Per user network accounting

Posted on 2005-04-22
Last Modified: 2010-08-05
Is there a way to keep count of the bandwidth used on a per-user basis in Linux?

Nothing to do with websites or anything... I run a server and users use rsync to send data to it.  Unfortunately, rsync doesn't have good enough logging capabilities, and even if it did it wouldn't be able to account for overheads.

So is there some other package out there that can keep track of network/bandwidth activity, but break it down on a per-user basis?

The rsync rides on an ssh session, so that might be a possibility too... measuring the data flowing through the ssh session.

I don't know... I've tried various things but I haven't even come close.

Question by:s_mack

    Expert Comment

    I would say you'll either need to break things down by source/destination IP address (e.g. iptables rules which match specific IP's, just to take advantage of packet counters), or use a proxy that can monitor bandwidth.

    In the case of the proxy, I'd suggest looking on for something that does bandwidth shaping/limiting, as it will probably include abilities for accounting.  The other approach would be a SOCKS proxy, as you can usually use a wrapper library on the client side for applications that don't support SOCKS by default.

    Unique (and static) source IP's are going to be the best bet, for iptables-based accounting.

    Author Comment

    Found dozens of monitors that are IP based...but that does me no good really, because then I have to keep track of which user belongs to which IP, and that changes all the time.

    It amazes me that there isn't an easy way to do this.  Users need to log in and I can measure every other resource imaginable... why not bandwidth?

    It must be on a per-user basis, not IP.

    In case there is confusion.... these are users belonging to this local machine... not just random unknown hits from throughout the world (like a website).  Each user has an account on the server and logs in via openssh.

    Expert Comment

    There is software that can track users from the network side, and audit their activity, but this is usually part of high-end corporate firewall software.  E.g. in the case of CheckPoint FW-1 / NG, user sessions are established, but this is tied into a PDC and other Windows-esque stuff.

    Packets are not processed with user ownership in mind; TCP doesn't offer a "UID" field... hence, there are no "simple" ways of doing this.  There might be some iptables-based NAT / QoS features that can take part here, and/or if you can control a DHCP server and do static IP assignments for the users that need to be accounted.

    If you can't get static IP's set up, then you may have to look to a system of custom scripts to do the IP->user mappings for you, to make the reports useful.

    Accepted Solution

    Also worth noting here is that often times the application itself is running as root, rather than a user, and it's the application that understands the correlation between a specific user, and the permissions on the disk... the kernel may not see the user-level associations, unless the application changes effective UID and drops root privs, but again, this can be very complicated for the kernel to try and spend time figuring something out for accounting purposes; lots of overhead for data of questionable accuracy.

    Author Comment

    aww crud.

    Maybe it's just not useful to anyone but me, but I would think that sshd would log this stuff.

    Thanks for your reply.  I'll wait and see if anyone else knows of anything.

    Expert Comment

    Well, bandwidth control has to be address/proto/port based.
    So, I think the only solution is to write a little daemon to bind the user authentication to the source IP address of the connection and afterwards to bring those addresses dynamically to some IP-based traffic shaper.

    Maybe this question has to be placed in 'Linux Programming' too.
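
The IP-to-user binding suggested in the replies above, sketched as an added example that is not part of the thread or any poster's code: it pairs sshd login and session-close lines by sshd PID, then credits per-IP byte samples to whoever was logged in from that address at the time. The log lines, the byte samples, the collector that would produce them and the year are all constructed assumptions; traffic from an IP shared by two users is reported as ambiguous rather than guessed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample data, not from the thread. Assumed formats: sshd syslog
# lines as OpenSSH with PAM commonly writes them, and per-IP byte deltas read
# from iptables counters by a hypothetical collector.
AUTH_LOG = """\
Apr 22 10:00:01 srv sshd[4101]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Apr 22 10:05:00 srv sshd[4177]: Accepted password for bob from 198.51.100.7 port 40022 ssh2
Apr 22 10:20:00 srv sshd[4101]: pam_unix(sshd:session): session closed for user alice
Apr 22 10:30:00 srv sshd[4250]: Accepted publickey for carol from 203.0.113.5 port 51300 ssh2
Apr 22 10:31:00 srv sshd[4260]: Accepted publickey for alice from 203.0.113.5 port 51301 ssh2
"""
SAMPLES = [  # (timestamp, source IP, bytes since the previous sample)
    ("Apr 22 10:10:00", "203.0.113.5", 5000),  # only alice is logged in
    ("Apr 22 10:10:00", "198.51.100.7", 700),  # bob
    ("Apr 22 10:25:00", "203.0.113.5", 40),    # no session from this IP
    ("Apr 22 10:35:00", "203.0.113.5", 900),   # carol and alice share the IP
]
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"^Accepted \S+ for (\S+) from (\S+) port \d+")
CLOSE = re.compile(r"session closed for user (\S+)")

def ts(text, year=2005):  # syslog omits the year; 2005 is an assumption
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def sessions(log):
    """Return [user, ip, start, end] per login; end is None while open."""
    by_pid, out = {}, []
    for m in filter(None, map(LINE.match, log.splitlines())):
        when, pid, msg = ts(m.group(1)), m.group(2), m.group(3)
        if (a := ACCEPT.match(msg)):
            by_pid[pid] = [a.group(1), a.group(2), when, None]
            out.append(by_pid[pid])
        elif CLOSE.search(msg) and pid in by_pid:
            by_pid.pop(pid)[3] = when  # same sshd PID ties close to login
    return out

def account(log, samples):
    """Credit each per-IP byte sample to the user logged in from that IP."""
    sess, totals = sessions(log), defaultdict(int)
    for when, ip, nbytes in samples:
        t = ts(when)
        users = {u for u, sip, start, end in sess
                 if sip == ip and start <= t and (end is None or t < end)}
        owner = users.pop() if len(users) == 1 else (
            "AMBIGUOUS" if users else "UNATTRIBUTED")
        totals[owner] += nbytes
    return dict(totals)
```
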

    Expert Comment

    This is from redhat mailing list.. but..



    Expert Comment

    No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
    I will leave the following recommendation for this question in the Cleanup topic area:
    Split Points:  macker- & joju

    Any objections should be posted here in the next 4 days. After that time, the question will be closed.

    EE Cleanup Volunteer
