Re: Simple LAN IP accounting



On Sun, Jun 18, 2006 at 07:26:44AM -0700, Nash Nipples wrote:
> ipfw add 5 skipto 500 ip from 192.168.110.1 to any out via tun0
> ipfw add 10 skipto 500 ip from any to 192.168.110.1 in via tun0
> ipfw add .. skipto 500 ip from 192.168.110... to any out via tun0
> ...
> ipfw add 500 divert from any to any in via tun0 #back to normal rules
>
> ipfw show
> 00005 274943 64986791 ip from 192.168.110.1 to any out via tun0
> 00010 274943 64986791 ip from any to 192.168.110.1 in via tun0
>
> That's pretty stupid but works, and you need a program to process the output;
> that's what I'm working on from time to time :)
>
> It doesn't overload the filter because a matching rule is passed once at a time and the unmatched skip to the normal rules. If you run into ipfw rule limits you might consider splitting.. lol
>
> Anyone else?

Another approach is to capture absolutely everything using libpcap into a
userland process, and then post-process afterwards. This is how 'ntop'
works. At a very simplistic level you could just use tcpdump -w <file> to
capture the packets (or packet headers) into a file, and then tcpdump -r
<file> to pipe them into a script to analyse them, such as totalising the
sizes of all packets to/from a particular IP address.

Another approach is to use statistical sampling - pick packets at random, so
that overall you capture, say, 1 packet in 128, and analyse those. This is
the approach used by sflow. If you have an sflow-capable switch, this is a
very efficient way of doing this analysis. You can turn the sflow data into
simple CSV records using 'sflowtool', or ntop has an sflow module.

This assumes that taking the sampled data and multiplying it by 128 will be
sufficiently accurate for your purposes, of course.

Regards,

Brian.
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
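Worked example of the capture-and-post-process approach Brian describes (tcpdump -w a file, then total bytes per host from it), with the sflow-style "multiply by the sampling rate" extrapolation from the following paragraph as an option. This is an added example, not code from the thread or from ntop/sflowtool. It assumes a classic pcap file (what tcpdump -w writes; pcapng is not handled), an Ethernet or raw-IPv4 link type, a LAN of 192.168.110.0/24, and that a sampled capture is a uniform 1-in-N sample; the sample packets are constructed inline so it runs offline.

```python
"""Per-host byte accounting from a tcpdump -w capture (classic pcap format).

Added example for the thread above, not code from the original posts.
Assumptions (mine, not the posters'): the capture is Ethernet (link type 1)
or raw IPv4 (link type 101, e.g. a tun interface), the LAN is 192.168.110.0/24,
and the capture is either complete (sample_rate=1) or a uniform 1-in-N sample.
"""
import struct
import sys
from typing import Dict, List, Optional, Tuple

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW_IPV4 = 101   # LINKTYPE_RAW: each record starts at the IP header
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data: bytes) -> Tuple[int, List[bytes]]:
    """Return (link type, list of captured frames) from a classic pcap blob."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # 0xa1b2c3d4 written little-endian
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    frames: List[bytes] = []
    off = 24
    while off + 16 <= len(data):
        # per-record header: ts_sec, ts_usec, captured length, original length
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def ipv4_header(frame: bytes, linktype: int) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, IP total length) for an IPv4 frame, or None for anything else."""
    if linktype == LINKTYPE_ETHERNET:
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            return None   # ARP, IPv6, 802.1Q etc. are not accounted here
        ip = frame[14:]
    elif linktype == LINKTYPE_RAW_IPV4:
        ip = frame
    else:
        raise ValueError(f"unsupported link type {linktype}")
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP total length, not frame length
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst, total_len


def account(data: bytes, lan_prefix: str = "192.168.110.", sample_rate: int = 1) -> Dict[str, Dict[str, int]]:
    """Total in/out bytes and packets per LAN host.

    sample_rate=N scales every observation by N (the sflow-style extrapolation
    from a 1-in-N sample); leave it at 1 for a full capture. A LAN-to-LAN
    packet is charged to both ends, unlike the per-interface ipfw rules.
    """
    linktype, frames = parse_pcap(data)
    totals: Dict[str, Dict[str, int]] = {}

    def bump(host: str, direction: str, nbytes: int) -> None:
        row = totals.setdefault(host, {"in_bytes": 0, "out_bytes": 0, "in_pkts": 0, "out_pkts": 0})
        row[direction + "_bytes"] += nbytes * sample_rate
        row[direction + "_pkts"] += sample_rate

    for frame in frames:
        parsed = ipv4_header(frame, linktype)
        if parsed is None:
            continue
        src, dst, nbytes = parsed
        if src.startswith(lan_prefix):
            bump(src, "out", nbytes)
        if dst.startswith(lan_prefix):
            bump(dst, "in", nbytes)
    return totals


def _ipv4_packet(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal IPv4 packet (checksum left zero; enough for accounting tests)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + b"\x00" * payload_len


def sample_capture() -> bytes:
    """Constructed little-endian Ethernet pcap blob standing in for 'tcpdump -w file'."""
    macs = b"\x02\x00\x00\x00\x00\x01" * 2
    frames = [
        macs + b"\x08\x00" + _ipv4_packet("192.168.110.1", "10.0.0.5", 1000),
        macs + b"\x08\x00" + _ipv4_packet("10.0.0.5", "192.168.110.1", 500),
        macs + b"\x08\x00" + _ipv4_packet("192.168.110.2", "10.0.0.5", 100),
        macs + b"\x08\x00" + _ipv4_packet("10.0.0.5", "192.168.110.1", 300),
        macs + b"\x08\x06" + b"\x00" * 28,   # an ARP frame, must be ignored
    ]
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        blob += struct.pack("<IIII", 1_150_000_000 + i, 0, len(frame), len(frame)) + frame
    return blob


if __name__ == "__main__":
    # usage: account.py [capture.pcap] [sample_rate]; with no file the constructed sample is used
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    rate = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    for host, row in sorted(account(data, sample_rate=rate).items()):
        print(f"{host:<16} in {row['in_bytes']:>10} B / {row['in_pkts']:>6} pkts"
              f"   out {row['out_bytes']:>10} B / {row['out_pkts']:>6} pkts")
```

The totals use the IP total-length field rather than the captured frame length, so Ethernet framing is not charged to the host and the numbers are comparable with the byte counters ipfw shows for the per-host rules earlier in the thread. For a sampled capture the scaling is only as good as the sampling is uniform, which is the caveat Brian raises; short or bursty flows will be over- or under-counted.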


