[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Advice for an IP accounting program



On Tue, Oct 19, 2004 at 06:13:03PM +0200, Hilko Bengen wrote:
> "Francesco P. Lovergine" <frankie@debian.org> writes:
> 
> > The main purpose is identify periodically boxes on an internal
> > private network which cause very high traffic, due to worms, virus
> > and so. A per-IP simple report a la mrtg could be nice.
> 
> <plug mode="shameless"> My ulog-acctd, installed on the border router
> using Netfilter, has put much less load on the routers as compared to
> net-acct and any libpcap-based tool in tests at the ISP for which I
> wrote it.</plug>

sounds like a good tool.
 
> With a little know-how in shell-scripting, it should be trivial to
> generate statistics and graphs from its output.

if you modified it to produce Netflow output (same as cisco and other routers),
then there's a good range of tools which already exist to do this.   and, it's
always a good idea to use an existing standard rather than reinvent the wheel.

e.g. these are already in debian:

flow-tools - collects and processes NetFlow data
flowscan - flow-based IP traffic analysis and visualization tool
libcflow-perl - Perl module for analyzing raw IP flow files written by cflowd


btw, there are also two libpcap-based netflow capturers already debianised - a
netfilter/ulog alternative would be a good thing.

fprobe - exports NetFlow V5 datagrams to a remote collector
pmacct - promiscuous mode traffic accountant


craig

-- 
craig sanders <cas@taz.net.au>



Reply to: