Solved

ip user accounting

Posted on 1997-08-29
Last Modified: 2010-03-18
i use a linux box as a router to the internet. since
international traffic is limited by our provider, i need
to know who creates how much traffic. i found the program
ipacct in the version 0.7b which should be a kernel patch
to 2.0.21. i've installed kernel 2.0.29 and tried to apply
this patch to my kernel-source, but it didn't work. so i
downloaded a 2.0.21 kernel, applied the patch, which worked,
but it didn't compile.
does anyone know a version of ipacct that really works with
a newer kernel (2.0.29 would be great) or a similar
product. the minimum of information i need is how much
traffic was produced by which ip-address. if i also could
see, where this traffic was routed to, it would be wonderful, but i don't really need that.
Question by:afuerst
LVL 3

Expert Comment

by:sauron
In recent kernels, IP accounting is a standard kernel option. IP accounting information is written to /proc/net/ip_acct, so you obviously need a proc filesystem.

Administration is managed in much the same way as firewalling - the ipfwadm tool allows you to set policies which govern which packets are counted. The options available are extremely flexible, you can count stuff from specific IP addresses, you can split this into destination nets if you like.

Check man ipfwadm for more details....

Author Comment

by:afuerst
i have a /proc filesystem and ip_accounting enabled, but
cat /proc/net/ip_acct gives the following information:

------------------------------
IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 248662    22064985  0 0 0 0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 21831     1586300   0 0 0 0 0 0 0 0 0 0 AFF X00
------------------------------

but - as i mentioned in my question - i need the information
who produced how much traffic. i don't want to limit any
ip-address, i just need to know who i have to charge for
how much traffic. in man ipfwadm i only found the possibility
to limit an ip-address. (perhaps i misunderstand the
man-pages?)
LVL 3

Accepted Solution

by:
sauron earned 150 total points
You need to do something like :-

ipfwadm -A -f
ipfwadm -A -a -S192.168.1.1/32 -D0.0.0.0/0

The first rule flushes the IP-accounting tables. The second appends a rule that counts all packets from 192.168.1.1 to anywhere. If you also want stuff going to this address, you can specify the -b switch for bidirectional.

From man ipfw:-

Accounting

The  accounting rules are used for all IP packets that are sent or received via one of the local network interfaces. Every packet will be compared with all rules in this list, and every match will cause an increment of the packet and byte counters associated with that rule.

This should do what you want ???

Author Comment

by:afuerst
thank you, you are absolutely right, this is about what
i wanted. but there are 2 questions now:

* if i add first of all the total network and then each
ip-address separately, do both counters increment?

* the counters automatically reset when it is rebooted.
what is the best way of saving this information? this
point is important for me, because it changes my charges
to my customers...
LVL 3

Expert Comment

by:sauron
The important thing to note is that packet and byte counters are not kept for addresses per se, they are kept for accounting rules.

So, if a packet matches two rules, then the counters associated with both those rules will be incremented.

For the second part, well, if we assume that your machine will
only be rebooted or halted intentionally (and to make this assumption you should have a UPS on it), then it will be switching to runlevel 6 or 0 when it shuts down.

Put a K script in the appropriate /etc/rc.d/rcn.d directory, that copies /proc/net/ip_acct to a holding area on a real filesystem. That should handle it, albeit in a crude way. Unfortunately, if you ever get a kernel panic, you will lose some data - it might be wise to have a cron job that copies /proc/net/ip_acct somewhere each hour/day - that way you can limit the amount of data that is vulnerable at any given time.
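
Added example, not part of the original thread: one way to turn the saved /proc/net/ip_acct copies into per-rule billing figures, covering both the accounting rules from the accepted solution and the periodic snapshots suggested above. The function names are hypothetical, and the position of the packet and byte counters is an assumption read off the sample output quoted on this page.

```python
import ipaddress
import re

# Constructed sample: the two rules from the /proc/net/ip_acct output quoted
# on this page, one rule per line.
SAMPLE = """IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 248662    22064985  0 0 0 0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 21831     1586300   0 0 0 0 0 0 0 0 0 0 AFF X00
"""

# A rule line starts with srcaddr/srcmask->dstaddr/dstmask, all in hex.
RULE = re.compile(r"^([0-9A-F]{8})/([0-9A-F]{8})->([0-9A-F]{8})/([0-9A-F]{8})\s")


def _net(addr_hex, mask_hex):
    """Hex address and mask -> 'a.b.c.d/len' (assumes a contiguous netmask)."""
    prefix = bin(int(mask_hex, 16)).count("1")
    return f"{ipaddress.IPv4Address(int(addr_hex, 16))}/{prefix}"


def parse_ip_acct(text):
    """Return {(src_net, dst_net): (packets, bytes)} for each accounting rule."""
    counters = {}
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:  # header, separator rows, wrapped continuation lines
            continue
        fields = line.split()
        # Assumption from the sample: fields 6 and 7 are packets and bytes.
        key = (_net(m[1], m[2]), _net(m[3], m[4]))
        counters[key] = (int(fields[6]), int(fields[7]))
    return counters


def usage_since(previous, current):
    """Bytes to bill per rule between two snapshots. A counter that went
    backwards was reset (reboot, or rules flushed and re-added), so the
    whole current value counts as new traffic."""
    billed = {}
    for key, (_, cur_bytes) in current.items():
        prev_bytes = previous.get(key, (0, 0))[1]
        billed[key] = cur_bytes - prev_bytes if cur_bytes >= prev_bytes else cur_bytes
    return billed
```

Traffic counted between the last saved snapshot and an unplanned reset is still lost, so the snapshot interval bounds the billing error.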

Author Comment

by:afuerst
well, perhaps you don't have bad experience with the
cleaning stuff...
the idea of regularly saving the data is good, i'll
do it that way.