From owner-freebsd-isp Wed Nov 29 17:41:22 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from inago.swcp.com (inago.swcp.com [198.59.115.17])
	by hub.freebsd.org (Postfix) with ESMTP id 2C75737B6AF
	for ; Wed, 29 Nov 2000 17:41:19 -0800 (PST)
Received: from localhost (deichert@localhost)
	by inago.swcp.com (8.8.7/8.8.7) with ESMTP id SAA12815;
	Wed, 29 Nov 2000 18:39:31 -0700 (MST)
X-Authentication-Warning: inago.swcp.com: deichert owned process doing -bs
Date: Wed, 29 Nov 2000 18:39:30 -0700 (MST)
From: Diana Eichert
X-Sender: deichert@inago.swcp.com
To: Rowan Crowe
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: tcpdump & user-ppp/tunX. Ethereal ?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Since FreeBSD also supports IP Filter you could look at:

"IP Accounting Package for Darren Reed's IP Filter"

from http://www2.empnet.com/ipacct/

BTW, you can now build a command line version of Ethereal called
tethereal without having to build all of Ethereal.

diana

On Thu, 30 Nov 2000, Rowan Crowe wrote:

> I don't run X on any of my machines (especially the little 486dx2-66 I
> want to track traffic on!) so it's not really an option...
>
> Some time ago I wrote a program which accepted the output from tcpdump and
> generated 4 lists ordered by:
>
> source port
> destination port
> source IP
> destination IP
>
> In this way it was very easy to be able to see where content was coming
> from, how much HTTP or SMTP traffic was coming in, which customer is
> receiving the most traffic, etc. I've included a sample output below.
>
> This program makes use of the apparent -e "packet size" parameter which I
> later discovered is not guaranteed; it works fine on 2.2.8 systems but of
> course breaks on later versions of tcpdump which output things a little
> differently. Another limitation is that it only handles UDP and TCP
> packets, and quietly ignores anything else.
>
> I want to adapt this program to a 3.x system. Perhaps it's time to hack
> tcpdump. :-)
>
> Thanks for the suggestion.
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
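
Added example, not part of the original messages and not Rowan Crowe's program: a sketch of the four-list traffic summary described in the quoted message. It assumes the IPv4 line format printed by `tcpdump -n -q` (the thread does not show the tool's input) and runs on constructed sample lines. It sums the payload lengths that format reports, not full packet sizes, and counts lines it cannot attribute instead of dropping them silently.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -n -q` output (assumed format).
SAMPLE = """\
18:39:30.000001 IP 192.0.2.10.51234 > 198.51.100.5.80: tcp 0
18:39:30.000002 IP 198.51.100.5.80 > 192.0.2.10.51234: tcp 1448
18:39:30.000003 IP 198.51.100.5.80 > 192.0.2.10.51234: tcp 1448
18:39:30.000004 IP 203.0.113.7.40112 > 192.0.2.25.25: tcp 512
18:39:30.000005 IP 192.0.2.10.33000 > 203.0.113.53.53: UDP, length 45
18:39:30.000006 IP 192.0.2.10 > 203.0.113.7: ICMP echo request, id 1, seq 1, length 64
"""

# addr.port > addr.port, then the quiet-mode size field for TCP or UDP.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:tcp (?P<tlen>\d+)|UDP, length (?P<ulen>\d+))"
)

def summarize(lines):
    """Return (tables, skipped): four byte counters and the number of lines not counted."""
    tables = {k: Counter() for k in ("src_port", "dst_port", "src_ip", "dst_ip")}
    skipped = 0
    for line in lines:
        m = LINE.search(line)
        if m is None:  # ICMP, ARP, IPv6, or a format this sketch does not know
            skipped += 1
            continue
        size = int(m["tlen"] if m["tlen"] is not None else m["ulen"])
        tables["src_port"][int(m["sport"])] += size
        tables["dst_port"][int(m["dport"])] += size
        tables["src_ip"][m["src"]] += size
        tables["dst_ip"][m["dst"]] += size
    return tables, skipped

def report(tables, top=5):
    """Format each table with its heaviest entries first."""
    out = []
    for name, counter in tables.items():
        out.append(f"== {name} ==")
        out += [f"{key!s:>16} {size:>10}" for key, size in counter.most_common(top)]
    return "\n".join(out)

if __name__ == "__main__":
    tables, skipped = summarize(SAMPLE.splitlines())
    print(report(tables))
    print(f"lines not counted (non-TCP/UDP or unparsed): {skipped}")
```
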