iptraf

-----Original Message-----
From: Antony Stone [mailto:Antony@xxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, June 30, 2004 9:41 AM
To: netfilter
Subject: Re: track bandwith used

On Wednesday 30 June 2004 2:07 pm, Peter Marshall wrote:

> Hi again,
>
> I was also wondering if anyone knows a way to track bandwidth being used
> through the firewall .......

Well, there are plenty of network monitoring tools which will give you this sort of information as an aggregate figure for an interface, or broken down by source/destination address, port number etc - iptraf is not a bad start to see what can be done.

Other than that you can use netfilter rules to count the packets & bytes, and then use a cron job to record the counts at whatever intervals you want (every minute, every hour, every day...), and then process them yourself.

Things I would mention if you're going to try the latter option:

1. Most packets do not match against rules in the nat table, so don't try counting those - the only packets which match these are the first of each connection - all the rest are processed invisibly by netfilter in the background, and your rules don't see them (this is also the reason why you should never set a default DROP policy on a nat table!)

2. If you are using a standard -m state --state ESTABLISHED,RELATED rule in your FORWARD chain, remember that nearly all packets will match that, no matter which direction they're going through the machine, and which port/s they're going to or from. Again, most of the rules in your FORWARD chain will only match the first packet of a given connection, so you won't see much traffic on these rules either (although they can give you a useful indication of the number of connections of that type which get created).

3. The FORWARD mangle table can be a good place to put rules which will see all traffic going through the system.

4. For accounting purposes, you can quite readily use rules with no target (eg: iptables -A FORWARD -p tcp --dport 25); these will make no difference to whether the packets are ACCEPTed, DROPped, LOGged, REJECTed, or whatever (obviously you need separate rules to do that somewhere else), but the packet & byte counters from iptables -L -nvx will show you how many of that type of packet were seen. You can make the rules as specific as you like if you want to count certain connections in minute detail (eg: iptables -A FORWARD -p tcp --dport 25 -s my.mail.ser.ver -d ISP.mail.ser.ver)

5. Don't overlook the raw packet & byte counts available from ifconfig if all you want to do is monitor traffic in & out of an interface.

Hope this gives you some ideas.

Regards,

Antony.

--
"The future is already here. It's just not evenly distributed yet." - William Gibson

Please reply to the list; please don't CC me.
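The counting-rule and cron approach from Antony's points 3 and 4, as an added shell example that is not part of the thread: target-less rules in the mangle FORWARD chain, and a parser for the counters printed by iptables -t mangle -L FORWARD -nvx that a cron job could append to a log. The rule set, the two counter snapshots and the crontab line are assumptions constructed for this example, not output from a real firewall.

```shell
#!/bin/sh
# Accounting via target-less rules in the mangle FORWARD chain, plus the
# cron-side parsing of `iptables -t mangle -L FORWARD -nvx` output.
# The rules are hypothetical and only printed, so this runs without root;
# the two snapshots are constructed, not captured from a real box.

# 1. Target-less counting rules: they never change a packet's fate, they
#    only bump the pkts/bytes counters of the rule when a packet matches.
print_account_rules() {
    cat <<'EOF'
iptables -t mangle -A FORWARD -p tcp --dport 25
iptables -t mangle -A FORWARD -p tcp --dport 80
iptables -t mangle -A FORWARD -p udp --dport 53
EOF
}

# 2. Two constructed snapshots of `iptables -t mangle -L FORWARD -nvx`.
#    With -x the counters are exact, not rounded to K/M/G.
SNAP_OLD='Chain FORWARD (policy ACCEPT 5000 packets, 4000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1200     960000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    3100    2500000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     400      40000            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'
SNAP_NEW='Chain FORWARD (policy ACCEPT 7000 packets, 6000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1500    1200000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    3900    3700000            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      10       1000            udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# rule_bytes SNAPSHOT KEY: byte counter of the rule whose last column is KEY
# (e.g. dpt:25). Columns 1 and 2 are pkts and bytes even when the target
# column is empty, so the blank target does not shift the fields read here.
rule_bytes() {
    printf '%s\n' "$1" | awk -v key="$2" '$NF == key { print $2; found = 1 }
                                          END { if (!found) print -1 }'
}

# bytes_delta OLD NEW KEY: bytes seen between two snapshots. A new counter
# lower than the old one means the rules were reloaded or zeroed (-Z) in
# between, so the new counter itself is the best available figure.
bytes_delta() {
    old=$(rule_bytes "$1" "$3")
    new=$(rule_bytes "$2" "$3")
    if [ "$new" -lt "$old" ]; then echo "$new"; else echo $((new - old)); fi
}

# record_line TIMESTAMP SNAPSHOT: one CSV line for the accounting log, e.g.
# appended by a (hypothetical) crontab entry such as
#   */5 * * * * root /usr/local/sbin/acct.sh >> /var/log/acct.csv
record_line() {
    echo "$1,$(rule_bytes "$2" dpt:25),$(rule_bytes "$2" dpt:80),$(rule_bytes "$2" dpt:53)"
}
```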