ip user accounting

i use a linux box as a router to the internet. since
international traffic is limited by our provider, i need
to know who creates how much traffic. i found the program
ipacct in the version 0.7b which should be a kernel patch
to 2.0.21. i've installed kernel 2.0.29 and tried to apply
this patch to my kernel-source, but it didn't work. so i
downloaded a 2.0.21 kernel, applied the patch, which worked,
but it didn't compile.
does anyone know a version of ipacct that really works with
a newer kernel (2.0.29 would be great) or a similar
product. the minimum of information i need is how much
traffic was produced by which ip-address. if i also could
see, where this traffic was routed to, it would be wonderful, but i don't really need that.
afuerst Asked:
 
sauron Commented:
You need to do something like :-

ipfwadm -A -f
ipfwadm -A -a -S192.168.1.1/32 -D0.0.0.0/0

The first rule flushes the IP-accounting tables. The second appends a rule that counts all packets from 192.168.1.1 to anywhere. If you also want stuff going to this address, you can specify the -b switch for bidirectional.

From man ipfw:-

Accounting

The  accounting rules are used for all IP packets that are sent or received via one of the local network interfaces. Every packet will be compared with all rules in this list, and every match will cause an increment of the packet and byte counters associated with that rule.

This should do what you want ???
 
sauron Commented:
In recent kernels, IP accounting is a standard kernel option. IP accounting information is written to /proc/net/ip_acct, so you obviously need a proc filesystem.

Administration is managed in much the same way as firewalling - the ipfwadm tool allows you to set policies which govern which packets are counted. The options available are extremely flexible, you can count stuff from specific IP addresses, you can split this into destination nets if you like.

Check man ipfwadm for more details....
 
afuerst (Author) Commented:
i have a /proc filesystem and ip_accounting enabled, but
cat /proc/net/ip_acct gives the following information:

------------------------------
IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 248662    22064985  0 0 0
0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 21831     1586300   0 0 0
0 0 0 0 0 0 0 AFF X00
------------------------------

but - as i mentioned in my question - i need the information
who produced how much traffic. i don't want to limit any
ip-address, i just need to know who i have to charge for
how much traffic. in man ipfwadm i only found the possibility
to limit an ip-address. (perhaps i misunderstand the
man-pages?)
 
afuerst (Author) Commented:
thank you, you are absolutely right, this is about what
i wanted. but there are 2 questions now:

* if i add first of all the total network and then each
ip-address separately, do both counters increment?

* the counters automatically reset when it is rebooted.
what is the best way of saving this information? this
point is important for me, because it changes my charges
to my customers...
 
sauron Commented:
The important thing to note is that packet and byte counters are not kept for addresses per se, they are kept for accounting rules.

So, if a packet matches two rules, then the counters associated with both those rules will be incremented.

For the second part, well, if we assume that your machine will only be rebooted or halted intentionally (and to make this assumption you should have a UPS on it), then it will be switching to runlevel 6 or 0 when it shuts down.

Put a K script in the appropriate /etc/rc.d/rcn.d directory that copies /proc/net/ip_acct to a holding area on a real filesystem. That should handle it, albeit in a crude way. Unfortunately, if you ever get a kernel panic, you will lose some data - it might be wise to have a cron job that copies /proc/net/ip_acct somewhere each hour/day - that way you can limit the amount of data that is vulnerable at any given time.
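Saved copies of /proc/net/ip_acct only help with billing once they are turned into per-rule usage, so the following added example (not code from the thread) diffs two saved snapshots and treats a counter that went backwards as a reset. The field positions (packets in field 7, bytes in field 8) are an assumption based on the output quoted earlier, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed /proc/net/ip_acct layout: one rule
# per line, field 1 = SRC/MASK->DST/MASK in hex, field 7 = packets, field 8 = bytes.
ACCT_AWK='
function hex2ip(h,    i, hi, lo, out) {
    out = ""
    for (i = 1; i <= 7; i += 2) {
        hi = index("0123456789ABCDEF", substr(h, i, 1)) - 1
        lo = index("0123456789ABCDEF", substr(h, i + 1, 1)) - 1
        out = out (i > 1 ? "." : "") (hi * 16 + lo)
    }
    return out
}
# Rule lines start with hex/hex->; the header line is skipped.
/^[0-9A-F]+\/[0-9A-F]+->/ {
    split($1, ends, "->"); split(ends[1], s, "/"); split(ends[2], d, "/")
    print hex2ip(s[1]) "/" hex2ip(s[2]) "->" hex2ip(d[1]) "/" hex2ip(d[2]), $7, $8
}'

# acct_totals FILE: print "rule packets bytes" for each accounting rule.
acct_totals() { awk "$ACCT_AWK" "$1"; }

# acct_delta PREV CUR: bytes per rule since PREV. A counter lower than before
# means it was reset (reboot or zeroed rules), so CUR itself is the usage.
acct_delta() {
    { acct_totals "$1" | sed 's/^/P /'; acct_totals "$2" | sed 's/^/C /'; } |
    awk '$1 == "P" { prev[$2] = $4 + 0 }
         $1 == "C" { d = ($4 + 0 >= prev[$2] + 0) ? $4 - prev[$2] : $4
                     printf "%s %.0f\n", $2, d }'
}

# Constructed snapshots: "prev" reuses the counters quoted in the thread,
# "cur" is invented (rule 1 grew by 100000 bytes, rule 2 restarted from zero).
demo() {
    t=$(mktemp -d) || return 1
    cat > "$t/prev" <<'EOF'
IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 248662    22064985  0 0 0 0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 21831     1586300   0 0 0 0 0 0 0 0 0 0 AFF X00
EOF
    cat > "$t/cur" <<'EOF'
IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 250000    22164985  0 0 0 0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 10        1200      0 0 0 0 0 0 0 0 0 0 AFF X00
EOF
    acct_delta "$t/prev" "$t/cur"
    rm -rf "$t"
}
demo
```

Usage recorded between the last snapshot and a reset is still lost, which is why the snapshot interval bounds the billing error.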
 
afuerst (Author) Commented:
well, perhaps you don't have bad experience with the
cleaning stuff...
the idea of regularly saving the data is good, i'll
do it that way.
Question has a verified solution.
