Network accounting

Jon Simola jsimola at gmail.com
Mon Jan 17 13:48:53 PST 2005


On Mon, 17 Jan 2005 22:41:16 +0100, Andrew Seguin <asegu at borgtech.ca> wrote:

> >What I was doing with the same setup:
> >$IPFW pipe 1 config mask src-ip 0xffffffff buckets 512
> >$IPFW pipe 2 config mask dst-ip 0xffffffff buckets 512
> >$IPFW add 32001 pipe 1 src-ip 192.168.110.0/24 bridged
> >$IPFW add 32002 pipe 2 dst-ip 192.168.110.0/24 bridged

> I don't understand how this system will allow me to log traffic by-ip
> without addition of 256 rules?

from ipfw(8):
     mask mask-specifier
           Packets sent to a given pipe or queue by an ipfw rule can be fur-
           ther classified into multiple flows, each of which is then sent to
           a different dynamic pipe or queue.  A flow identifier is con-
           structed by masking the IP addresses, ports and protocol types as
           specified with the mask options in the configuration of the pipe or
           queue.  For each different flow identifier, a new pipe or queue is
           created with the same parameters as the original object, and match-
           ing packets are sent to it.

# ipfw pipe 1 show | head
00001: unlimited    0 ms   50 sl. 246 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip   192.168.110.225/0             0.0.0.0/0     161697 12895342  0    0   0
  2 ip   192.168.110.224/0             0.0.0.0/0        1       60  0    0   0
  4 ip   192.168.110.227/0             0.0.0.0/0     150062 13695821  0    0   0
  6 ip   192.168.110.226/0             0.0.0.0/0     168531 17030284  0    0   0
  8 ip   192.168.110.229/0             0.0.0.0/0        4      240  0    0   0
 10 ip   192.168.110.228/0             0.0.0.0/0     115875 10482197  0    0   0
 12 ip   192.168.110.231/0             0.0.0.0/0     155357 14797338  0    0   0

# ipfw pipe 2 show | head
00002: unlimited    0 ms   50 sl. 256 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip           0.0.0.0/0     192.168.110.132/0      505    30828  0    0   0
257 ip           0.0.0.0/0     192.168.110.133/0      507    30962  0    0   0
258 ip           0.0.0.0/0     192.168.110.134/0      475    28994  0    0   0
259 ip           0.0.0.0/0     192.168.110.135/0      499    30426  0    0   0
260 ip           0.0.0.0/0     192.168.110.128/0     39852609 35479316635  0    0   0
261 ip           0.0.0.0/0     192.168.110.129/0      503    30732  0    0   0
262 ip           0.0.0.0/0     192.168.110.130/0      527    32134  0    0   0

> server maintains a csv of in/out/abnormal (in+out). But I critically need
> per-ip and highly need per-protocol (major ones at least).

The above shows per-ip. Per-protocol can be done similarly. Hope these
sample outputs explain a bit better.
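To turn the two listings above into the per-IP CSV Andrew asked for, here is an added example (not from this thread or from ipfw itself) that parses `ipfw pipe N show` output, joins pipe 1 (keyed by src-ip) with pipe 2 (keyed by dst-ip), and accumulates counters across polls. It assumes the pipe/mask setup quoted in the message; the sample input is a trimmed copy of the listings, including one row that was wrapped onto two lines in transit, and the `Accumulator` handles the fact that dummynet frees idle dynamic queues (the `net.inet.ip.dummynet.expire` sysctl), so a host that returns later restarts from zero.

```python
"""Per-host accounting from `ipfw pipe N show` output.

Example code added to this thread, not the poster's own tool. Assumes the
two pipes from the message: pipe 1 masked on src-ip, pipe 2 masked on dst-ip.
"""
import csv
import io

# Constructed sample input: trimmed copies of the listings quoted in the
# message, including one row that a mail client wrapped onto two lines.
PIPE1_SHOW = """\
00001: unlimited    0 ms   50 sl. 246 queues (512 buckets) droptail
    mask: 0x00 0xffffffff/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 ip   192.168.110.225/0             0.0.0.0/0     161697 12895342  0    0   0
  2 ip   192.168.110.224/0             0.0.0.0/0        1       60  0    0   0
"""
PIPE2_SHOW = """\
00002: unlimited    0 ms   50 sl. 256 queues (512 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0xffffffff/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
256 ip           0.0.0.0/0     192.168.110.225/0      505    30828  0    0   0
260 ip           0.0.0.0/0     192.168.110.128/0     39852609
35479316635  0    0   0
"""

FLOW_FIELDS = 9  # BKT Prot Src Dst Tot_pkt Tot_bytes Pkt Byte Drp


def parse_pipe_show(text):
    """Return {host_ip: (total_pkts, total_bytes)} for each dynamic queue row.

    The host is whichever address the pipe's mask left unmasked, i.e. the
    side of the row that is not 0.0.0.0.
    """
    flows = {}
    pending = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if pending:                       # continuation of a wrapped row
            tokens = pending + tokens
            pending = []
        elif not tokens[0].isdigit():     # pipe header, mask line, column header
            continue
        if len(tokens) < FLOW_FIELDS:     # row was wrapped; wait for the rest
            pending = tokens
            continue
        src_ip = tokens[2].rsplit("/", 1)[0]
        dst_ip = tokens[3].rsplit("/", 1)[0]
        host = dst_ip if src_ip == "0.0.0.0" else src_ip
        flows[host] = (int(tokens[4]), int(tokens[5]))
    return flows


class Accumulator:
    """Sum per-host counters across repeated polls.

    Dummynet frees a dynamic queue once it has been idle (see the
    net.inet.ip.dummynet.expire sysctl), and a host that reappears starts
    again from zero, so a single `show` is not a running total: keep the
    last reading per host and add only the increase since then.
    """

    def __init__(self):
        self.totals = {}  # host -> [pkts, bytes]
        self.last = {}    # host -> (pkts, bytes) at the previous poll

    def update(self, flows):
        for host, (pkts, nbytes) in flows.items():
            last_p, last_b = self.last.get(host, (0, 0))
            if pkts < last_p or nbytes < last_b:   # counters restarted
                last_p, last_b = 0, 0
            total = self.totals.setdefault(host, [0, 0])
            total[0] += pkts - last_p
            total[1] += nbytes - last_b
            self.last[host] = (pkts, nbytes)
        for host in list(self.last):          # queue gone: next sighting starts at zero
            if host not in flows:
                del self.last[host]
        return self.totals


def per_host_csv(from_host, to_host):
    """Join pipe-1 totals (keyed by src-ip) and pipe-2 totals (keyed by dst-ip)
    into one CSV with a row per host, sorted by address."""
    def octets(ip):
        return tuple(int(o) for o in ip.split("."))
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "pkts_from", "bytes_from", "pkts_to", "bytes_to"])
    for host in sorted(set(from_host) | set(to_host), key=octets):
        writer.writerow([host, *from_host.get(host, (0, 0)), *to_host.get(host, (0, 0))])
    return buf.getvalue()


if __name__ == "__main__":
    print(per_host_csv(parse_pipe_show(PIPE1_SHOW), parse_pipe_show(PIPE2_SHOW)))
```

In practice you would feed `parse_pipe_show` the output of `ipfw pipe 1 show` and `ipfw pipe 2 show` from a periodic job and run each result through its own `Accumulator` before writing the CSV; the reset check only catches a queue that was freed and re-created with a smaller count than last seen, so poll often enough that a host rarely expires and comes back with more traffic than its previous reading in a single interval.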