Solved

ip user accounting

Posted on 1997-08-29
Last Modified: 2010-03-18
i use a linux box as a router to the internet. since
international traffic is limited by our provider, i need
to know who creates how much traffic. i found the program
ipacct in the version 0.7b which should be a kernel patch
to 2.0.21. i've installed kernel 2.0.29 and tried to apply
this patch to my kernel-source, but it didn't work. so i
downloaded a 2.0.21 kernel, applied the patch, which worked,
but it didn't compile.
does anyone know a version of ipacct that really works with
a newer kernel (2.0.29 would be great) or a similar
product. the minimum of information i need is how much
traffic was produced by which ip-address. if i also could
see, where this traffic was routed to, it would be wonderful, but i don't really need that.
0
Question by:afuerst
6 Comments
 
LVL 3

Expert Comment

by:sauron
ID: 1586325
In recent kernels, IP accounting is a standard kernel option. IP accounting information is written to /proc/net/ip_acct, so you obviously need a proc filesystem.

Administration is managed in much the same way as firewalling - the ipfwadm tool allows you to set policies which govern which packets are counted. The options available are extremely flexible, you can count stuff from specific IP addresses, you can split this into destination nets if you like.

Check man ipfwadm for more details....
0
 

Author Comment

by:afuerst
ID: 1586326
i have a /proc filesystem and ip_accounting enabled, but
cat /proc/net/ip_acct gives the following information:

------------------------------
IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 248662    22064985  0 0 0
0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 21831     1586300   0 0 0
0 0 0 0 0 0 0 AFF X00
------------------------------

but - as i mentioned in my question - i need the information
who produced how much traffic. i don't want to limit any
ip-address, i just need to know who i have to charge for
how much traffic. in man ipfwadm i only found the possibility
to limit an ip-address. (perhaps i misunderstand the
man-pages?)
0
 
LVL 3

Accepted Solution

by:
sauron earned 150 total points
ID: 1586327
You need to do something like :-

ipfwadm -A -f
ipfwadm -A -a -S192.168.1.1/32 -D0.0.0.0/0

The first rule flushes the IP-accounting tables. The second appends a rule that counts all packets from 192.168.1.1 to anywhere. If you also want stuff going to this address, you can specify the -b switch for bidirectional.

From man ipfw:-

Accounting

The  accounting rules are used for all IP packets that are sent or received via one of the local network interfaces. Every packet will be compared with all rules in this list, and every match will cause an increment of the packet and byte counters associated with that rule.

This should do what you want ???
0

 

Author Comment

by:afuerst
ID: 1586328
thank you, you are absolutely right, this is about what
i wanted. but there are 2 questions now:

* if i add first of all the total network and then each
ip-address separately, do both counters increment?

* the counters automatically reset when it is rebooted.
what is the best way of saving this information? this
point is important for me, because it changes my charges
to my customers...
0
 
LVL 3

Expert Comment

by:sauron
ID: 1586329
The important thing to note is that packet and byte counters are not kept for addresses per se, they are kept for accounting rules.

So, if a packet matches two rules, then the counters associated with both those rules will be incremented.

For the second part, well, if we assume that your machine will
only be rebooted or halted intentionally (and to make this assumption you should have a UPS on it), then it will be switching to runlevel 6 or 0 when it shuts down.

Put a K script in the appropriate /etc/rc.d/rcn.d directory, that copies /proc/net/ip_acct to a holding area on a real filesystem. That should handle it, albeit in a crude way. Unfortunately, if you ever get a kernel panic, you will lose some data - it might be wise to have a cron job that copies /proc/net/ip_acct somewhere each hour/day - that way you can limit the amount of data that is vulnerable at any given time.
0
 

Author Comment

by:afuerst
ID: 1586330
well, perhaps you don't have bad experience with the
cleaning stuff...
the idea of regularly saving the data is good, i'll
do it that way.
0
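
Added example, not part of the original thread: shell functions for the periodic save discussed above, which parse /proc/net/ip_acct into per-rule counters and add only the traffic since the previous snapshot to a running total, so a reboot or flush that resets the kernel counters does not lose what was already billed. The field positions are an assumption inferred from the sample output quoted in the thread, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: field positions are inferred
# from the /proc/net/ip_acct sample quoted above ($1 = hex SRC/MASK->DST/MASK,
# $7 = packet counter, $8 = byte counter).

# acct_parse: ip_acct text on stdin -> "src/mask->dst/mask packets bytes".
# The header and the wrapped tail of each rule do not match and are skipped.
acct_parse() {
    awk '
    function hex(s,   i, n) {               # hex string -> number, portable awk
        s = toupper(s); n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
        return n
    }
    function quad(h) {                      # 8 hex digits -> dotted quad
        return hex(substr(h,1,2)) "." hex(substr(h,3,2)) "." hex(substr(h,5,2)) "." hex(substr(h,7,2))
    }
    $1 ~ /^[0-9A-Fa-f]+\/[0-9A-Fa-f]+->/ {
        split($1, p, "[/>-]+")
        print quad(p[1]) "/" quad(p[2]) "->" quad(p[3]) "/" quad(p[4]), $7, $8
    }'
}

# acct_accumulate PREV CUR TOTALS: print new totals ("rule bytes") on stdout.
# PREV and CUR are acct_parse snapshots, TOTALS is the running total; all three
# files must exist (they may be empty). A byte counter lower than in PREV means
# the kernel counters were reset, so the whole current value counts as new.
acct_accumulate() {
    awk '
    FILENAME == ARGV[1] { prev[$1] = $3 + 0; next }
    FILENAME == ARGV[2] {
        cur = $3 + 0
        add[$1] = ($1 in prev && cur >= prev[$1]) ? cur - prev[$1] : cur
        next
    }
    { tot[$1] = $2 + 0 }
    END {
        for (k in add) tot[k] += add[k]
        for (k in tot) printf "%s %.0f\n", k, tot[k]
    }' "$1" "$2" "$3" | sort
}

# Cron usage (file names are placeholders):
#   acct_parse < /proc/net/ip_acct > cur
#   acct_accumulate prev cur totals > new && mv new totals && mv cur prev
```

A reset followed by enough traffic to exceed the previous counter value between two snapshots cannot be detected this way, which is another reason to keep the snapshot interval short.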
