Network accounting
Andrew Seguin
asegu at borgtech.ca
Mon Jan 17 13:55:25 PST 2005
Much clearer! Thank you very much and sorry for my ignorance.
Hadn't caught on to the "mask" feature ;) This could be very well what I'm
in need of... but any other suggestions from the list are still welcome!
-----Original Message-----
From: Jon Simola [mailto:jsimola at gmail.com]
Sent: Monday, January 17, 2005 10:49 PM
To: Andrew Seguin; freebsd-net at freebsd.org
Subject: Re: Network accounting
On Mon, 17 Jan 2005 22:41:16 +0100, Andrew Seguin <asegu at borgtech.ca> wrote:
> >What I was doing with the same setup:
> >$IPFW pipe 1 config mask src-ip 0xffffffff buckets 512
> >$IPFW pipe 2 config mask dst-ip 0xffffffff buckets 512
> >$IPFW add 32001 pipe 1 src-ip 192.168.110.0/24 bridged
> >$IPFW add 32002 pipe 2 dst-ip 192.168.110.0/24 bridged
> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?
from ipfw(8):

mask mask-specifier
    Packets sent to a given pipe or queue by an ipfw rule can be further
    classified into multiple flows, each of which is then sent to a
    different dynamic pipe or queue. A flow identifier is constructed by
    masking the IP addresses, ports and protocol types as specified with
    the mask options in the configuration of the pipe or queue. For each
    different flow identifier, a new pipe or queue is created with the
    same parameters as the original object, and matching packets are sent
    to it.
# ipfw pipe 1 show | head
00001: unlimited 0 ms 50 sl. 246 queues (512 buckets) droptail
mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip 192.168.110.225/0 0.0.0.0/0 161697 12895342 0 0 0
  2 ip 192.168.110.224/0 0.0.0.0/0 1 60 0 0 0
  4 ip 192.168.110.227/0 0.0.0.0/0 150062 13695821 0 0 0
  6 ip 192.168.110.226/0 0.0.0.0/0 168531 17030284 0 0 0
  8 ip 192.168.110.229/0 0.0.0.0/0 4 240 0 0 0
 10 ip 192.168.110.228/0 0.0.0.0/0 115875 10482197 0 0 0
 12 ip 192.168.110.231/0 0.0.0.0/0 155357 14797338 0 0 0

# ipfw pipe 2 show | head
00002: unlimited 0 ms 50 sl. 256 queues (512 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip 0.0.0.0/0 192.168.110.132/0 505 30828 0 0 0
257 ip 0.0.0.0/0 192.168.110.133/0 507 30962 0 0 0
258 ip 0.0.0.0/0 192.168.110.134/0 475 28994 0 0 0
259 ip 0.0.0.0/0 192.168.110.135/0 499 30426 0 0 0
260 ip 0.0.0.0/0 192.168.110.128/0 39852609 35479316635 0 0 0
261 ip 0.0.0.0/0 192.168.110.129/0 503 30732 0 0 0
262 ip 0.0.0.0/0 192.168.110.130/0 527 32134 0 0 0
> server maintains a csv of in/out/abnormal (in+out). But I critically need
> per-ip and highly need per-protocol (major ones at least).
The above shows per-ip. Per protocol can be done similarly. Hope these
sample outputs explain a bit better.
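As an added example (not code from the thread or from ipfw itself), here is a small Python parser for the `ipfw pipe N show` listing quoted above that turns the dynamic-queue rows into per-host in/out packet and byte totals. The sample text is constructed from rows quoted in the thread; the direction mapping is an assumption that follows the rule pair Jon shows (pipe 1 masks src-ip, so it counts traffic leaving a 192.168.110.0/24 host; pipe 2 masks dst-ip and counts traffic arriving at one). The Prot column is carried through, so a pipe whose mask also includes the protocol would give per-protocol rows for free.

```python
import re

# Constructed sample in the layout of the `ipfw pipe N show` output quoted above
SAMPLE = """\
00001: unlimited 0 ms 50 sl. 246 queues (512 buckets) droptail
mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip 192.168.110.225/0 0.0.0.0/0 161697 12895342 0 0 0
  2 ip 192.168.110.224/0 0.0.0.0/0 1 60 0 0 0
00002: unlimited 0 ms 50 sl. 256 queues (512 buckets) droptail
mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip 0.0.0.0/0 192.168.110.132/0 505 30828 0 0 0
260 ip 0.0.0.0/0 192.168.110.128/0 39852609 35479316635 0 0 0
261 ip 0.0.0.0/0 192.168.110.225/0 503 30732 0 0 0
"""

PIPE_RE = re.compile(r"^(\d+):\s")
# mask line: <proto> <src-ip>/<src-port> -> <dst-ip>/<dst-port>, all as hex masks
MASK_RE = re.compile(r"^mask:\s+0x\w+\s+0x(\w+)/0x\w+\s+->\s+0x(\w+)/0x\w+")
# queue row: BKT proto src/port dst/port tot_pkt tot_bytes q_pkt q_bytes drp
FLOW_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s*$")

def parse_flows(text):
    """Yield (direction, ip, proto, pkts, bytes) for each dynamic queue.
    Assumed mapping: src-ip mask -> "out" (from the LAN host), dst-ip mask -> "in"."""
    direction = None
    for line in text.splitlines():
        if PIPE_RE.match(line):
            direction = None                  # new pipe: wait for its mask line
            continue
        m = MASK_RE.match(line)
        if m:
            direction = "out" if int(m.group(1), 16) else "in"
            continue
        m = FLOW_RE.match(line)
        if m and direction:
            proto, src, dst, pkts, nbytes = m.groups()
            ip = src if direction == "out" else dst   # the masked side names the host
            yield direction, ip, proto, int(pkts), int(nbytes)

def per_ip_totals(text):
    """{ip: {"in": (pkts, bytes), "out": (pkts, bytes)}}; zero where never seen."""
    totals = {}
    for direction, ip, _proto, pkts, nbytes in parse_flows(text):
        t = totals.setdefault(ip, {"in": (0, 0), "out": (0, 0)})
        p, b = t[direction]
        t[direction] = (p + pkts, b + nbytes)
    return totals
```

The counters live only as long as the dynamic queue does, and `| head` truncates the listing, so poll the full output on a schedule and accumulate deltas rather than trusting a single snapshot.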