[Fwd: Re: Per Protocol Traffic Accounting]

Max Laier max at love2party.net
Tue Oct 18 09:02:15 PDT 2005


Take a look at net/pfflowd - it converts pf-states to Cisco NetFlow datagrams.  
There are plenty of tools to graph the result.  Alternatively, you can just 
put a bpf-consumer to pfsync0 and interpret the state changes accordingly.

On Tuesday 18 October 2005 08:59, Tyler wrote:
> Hi Travis,
>
> > Thanks for the reply.  However I want to capture data for each
> > protocol.  So, I'd like to have data for HTTP, SMTP, POP3, etc.  I've
> > done this before with ipfilter using the "count" command.  (Eg.  count
> > in on de0 from any to any proto http )
> >
> > However PF doesn't have the count command.  I've set labels on my ACL
> > entries, however when a new TCP session is established, the flow stays
> > with the "IN" rule because I'm keeping state on the connection.  So
> > the IN counters show all the bytes Tx'd and Rx'd, and the OUT rule is
> > 0 because the flow never hits that rule due to keeping the state.
> >
> > (Hmm... confusing?)
> >
> > I was hoping someone out there has done per protocol accounting with
> > PF because I can't figure it out.  :(
> >
> > I've also looked at ntop from a suggestion earlier in this thread.
> > However I was hoping to find a solution using just PF.
> >
> > Tyler
> >
> > On Mon, 2005-10-17 at 23:23 -0500, Travis H. wrote:
> > > "set loginterface interface
> > >
> > > Sets the interface for which PF should gather statistics such as bytes
> > > in/out and packets passed/blocked. Statistics can only be gathered for
> > > one interface at a time. Note that the match, bad-offset, etc.,
> > > counters and the state table counters are recorded regardless of
> > > whether loginterface is set or not. To turn this option off, set it to
> > > none. The default is none."
> > >
> > >
> > > Otherwise, couldn't you just use the ifconfig stats?  I think there's
> > > a package for exporting this via SNMP, which could be queried using
> > > ifgraph or rrdtool.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
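
Added example, not part of the original thread: because a stateful rule's counters cover both directions of a connection, per-protocol totals can be taken from the states themselves, as the reply suggests. This sketch sums the per-state byte counters by destination port; the input layout is assumed to follow `pfctl -vss` output, and the sample states, the SERVICES table and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Ports for the protocols named in the thread; everything else is "other".
SERVICES = {80: "http", 25: "smtp", 110: "pop3"}

# Constructed sample, modelled on the layout of `pfctl -vss` output (assumed).
SAMPLE = """\
all tcp 192.0.2.10:80 <- 198.51.100.7:51514       ESTABLISHED:ESTABLISHED
   age 00:02:11, expires in 23:59:40, 14:20 pkts, 1820:24100 bytes, rule 4
all tcp 192.0.2.20:40112 -> 203.0.113.5:25       FIN_WAIT_2:FIN_WAIT_2
   age 00:00:31, expires in 00:01:02, 9:8 pkts, 5120:640 bytes, rule 7
all tcp 192.0.2.10:80 <- 198.51.100.9:40022       ESTABLISHED:ESTABLISHED
   age 00:00:05, expires in 23:59:58, 3:2 pkts, 300:1500 bytes, rule 4
all udp 192.0.2.20:53211 -> 203.0.113.53:53       MULTIPLE:SINGLE
   age 00:00:02, expires in 00:00:28, 1:1 pkts, 70:130 bytes, rule 9
"""

HEADER = re.compile(r"^\S+ (tcp|udp) (\S+) .*?(->|<-) (\S+)")
COUNTS = re.compile(r"(\d+):(\d+) bytes")

def port_of(endpoint):
    # "addr:port" for IPv4; pf prints IPv6 endpoints as "addr[port]".
    m = re.search(r"(?::|\[)(\d+)\]?$", endpoint)
    return int(m.group(1)) if m else None

def account(text):
    """Sum the two byte counters of every state, grouped by service."""
    totals = defaultdict(lambda: [0, 0])
    service = None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            # With "<-" the left endpoint is the connection's destination,
            # with "->" it is the right one.
            dest = h.group(2) if h.group(3) == "<-" else h.group(4)
            service = SERVICES.get(port_of(dest), "other")
            continue
        c = COUNTS.search(line)
        if c and service:
            totals[service][0] += int(c.group(1))
            totals[service][1] += int(c.group(2))
            service = None
    return {k: tuple(v) for k, v in totals.items()}

if __name__ == "__main__":
    print(account(SAMPLE))
```

A snapshot like this only covers states that still exist when it is taken, which is why the reply points at pfflowd or pfsync0 for continuous accounting.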


More information about the freebsd-pf mailing list