-Jake
Luigi Rizzo wrote:
Let me understand: you basically want something that puts flow statistics
in the bucket identified by the of the first SYN
packet you see (the assumption being that connections are
initiated by clients towards a well-known port, which appears
as dst-port in the first SYN packet)?
Or, if you are just happy to aggregate by IP, one solution I often
use is the following (based on dummynet's dynamic pipes):
# do not expire pipes even if they have no pending traffic
sysctl net.inet.ip.dummynet.expire=0
# create separate pipes for src and dst masks
ipfw pipe 20 config mask src-ip 0xffffffff buckets 256
ipfw pipe 21 config mask dst-ip 0xffffffff buckets 256
ipfw add pipe 20 ip from $my_subnet to any
ipfw add pipe 21 ip from any to $my_subnet
cheers
luigi
On Tue, Oct 22, 2002 at 02:47:36PM -0300, Marc G. Fournier wrote:
>I've got FreeBSD setup as a firewall to our campus network, and its doing
>a great job of it, but we want to be able log statistics on traffic going
>in and out ...
>
>I have trafd running on the server, with it dumping its data to a
>PostgreSQL database, but for every ~8min "segment", it is logging ~12 000
>records ... so ~90k/hr, or 2.16 million per day ...
>
>Now, I'm figuring that if I could determine direction of flow (did we
>originate the connection, or did someone off campus originate it), I could
>shrink that greatly, as right now I have stuff like:
>
>216.158.133.242 80 131.162.158.24 3914 6 2356 4
>216.158.133.242 80 131.162.158.24 3915 6 47767 34
>216.158.133.242 80 131.162.158.24 3916 6 78962 56
>216.158.133.242 80 131.162.158.24 3917 6 330141 224
>216.158.133.242 80 131.162.158.24 3918 6 118862 89
>216.158.133.242 80 131.162.158.24 3919 6 264139 185
>216.158.133.242 80 131.162.158.24 3920 6 259543 179
>216.158.133.242 80 131.162.158.24 3921 6 98014 73
>216.158.133.242 80 131.162.158.24 3922 6 267772 186
>216.158.133.242 80 131.162.158.24 3923 6 148879 109
>216.158.133.242 80 131.162.158.24 3924 6 6406 8
>216.158.133.242 80 131.162.158.24 3925 6 2486 5
>216.158.133.242 80 131.162.158.24 3928 6 109584 75
>216.158.133.242 80 131.162.158.24 3929 6 92435 62
>216.158.133.242 80 131.162.158.24 3936 6 13059 9
>216.158.133.242 80 131.162.158.24 3937 6 22641 17
>
>where I don't care about the source port, only the dest port ... except,
>in the above, trafd is writing it as 'source port == 80' and 'dest port'
>is arbitrary ...
>
>while later in the results, I'll get something like:
>
> 130.94.4.7 40072 131.162.138.193 25 6 2976 10
> 130.94.4.7 58562 131.162.138.193 25 6 5249 16
>
>which does make sense (ie. source port -> dest port) ...
>
>is there something that I can do with libpcap that will give me better
>information than trafd does? is there a 'tag' in the IP headers that can
>be used to determine the originator of the connection?
>
>thanks ...
>
>
>
>To Unsubscribe: send mail to [EMAIL PROTECTED]
>with "unsubscribe freebsd-net" in the body of the message
-- Jacob S. Barrett [EMAIL PROTECTED] www.amduat.net
"I don't suffer from insanity, I enjoy every minute of it."
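The SYN-oriented bucketing Luigi describes, worked through in Python as an added example (not code from anyone in this thread). It runs over constructed packet summaries of the kind a libpcap callback would hand over, orients each connection by the first SYN-without-ACK it sees, and then collapses all of a client's connections to one service into a single (server, port, client) bucket, which is the reduction Marc is after; the campus prefix 131.162.0.0/16 is an assumption drawn from the addresses in his records.

```python
import ipaddress
from collections import defaultdict

SYN, ACK = 0x02, 0x10
# Constructed packet summaries (src, sport, dst, dport, tcp_flags, ip_len):
# what a libpcap callback would hand over after parsing the IP/TCP headers.
PACKETS = [
    ("131.162.158.24", 3914, "216.158.133.242", 80, SYN, 60),   # campus host opens HTTP
    ("216.158.133.242", 80, "131.162.158.24", 3914, SYN | ACK, 60),
    ("131.162.158.24", 3914, "216.158.133.242", 80, ACK, 452),
    ("216.158.133.242", 80, "131.162.158.24", 3914, ACK, 1500),
    ("216.158.133.242", 80, "131.162.158.24", 3914, ACK, 1500),
    ("130.94.4.7", 40072, "131.162.138.193", 25, SYN, 60),       # off-campus host delivers mail
    ("131.162.138.193", 25, "130.94.4.7", 40072, SYN | ACK, 60),
    ("130.94.4.7", 40072, "131.162.138.193", 25, ACK, 2800),
    ("10.9.9.9", 5555, "131.162.1.1", 443, ACK, 1500),           # mid-stream, SYN never seen
]

def aggregate(packets):
    """Bucket bytes by (server_ip, service_port, client_ip), oriented by the first SYN.
    Both directions of a connection share one sorted 5-tuple key. The client is
    whoever sent a SYN without ACK; its destination port is the service port.
    Packets of a flow whose SYN was never captured go to an 'unknown' bucket
    rather than being guessed at from the port numbers.
    """
    initiator = {}                        # flow key -> (client, server, service_port)
    stats = defaultdict(lambda: [0, 0])   # bucket -> [bytes_to_server, bytes_from_server]
    for src, sport, dst, dport, flags, size in packets:
        key = tuple(sorted([(src, sport), (dst, dport)]))
        if key not in initiator and flags & SYN and not flags & ACK:
            initiator[key] = (src, dst, dport)
        if key not in initiator:
            stats[("unknown", src, dst)][0] += size
            continue
        client, server, port = initiator[key]
        stats[(server, port, client)][0 if src == client else 1] += size
    return {k: tuple(v) for k, v in stats.items()}

def classify(stats, campus_net):
    """Label each bucket 'outbound' if a campus host was the client, else 'inbound'."""
    net = ipaddress.ip_network(campus_net)   # assumed campus prefix, e.g. "131.162.0.0/16"
    labelled = {}
    for (server, port, client), (to_srv, from_srv) in stats.items():
        if server == "unknown":
            label = "unknown"
        else:
            label = "outbound" if ipaddress.ip_address(client) in net else "inbound"
        labelled[(server, port, client)] = (label, to_srv, from_srv)
    return labelled
```

Flows that were already established when the capture started never show a bare SYN, so they land in the 'unknown' bucket; on a long-running collector that is only the first few minutes' worth of traffic, but it is worth keeping them separate rather than inferring direction from which side uses the low port.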