afuerst

ip user accounting

i use a linux box as a router to the internet. since
international traffic is limited by our provider, i need
to know who creates how much traffic. i found the program
ipacct in the version 0.7b which should be a kernel patch
to 2.0.21. i've installed kernel 2.0.29 and tried to apply
this patch to my kernel-source, but it didn't work. so i
downloaded a 2.0.21 kernel, applied the patch, which worked,
but it didn't compile.
does anyone know a version of ipacct that really works with
a newer kernel (2.0.29 would be great) or a similar
product. the minimum of information i need is how much
traffic was produced by which ip-address. if i also could
see, where this traffic was routed to, it would be wonderful, but i don't really need that.
sauron

In recent kernels, IP accounting is a standard kernel option. IP accounting information is written to /proc/net/ip_acct, so you obviously need a proc filesystem.

Administration is managed in much the same way as firewalling - the ipfwadm tool allows you to set policies which govern which packets are counted. The options available are extremely flexible, you can count stuff from specific IP addresses, you can split this into destination nets if you like.

Check man ipfwadm for more details....
afuerst

ASKER

i have a /proc filesystem and ip_accounting enabled, but
cat /proc/net/ip_acct gives the following information:

------------------------------
IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 248662    22064985  0 0 0
0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 21831     1586300   0 0 0
0 0 0 0 0 0 0 AFF X00
------------------------------

but - as i mentioned in my question - i need the information
who produced how much traffic. i don't want to limit any
ip-address, i just need to know who i have to charge for
how much traffic. in man ipfwadm i only found the possibility
to limit an ip-address. (perhaps i misunderstand the
man-pages?)
ASKER CERTIFIED SOLUTION
sauron

afuerst

ASKER

thank you, you are absolutely right, this is about what
i wanted. but there are 2 questions now:

* if i add first of all the total network and then each
ip-address separately, do both counters increment?

* the counters automatically reset when it is rebooted.
what is the best way of saving this information? this
point is important for me, because it changes my charges
to my customers...
The important thing to note is that packet and byte counters are not kept for addresses per se, they are kept for accounting rules.

So, if a packet matches two rules, then the counters associated with both those rules will be incremented.

For the second part, well, if we assume that your machine will only be rebooted or halted intentionally (and to make this assumption you should have a UPS on it), then it will be switching to runlevel 6 or 0 when it shuts down.

Put a K script in the appropriate /etc/rc.d/rcn.d directory, that copies /proc/net/ip_acct to a holding area on a real filesystem. That should handle it, albeit in a crude way. Unfortunately, if you ever get a kernel panic, you will lose some data - it might be wise to have a cron job that copies /proc/net/ip_acct somewhere each hour/day - that way you can limit the amount of data that is vulnerable at any given time.
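An added example, not part of the original posts: turning saved copies of /proc/net/ip_acct into per-rule byte totals and computing the usage between two snapshots when the counters have restarted from zero. The function names are hypothetical, and the field positions (7th and 8th whitespace-separated fields as packet and byte counters) are an assumption inferred from the sample output posted above.

```python
import ipaddress

# Constructed sample: the two rules from the post, with each wrapped
# record rejoined onto one line.
SAMPLE = (
    "IP accounting rules\n"
    "AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 248662    22064985  0 0 0 0 0 0 0 0 0 0 AFF X00\n"
    "AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 21831     1586300   0 0 0 0 0 0 0 0 0 0 AFF X00\n"
)

def hex_to_cidr(pair):
    """'AC100000/FFFFFF00' -> '172.16.0.0/24'."""
    addr, mask = (int(h, 16) for h in pair.split("/"))
    return str(ipaddress.ip_network((addr, bin(mask).count("1")), strict=False))

def parse_ip_acct(text):
    """Return {(src_net, dst_net): (packets, bytes)}, one entry per rule.

    Assumption: fields 7 and 8 are the packet and byte counters.
    """
    rules = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or "->" not in f[0]:
            continue  # header line or the tail of a wrapped record
        src, dst = f[0].split("->")
        rules[(hex_to_cidr(src), hex_to_cidr(dst))] = (int(f[6]), int(f[7]))
    return rules

def bytes_between(prev, curr):
    """Bytes counted per rule between two saved snapshots.

    A counter lower than in the previous snapshot means it restarted from
    zero (for example after a reboot), so the current value is all that
    can still be attributed to the interval.
    """
    usage = {}
    for rule, (_, now) in curr.items():
        before = prev.get(rule, (0, 0))[1]
        usage[rule] = now - before if now >= before else now
    return usage

if __name__ == "__main__":
    snapshot = parse_ip_acct(SAMPLE)
    for (src, dst), (pkts, nbytes) in snapshot.items():
        print(f"{src} -> {dst}: {pkts} packets, {nbytes} bytes")
```

Traffic counted between the last saved snapshot and a reset cannot be recovered this way, which is why the snapshot interval bounds the amount of billing data at risk.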
afuerst

ASKER

well, perhaps you don't have bad experience with the
cleaning stuff...
the idea of regularly saving the data is good, i'll
do it that way.