Re: Advice for an IP accounting program

On Tue, Oct 19, 2004 at 06:13:03PM +0200, Hilko Bengen wrote:
> "Francesco P. Lovergine" <frankie@debian.org> writes:
> > The main purpose is to identify periodically boxes on an internal
> > private network which cause very high traffic, due to worms, viruses
> > and so on. A per-IP simple report a la mrtg could be nice.
> <plug mode="shameless"> My ulog-acctd, installed on the border router
> using Netfilter, has put much less load on the routers as compared to
> net-acct and any libpcap-based tool in tests at the ISP for which I
> wrote it.</plug>

sounds like a good tool.

> With a little know-how in shell-scripting, it should be trivial to
> generate statistics and graphs from its output.

if you modified it to produce Netflow output (same as cisco and other routers),
then there's a good range of tools which already exist to do this. and, it's
always a good idea to use an existing standard rather than reinvent the wheel.

e.g. these are already in debian:

flow-tools - collects and processes NetFlow data
flowscan - flow-based IP traffic analysis and visualization tool
libcflow-perl - Perl module for analyzing raw IP flow files written by cflowd

btw, there are also two libpcap-based netflow capturers already debianised - a
netfilter/ulog alternative would be a good thing.

fprobe - exports NetFlow V5 datagrams to a remote collector
pmacct - promiscuous mode traffic accountant


craig sanders <cas@taz.net.au>

