What's the best way in Debian to monitor IP packets sent/received over an
external (i.e. volume charged) connection? I.e. how many bytes did host A
receive on what port? Which internal host received the most external

I have looked at the following:
* pretty good, but only works on squid traffic.
* very friendly user interface, can do just about anything with
statistics in an easy way.
* doesn't work too well on ISDN adaptor, seems to get all these
Ethernet addresses which ISDN simply doesn't have.
* I have had problems with it consuming too much memory, almost
to the extent of crashing the computer as it thrashes
constantly (see bug #123003 and #136627). This might be
related to other problems described here.
* If you run it on an internal adapter, it doesn't distinguish
local vs remote traffic. Local traffic is free, remote traffic
isn't (at least here in Australia).
* If you run it on an external adaptor, it appears to consider
all external hosts as local.
* Appears pretty good, but the interface is very low level
compared with, say, NTOP, and it seems pretty easy to mistake,
e.g. incoming packets counted for outgoing packets for instance
(since argus records everything differently depending on which
side initiated the connection).
* Maybe something like argus with cricket could be used, however
I am not aware of how this can be done very efficiently (e.g.
without rerunning racount with lots of different rules with a
custom script and extracting the data to put into cricket).
* Due to lack of documentation, I might be confused ;-).
NSTREAMS (looks interesting, but I suspect it can't solve this problem)
Ideally, any program should also work with masquerading, although that
might be difficult (last I tried, tcpdump showed incoming and outgoing
packets with different IP addresses).
Brian May <firstname.lastname@example.org>