Date: Sun, 18 Jun 2006 20:21:51 +0200
From: Phil Regnauld <regnauld@catpipe.net>
To: Brian Candler <B.Candler@pobox.com>
Cc: freebsd-net@freebsd.org, Nash Nipples <trashy_bumper@yahoo.com>
Subject: Re: Simple LAN IP accounting
Message-ID: <20060618182151.GB2627@catpipe.net>
In-Reply-To: <20060618180951.GA37133@uk.tiscali.com>
References: <4495530f.265f68ff.360d.48fa@mx.gmail.com> <20060618142644.81731.qmail@web36304.mail.mud.yahoo.com> <20060618180951.GA37133@uk.tiscali.com>

Brian Candler (B.Candler) writes:
>
> Another approach is to capture absolutely everything using libpcap into a
> userland process, and then post-process afterwards.

ports/net/ipfm - been using it for some years now.

> Another approach is to use statistical sampling - pick packets at random, so
> that overall you capture, say, 1 packet in 128, and analyse those. This is
> the approach used by sflow.

One can also achieve this using good old netflow -- there's a boatload of netflow collectors -- and probes as well, see ng_netflow.

> very efficient way of doing this analysis. You can turn the sflow data into
> simple CSV records using 'sflowtool', or ntop has an sflow module.

Ntop just seems very unreliable and bloated to me, at least after version 1. Has it changed?

> This assumes that taking the sampled data and multiplying it by 128 will be
> sufficiently accurate for your purposes, of course.

+/- 2% according to some large ISPs who use it, which is apparently considered acceptable.
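
The 1-in-128 sampling and scale-up discussed in the thread, as an added example that is not part of the original message: it samples constructed per-host packet counts, multiplies the samples by 128, and compares the actual error with the 95% bound of 196/sqrt(c) percent (c = samples seen for that host) that sFlow.org publishes for packet sampling. The host addresses, packet counts, seed and the per-packet coin flip used as the sampler are assumptions made for the illustration.

```python
import math
import random

SAMPLING_RATE = 128  # 1 packet in 128, the figure used in the thread


def error_bound_pct(samples):
    """95%-confidence relative error (percent) for a class seen `samples` times."""
    return math.inf if samples == 0 else 196.0 / math.sqrt(samples)


def sample_and_estimate(true_packets, rate=SAMPLING_RATE, seed=2006):
    """true_packets: {host: packet count}.

    Returns {host: (samples, scaled_estimate, bound_pct)}.
    Each packet is kept with probability 1/rate (assumed sampler).
    """
    rng = random.Random(seed)
    p = 1.0 / rate
    result = {}
    for host, count in true_packets.items():
        samples = sum(1 for _ in range(count) if rng.random() < p)
        result[host] = (samples, samples * rate, error_bound_pct(samples))
    return result


# Constructed traffic mix: one heavy, one medium and one light LAN host.
TRAFFIC = {"10.0.0.10": 600_000, "10.0.0.20": 60_000, "10.0.0.30": 2_000}


def report(traffic=TRAFFIC):
    """Rows of (host, actual, samples, estimate, error_pct, bound_pct)."""
    rows = []
    for host, (c, est, bound) in sample_and_estimate(traffic).items():
        actual = traffic[host]
        err = abs(est - actual) / actual * 100
        rows.append((host, actual, c, est, round(err, 2), round(bound, 2)))
    return rows


if __name__ == "__main__":
    print("host        actual  samples  estimate  err%  bound%")
    for host, actual, c, est, err, bound in report():
        print(f"{host:<10} {actual:>7} {c:>8} {est:>9} {err:>5} {bound:>6}")
```

The bound depends only on how many samples a host contributed, so per-host accounting for light talkers is far less accurate than the totals for heavy ones over the same interval.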