Per user network accounting

Is there a way to keep count of the bandwidth used on a per-user basis in Linux?

Nothing to do with websites or anything... I run a server and users use rsync to send data to it.  Unfortunately, rsync doesn't have good enough logging capabilities, and even if it did it wouldn't be able to account for overheads.

So is there some other package out there that can keep track of network/bandwidth activity, but break it down on a per-user basis?

The rsync rides on an ssh session, so that might be a possibility too... measuring the data flowing through the ssh session.

I don't know... I've tried various things but I haven't even come close.

Also worth noting here is that often times the application itself is running as root, rather than a user, and it's the application that understands the correlation between a specific user, and the permissions on the disk... the kernel may not see the user-level associations, unless the application changes effective UID and drops root privs, but again, this can be very complicated for the kernel to try and spend time figuring something out for accounting purposes; lots of overhead for data of questionable accuracy.
I would say you'll either need to break things down by source/destination IP address (e.g. iptables rules which match specific IP's, just to take advantage of packet counters), or use a proxy that can monitor bandwidth.

In the case of the proxy, I'd suggest looking on for something that does bandwidth shaping/limiting, as it will probably include abilities for accounting.  The other approach would be a SOCKS proxy, as you can usually use a wrapper library on the client side for applications that don't support SOCKS by default.

Unique (and static) source IP's are going to be the best bet, for iptables-based accounting.
s_mack (Author) Commented:
Found dozens of monitors that are IP based...but that does me no good really, because then I have to keep track of which user belongs to which IP, and that changes all the time.

It amazes me that there isn't an easy way to do this.  Users need to log in and I can measure every other resource imaginable... why not bandwidth?

It must be on a per-user basis, not IP.

In case there is confusion.... these are users belonging to this local machine... not just random unknown hits from throughout the world (like a website).  Each user has an account on the server and logs in via openssh.
There is software that can track users from the network side, and audit their activity, but this is usually part of high-end corporate firewall software.  E.g. in the case of CheckPoint FW-1 / NG, user sessions are established, but this is tied into a PDC and other Windows-esque stuff.

Packets are not processed with user ownership in mind; TCP doesn't offer a "UID" field... hence, there are no "simple" ways of doing this.  There might be some iptables-based NAT / QoS features that can take part here, and/or if you can control a DHCP server and do static IP assignments for the users that need to be accounted.

If you can't get static IP's set up, then you may have to look to a system of custom scripts to do the IP->user mappings for you, to make the reports useful.
s_mack (Author) Commented:
aww crud.

Maybe it's just not useful to anyone but me, but I would think that sshd would log this stuff.

Thanks for your reply.  I'll wait and see if anyone else knows of anything.
Well, bandwidth control has to be address/proto/port based.
So, I think the only solution is to write a little daemon to bind the user authentication to the source IP address of the connection and afterwards to bring those addresses dynamically to some IP-based traffic shaper.

Maybe this question has to be placed in 'Linux Programming' too.
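
The IP->user mapping suggested in the replies above, as an added example that is not part of the original thread: it reads sshd's "Accepted" log lines to learn which user logged in from which address, then assigns per-address byte counters from `iptables-save -c` to that user. It assumes one INPUT accounting rule per client address on port 22 (so it counts data sent to the server); the log lines, addresses and user names are constructed.

```python
import re
from collections import defaultdict

# sshd syslog line for a successful login (OpenSSH format).
ACCEPTED = re.compile(
    r"sshd(?:-session)?\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
# `iptables-save -c` rule line: [packets:bytes] -A INPUT -s IP/32 ... --dport 22
RULE = re.compile(r"^\[\d+:(?P<bytes>\d+)\] -A INPUT -s (?P<ip>[\d.]+)/32 .*--dport 22\b")

def users_by_ip(auth_lines):
    """Return {ip: set of users that logged in from that address}."""
    seen = defaultdict(set)
    for line in auth_lines:
        m = ACCEPTED.search(line)
        if m:
            seen[m["ip"]].add(m["user"])
    return seen

def bytes_per_user(auth_lines, rule_lines):
    """Return (totals, unattributed): {user: bytes} and {ip: bytes}."""
    owners = users_by_ip(auth_lines)
    totals, unattributed = defaultdict(int), {}
    for line in rule_lines:
        m = RULE.match(line)
        if not m:
            continue
        ip, count = m["ip"], int(m["bytes"])
        users = owners.get(ip, set())
        if len(users) == 1:
            totals[next(iter(users))] += count
        else:
            # No login, or several users behind one address (NAT, reassigned
            # IP): an IP-keyed counter cannot say whose traffic this was.
            unattributed[ip] = unattributed.get(ip, 0) + count
    return dict(totals), unattributed

# Constructed sample input (documentation address ranges, made-up users).
AUTH_LOG = [
    "Mar  3 10:01:12 backup sshd[2101]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:05:40 backup sshd[2140]: Accepted password for bob from 198.51.100.7 port 40022 ssh2",
    "Mar  3 11:30:02 backup sshd[2302]: Accepted publickey for carol from 198.51.100.7 port 40988 ssh2",
    "Mar  3 12:00:00 backup sshd[2400]: Accepted publickey for alice from 192.0.2.44 port 33010 ssh2",
]
RULES = [
    "[5210:7340032] -A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22",
    "[900:1200000] -A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22",
    "[40:52000] -A INPUT -s 192.0.2.44/32 -p tcp -m tcp --dport 22",
]
```

The address shared by bob and carol ends up in the unattributed set, which is the limit of IP-keyed accounting that the thread keeps running into.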
This is from redhat mailing list.. but..


No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
Split Points:  macker- & joju

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
Question has a verified solution.
