Simple LAN IP accounting

Phil Regnauld regnauld at catpipe.net
Sun Jun 18 18:21:57 UTC 2006


Brian Candler (B.Candler) writes:
> 
> Another approach is to capture absolutely everything using libpcap into a
> userland process, and then post-process afterwards.

	ports/net/ipfm - been using it for some years now.


> Another approach is to use statistical sampling - pick packets at random, so
> that overall you capture, say, 1 packet in 128, and analyse those. This is
> the approach used by sflow.

	One can also achieve this using good old netflow -- there's a boatload
	of netflow collectors -- and probes as well, see ng_netflow.

> very efficient way of doing this analysis. You can turn the sflow data into
> simple CSV records using 'sflowtool', or ntop has an sflow module.

	Ntop just seems very unreliable and bloated to me, at least after
	version 1.  Has it changed ?

> This assumes that taking the sampled data and multiplying it by 128 will be
> sufficiently accurate for your purposes, of course.

	+/- 2% according to some large ISPs who use it, which is apparently
	considers acceptable.



More information about the freebsd-net mailing list