Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 18 Jun 2006 19:09:51 +0100
From:      Brian Candler <B.Candler@pobox.com>
To:        Nash Nipples <trashy_bumper@yahoo.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Simple LAN IP accounting
Message-ID:  <20060618180951.GA37133@uk.tiscali.com>
In-Reply-To: <20060618142644.81731.qmail@web36304.mail.mud.yahoo.com>
References:  <4495530f.265f68ff.360d.48fa@mx.gmail.com> <20060618142644.81731.qmail@web36304.mail.mud.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Sun, Jun 18, 2006 at 07:26:44AM -0700, Nash Nipples wrote:
>    ipfw add 5 skipto 500 ip from 192.168.110.1 to any out via tun0 
>  ipfw add 10 skipto 500 ip from any to 192.168.110.1 to any in via tun0
>  ipfw add .. skipto 500 ip from 192.168.110... to any out via tun0
>  ...
>  ipfw add 500 divert from any to any in via tun0 #back to normal rules
>  
>  ipfw show 
>  00005 274943  64986791 ip from 192.168.110.1 to any out via tun0
>  00010 274943  64986791 ip from any to 192.168.110.1 in via tun0
>  
>  thats pretty stupid but works. and you need a program to proccess the output
>  thats what im working on time to time :)
>  
>  it doesnt overload the filter cuz a matching rule is passed once at a time and the unmatched skipped to normal rules. if you get out of ipfw rules limits you might consider to split.. lol
>  
>  anyone else?

Another approach is to capture absolutely everything using libpcap into a
userland process, and then post-process afterwards. This is how 'ntop'
works. At a very simplistic level you could just use tcpdump -w <file> to
capture the packets (or packet headers) into a file, and then tcpdump -r
<file> to pipe them into a script to analyse them, such as totalising the
sizes of all packets to/from a particular IP address.

Another approach is to use statistical sampling - pick packets at random, so
that overall you capture, say, 1 packet in 128, and analyse those. This is
the approach used by sflow. If you have an sflow-capable switch, this is a
very efficient way of doing this analysis. You can turn the sflow data into
simple CSV records using 'sflowtool', or ntop has an sflow module.

This assumes that taking the sampled data and multiplying it by 128 will be
sufficiently accurate for your purposes, of course.

Regards,

Brian.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060618180951.GA37133>