26/05/2005
Linux IP accounting
Time for some more statistics. Say your box runs as a router and you want to monitor which pc of your lans talks to whom from the outside world…how many bytes, packets, flows, etc…or say you use your box at home for p2p applications and want to monitor what’s going on…more than just keeping track of your traffic. That’s where IP accounting comes handy.
I applied IP accounting at my gentoo box at home. What I needed was inside this excellent documentation. Basically one needs fprobe, to export flows from linux in netflow format, flow-tools to collect those netflows, and FlowScan to process the flow files. Most tools are easily emerged…but remember NOT to emerge flow-tools. If you do that you will have problems with Cflow. Do as the documentation says, download flow-tools from their site, ‘make install’ it and go inside the contrib dir, untar Cflow-1.051.tar.gz and do as the documentation says for it. Most other things are rather straightforward.
One usefull shell script I wrote with the help of Angelos was this:
showtop.sh
#!/bin/bash
echo "<pre>" > /var/netflow/scoreboard/stats.html
/usr/local/netflow/bin/flow-cat -p /var/netflow/ft/ | /usr/local/netflow/bin/flow-stat -f10 -S4 -n | head -n 50 >> /var/netflow/scoreboard/stats.html /usr/local/netflow/bin/flow-cat -p /var/netflow/ft/ | /usr/local/netflow/bin/flow-stat -f8 -S3 -n| head -n 50 >> /var/netflow/scoreboard/stats.html echo "</pre>" >> /var/netflow/scoreboard/stats.html
It creates an html file with 2 top-X lists…
The first one is: a report on top source/destination IP pairs sorted by octets
and the second one is: a top destination IP address report by sorted by outbound traffic
I find it really usefull and I’ve added it to my crontab to run every 5 minutes.
It works for me…try it if you wish and comment with your results…
P.S. I think flow-tools was the first package I had to install manually in my gentoo box since the day I’ve installed it. I think it is possible to create an ebuild to overcome the problems with Cflow…but I was too bored…anyway…have fun with IP accounting.
Filed by kargig at 00:31 under General,Linux
No Comments | 4,600 views