From owner-freebsd-net@FreeBSD.ORG Mon Jan 17 21:55:25 2005
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 377B116A4CE for ; Mon, 17 Jan 2005 21:55:25 +0000 (GMT)
Received: from borgtech.ca (borgtech.ca [216.187.106.216]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6AE1543D31 for ; Mon, 17 Jan 2005 21:55:24 +0000 (GMT) (envelope-from asegu@borgtech.ca)
Received: from asegulaptop (unknown [161.53.212.129]) by borgtech.ca (Postfix) with ESMTP id DA10A54A5; Mon, 17 Jan 2005 21:59:17 +0000 (GMT)
From: "Andrew Seguin"
Date: Mon, 17 Jan 2005 22:54:44 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="windows-1250"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
In-Reply-To: <8eea0408050117134812c17174@mail.gmail.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: AcT83uGIJtRkge2GSLC3xGiXPBYojQAAHVag
Message-Id: <20050117215917.DA10A54A5@borgtech.ca>
cc: jon@abccomm.com
Subject: RE: Network accounting
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 17 Jan 2005 21:55:25 -0000

Much clearer! Thank you very much and sorry for my ignorance. Hadn't caught on
to the "mask" feature ;)

This could be very well what I'm in need of... but any other suggestions from
the list are still welcome!
-----Original Message-----
From: Jon Simola [mailto:jsimola@gmail.com]
Sent: Monday, January 17, 2005 10:49 PM
To: Andrew Seguin; freebsd-net@freebsd.org
Subject: Re: Network accounting

On Mon, 17 Jan 2005 22:41:16 +0100, Andrew Seguin wrote:
> >What I was doing with the same setup:
> >$IPFW pipe 1 config mask src-ip 0xffffffff buckets 512
> >$IPFW pipe 2 config mask dst-ip 0xffffffff buckets 512
> >$IPFW add 32001 pipe 1 src-ip 192.168.110.0/24 bridged
> >$IPFW add 32002 pipe 2 dst-ip 192.168.110.0/24 bridged
> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?

from ipfw(8):

     mask mask-specifier
             Packets sent to a given pipe or queue by an ipfw rule can be
             further classified into multiple flows, each of which is then
             sent to a different dynamic pipe or queue.  A flow identifier
             is constructed by masking the IP addresses, ports and protocol
             types as specified with the mask options in the configuration
             of the pipe or queue.  For each different flow identifier, a
             new pipe or queue is created with the same parameters as the
             original object, and matching packets are sent to it.

# ipfw pipe 1 show | head
00001: unlimited         0 ms   50 sl. 246 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip      192.168.110.225/0      0.0.0.0/0     161697 12895342  0    0   0
  2 ip      192.168.110.224/0      0.0.0.0/0          1       60  0    0   0
  4 ip      192.168.110.227/0      0.0.0.0/0     150062 13695821  0    0   0
  6 ip      192.168.110.226/0      0.0.0.0/0     168531 17030284  0    0   0
  8 ip      192.168.110.229/0      0.0.0.0/0          4      240  0    0   0
 10 ip      192.168.110.228/0      0.0.0.0/0     115875 10482197  0    0   0
 12 ip      192.168.110.231/0      0.0.0.0/0     155357 14797338  0    0   0

# ipfw pipe 2 show | head
00002: unlimited         0 ms   50 sl. 256 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip            0.0.0.0/0      192.168.110.132/0      505     30828  0    0   0
257 ip            0.0.0.0/0      192.168.110.133/0      507     30962  0    0   0
258 ip            0.0.0.0/0      192.168.110.134/0      475     28994  0    0   0
259 ip            0.0.0.0/0      192.168.110.135/0      499     30426  0    0   0
260 ip            0.0.0.0/0      192.168.110.128/0 39852609 35479316635  0    0   0
261 ip            0.0.0.0/0      192.168.110.129/0      503     30732  0    0   0
262 ip            0.0.0.0/0      192.168.110.130/0      527     32134  0    0   0

> server maintains a csv of in/out/abnormal (in+out). But I critically need
> per-ip and highly need per-protocol (major ones at least).

The above shows per-ip. Per protocol can be done similarly.

Hope these sample outputs explain a bit better.
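The counters Jon quotes come out of `ipfw pipe N show` as one dynamic queue per host, so feeding them into the per-IP CSV Andrew's server keeps is a matter of parsing that table and merging the two pipes. The script below is an added example, not code from this thread or from FreeBSD; it assumes the layout quoted above (pipe 1 configured with `mask src-ip`, so each of its queues is traffic from one LAN host; pipe 2 with `mask dst-ip`, so each of its queues is traffic to one LAN host), and the function names and the embedded sample listings (rows taken from the message, trimmed) are mine:

```python
"""Per-host traffic accounting from `ipfw pipe N show` listings.

Added example, not code from the thread or from FreeBSD.  Assumes pipe 1 is
configured `mask src-ip 0xffffffff` (one queue per source host = outbound)
and pipe 2 `mask dst-ip 0xffffffff` (one queue per destination host = inbound).
"""
import csv
import io
import re
import subprocess
from collections import defaultdict
from typing import Dict, List, NamedTuple

# One dynamic-queue row: BKT Prot Src/port Dst/port Tot_pkt Tot_bytes Pkt Byte Drp.
# The "00001: unlimited ..." summary and the "mask:" line never match because
# they have no "addr/port" fields.
_FLOW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+"
    r"(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

# Constructed sample input: rows copied from the listings quoted in the message.
PIPE1_SHOW = """\
00001: unlimited         0 ms   50 sl. 246 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip      192.168.110.225/0      0.0.0.0/0     161697 12895342  0    0   0
  2 ip      192.168.110.224/0      0.0.0.0/0          1       60  0    0   0
  4 ip      192.168.110.227/0      0.0.0.0/0     150062 13695821  0    0   0
  6 ip      192.168.110.226/0      0.0.0.0/0     168531 17030284  0    0   0
"""
PIPE2_SHOW = """\
00002: unlimited         0 ms   50 sl. 256 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip            0.0.0.0/0      192.168.110.132/0      505     30828  0    0   0
260 ip            0.0.0.0/0      192.168.110.128/0 39852609 35479316635  0    0   0
"""


class Flow(NamedTuple):
    bucket: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tot_pkts: int
    tot_bytes: int
    q_pkts: int      # currently queued, not cumulative
    q_bytes: int
    drops: int


def parse_pipe_show(text: str) -> List[Flow]:
    """Return the per-flow rows of one `ipfw pipe N show` listing."""
    flows = []
    for line in text.splitlines():
        m = _FLOW_RE.match(line)
        if not m:
            continue
        b, proto, src, sport, dst, dport, *counters = m.groups()
        flows.append(Flow(int(b), proto, src, int(sport), dst, int(dport),
                          *(int(c) for c in counters)))
    return flows


def per_host_totals(pipe1_show: str, pipe2_show: str) -> Dict[str, Dict[str, int]]:
    """Merge the src-ip-masked pipe (out) and dst-ip-masked pipe (in) per host."""
    totals: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"out_pkts": 0, "out_bytes": 0, "in_pkts": 0, "in_bytes": 0})
    for f in parse_pipe_show(pipe1_show):   # queue key is the LAN source host
        totals[f.src]["out_pkts"] += f.tot_pkts
        totals[f.src]["out_bytes"] += f.tot_bytes
    for f in parse_pipe_show(pipe2_show):   # queue key is the LAN destination host
        totals[f.dst]["in_pkts"] += f.tot_pkts
        totals[f.dst]["in_bytes"] += f.tot_bytes
    return dict(totals)


def totals_to_csv(totals: Dict[str, Dict[str, int]]) -> str:
    """One CSV row per host, sorted numerically by address."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["host", "out_pkts", "out_bytes", "in_pkts", "in_bytes", "total_bytes"])
    for host in sorted(totals, key=lambda h: tuple(int(o) for o in h.split("."))):
        t = totals[host]
        w.writerow([host, t["out_pkts"], t["out_bytes"], t["in_pkts"], t["in_bytes"],
                    t["out_bytes"] + t["in_bytes"]])
    return buf.getvalue()


def live_pipe_show(pipe: int) -> str:
    """Run `ipfw pipe <n> show` on the box itself (requires root on FreeBSD)."""
    return subprocess.run(["ipfw", "pipe", str(pipe), "show"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demo on the embedded sample; swap in live_pipe_show(1)/(2) on a router.
    print(totals_to_csv(per_host_totals(PIPE1_SHOW, PIPE2_SHOW)), end="")
```

Poll the two pipes on a timer and diff each sample against the previous one rather than trusting the cumulative numbers alone: the counters belong to dynamic queues that dummynet creates on demand and may discard once a host goes idle, so a host that stops talking between samples would otherwise vanish along with its total. The `proto` field is parsed as well, so a pipe configured with `mask proto` on top of the address mask can be summed per protocol with the same `parse_pipe_show` output.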