Re: Traffic monitoring

[Geoff Crompton <geoff.crompton@bjhcontrols.com.au>]

On Sat, Mar 15, 2003 at 12:22:11AM +0100, Stefan Neufeind wrote:
> While we're still in the field of counting and monitoring traffic:
> Is there any good way to account traffic on one computer by user? I 
> searched several times for this but didn't find any good solution. 
> Some people said it should be do-able with kernel-modules but nobody 
> knew who had already done it.
> 
> I have several users generating traffic over the network interface 
> (eth0). What I would need is monitor incoming and outgoing traffic 
> accounted by the uid the process is running to or from which the 
> packets are received / sent. Hmm - did I at least make it a bit 
> clear? Even if I have somebody running an "ftp" for getting or 
> putting files ... or if I have someone using wget on the shell or 
> getting remote-files via PHP or whatever I need to account this 
> traffic to the uid - all on the local machine. And if I have someone 
> opening a listening-port (this also appears with ftp-transfers) and 
> waits for an incoming connection I would also like to bill the 
> incoming connection to the same uid.
> 
> That's my problem. Any good solutions out there? I'm stuck with this 
> :-((
> 

  Try ipac-ng:
  Description: IP Accounting for iptables( kernel >=2.4)

  Can do accounting on any iptable rule (as I understand it). iptables
  have the capability to match on owner:
  iptables -A INPUT -m owner --uid-owner 2

  Cheers
  Geoff Crompton