that could be found with the first function
above?
- How can it be that (seemingly under increased network load) another
socket owner is returned than the one responsible for the load?

I'd appreciate your help very much, also ideas about debugging or
conceptual hints.

Thanks,

Manuel