Date: Thu, 25 Nov 1999 07:26:08 +0100 (CET) From: "Kurt Jaeger" <pi@complx.LF.net> To: freebsd-isp@FreeBSD.ORG Subject: Re: IP or packet Accounting Software for burst connections. Message-ID: <m11qsM4-000zzTC@complx.LF.net> In-Reply-To: <Pine.BSF.4.05.9911241902280.18907-100000@misery.sdf.com> from "Tom" at Nov 24, 1999 07:03:30 PM
next in thread | previous in thread | raw e-mail | index | archive | help
Hi! > > > > Basically, it will add up the bytes that match a given tcpdump expression, > > > > over a configurable interval. > > > That seems rather silly, since ipfw can do that already. > > ipfw only counts bytes and packets. It does not log touples of > > (src ip,dst ip,byte count, packet count) which is what is required > > for full ip accounting. > Yes, but you can specify the tuples that are significant. I doubt that > anyone wants every possible combination. There are interesting results if one does the full walk. e.G. just using the size variation of hourly/daily/etc matrices lets you detect in- and outgoing network scans. And yes, there are customers that want us to be able to track every <src,dst> pair. This is Europe, where IP traffic until very recently was more expensive than disk space. -- MfG/Best regards, Kurt Jaeger 21 years to go ! LF.net GmbH pi@LF.net Oberon.net GmbH pi@oberon.net Vor dem Lauch 23 fon +49 711 90074-23 Friedrich-Ebert-Str.1 D-70567 Stuttgart fax +49 711 7289041 40210 Duesseldorf fon +49 211 179253-11 For Redmond: "nuke the site from orbit -- it's the only way to be sure." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?m11qsM4-000zzTC>