Date: Wed, 2 Jun 1999 20:32:00 +1000 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: freebsd-isp@freebsd.org
Subject: monitoring at the packet level
Message-ID: <Pine.BSF.4.01.9906022024580.2604-100000@velvet.sensation.net.au>
Hi all,

I am currently working on a monitoring system which does more than simple byte counting; it instead monitors connections. Output can be sorted by most popular source host, most popular destination host, most popular source port, most popular destination port.

As it's just a test of concept right now, it's basically tcpdump piped to a program that converts the ASCII output into binary form for its own internal use. (As a bonus this makes it a little portable, assuming the target platform has a similar tcpdump.)

The problem with tcpdump (and I presume BPF in general) is that it applies only to specific interfaces - if I have 15 ppp* interfaces this means I'll need to have 15 BPFs open! I'm concerned about the load on the machine and the general "non-scalability" of this method.

Obviously a better way would be to snoop on packets as they pass through the lowest level kernel processing. Perhaps an ipfw tee socket might help here? I have zero programming experience with tee sockets and very little with sockets in general - as C is not my normal language of choice I tend to program from first principles without getting too caught up in system specific calls. :)

Anyway, I'm posting here in the hope that someone has done something like this before.

TIA...

Cheers.

--
Rowan Crowe
http://www.rowan.sensation.net.au/
Sensation Internet Services
http://www.sensation.net.au/
Melbourne, Australia
Phone: +61-3-9388-9260

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
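The "tcpdump piped to a program" stage of the approach described in this message, as an added example that is not Rowan's code or anything from the FreeBSD project. It parses tcpdump's ASCII output and tallies connection attempts (TCP SYN without ACK, so each connection counts once rather than once per packet or byte) by source host, destination host, source port and destination port. It goes a little beyond the message by accepting both the classic tcpdump line style ("S 1:1(0) win 8760") and the later "Flags [S]" style, which is what keeps it portable across tcpdump versions. The sample lines, the hostnames and the helper names are all constructed for this example.

```python
import re
import sys
from collections import Counter

# Constructed sample of tcpdump ASCII output.  Both the classic line style
# and the later "Flags [...]" style appear; the hosts are documentation
# addresses, not real ones.
SAMPLE = """\
20:24:58.100001 192.0.2.10.51234 > 198.51.100.5.80: S 1:1(0) win 8760
20:24:58.100500 198.51.100.5.80 > 192.0.2.10.51234: S 7:7(0) ack 2 win 16384
20:24:58.101000 192.0.2.10.51234 > 198.51.100.5.80: . ack 8 win 8760
20:24:59.000000 IP 192.0.2.11.40000 > 198.51.100.5.80: Flags [S], seq 10, win 64240
20:24:59.000400 IP 198.51.100.5.80 > 192.0.2.11.40000: Flags [S.], seq 3, ack 11
20:25:00.000000 IP 192.0.2.10.40001 > 198.51.100.9.25: Flags [S], seq 1, win 64240
20:25:01.000000 IP 192.0.2.12.40002 > 198.51.100.5.443: Flags [S], seq 1, win 64240
20:25:01.500000 IP 192.0.2.12.40002 > 198.51.100.5.443: Flags [P.], seq 1:100, ack 1
"""

# One regex covers both styles: optional "IP " prefix, "src.port > dst.port:",
# then either a "Flags [..]" field or a bare classic flag field, then the rest.
LINE_RE = re.compile(
    r"(?:IP\s+)?(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+"
    r"(?:Flags\s+\[(?P<newflags>[^\]]*)\]|(?P<oldflags>[SFRPU.]+)(?=\s))"
    r"(?P<rest>.*)$"
)


def parse_line(line):
    """Return a record for a TCP line of tcpdump output, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = m.group("newflags") if m.group("newflags") is not None else m.group("oldflags")
    rest = m.group("rest")
    # The classic style shows the ACK flag as the word "ack" later on the line;
    # the newer style folds it into the flag list as ".".
    acked = "." in flags or re.search(r"\back\b", rest) is not None
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": flags, "ack": acked,
    }


def is_connection_attempt(rec):
    """A bare SYN (no ACK) is the client's opening packet: count it once per connection."""
    return rec["flags"] == "S" and not rec["ack"]


def tally(text):
    """Count connection attempts by the four keys the monitor sorts on."""
    counts = {
        "src_host": Counter(), "dst_host": Counter(),
        "src_port": Counter(), "dst_port": Counter(),
    }
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_connection_attempt(rec):
            continue
        counts["src_host"][rec["src"]] += 1
        counts["dst_host"][rec["dst"]] += 1
        counts["src_port"][rec["sport"]] += 1
        counts["dst_port"][rec["dport"]] += 1
    return counts


def top(counter, n=5):
    """Most popular entries first, as (key, count) pairs."""
    return counter.most_common(n)


if __name__ == "__main__":
    # Read a live tcpdump stream from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for name, counter in tally(text).items():
        print(name, top(counter))
```

Run it as `tcpdump -l -n tcp | python3 conntally.py` (`-l` line-buffers tcpdump's output so lines arrive as they are captured, `-n` suppresses name lookups so the addresses parse as written). This does not remove the one-tcpdump-per-interface problem raised in the message; several tcpdump processes can be merged into one pipe, but each still holds its own BPF descriptor.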