From owner-freebsd-isp@FreeBSD.ORG Tue Jan 18 11:05:42 2005
Date: Wed, 19 Jan 2005 00:05:40 +1300 (NZDT)
From: Andrew McNaughton
To: dima <_pppp@mail.ru>
Message-ID: <20050118233707.W9021@a2.scoop.co.nz>
cc: freebsd-isp@freebsd.org
Subject: Re: Monitoring traffic volumes by country

On Tue, 18 Jan 2005, dima wrote:

> Date: Tue, 18 Jan 2005 12:36:15 +0300
> From: dima <_pppp@mail.ru>
> To: Andrew McNaughton
> Cc: freebsd-isp@freebsd.org
> Subject: Re: Monitoring traffic volumes by country
>
>> Can anyone suggest a tool that can collect statistics on traffic volumes
>> by the country of the remote host. That on its own would go a long way
>> for me, but if it could also break down on incoming vs outgoing traffic
>> and by local port number that would be ideal.
> NetFlow is the "ideal" solution for you.
> The best solution for FreeBSD would be ng_netflow kernel module
> since all the other implementations (softflowd, fprobe, ntop etc)
> use pcap which is a quite CPU-consuming way.
>
> You can:
> 1) force collector to aggregate traffic by source AS
> and find out autonomous system to country relation somehow;
> 2) aggregate traffic by source IP and make the IP address to country resolution with GeoIP.

Where does the CPU time go with pcap? Is it in the kernel or in userland?
I suspect that for my current needs I can live with a bit of CPU load, but
am not sure where to expect to look for it to turn up.

Andrew

--
The United States is committed to the worldwide elimination of torture and we are leading this fight by example." - George Bush, 26 June 2003
-------------------------------------------------------------------
Andrew McNaughton
Living in a shack in Tasmania
andrew@scoop.co.nz
Between the bush and the sea
Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc
http://www.scoop.co.nz/
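
Option 2 from the quoted reply (aggregate by IP, then resolve the address to a country), with the direction and local-port breakdown the original question asked for, as an added example that is not part of the thread. The prefix table is a constructed stand-in for a GeoIP database, and the flow tuple layout, LOCAL_NETS and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-country table standing in for a GeoIP database
# (documentation address ranges; country codes chosen for the example).
PREFIX_COUNTRY = [
    ("192.0.2.0/24", "NZ"),
    ("198.51.100.0/24", "AU"),
    ("198.51.100.128/25", "US"),  # more specific prefix must win
    ("2001:db8::/32", "DE"),
]
LOCAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed local network

# Longest prefix first, so the first match is the most specific one.
_TABLE = sorted(((ipaddress.ip_network(p), c) for p, c in PREFIX_COUNTRY),
                key=lambda e: e[0].prefixlen, reverse=True)

def country_of(addr):
    ip = ipaddress.ip_address(addr)
    for net, cc in _TABLE:
        if ip.version == net.version and ip in net:
            return cc
    return "??"  # address not covered by the table

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in LOCAL_NETS)

def aggregate(flows):
    """Sum bytes per (remote country, direction, local port)."""
    totals = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        src_local, dst_local = is_local(src), is_local(dst)
        if src_local == dst_local:
            continue  # local-to-local or transit: no single remote end
        if dst_local:
            key = (country_of(src), "in", dport)
        else:
            key = (country_of(dst), "out", sport)
        totals[key] += nbytes
    return dict(totals)

# Constructed flow records: (src, sport, dst, dport, bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", 40112, "203.0.113.5", 80, 1200),
    ("203.0.113.5", 80, "192.0.2.10", 40112, 54000),
    ("198.51.100.200", 51000, "203.0.113.7", 25, 900),
    ("198.51.100.20", 51001, "203.0.113.7", 25, 300),
    ("203.0.113.5", 80, "192.0.2.99", 40200, 6000),
    ("203.0.113.5", 22, "203.0.113.7", 50000, 100),  # local to local, skipped
    ("10.1.2.3", 1234, "203.0.113.5", 80, 50),       # not in the table
]

if __name__ == "__main__":
    for key, nbytes in sorted(aggregate(SAMPLE_FLOWS).items()):
        print(key, nbytes)
```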