Date:      Mon, 18 Nov 2002 14:45:49 -0600
From:      "Mark Johnston" <mjohnston@skyweb.ca>
To:        "'Scott Gerhardt'" <scott@g-it.ca>
Cc:        <freebsd-isp@freebsd.org>
Subject:   RE: Traffic Analysis
Message-ID:  <00f401c28f43$7a51d7c0$490fa8c0@MJOHNSTON>
In-Reply-To: <B9FEA88B.2B73%scott@g-it.ca>

> Scott Gerhardt wrote:
> 
> I would like to monitor gateway traffic mostly for bandwidth 
> accounting.
> 
> Are there any good utilities to parse tcpdump output?
> 
> I just want to parse hosts, protocol and byte counts.  How 
> would this be
> accomplished with tcpdump?  I'm finding the tcpdump man page a little
> difficult to understand in this regard.
> 
> What other options/utilities are available?
> 
 [snipped]

I expect parsing tcpdump output long-term would be a study in
unpleasantness - I've done it and it has been.  The easiest way to find
the data is probably to add the appropriate ipfw rules and pull the
numbers from ipfw show.  For instance:

count ip from 192.168.1.1 to any
count ip from any to 192.168.1.1
count ip from 192.168.1.2 to any
count ip from any to 192.168.1.2
count tcp from 192.168.1.0/24 to any port 80

I'm sure you get the idea.  For reference, ipfw show's output looks
like:

00400    85621    7962473 allow ip from x.x.x.x to me
00500     2232     164352 allow tcp from x.x.x.x to me 22
00600      245      18900 allow tcp from x.x.x.x to me 22,80,443

The first column is the rule number, second is a packet count and third
is a byte count.  The difference between a 'count' and an 'allow' rule
is that 'count' will continue processing, so a packet can be counted
multiple times (for instance, as a packet to 192.168.1.2 and a packet on
port 80) and 'allow' will pass the packet through the firewall and stop
processing.  IPA (http://www.simon.org.ua/ipa/ or ports/sysutils/ipa) is
a package that does IP accounting with this process, AFAIK, so it might
save you some scripting.  I haven't used IPA myself, but I've heard good
things about it.

Good luck,
Mark



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
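The approach above (count rules plus `ipfw show`) still needs a small script to turn the raw counter lines into per-host numbers, and it has to respect the caveat that a packet matched by several `count` rules is counted once per rule. The following Python parser is an added example, not code from the mail or from the IPA package; the `ipfw show` text it reads is a constructed sample laid out like the rules Mark suggests, and the function and field names are the example's own.

```python
"""Aggregate per-host traffic from `ipfw show` counters (added example).

Each `ipfw show` line is: rule number, packet count, byte count, rule body.
This script parses those lines, derives in/out totals for every host that has a
pair of `count ip from HOST to any` / `count ip from any to HOST` rules, and
shows why summing every count rule overstates traffic when rules overlap.
"""
import re
from dataclasses import dataclass

# Constructed sample output (not captured from a real gateway). Rule 500
# overlaps rules 100 and 300: a web request from 192.168.1.1 is counted both
# as host traffic (rule 100) and as port-80 traffic (rule 500).
SAMPLE_IPFW_SHOW = """\
00100    85621    7962473 count ip from 192.168.1.1 to any
00200    91002   84311220 count ip from any to 192.168.1.1
00300     2232     164352 count ip from 192.168.1.2 to any
00400     3100    2277711 count ip from any to 192.168.1.2
00500     1500     990000 count tcp from 192.168.1.0/24 to any 80
65535  1234567  987654321 deny ip from any to any
"""

# rule number, packets, bytes, then the rule body up to end of line
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
OUT_RE = re.compile(r"^count ip from (\S+) to any$")
IN_RE = re.compile(r"^count ip from any to (\S+)$")


@dataclass(frozen=True)
class Rule:
    number: int
    packets: int
    bytes: int
    body: str


def parse_ipfw_show(text):
    """Turn `ipfw show` output into Rule records; non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        num, pkts, byts, body = m.groups()
        rules.append(Rule(int(num), int(pkts), int(byts), body))
    return rules


def host_totals(rules):
    """Per-host in/out packet and byte totals from the per-host count rules.

    Only the plain `count ip from HOST to any` / `count ip from any to HOST`
    rules are used, so overlapping rules such as the port-80 one do not
    inflate the host figures.
    """
    totals = {}
    for r in rules:
        if m := OUT_RE.match(r.body):
            host, direction = m.group(1), "out"
        elif m := IN_RE.match(r.body):
            host, direction = m.group(1), "in"
        else:
            continue
        t = totals.setdefault(
            host, {"in_pkts": 0, "in_bytes": 0, "out_pkts": 0, "out_bytes": 0}
        )
        t[direction + "_pkts"] += r.packets
        t[direction + "_bytes"] += r.bytes
    return totals


def sum_count_rule_bytes(rules):
    """Naive sum over every count rule: double counts packets matched twice."""
    return sum(r.bytes for r in rules if r.body.startswith("count "))


def report(totals):
    """(host, in_bytes, out_bytes) rows, busiest host first."""
    rows = [(h, t["in_bytes"], t["out_bytes"]) for h, t in totals.items()]
    return sorted(rows, key=lambda row: row[1] + row[2], reverse=True)


if __name__ == "__main__":
    rules = parse_ipfw_show(SAMPLE_IPFW_SHOW)
    totals = host_totals(rules)
    for host, in_b, out_b in report(totals):
        print(f"{host:<16} in={in_b:>12} out={out_b:>12}")
    per_host = sum(t["in_bytes"] + t["out_bytes"] for t in totals.values())
    print("sum of per-host bytes:     ", per_host)
    print("naive sum of count rules:  ", sum_count_rule_bytes(rules))
```

On a live box feed it `ipfw show` output (for example via `subprocess.run(["ipfw", "show"], capture_output=True, text=True).stdout`) and run it from cron; `ipfw zero` resets the counters, so if you sample periodically either zero them after each read or store the previous reading and take differences. The last two printed lines make the overlap caveat concrete: the naive total is larger than the per-host total by exactly the port-80 rule's bytes.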



