On Fri, Mar 14, 2003 at 08:03:17PM +0100, Nils wrote:
>We have two computer labs, with its respective ISP-connections, both with
>volume based rates. These two sites are also connected to each other
>through a VPN. The volume between the two sites should really be marginal.
>Due to what we get charged by the ISP, we suspect a lot of non-sanctioned
>material (mp3..) being transported over smb. I would like to at least be
>able to monitor the volume from respective computer going through the
>firewall (and the VPN).

Here is a quick and dirty method. I wanted to see what ICMP types were
being used so I created a rule on my firewall for each type. The rule just
returns, but the statistics (iptables -vnL) reveal the frequency of each
type:

    # Not sure about these, start logging them...
    # find them in stats...
    iptables -N icmpwach
    for n in `seq 0 255`; do
        echo -n "."
        iptables -I icmpwach -p icmp --icmp-type $n -j RETURN
    done ; echo
    iptables -I INPUT -j icmpwach
    iptables -I FORWARD -j icmpwach
    i="iptables -I INPUT -p icmp"

You might modify the loop to generate a return rule for each ip:

    iptables -I bandwatch -s $n -p all -j RETURN
    iptables -I bandwatch -d $n -p all -j RETURN

Then you could look at the iptable stats and see which ip is using the
gateway. This might be more politically desirable than knowing the IP and
the port ;) On the other hand you could come up with some ports and port
ranges to monitor too.

There are tons of software to calculate and make presentations of this
kind of info.

http://ipaudit.sourceforge.net/ipaudit-web/
    Would you like to summarize and/or log network activity down to the
    ip address and port level of detail, but not record every packet?

http://freshmeat.net/projects/traffacct/
www.hughes.com.au/products/traffacct/
    TraffAcct is a network traffic accounting package designed to
    simplify the process of tracking and billing network usage.

http://bubba.sourceforge.net/
    Bandwidth Utilization Billing and Basic Accounting

http://netacct-mysql.sourceforge.net/
    bandwidth utilization, accounting
    Netacct-mySQL is a monitor which can log traffic generated by a
    specific network (incoming/outgoing). In fact it works like sniffer,
    puts network interface in PROMISC mode and collects traffic.

http://torus.lnet.lut.fi/vnstat/
    vnStat is a network traffic monitor for Linux that keeps a log of
    daily network traffic for the selected interface.

http://ifmonitor.preteritoimperfeito.com/
    ifmonitor is a simple network interface traffic logger and grapher
    for linux.

gkrellm
mrtg

The list goes on, let us know what you come up with.

// George

--
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229
Security Services, Web, Mail,            mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george
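
Added example, not part of the original message: the per-IP "bandwatch" idea carried through to a per-host byte report built from `iptables -vnxL bandwatch` output. The host list and the sample counters are constructed, hooking only FORWARD is an assumption, and the generated rules omit `-j` (a rule with no target only counts), so a packet between two watched hosts is counted for both ends instead of stopping at the first RETURN.

```shell
#!/bin/sh
# Constructed host list; replace with the lab machines' addresses.
HOSTS="192.0.2.10 192.0.2.11 192.0.2.12"

# Print the commands that build the accounting chain (review, then run as root).
bandwatch_rules() {
    echo "iptables -N bandwatch"
    for ip in $HOSTS; do
        # No -j target: the rule only increments its packet/byte counters.
        echo "iptables -A bandwatch -s $ip"
        echo "iptables -A bandwatch -d $ip"
    done
    echo "iptables -I FORWARD -j bandwatch"
}

# Read `iptables -vnxL bandwatch` on stdin (-x gives exact byte counts) and
# print "ip sent received total", heaviest host first.
bandwatch_report() {
    awk '
        $1 ~ /^[0-9]+$/ {
            # Source/destination are the last two fields whether or not the
            # target column is empty (no -j) or filled (e.g. RETURN).
            src = $(NF-1); dst = $NF
            if (src != "0.0.0.0/0") { tx[src] += $2; seen[src] = 1 }
            if (dst != "0.0.0.0/0") { rx[dst] += $2; seen[dst] = 1 }
        }
        END {
            for (ip in seen)
                printf "%s %.0f %.0f %.0f\n", ip, tx[ip], rx[ip], tx[ip] + rx[ip]
        }' | sort -k4,4nr
}

# Constructed sample of the counter listing, for trying the parser offline.
sample_stats() {
cat <<'EOF'
Chain bandwatch (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1500000            all  --  *      *       192.0.2.10           0.0.0.0/0
     900     450000            all  --  *      *       0.0.0.0/0            192.0.2.10
   52000  710000000            all  --  *      *       192.0.2.11           0.0.0.0/0
   48000   64000000            all  --  *      *       0.0.0.0/0            192.0.2.11
      10       8000 RETURN     all  --  *      *       192.0.2.12           0.0.0.0/0
EOF
}

sample_stats | bandwatch_report
```

On the firewall itself the report would be fed with `iptables -vnxL bandwatch | bandwatch_report`; `iptables -Z bandwatch` resets the counters at the start of each billing period.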