Simple LAN IP accounting
Phil Regnauld
regnauld at catpipe.net
Sun Jun 18 18:21:57 UTC 2006
Brian Candler (B.Candler) writes:
>
> Another approach is to capture absolutely everything using libpcap into a
> userland process, and then post-process afterwards.
ports/net/ipfm - been using it for some years now.
> Another approach is to use statistical sampling - pick packets at random, so
> that overall you capture, say, 1 packet in 128, and analyse those. This is
> the approach used by sflow.
One can also achieve this using good old netflow -- there's a boatload
of netflow collectors -- and probes as well, see ng_netflow.
> very efficient way of doing this analysis. You can turn the sflow data into
> simple CSV records using 'sflowtool', or ntop has an sflow module.
Ntop just seems very unreliable and bloated to me, at least after
version 1. Has it changed ?
> This assumes that taking the sampled data and multiplying it by 128 will be
> sufficiently accurate for your purposes, of course.
+/- 2% according to some large ISPs who use it, which is apparently
considers acceptable.
More information about the freebsd-net
mailing list