From: "Jacob S. Barrett" <jbarrett@amduat.net>
Date: Fri, 25 Oct 2002 15:28:38 -0700
To: Luigi Rizzo
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: determining "originator/source" of connection ...
Message-ID: <3DB9C596.7090802@amduat.net>
In-Reply-To: <20021022143427.Y47756-100000@hub.org>
References: <20021022143427.Y47756-100000@hub.org> <20021022113249.C33933@carp.icir.org>

Is there a way to zero out the packet/byte counters on pipes and queues like you can for the rules? The command "ipfw pipe|queue zero" displays a message that accounting was cleared, but rather than clearing the pipe or queue counters it clears the rule counters only. Am I missing something, or is this just not possible yet?

-Jake

Luigi Rizzo wrote:
> let me understand, you basically want something that puts flow statistics
> in the bucket identified by the of the first SYN
> packet you see (the assumption being that connections are
> initiated by clients towards a well known port, which appears
> as dst-port in the first syn packet ?
>
> Or if you are just happy to aggregate by IP, one solution i often
> use is the following (based on dummynet's dynamic pipes):
>
> # do not expire pipes even if they have no pending traffic
> sysctl net.inet.ip.dummynet.expire=0
>
> # create separate pipes for src and dst masks
> ipfw pipe 20 config mask src-ip 0xffffffff buckets 256
> ipfw pipe 21 config mask dst-ip 0xffffffff buckets 256
>
> ipfw add pipe 20 ip from $my_subnet to any
> ipfw add pipe 21 ip from any to $my_subnet
>
> cheers
> luigi
>
>
> On Tue, Oct 22, 2002 at 02:47:36PM -0300, Marc G. Fournier wrote:
>
> >I've got FreeBSD set up as a firewall to our campus network, and it's doing
> >a great job of it, but we want to be able to log statistics on traffic going
> >in and out ...
> >
> >I have trafd running on the server, with it dumping its data to a
> >PostgreSQL database, but for every ~8min "segment", it is logging ~12 000
> >records ... so ~90k/hr, or 2.16 million per day ...
> >
> >Now, I'm figuring that if I could determine direction of flow (did we
> >originate the connection, or did someone off campus originate it), I could
> >shrink that greatly, as right now I have stuff like:
> >
> >216.158.133.242 80 131.162.158.24 3914 6 2356 4
> >216.158.133.242 80 131.162.158.24 3915 6 47767 34
> >216.158.133.242 80 131.162.158.24 3916 6 78962 56
> >216.158.133.242 80 131.162.158.24 3917 6 330141 224
> >216.158.133.242 80 131.162.158.24 3918 6 118862 89
> >216.158.133.242 80 131.162.158.24 3919 6 264139 185
> >216.158.133.242 80 131.162.158.24 3920 6 259543 179
> >216.158.133.242 80 131.162.158.24 3921 6 98014 73
> >216.158.133.242 80 131.162.158.24 3922 6 267772 186
> >216.158.133.242 80 131.162.158.24 3923 6 148879 109
> >216.158.133.242 80 131.162.158.24 3924 6 6406 8
> >216.158.133.242 80 131.162.158.24 3925 6 2486 5
> >216.158.133.242 80 131.162.158.24 3928 6 109584 75
> >216.158.133.242 80 131.162.158.24 3929 6 92435 62
> >216.158.133.242 80 131.162.158.24 3936 6 13059 9
> >216.158.133.242 80 131.162.158.24 3937 6 22641 17
> >
> >where I don't care about the source port, only the dest port ... except,
> >in the above, trafd is writing it as 'source port == 80' and 'dest port'
> >is arbitrary ...
> >
> >while later in the results, I'll get something like:
> >
> > 130.94.4.7 40072 131.162.138.193 25 6 2976 10
> > 130.94.4.7 58562 131.162.138.193 25 6 5249 16
> >
> >which does make sense (ie. source port -> dest port) ...
> >
> >is there something that i can do with libpcap that will give me better
> >information than trafd does? is there a 'tag' in the IP headers that can
> >be used to determine the originator of the connection?
> >
> >thanks ...

--
Jacob S. Barrett
jbarrett@amduat.net
www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
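The approach Luigi sketches in his quoted reply (file every packet of a connection into a bucket keyed by the endpoints and the port seen in the first SYN) is what Marc would need instead of trafd's raw 5-tuple records. The following script is an added example, not code from the thread or from trafd/dummynet: it works on a constructed list of packet tuples standing in for what libpcap would hand back, keys each bucket on (client, server, server_port) so both directions of one connection share a record, and then splits buckets by whether the client lies inside an assumed campus prefix (131.162.0.0/16, chosen only because those addresses appear in Marc's output). The lower-port fallback for flows whose SYN was never captured is a heuristic assumed here, not something the thread describes.

```python
import ipaddress
from collections import defaultdict

SYN = 0x02
ACK = 0x10

# Constructed sample "capture": (src_ip, src_port, dst_ip, dst_port, tcp_flags, ip_len).
# The addresses mirror the ones in Marc's trafd output; the packets themselves are made up.
SAMPLE_PACKETS = [
    ("131.162.158.24", 3914, "216.158.133.242", 80, SYN, 60),
    ("216.158.133.242", 80, "131.162.158.24", 3914, SYN | ACK, 60),
    ("131.162.158.24", 3914, "216.158.133.242", 80, ACK, 52),
    ("216.158.133.242", 80, "131.162.158.24", 3914, ACK, 1500),
    ("216.158.133.242", 80, "131.162.158.24", 3914, ACK, 796),
    ("130.94.4.7", 40072, "131.162.138.193", 25, SYN, 60),
    ("131.162.138.193", 25, "130.94.4.7", 40072, SYN | ACK, 60),
    ("130.94.4.7", 40072, "131.162.138.193", 25, ACK, 2856),
    # Connection already open when the capture started: its SYN is never seen.
    ("131.162.158.24", 4000, "216.158.133.242", 443, ACK, 1200),
    ("216.158.133.242", 443, "131.162.158.24", 4000, ACK, 4000),
]


def new_bucket():
    return {"pkts_out": 0, "bytes_out": 0, "pkts_in": 0, "bytes_in": 0, "origin": None}


def aggregate(packets):
    """Fold packets into buckets keyed by (client_ip, server_ip, server_port).

    The originator is the source of the first bare SYN (SYN set, ACK clear);
    that flag combination, in the TCP header rather than the IP header, is the
    only on-the-wire marker of who opened the connection. When no SYN was
    captured (the flow predates the capture), the endpoint with the lower port
    number is assumed to be the server and the bucket is marked
    origin="guessed" so the record can be trusted less (assumed heuristic).
    """
    roles = {}                     # unordered 4-tuple -> (client, server, server_port, origin)
    stats = defaultdict(new_bucket)
    for src, sport, dst, dport, flags, length in packets:
        key = tuple(sorted(((src, sport), (dst, dport))))
        if key not in roles:
            if flags & SYN and not flags & ACK:
                roles[key] = (src, dst, dport, "syn")
            elif dport <= sport:
                roles[key] = (src, dst, dport, "guessed")
            else:
                roles[key] = (dst, src, sport, "guessed")
        client, server, server_port, origin = roles[key]
        bucket = stats[(client, server, server_port)]
        bucket["origin"] = origin
        if src == client:              # client -> server direction
            bucket["pkts_out"] += 1
            bucket["bytes_out"] += length
        else:                          # server -> client direction
            bucket["pkts_in"] += 1
            bucket["bytes_in"] += length
    return dict(stats)


def split_by_originator(stats, local_net):
    """Separate buckets by whether the client sits inside local_net (a CIDR string)."""
    net = ipaddress.ip_network(local_net)
    result = {"local_originated": [], "remote_originated": []}
    for (client, server, port), s in stats.items():
        side = "local_originated" if ipaddress.ip_address(client) in net else "remote_originated"
        total = s["bytes_out"] + s["bytes_in"]
        result[side].append((client, server, port, total, s["origin"]))
    return result


if __name__ == "__main__":
    table = aggregate(SAMPLE_PACKETS)
    # 131.162.0.0/16 is an assumed campus prefix, taken from the addresses in the thread.
    for side, rows in split_by_originator(table, "131.162.0.0/16").items():
        print(side)
        for client, server, port, total, origin in rows:
            print(f"  {client} -> {server}:{port}  {total} bytes  ({origin})")
```

With the sample packets, the web connection collapses into one record keyed on port 80 with the campus host as client, the SMTP delivery into one record keyed on port 25 with the remote host as client, and the pre-existing 443 flow is still counted but carries origin="guessed" so it can be reported separately. Feeding real traffic through this means decoding TCP flags from the pcap payload, which trafd's summary records do not expose.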