From owner-freebsd-net@FreeBSD.ORG  Mon Jan 17 21:48:53 2005
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EB85F16A4CE
	for <freebsd-net@freebsd.org>; Mon, 17 Jan 2005 21:48:52 +0000 (GMT)
Received: from wproxy.gmail.com (wproxy.gmail.com [64.233.184.200])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4499043D1F
	for <freebsd-net@freebsd.org>; Mon, 17 Jan 2005 21:48:52 +0000 (GMT)
	(envelope-from jsimola@gmail.com)
Received: by wproxy.gmail.com with SMTP id 58so133455wri
        for <freebsd-net@freebsd.org>; Mon, 17 Jan 2005 13:48:50 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=beta; d=gmail.com;
	h=received:message-id:date:from:reply-to:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:references;
	b=PbVGPkqrDN4yanm64wkYrSB7yTB6FuXzXjEMgdSk4fuWmbi/bh0F0G9IU+SO9/RDr5fQ4TvFCewlGXL1BEDicFw83Y97r277hxsl0MiTGTn03gWOrCrIpkmx9w5zLnF445t+uIQj69DcUC9bQTIiOv7GNpcCWY6LES1xntBv+R8=
Received: by 10.54.8.70 with SMTP id 70mr45299wrh;
        Mon, 17 Jan 2005 13:48:49 -0800 (PST)
Received: by 10.54.39.34 with HTTP; Mon, 17 Jan 2005 13:48:49 -0800 (PST)
Message-ID: <8eea0408050117134812c17174@mail.gmail.com>
Date: Mon, 17 Jan 2005 13:48:49 -0800
From: Jon Simola <jsimola@gmail.com>
To: Andrew Seguin <asegu@borgtech.ca>, freebsd-net@freebsd.org
In-Reply-To: <20050117214549.4C5DC54A5@borgtech.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <8eea0408050117132657045645@mail.gmail.com>
	 <20050117214549.4C5DC54A5@borgtech.ca>
Subject: Re: Network accounting
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: jon@abccomm.com
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jan 2005 21:48:53 -0000

On Mon, 17 Jan 2005 22:41:16 +0100, Andrew Seguin <asegu@borgtech.ca> wrote:

> >What I was doing with the same setup:
> >$IPFW pipe 1 config mask src-ip 0xffffffff buckets 512
> >$IPFW pipe 2 config mask dst-ip 0xffffffff buckets 512
> >$IPFW add 32001 pipe 1 src-ip 192.168.110.0/24 bridged
> >$IPFW add 32002 pipe 2 dst-ip 192.168.110.0/24 bridged

> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?

from ipfw(8):
     mask mask-specifier
           Packets sent to a given pipe or queue by an ipfw rule can be fur-
           ther classified into multiple flows, each of which is then sent to
           a different dynamic pipe or queue.  A flow identifier is con-
           structed by masking the IP addresses, ports and protocol types as
           specified with the mask options in the configuration of the pipe or
           queue.  For each different flow identifier, a new pipe or queue is
           created with the same parameters as the original object, and match-
           ing packets are sent to it.

# ipfw pipe 1 show | head
00001: unlimited    0 ms   50 sl. 246 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip   192.168.110.225/0             0.0.0.0/0     161697 12895342  0    0   0
  2 ip   192.168.110.224/0             0.0.0.0/0        1       60  0    0   0
  4 ip   192.168.110.227/0             0.0.0.0/0     150062 13695821  0    0   0
  6 ip   192.168.110.226/0             0.0.0.0/0     168531 17030284  0    0   0
  8 ip   192.168.110.229/0             0.0.0.0/0        4      240  0    0   0
 10 ip   192.168.110.228/0             0.0.0.0/0     115875 10482197  0    0   0
 12 ip   192.168.110.231/0             0.0.0.0/0     155357 14797338  0    0   0

# ipfw pipe 2 show | head
00002: unlimited    0 ms   50 sl. 256 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip           0.0.0.0/0     192.168.110.132/0      505    30828  0    0   0
257 ip           0.0.0.0/0     192.168.110.133/0      507    30962  0    0   0
258 ip           0.0.0.0/0     192.168.110.134/0      475    28994  0    0   0
259 ip           0.0.0.0/0     192.168.110.135/0      499    30426  0    0   0
260 ip           0.0.0.0/0     192.168.110.128/0     39852609
35479316635  0    0   0
261 ip           0.0.0.0/0     192.168.110.129/0      503    30732  0    0   0
262 ip           0.0.0.0/0     192.168.110.130/0      527    32134  0    0   0

> server maintains a csv of in/out/abnormal (in+out). But I criticaly need
> per-ip and highly need per-protocol (major ones at least).

The above shows per-ip. Per protocol can be done similar. Hope these
sample outputs explain a bit better.