Date: Thu, 25 Nov 1999 16:05:57 +1100 (EST) From: Bryan Collins <bryan@casper.spirit.net.au> To: tom@sdf.com (Tom) Cc: ck@toplink.net (Christian Kratzer), pi@complx.LF.net (Kurt Jaeger), vandj@securenet.net (Jean M. Vandette), freebsd-isp@FreeBSD.ORG Subject: Re: IP or packet Accounting Software for burst connections. Message-ID: <199911250505.QAA45460@casper.spirit.net.au> In-Reply-To: <Pine.BSF.4.05.9911241910010.18907-100000@misery.sdf.com> from Tom at "Nov 24, 1999 07:12:03 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> > Do you not require the IP stream to be routed 'thru' the box running ipfw? > > Another point of failure in a network... > > It is logical to do this kind of accounting on the gateway. > > If SPOFs are on issue, use multiple gateways. > > > ipfw isnt promiscuous, tcpdump is/canbe. > > And therefore won't work on switched networks either, unless you > configure it on a "shared" port, which limits how much traffic you will be > able to handle. you'd still need to pass the IP traffic thru your accounting box on a switch 'monitoring' port I've actually used a few different methods of IP accounting, ranging from hacked tcpdumps, hacked netramet, a custom BPF perl5 capture, and what I'm using right now, which is snmp to cisco IP accounting... tcpdump worked as an interim, but being promiscuous, we couldnt guarantee all packets be counted. The custom bpf system that we wrote was rather sweet, it had process pools and so on, so that once a given ammount of traffic was counted, that process went off to aggregate it, while another capture process started. But by far the easiest and cleanest is our snmp queries to cisco's IP accounting (and checkpoint IP accounting) on both border routers and access servers. nothing gets missed now. Bry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199911250505.QAA45460>