Delivered-To: freebsd-isp@freebsd.org
From: "Mark Johnston" <mjohnston@skyweb.ca>
To: "'Scott Gerhardt'"
Subject: RE: Traffic Analysis
Date: Mon, 18 Nov 2002 14:45:49 -0600
Message-ID: <00f401c28f43$7a51d7c0$490fa8c0@MJOHNSTON>

> Scott Gerhardt wrote:
>
> I would like to monitor gateway traffic mostly for bandwidth accounting.
>
> Are there any good utilities to parse tcpdump output?
>
> I just want to parse hosts, protocol and byte counts. How would this be
> accomplished with tcpdump? I'm finding the tcpdump man page a little
> difficult to understand in this regard.
>
> What other options/utilities are available?
>
> [snipped]

I expect parsing tcpdump output long-term would be a study in
unpleasantness - I've done it and it has been. The easiest way to find
the data is probably to add the appropriate ipfw rules and pull the
numbers from ipfw show.

For instance:

    count ip from 192.168.1.1 to any
    count ip from any to 192.168.1.1
    count ip from 192.168.1.2 to any
    count ip from any to 192.168.1.2
    count tcp from 192.168.1.0/24 to any port 80

I'm sure you get the idea. For reference, ipfw show's output looks like:

    00400 85621 7962473 allow ip from x.x.x.x to me
    00500 2232 164352 allow tcp from x.x.x.x to me 22
    00600 245 18900 allow tcp from x.x.x.x to me 22,80,443

The first column is the rule number, second is a packet count and third
is a byte count. The difference between a 'count' and an 'allow' rule is
that 'count' will continue processing, so a packet can be counted
multiple times (for instance, as a packet to 192.168.1.2 and a packet on
port 80) and 'allow' will pass the packet through the firewall and stop
processing.

IPA (http://www.simon.org.ua/ipa/ or ports/sysutils/ipa) is a package
that does IP accounting with this process, AFAIK, so it might save you
some scripting. I haven't used IPA myself, but I've heard good things
about it.

Good luck,
Mark
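The accounting approach Mark describes above (a set of 'count' rules, then reading the byte column out of ipfw show) is small enough to script in plain sh. The block below is an added example, not code from the thread or from the ipfw project: it reads ipfw show output on stdin and sums the byte column of every rule whose text contains a given substring, such as a host address. The sample output is constructed (the three lines quoted in the mail plus two hypothetical 'count' rules for 192.168.1.1), so it runs without a FreeBSD gateway; on a real box you would pipe the output of ipfw show, run as root, into the function instead. Because 'count' rules keep processing, a packet matched by two overlapping count rules is summed twice, exactly as the mail warns, so the substring you pick should select one rule per direction.

```shell
#!/bin/sh
# Constructed sample of `ipfw show` output: the three lines quoted in the
# mail plus two hypothetical 'count' rules. Columns are rule number,
# packet count, byte count, then the rule text.
SAMPLE_IPFW_SHOW='00100 1200 98000 count ip from 192.168.1.1 to any
00200 3400 2211000 count ip from any to 192.168.1.1
00400 85621 7962473 allow ip from x.x.x.x to me
00500 2232 164352 allow tcp from x.x.x.x to me 22
00600 245 18900 allow tcp from x.x.x.x to me 22,80,443'

# ipfw_bytes_for SUBSTRING
# Reads `ipfw show` lines on stdin and prints the total of the byte column
# (third field) for every rule whose text contains SUBSTRING. Blank lines
# and lines without a numeric byte column are skipped.
ipfw_bytes_for() {
    pattern="$1"
    total=0
    while read -r rule pkts bytes rest; do
        [ -z "$rule" ] && continue
        case "$bytes" in
            ''|*[!0-9]*) continue ;;   # not a counter line, skip it
        esac
        case "$rest" in
            *"$pattern"*) total=$((total + bytes)) ;;
        esac
    done
    echo "$total"
}

# ipfw_host_report HOST
# Prints "HOST out IN_BYTES in OUT_BYTES" using the 'from HOST' and 'to HOST'
# count rules, the pairing the mail suggests per accounted host.
ipfw_host_report() {
    host="$1"
    out=$(printf '%s\n' "$SAMPLE_IPFW_SHOW" | ipfw_bytes_for "from $host ")
    in=$(printf '%s\n' "$SAMPLE_IPFW_SHOW" | ipfw_bytes_for "to $host")
    echo "$host out $out in $in"
}

# Demo on the constructed sample. On a gateway, replace the printf with
# `ipfw show` (root required).
printf '%s\n' "$SAMPLE_IPFW_SHOW" | ipfw_bytes_for '192.168.1.1'
ipfw_host_report 192.168.1.1
```

Matching on "from HOST " with a trailing space keeps 192.168.1.1 from also matching a hypothetical 192.168.1.10 rule; for production use, an exact field comparison in awk is the next step up.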