Date: Mon, 17 Jan 2005 22:54:44 +0100
From: "Andrew Seguin" <asegu@borgtech.ca>
To: <freebsd-net@freebsd.org>
Cc: jon@abccomm.com
Subject: RE: Network accounting
Message-ID: <20050117215917.DA10A54A5@borgtech.ca>
In-Reply-To: <8eea0408050117134812c17174@mail.gmail.com>
Much clearer! Thank you very much and sorry for my ignorance. Hadn't caught on to the "mask" feature ;) This could very well be what I'm in need of... but any other suggestions from the list are still welcome!

-----Original Message-----
From: Jon Simola [mailto:jsimola@gmail.com]
Sent: Monday, January 17, 2005 10:49 PM
To: Andrew Seguin; freebsd-net@freebsd.org
Subject: Re: Network accounting

On Mon, 17 Jan 2005 22:41:16 +0100, Andrew Seguin <asegu@borgtech.ca> wrote:

> >What I was doing with the same setup:
> >
> >$IPFW pipe 1 config mask src-ip 0xffffffff buckets 512
> >$IPFW pipe 2 config mask dst-ip 0xffffffff buckets 512
> >$IPFW add 32001 pipe 1 src-ip 192.168.110.0/24 bridged
> >$IPFW add 32002 pipe 2 dst-ip 192.168.110.0/24 bridged
>
> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?

from ipfw(8):

     mask mask-specifier
             Packets sent to a given pipe or queue by an ipfw rule can be
             further classified into multiple flows, each of which is then
             sent to a different dynamic pipe or queue.  A flow identifier
             is constructed by masking the IP addresses, ports and protocol
             types as specified with the mask options in the configuration
             of the pipe or queue.  For each different flow identifier, a
             new pipe or queue is created with the same parameters as the
             original object, and matching packets are sent to it.

# ipfw pipe 1 show | head
00001: unlimited 0 ms 50 sl. 246 queues (512 buckets) droptail
 mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip     192.168.110.225/0         0.0.0.0/0     161697 12895342  0    0   0
  2 ip     192.168.110.224/0         0.0.0.0/0          1       60  0    0   0
  4 ip     192.168.110.227/0         0.0.0.0/0     150062 13695821  0    0   0
  6 ip     192.168.110.226/0         0.0.0.0/0     168531 17030284  0    0   0
  8 ip     192.168.110.229/0         0.0.0.0/0          4      240  0    0   0
 10 ip     192.168.110.228/0         0.0.0.0/0     115875 10482197  0    0   0
 12 ip     192.168.110.231/0         0.0.0.0/0     155357 14797338  0    0   0

# ipfw pipe 2 show | head
00002: unlimited 0 ms 50 sl. 256 queues (512 buckets) droptail
 mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip           0.0.0.0/0   192.168.110.132/0        505    30828  0    0   0
257 ip           0.0.0.0/0   192.168.110.133/0        507    30962  0    0   0
258 ip           0.0.0.0/0   192.168.110.134/0        475    28994  0    0   0
259 ip           0.0.0.0/0   192.168.110.135/0        499    30426  0    0   0
260 ip           0.0.0.0/0   192.168.110.128/0   39852609 35479316635  0    0   0
261 ip           0.0.0.0/0   192.168.110.129/0        503    30732  0    0   0
262 ip           0.0.0.0/0   192.168.110.130/0        527    32134  0    0   0

> server maintains a csv of in/out/abnormal (in+out). But I critically need
> per-ip and highly need per-protocol (major ones at least).

The above shows per-ip. Per protocol can be done similar.

Hope these sample outputs explain a bit better.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050117215917.DA10A54A5>
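The accounting step the thread stops short of, as an added example that is not part of either poster's mail: turning the two `ipfw pipe N show` listings into the per-host in/out CSV Andrew describes. The sample listings below are constructed for the example (a trimmed copy of the output quoted above, with one host, 192.168.110.225, present in both pipes so the join is visible); the column layout, the name `per_proto_bytes` for the per-protocol variant and the counter-reset handling in `delta` are assumptions, not something the thread states.

```python
"""Aggregate per-host byte counters out of `ipfw pipe N show` output.

Added example, not code from the freebsd-net thread.  Assumes the classic
dummynet listing quoted in the mail: a header line, a " mask:" line and
then one line per dynamic queue laid out as
  BKT Prot Source-IP/port Dest-IP/port Tot_pkt Tot_bytes Pkt Byte Drp
"""
import re
from collections import namedtuple

# Constructed sample (trimmed from the thread's output; .225 added to pipe 2
# so that one host shows up in both directions).  Pipe 1 masks src-ip and
# therefore counts bytes *from* each LAN host, pipe 2 masks dst-ip and
# counts bytes *to* it.
PIPE1_SHOW = """\
00001: unlimited 0 ms 50 sl. 246 queues (512 buckets) droptail
 mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip 192.168.110.225/0 0.0.0.0/0 161697 12895342 0 0 0
  2 ip 192.168.110.224/0 0.0.0.0/0 1 60 0 0 0
  4 ip 192.168.110.227/0 0.0.0.0/0 150062 13695821 0 0 0
"""
PIPE2_SHOW = """\
00002: unlimited 0 ms 50 sl. 256 queues (512 buckets) droptail
 mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip 0.0.0.0/0 192.168.110.132/0 505 30828 0 0 0
260 ip 0.0.0.0/0 192.168.110.128/0 39852609 35479316635 0 0 0
261 ip 0.0.0.0/0 192.168.110.225/0 503 30732 0 0 0
"""

Flow = namedtuple("Flow", "bkt proto src dst pkts bytes drops")

# One dynamic-queue line: bucket, proto, src/port, dst/port, totals, queue
# occupancy (ignored) and drop count.  Header and mask lines do not match.
QUEUE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+([\d.]+)/\d+\s+([\d.]+)/\d+\s+"
    r"(\d+)\s+(\d+)\s+\d+\s+\d+\s+(\d+)\s*$"
)


def parse_pipe_show(text):
    """Return one Flow per dynamic queue listed in `ipfw pipe N show`."""
    flows = []
    for line in text.splitlines():
        m = QUEUE_RE.match(line)
        if m:
            bkt, proto, src, dst, pkts, nbytes, drops = m.groups()
            flows.append(Flow(int(bkt), proto, src, dst,
                              int(pkts), int(nbytes), int(drops)))
    return flows


def per_host_bytes(pipe1_text, pipe2_text):
    """Join the src-ip pipe and the dst-ip pipe into {host: {"out", "in"}}."""
    totals = {}
    for f in parse_pipe_show(pipe1_text):          # mask src-ip: LAN host is src
        totals.setdefault(f.src, {"out": 0, "in": 0})["out"] += f.bytes
    for f in parse_pipe_show(pipe2_text):          # mask dst-ip: LAN host is dst
        totals.setdefault(f.dst, {"out": 0, "in": 0})["in"] += f.bytes
    return totals


def per_proto_bytes(pipe_text):
    """Same idea keyed on the Prot column, for a pipe configured with a
    `mask proto` specifier (the per-protocol variant Jon alludes to;
    assumed layout, not shown in the thread)."""
    out = {}
    for f in parse_pipe_show(pipe_text):
        out[f.proto] = out.get(f.proto, 0) + f.bytes
    return out


def delta(prev, cur):
    """Bytes moved between two samples of the cumulative Tot_bytes counters.

    Assumption (not stated in the thread): a queue that was removed and
    recreated, e.g. after `ipfw pipe flush`, restarts its counter at zero,
    so a sample lower than the previous one is taken as a fresh count.
    """
    out = {}
    for host, c in cur.items():
        p = prev.get(host, {"out": 0, "in": 0})
        out[host] = {d: c[d] - p[d] if c[d] >= p[d] else c[d]
                     for d in ("out", "in")}
    return out


def csv_rows(totals):
    """host,in,out,total rows, sorted numerically by address."""
    key = lambda kv: tuple(int(o) for o in kv[0].split("."))
    return [f"{h},{c['in']},{c['out']},{c['in'] + c['out']}"
            for h, c in sorted(totals.items(), key=key)]


if __name__ == "__main__":
    for row in csv_rows(per_host_bytes(PIPE1_SHOW, PIPE2_SHOW)):
        print(row)
```

In production the two strings would come from `subprocess.run(["ipfw", "pipe", "1", "show"], ...)` on a timer, with `delta` applied between consecutive samples; since the dynamic queues are keyed only by the masked address, a host that falls outside 192.168.110.0/24 never appears, so the rule set (rules 32001/32002 above) is what bounds what gets accounted, not this script.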