From: dima <_pppp@mail.ru>
To: Andrew McNaughton
cc: freebsd-isp@freebsd.org
Date: Tue, 18 Jan 2005 14:30:19 +0300
Subject: Re[2]: Monitoring traffic volumes by country
In-Reply-To: <20050118233707.W9021@a2.scoop.co.nz>

> >> Can anyone suggest a tool that can collect statistics on traffic volumes
> >> by the country of the remote host. That on its own would go a long way
> >> for me, but if it could also break down on incoming vs outgoing traffic
> >> and by local port number that would be ideal.
> > NetFlow is the "ideal" solution for you.
> > The best solution for FreeBSD would be ng_netflow kernel module
> > since all the other implementations (softflowd, fprobe, ntop etc)
> > use pcap which is a quite CPU-consuming way.
> >
> > You can:
> > 1) force collector to aggregate traffic by source AS
> > and find out autonomous system to country relation somehow;
> > 2) aggregate traffic by source IP and make the IP address to country resolution with GeoIP.
> >
> Where does the CPU time go with pcap? Is it in the kernel or in userland?

pcap is the original Linux userland packet capturing facility.

> I suspect that for my current needs I can live with a bit of CPU load,
> but am not sure where to expect to look for it to turn up.

You need NetFlow to get your work done well anyway. So, why would you use a more CPU-consuming version of it? The only possible reason could be that ng_netflow module isn't included in the base system yet; but it surely suits an ISP to account as much traffic as a FreeBSD box can route.

> Andrew
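
An added example, not part of the original message and not code from any poster or project in this thread: a sketch of option 2 above (aggregate by remote IP, then resolve the address to a country), including the incoming/outgoing and local-port breakdown asked for in the original question. The prefix-to-country table, the local network and the flow records are all constructed; a real setup would read exported NetFlow records and a GeoIP database instead.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-country table standing in for a GeoIP database.
# The prefixes are documentation ranges; the country codes are made up.
GEO_TABLE = [
    ("192.0.2.0/24", "NZ"),
    ("198.51.100.0/24", "RU"),
    ("198.51.100.128/25", "DE"),  # more specific prefix, must win over the /24
]
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]  # assumed local address space

# Constructed flow records: (src_ip, dst_ip, src_port, dst_port, bytes)
FLOWS = [
    ("192.0.2.10", "10.0.0.5", 40000, 80, 1500),
    ("10.0.0.5", "192.0.2.10", 80, 40000, 90000),
    ("198.51.100.7", "10.0.0.5", 51000, 25, 4000),
    ("198.51.100.200", "10.0.0.9", 52000, 80, 700),
    ("203.0.113.1", "10.0.0.5", 53000, 80, 300),  # remote not in the table
    ("10.0.0.5", "10.0.0.9", 1234, 22, 999),      # local-to-local, skipped
]

# Longest prefixes first, so the first match is the most specific one.
_GEO = sorted(((ipaddress.ip_network(p), c) for p, c in GEO_TABLE),
              key=lambda e: e[0].prefixlen, reverse=True)

def country_of(ip):
    """Longest-prefix match against the table; '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _GEO:
        if addr in net:
            return cc
    return "??"

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in LOCAL_NETS)

def aggregate(flows):
    """Sum bytes per (remote country, direction, local port)."""
    totals = defaultdict(int)
    for src, dst, sport, dport, nbytes in flows:
        if is_local(src) == is_local(dst):
            continue  # neither or both ends local: no remote side to attribute
        if is_local(dst):
            key = (country_of(src), "in", dport)
        else:
            key = (country_of(dst), "out", sport)
        totals[key] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for key, total in sorted(aggregate(FLOWS).items()):
        print(*key, total)
```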