On Wed, 13 Aug 2003, Nick Barnes wrote:

> I have written a small utility for traffic volume monitoring on an
> Ethernet segment. It uses libpcap to capture the ethernet header of
> every packet and counts traffic volume by source and destination MAC. A
> bit like a lobotomized tcpdump (and indeed that is what I started with).

The easiest way would actually be to expand your tool to also look at the
IP header and track usage at the IP level in the first place. Converting
MAC addresses back to IPs is hard in the world of IPv4 (it's a lot easier
in IPv6 but that probably won't help you :-). One nice thing about the
tracking at capture time model is that it will allow you to handle
MAC<->IP mapping changes in more flexible ways. Since you only need the
source/dest IP addresses, you don't even have to deal with IP option
parsing, just check the frame type for IP, then look for the 'struct ip'
after the ethernet frame header.

The usual reference source code I toss out for this sort of thing is:

http://www.watson.org/~robert/freebsd/bpfmon.tgz

I recently received patches to make it distinguish source/dest address as
well, so I guess I should stick it in a CVS tree sometime.

> Currently the report looks like this:
>
> Per-MAC:                 out      out       in       in
>                      packets    bytes  packets    bytes
> ff:ff:ff:ff:ff:ff:         0        0        4      240
> 00:07:e9:db:2a:26:        71     5435      127    70958
> 00:02:b3:33:37:0f:       389   290734      331    38761
> 00:90:27:ed:3c:70:        33    15909       30     4105
> 00:50:fc:01:f4:0e:         7     1648        5      717
> 00:d0:b7:ac:99:87:       142    15184      153   105835
> 00:03:47:fa:fb:5b:       105    15832       98   115895
> 00:07:e9:92:c0:76:        28     3221       27    11452
>
> Per-header:                               packets    bytes
> 00:90:27:ed:3c:70 -> 00:d0:b7:ac:99:87:         7     4798
> 00:d0:b7:ac:99:87 -> 00:90:27:ed:3c:70:         6      689
> 00:90:27:ed:3c:70 -> 00:02:b3:33:37:0f:         6      513
> 00:02:b3:33:37:0f -> 00:90:27:ed:3c:70:         6     1273
> 00:02:b3:33:37:0f -> 00:07:e9:92:c0:76:         7      854
> 00:07:e9:92:c0:76 -> 00:02:b3:33:37:0f:         8      958
> 00:02:b3:33:37:0f -> 00:07:e9:db:2a:26:       127    70958
> 00:07:e9:db:2a:26 -> 00:02:b3:33:37:0f:        71     5435
> 00:d0:b7:ac:99:87 -> ff:ff:ff:ff:ff:ff:         2      120
> 00:50:fc:01:f4:0e -> 00:02:b3:33:37:0f:         7     1648
> 00:02:b3:33:37:0f -> 00:50:fc:01:f4:0e:         5      717
> 00:02:b3:33:37:0f -> 00:d0:b7:ac:99:87:       146   101037
> 00:d0:b7:ac:99:87 -> 00:02:b3:33:37:0f:       134    14375
> 00:07:e9:92:c0:76 -> ff:ff:ff:ff:ff:ff:         2      120
> 00:90:27:ed:3c:70 -> 00:07:e9:92:c0:76:        20    10598
> 00:07:e9:92:c0:76 -> 00:90:27:ed:3c:70:        18     2143
> 00:03:47:fa:fb:5b -> 00:02:b3:33:37:0f:       105    15832
> 00:02:b3:33:37:0f -> 00:03:47:fa:fb:5b:        98   115895
>
> total:                                        775   347963
>
> I would like to be able to report by IP address.
>
> Yours,
>
> Nick Barnes
> Ravenbrook Limited
> _______________________________________________
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
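The "check the frame type, then read the fixed IP header fields" approach from the reply, written out as an added example (not bpfmon's code and not from the thread): a pure-C frame parser plus a per-IP-pair tally of the kind a libpcap callback would feed with pkthdr->caplen and pkthdr->len. The frames are constructed test data using the 192.0.2.0/24 documentation range; the length and version checks are what keep a truncated or non-IP capture from being misread.

```c
#include <stdint.h>
#include <stddef.h>
#define ETHER_HDR_LEN 14          /* dst MAC(6) + src MAC(6) + ethertype(2) */
#define ETHERTYPE_IPV4 0x0800
#define MAX_FLOWS 64
struct flow_stat { uint32_t src, dst; unsigned long packets, bytes; };
static struct flow_stat table[MAX_FLOWS];   /* src->dst IP pairs seen so far */
static int nflows;
static uint32_t be32(const uint8_t *p) {    /* big-endian field to host order */
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Return 1 and fill src/dst if the captured frame carries IPv4, else 0.
 * Only the ethertype and the fixed IP header fields are read: no option parsing. */
int parse_ipv4_frame(const uint8_t *frame, size_t caplen, uint32_t *src, uint32_t *dst)
{
    if (caplen < ETHER_HDR_LEN + 20) return 0;               /* shorter than eth + min IP */
    if ((frame[12] << 8 | frame[13]) != ETHERTYPE_IPV4) return 0; /* ARP, IPv6, VLAN... */
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    unsigned ihl = (ip[0] & 0x0f) * 4;                       /* header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20 || caplen < ETHER_HDR_LEN + ihl) return 0;
    *src = be32(ip + 12); *dst = be32(ip + 16);              /* saddr/daddr offsets */
    return 1;
}
/* Account one frame (caplen bytes captured, wirelen bytes on the wire) against its
 * src->dst IP pair. Returns the table slot, or -1 if the frame is not counted. */
int account_frame(const uint8_t *frame, size_t caplen, size_t wirelen)
{
    uint32_t s, d;
    if (!parse_ipv4_frame(frame, caplen, &s, &d)) return -1;
    for (int i = 0; i < nflows; i++)
        if (table[i].src == s && table[i].dst == d) {
            table[i].packets++; table[i].bytes += wirelen; return i;
        }
    if (nflows == MAX_FLOWS) return -1;                      /* table full: drop, never overflow */
    table[nflows] = (struct flow_stat){ s, d, 1, wirelen };
    return nflows++;
}
/* Constructed sample: Ethernet II frame, ethertype 0x0800, then a 20-byte IPv4 header,
 * TCP, total length 60, documentation addresses 192.0.2.10 -> 192.0.2.20. */
static const uint8_t sample_frame[] = {
    0x00,0xd0,0xb7,0xac,0x99,0x87, 0x00,0x02,0xb3,0x33,0x37,0x0f, 0x08,0x00,
    0x45,0x00,0x00,0x3c, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
    192,0,2,10, 192,0,2,20 };
/* Constructed ARP frame (ethertype 0x0806, 42 bytes): the IP counter must skip it. */
static const uint8_t arp_frame[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x02,0xb3,0x33,0x37,0x0f, 0x08,0x06 };
```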