From owner-freebsd-isp@FreeBSD.ORG  Tue Jan 18 09:36:16 2005
Return-Path: <owner-freebsd-isp@FreeBSD.ORG>
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B92BD16A4CE
	for <freebsd-isp@freebsd.org>; Tue, 18 Jan 2005 09:36:16 +0000 (GMT)
Received: from f9.mail.ru (f9.mail.ru [194.67.57.39])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6E6B143D39
	for <freebsd-isp@freebsd.org>; Tue, 18 Jan 2005 09:36:16 +0000 (GMT)
	(envelope-from _pppp@mail.ru)
Received: from mail by f9.mail.ru with local 
	id 1CqpmZ-000Ebc-00; Tue, 18 Jan 2005 12:36:15 +0300
Received: from [81.200.13.122] by win.mail.ru with HTTP;
	Tue, 18 Jan 2005 12:36:15 +0300
From: dima <_pppp@mail.ru>
To: Andrew McNaughton <andrew@scoop.co.nz>
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [81.200.13.122]
Date: Tue, 18 Jan 2005 12:36:15 +0300
In-Reply-To: <20050118204636.K9021@a2.scoop.co.nz>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
Message-Id: <E1CqpmZ-000Ebc-00._pppp-mail-ru@f9.mail.ru>
cc: freebsd-isp@freebsd.org
Subject: Re: Monitoring traffic volumes by country
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: dima <_pppp@mail.ru>
List-Id: Internet Services Providers <freebsd-isp.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-isp>
List-Post: <mailto:freebsd-isp@freebsd.org>
List-Help: <mailto:freebsd-isp-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-isp>,
	<mailto:freebsd-isp-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jan 2005 09:36:16 -0000

> Can anyone suggest a tool that can collect statistics on traffic volumes 
> by the country of the remote host.  That on its own would go a long way 
> for me, but if it coulod also break down on incoming vs outgoing traffic 
> and by local port number that would be ideal.
NetFlow is the "ideal" solution for you.
The best solution for FreeBSD would be ng_netflow kernel module
since all the other implementations (softflowd, fprobe, ntop etc)
use pcap which is a quite CPU-consuming way.

You can:
1) force collector to aggregate traffic by source AS
   and find out autonomous system to country relation somehow;
2) aggregate traffic by source IP and make the IP address to country resolution with GeoIP.

> 
> I figure someone must have built something like this already, probably 
> using something along the lines of the GeoIP service to do IP -> country 
> code lookups.
> 
> Any suggestions?
> 
> Andrew McNaughton