From: Jon Simola
To: Andrew Seguin, freebsd-net@freebsd.org
Reply-To: jon@abccomm.com
Date: Mon, 17 Jan 2005 13:48:49 -0800
Subject: Re: Network accounting
Message-ID: <8eea0408050117134812c17174@mail.gmail.com>
In-Reply-To: <20050117214549.4C5DC54A5@borgtech.ca>
References: <8eea0408050117132657045645@mail.gmail.com> <20050117214549.4C5DC54A5@borgtech.ca>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, 17 Jan 2005 22:41:16 +0100, Andrew Seguin wrote:

> >What I was doing with the same setup:
> >
> >$IPFW pipe 1 config mask src-ip 0xffffffff buckets 512
> >$IPFW pipe 2 config mask dst-ip 0xffffffff buckets 512
> >$IPFW add 32001 pipe 1 src-ip 192.168.110.0/24 bridged
> >$IPFW add 32002 pipe 2 dst-ip 192.168.110.0/24 bridged
>
> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?

from ipfw(8):

     mask mask-specifier
             Packets sent to a given pipe or queue by an ipfw rule can be
             further classified into multiple flows, each of which is then
             sent to a different dynamic pipe or queue.  A flow identifier is
             constructed by masking the IP addresses, ports and protocol types
             as specified with the mask options in the configuration of the
             pipe or queue.  For each different flow identifier, a new pipe or
             queue is created with the same parameters as the original object,
             and matching packets are sent to it.

# ipfw pipe 1 show | head
00001: unlimited         0 ms  50 sl. 246 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip     192.168.110.225/0       0.0.0.0/0     161697 12895342  0    0   0
  2 ip     192.168.110.224/0       0.0.0.0/0          1       60  0    0   0
  4 ip     192.168.110.227/0       0.0.0.0/0     150062 13695821  0    0   0
  6 ip     192.168.110.226/0       0.0.0.0/0     168531 17030284  0    0   0
  8 ip     192.168.110.229/0       0.0.0.0/0          4      240  0    0   0
 10 ip     192.168.110.228/0       0.0.0.0/0     115875 10482197  0    0   0
 12 ip     192.168.110.231/0       0.0.0.0/0     155357 14797338  0    0   0

# ipfw pipe 2 show | head
00002: unlimited         0 ms  50 sl. 256 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip           0.0.0.0/0 192.168.110.132/0        505       30828  0    0   0
257 ip           0.0.0.0/0 192.168.110.133/0        507       30962  0    0   0
258 ip           0.0.0.0/0 192.168.110.134/0        475       28994  0    0   0
259 ip           0.0.0.0/0 192.168.110.135/0        499       30426  0    0   0
260 ip           0.0.0.0/0 192.168.110.128/0   39852609 35479316635  0    0   0
261 ip           0.0.0.0/0 192.168.110.129/0        503       30732  0    0   0
262 ip           0.0.0.0/0 192.168.110.130/0        527       32134  0    0   0

> server maintains a csv of in/out/abnormal (in+out). But I critically need
> per-ip and highly need per-protocol (major ones at least).

The above shows per-ip. Per-protocol can be done similarly.

Hope these sample outputs explain a bit better.
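As an added example (not part of the thread), here is how the per-IP in/out CSV Andrew asks for can be built from the two pipe dumps above: a small parser of the `ipfw pipe N show` flow table that keys flows by source address for the src-ip-masked pipe and by destination address for the dst-ip-masked pipe. The sample input is constructed from rows quoted in the mail, and the "out"/"in" labelling assumes, as in the thread's setup, that pipe 1 carries traffic leaving the LAN and pipe 2 traffic entering it.

```python
import re

# Constructed sample modelled on the `ipfw pipe N show` output quoted in the
# thread: two rows from pipe 1 (src-ip mask) and two from pipe 2 (dst-ip mask).
SAMPLE = """\
00001: unlimited         0 ms  50 sl. 246 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip     192.168.110.225/0       0.0.0.0/0     161697 12895342  0    0   0
  2 ip     192.168.110.224/0       0.0.0.0/0          1       60  0    0   0
00002: unlimited         0 ms  50 sl. 256 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip           0.0.0.0/0 192.168.110.132/0        505       30828  0    0   0
260 ip           0.0.0.0/0 192.168.110.128/0   39852609 35479316635  0    0   0
"""

# Pipe header line: "mask: <proto> <src-ip>/<src-port> -> <dst-ip>/<dst-port>"
MASK_RE = re.compile(r"mask:\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)/")
# Flow row: bucket, proto, src/port, dst/port, total packets, total bytes, ...
FLOW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\d+)\s+(\d+)")

def parse_pipes(text):
    """Return {ip: {"in": bytes, "out": bytes}} from one or more pipe dumps.

    Assumption (the thread's convention): a pipe whose mask selects src-ip
    carries traffic leaving the LAN ("out"); one selecting dst-ip carries
    traffic entering it ("in").  The direction is reset at each pipe header.
    """
    totals, direction = {}, None
    for line in text.splitlines():
        m = MASK_RE.search(line)
        if m:
            direction = "out" if int(m.group(1), 16) else "in"
            continue
        m = FLOW_RE.match(line)
        if not m or direction is None:
            continue
        _, _proto, src, dst, _pkts, nbytes = m.groups()
        ip = src if direction == "out" else dst
        totals.setdefault(ip, {"in": 0, "out": 0})[direction] += int(nbytes)
    return totals

def to_csv(totals):
    """Per-IP in/out/total byte counts as CSV rows, sorted by address."""
    rows = ["ip,bytes_in,bytes_out,bytes_total"]
    for ip in sorted(totals, key=lambda a: [int(o) for o in a.split(".")]):
        t = totals[ip]
        rows.append(f"{ip},{t['in']},{t['out']},{t['in'] + t['out']}")
    return "\n".join(rows)
```

Dummynet frees a dynamic queue once it has been idle for a while and its counters go with it, so in practice the dump is polled periodically and the deltas accumulated rather than read once.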