chrism Guru

Joined: 15 Jul 2004 Posts: 526
|
Posted: Thu Apr 17, 2008 1:43 pm Post subject: Traffic monitoring |
|
|
Hello everyone,
we have a server which is acting as a Samba server, as a web server and as a gateway. The workgroup consists of approximately 25 clients.
The problem I have is that I have to keep track of the amount of traffic each client sends via the gateway, and each client produces with the server itself.
I tried vnstat, which doesn't seem suitable since it only records the total amount of traffic. I also tried to get IPTables to do the job (https://forums.gentoo.org/viewtopic-t-617960.html); since the IP addresses are issued by a DHCP server which is not under my control, it didn't work, though.
Another problem is that, due to legal reasons, I am not allowed to sniff the traffic, so ethereal and wireshark are no good either.
It would be great if someone had a solution.
Thanks,
Chris |
 |
octanez Tux's lil' helper


Joined: 18 Apr 2004 Posts: 149 Location: Washington DC Metro, USA, Earth
|
Posted: Thu Apr 17, 2008 2:55 pm Post subject: |
|
|
Have you taken a look at ntop?
I am not sure what kind of reports you need to generate but it might be a good place to start. |
 |
chrism Guru

Joined: 15 Jul 2004 Posts: 526
|
Posted: Thu Apr 17, 2008 3:55 pm Post subject: |
|
|
I tried ntop, but unfortunately it logs too much. I am not allowed to even use a program which has the capability to trace the users' actions. Only the amount of traffic they produce.
I was thinking of something like vnstat, but instead of only having the network interfaces, having a list of all clients:
eg:
Quote: |
rx / tx / total / estimated
eth1-total:
today 203.29 MB / 271.19 MB / 474.49 MB / 634 MB
eth0-total:
today 475.25 MB / 28.40 MB / 503.66 MB / 673 MB
client1:
today 75.25 MB / 28.40 MB / 103.66 MB / 173 MB
client2:
today 75.25 MB / 28.40 MB / 103.66 MB / 173 MB
....
|
More like this, it doesn't have to be fancy... thanks,
Chris |
 |
Hu Moderator

Joined: 06 Mar 2007 Posts: 20744
|
Posted: Fri Apr 18, 2008 3:16 am Post subject: |
|
|
You could abuse iptables for this. I think the last time I suggested this, someone else almost immediately posted a more elegant solution. However, I do not recall what that solution was, and a quick search of old posts does not reveal it.
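Code: |
# Count-only rules (no -j target): they match and count, but take no action.
for octet in $(seq 1 25); do
    iptables -A FORWARD -s 192.168.0.${octet}   # from the host, forwarded
    iptables -A FORWARD -d 192.168.0.${octet}   # to the host, forwarded
    iptables -A INPUT   -s 192.168.0.${octet}   # from the host to this machine
done
|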
This adds three rules for each of the 25 hosts. The first FORWARD rule counts traffic originating from the host, which is presumably bound for the Internet. The second FORWARD rule counts traffic going to the host, which is presumably from the Internet. The INPUT rule counts traffic coming from the host to the local machine. If you also need to count traffic going from the local machine to the host, add a rule to OUTPUT as well.
These rules only count packets and bytes, but do not store any contents. As written, it does not even store port numbers, so you cannot tell whether the host was using ssh, http, rsync, or a p2p client. |
 |
DarKRaveR Guru

Joined: 11 Oct 2003 Posts: 500 Location: Old Europe/G-Many
|
Posted: Fri Apr 18, 2008 6:18 am Post subject: |
|
|
1.) Use Iptables ... which is quite cumbersome, if you have dynamic IPs
2.) Use tcpdump and snap only the header (snaplen=20 - ip header only)
3.) Write something yourself?
All other options are more or less derivatives of the same thing; you will have to look into the packets, no matter what ... |
 |
bradp_84 n00b

Joined: 06 Nov 2004 Posts: 48 Location: Australia
|
Posted: Fri Apr 18, 2008 2:12 pm Post subject: |
|
|
If you want to use the iptables approach, you could always configure dhcp to give out static IPs, i.e. map an IP to a MAC in the dhcp configuration. |
 |
tutaepaki Apprentice

Joined: 11 Nov 2003 Posts: 279 Location: New Zealand
|
Posted: Fri Apr 18, 2008 9:45 pm Post subject: |
|
|
Take a look at ipaudit. |
 |
theotherjoe Guru

Joined: 22 Nov 2003 Posts: 393
|
Posted: Sat Apr 19, 2008 7:21 am Post subject: |
|
|
Another tool you may want to have a look at is iptraf; it's in portage.
http://iptraf.seul.org/ |
 |
-Craig- Guru

Joined: 03 Jun 2004 Posts: 333
|
Posted: Sun Apr 20, 2008 11:10 pm Post subject: |
|
|
iptraf is not an option.
I'd recommend using iptables -nvxZL & some bash/sed/awk & a mysql backup.
You'd have to write that on your own, of course... |
 |
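An added example, not written by any poster in this thread: a parser for the `iptables -nvx -L` listing that sums the byte counters of count-only rules like those in Hu's post into one rx/tx/total line per client, along the lines -Craig- suggests. The function names, the default `192.168.0.` prefix and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Live use (as root): iptables -nvx -L | per_client_totals
# Only the kernel's per-rule byte counters are read; no packet data is captured.

per_client_totals() {
    # stdin: `iptables -nvx -L` output; $1: client address prefix (assumed default)
    awk -v prefix="${1:-192.168.0.}" '
        # Rule rows start with two integers (pkts, bytes); headers do not.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            # A rule without -j leaves the target column empty, so the field
            # count varies: take source and destination from the end instead.
            src = $(NF-1); dst = $NF
            if (index(src, prefix) == 1) { tx[src] += $2; seen[src] = 1 }
            if (index(dst, prefix) == 1) { rx[dst] += $2; seen[dst] = 1 }
        }
        END {
            # %.0f instead of %d: some awk builds clamp %d at 2^31-1.
            for (ip in seen)
                printf "%s rx=%.0f tx=%.0f total=%.0f\n", ip, rx[ip], tx[ip], rx[ip] + tx[ip]
        }' | sort -t. -k4,4n
}

sample_counters() {   # constructed sample listing, not real measurements
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     310    5242880            all  --  *      *       192.168.0.1          0.0.0.0/0
      12       1024            all  --  *      *       192.168.0.2          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    5000  999999999 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    1203   29779558            all  --  *      *       192.168.0.1          0.0.0.0/0
     950   78906589            all  --  *      *       0.0.0.0/0            192.168.0.1
      40     204800            all  --  *      *       192.168.0.2          0.0.0.0/0
      55    3145728            all  --  *      *       0.0.0.0/0            192.168.0.2
EOF
}

sample_counters | per_client_totals
```

Rows whose source and destination are both outside the prefix, such as the any-to-any ACCEPT rule in the sample, are ignored. If the counters are zeroed on each read (`-Z`), every run reports the bytes since the previous run rather than a running total.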