From owner-freebsd-net@FreeBSD.ORG  Mon Jan 17 21:55:25 2005
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 377B116A4CE
	for <freebsd-net@freebsd.org>; Mon, 17 Jan 2005 21:55:25 +0000 (GMT)
Received: from borgtech.ca (borgtech.ca [216.187.106.216])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 6AE1543D31
	for <freebsd-net@freebsd.org>; Mon, 17 Jan 2005 21:55:24 +0000 (GMT)
	(envelope-from asegu@borgtech.ca)
Received: from asegulaptop (unknown [161.53.212.129])
	by borgtech.ca (Postfix) with ESMTP id DA10A54A5;
	Mon, 17 Jan 2005 21:59:17 +0000 (GMT)
From: "Andrew Seguin" <asegu@borgtech.ca>
To: <freebsd-net@freebsd.org>
Date: Mon, 17 Jan 2005 22:54:44 +0100
MIME-Version: 1.0
Content-Type: text/plain;
	charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
In-Reply-To: <8eea0408050117134812c17174@mail.gmail.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: AcT83uGIJtRkge2GSLC3xGiXPBYojQAAHVag
Message-Id: <20050117215917.DA10A54A5@borgtech.ca>
cc: jon@abccomm.com
Subject: RE: Network accounting
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jan 2005 21:55:25 -0000

Much clearer! Thank you very much and sorry for my ignorance.

Hadn't caught on to the "mask" feature ;) This could be very well what I'm
in need of... but any other suggestions from the list are still welcome!

-----Original Message-----
From: Jon Simola [mailto:jsimola@gmail.com] 
Sent: Monday, January 17, 2005 10:49 PM
To: Andrew Seguin; freebsd-net@freebsd.org
Subject: Re: Network accounting

On Mon, 17 Jan 2005 22:41:16 +0100, Andrew Seguin <asegu@borgtech.ca> wrote:

> >What I was doing with the same setup:
> >$IPFW pipe 1 config mask src-ip 0xffffffff buckets 512
> >$IPFW pipe 2 config mask dst-ip 0xffffffff buckets 512
> >$IPFW add 32001 pipe 1 src-ip 192.168.110.0/24 bridged
> >$IPFW add 32002 pipe 2 dst-ip 192.168.110.0/24 bridged

> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?

from ipfw(8):
     mask mask-specifier
           Packets sent to a given pipe or queue by an ipfw rule can be fur-
           ther classified into multiple flows, each of which is then sent
to
           a different dynamic pipe or queue.  A flow identifier is con-
           structed by masking the IP addresses, ports and protocol types as
           specified with the mask options in the configuration of the pipe
or
           queue.  For each different flow identifier, a new pipe or queue
is
           created with the same parameters as the original object, and
match-
           ing packets are sent to it.

# ipfw pipe 1 show | head
00001: unlimited    0 ms   50 sl. 246 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte
Drp
  0 ip   192.168.110.225/0             0.0.0.0/0     161697 12895342  0    0
0
  2 ip   192.168.110.224/0             0.0.0.0/0        1       60  0    0
0
  4 ip   192.168.110.227/0             0.0.0.0/0     150062 13695821  0    0
0
  6 ip   192.168.110.226/0             0.0.0.0/0     168531 17030284  0    0
0
  8 ip   192.168.110.229/0             0.0.0.0/0        4      240  0    0
0
 10 ip   192.168.110.228/0             0.0.0.0/0     115875 10482197  0    0
0
 12 ip   192.168.110.231/0             0.0.0.0/0     155357 14797338  0    0
0

# ipfw pipe 2 show | head
00002: unlimited    0 ms   50 sl. 256 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte
Drp
256 ip           0.0.0.0/0     192.168.110.132/0      505    30828  0    0
0
257 ip           0.0.0.0/0     192.168.110.133/0      507    30962  0    0
0
258 ip           0.0.0.0/0     192.168.110.134/0      475    28994  0    0
0
259 ip           0.0.0.0/0     192.168.110.135/0      499    30426  0    0
0
260 ip           0.0.0.0/0     192.168.110.128/0     39852609
35479316635  0    0   0
261 ip           0.0.0.0/0     192.168.110.129/0      503    30732  0    0
0
262 ip           0.0.0.0/0     192.168.110.130/0      527    32134  0    0
0

> server maintains a csv of in/out/abnormal (in+out). But I criticaly need
> per-ip and highly need per-protocol (major ones at least).

The above shows per-ip. Per protocol can be done similar. Hope these
sample outputs explain a bit better.


-- 
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.6.13 - Release Date: 1/16/2005
 

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.6.13 - Release Date: 1/16/2005