ip user accounting

i use a linux box as a router to the internet. since
international traffic is limited by our provider, i need
to know who creates how much traffic. i found the program
ipacct in the version 0.7b which should be a kernel patch
to 2.0.21. i've installed kernel 2.0.29 and tried to apply
this patch to my kernel-source, but it didn't work. so i
downloaded a 2.0.21 kernel, applied the patch, which worked,
but it didn't compile.
does anyone know a version of ipacct that really works with
a newer kernel (2.0.29 would be great) or a similar
product. the minimum of information i need is how much
traffic was produced by which ip-address. if i also could
see, where this traffic was routed to, it would be wonderful, but i don't really need that.
afuerst Asked:

sauron Commented:
In recent kernels, IP accounting is a standard kernel option. IP accounting information is written to /proc/net/ip_acct, so you obviously need a proc filesystem.

Administration is managed in much the same way as firewalling - the ipfwadm tool allows you to set policies which govern which packets are counted. The options available are extremely flexible, you can count stuff from specific IP addresses, you can split this into destination nets if you like.

Check man ipfwadm for more details....
afuerst (Author) Commented:
i have a /proc filesystem and ip_accounting enabled, but
cat /proc/net/ip_acct gives the following information:

------------------------------
IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 248662    22064985  0 0 0 0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 21831     1586300   0 0 0 0 0 0 0 0 0 0 AFF X00
------------------------------

but - as i mentioned in my question - i need the information
who produced how much traffic. i don't want to limit any
ip-address, i just need to know who i have to charge for
how much traffic. in man ipfwadm i only found the possibility
to limit an ip-address. (perhaps i misunderstand the
man-pages?)
sauron Commented:
You need to do something like :-

ipfwadm -A -f
ipfwadm -A -a -S192.168.1.1/32 -D0.0.0.0/0

The first rule flushes the IP-accounting tables. The second appends a rule that counts all packets from 192.168.1.1 to anywhere. If you also want stuff going to this address, you can specify the -b switch for bidirectional.

From man ipfw:-

Accounting

The accounting rules are used for all IP packets that are sent or received via one of the local network interfaces. Every packet will be compared with all rules in this list, and every match will cause an increment of the packet and byte counters associated with that rule.

This should do what you want ???
afuerst (Author) Commented:
thank you, you are absolutely right, this is about what
i wanted. but there are 2 questions now:

* if i add first of all the total network and then each
ip-address separately, do both counters increment?

* the counters automatically reset when it is rebooted.
what is the best way of saving this information? this
point is important for me, because it changes my charges
to my customers...
sauron Commented:
The important thing to note is that packet and byte counters are not kept for addresses per se, they are kept for accounting rules.

So, if a packet matches two rules, then the counters associated with both those rules will be incremented.

For the second part, well, if we assume that your machine will only be rebooted or halted intentionally (and to make this assumption you should have a UPS on it), then it will be switching to runlevel 6 or 0 when it shuts down.

Put a K script in the appropriate /etc/rc.d/rcn.d directory, that copies /proc/net/ip_acct to a holding area on a real filesystem. That should handle it, albeit in a crude way. Unfortunately, if you ever get a kernel panic, you will lose some data - it might be wise to have a cron job that copies /proc/net/ip_acct somewhere each hour/day - that way you can limit the amount of data that is vulnerable at any given time.
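
Saved copies of /proc/net/ip_acct are only useful for billing once they are turned into per-rule usage. The following is an added example, not code from the thread or from ipfwadm: it parses the layout quoted earlier in the thread and computes the bytes each rule gained between two saved snapshots, treating a counter that went down as a reboot or flush. The field positions are inferred from the sample in the thread, and the second snapshot is constructed.

```python
import ipaddress

# First snapshot: the two rules quoted in the thread, one rule per line.
# Second snapshot is constructed: rule 1 grew, rule 2 restarted after a reboot.
SNAP_1 = """IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 248662    22064985  0 0 0 0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 21831     1586300   0 0 0 0 0 0 0 0 0 0 AFF X00
"""
SNAP_2 = """IP accounting rules
AC100000/FFFFFF00->00000000/00000000 - 00000000 0 0 0 249000    22100000  0 0 0 0 0 0 0 0 0 0 AFF X00
AACDF500/FFFFFF80->00000000/00000000 - 00000000 0 0 0 12        900       0 0 0 0 0 0 0 0 0 0 AFF X00
"""


def _net(field):
    """'AC100000/FFFFFF00' -> '172.16.0.0/24' (assumes a contiguous mask)."""
    addr, mask = (int(part, 16) for part in field.split("/"))
    return str(ipaddress.ip_network((addr, bin(mask).count("1")), strict=False))


def parse_ip_acct(text):
    """Return {(src_net, dst_net): (packets, bytes)}, one entry per rule."""
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or "->" not in fields[0]:
            continue  # header line or a wrapped fragment
        src, dst = fields[0].split("->")
        # Positions inferred from the thread's sample: fields 6 and 7 are
        # the packet and byte counters.
        rules[(_net(src), _net(dst))] = (int(fields[6]), int(fields[7]))
    return rules


def billable_bytes(prev, curr):
    """Bytes added per rule between two snapshots.

    A counter below its saved value means the rules were flushed or the
    machine rebooted, so the whole current value counts as new traffic.
    """
    usage = {}
    for rule, (_, now) in curr.items():
        before = prev.get(rule, (0, 0))[1]
        usage[rule] = now - before if now >= before else now
    return usage


if __name__ == "__main__":
    for rule, used in billable_bytes(parse_ip_acct(SNAP_1), parse_ip_acct(SNAP_2)).items():
        print(f"{rule[0]} -> {rule[1]}: {used} bytes")
```

Traffic counted between the last saved snapshot and an unplanned reboot is still lost, which is why the snapshot interval bounds the billing error.
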
afuerst (Author) Commented:
well, perhaps you don't have bad experience with the
cleaning stuff...
the idea of regularly saving the data is good, i'll
do it that way.