Re: tracking usage by mac address

[Henry Baxter <henrybaxter@xxxxxxx>]

Thank you Jose, I'm going to go with parsing the log with C code which I 
wouldn't mind writing - but if you could point me to your source, that 
would be very helpful. From the sounds of your setup George it should 
work great for us here (a tenth of your bandwidth usage!).

This mailing list rocks

Henry Baxter

George Alexandru Dragoi wrote:

> Well, i don't know if you want to log EVERYTHING.
> Remember ip_conntrackworkson streams, so you can log only NEW packets.
> I have like 90 rules with -m mac like those i said before + several
> port forwarding, on a P2 450Mhz, 100mbit internet connections, used a
> lot, almoust all the time at 11MB/s at upload (exactly where those
> rules aremostly hitted), and top says the sys load is arround 40% at
> most when i have full bandwith in use, but i think it is not because
> of the netfilter, but the PCI usage. Traffic at 50% usually needs much
> less CPU, like 5-10%. I also have many other rules for SYN scan
> limiting, bandwith counting, and so on.
>
> On 30 Aug 2004 20:54:36 +0200, Jose Maria Lopez <jkerouac@xxxxxxxxxxx> wrote:
>  
>
> > El lun, 30 de 08 de 2004 a las 04:42, Henry Baxter escribió:
> >
> >
> >    
> >
> > > Hello,
> > >
> > > I have been reading this list for several months, and I've really
> > > enjoyed learning all that I have, thank you everybody for the
> > > opportunity to listen:)
> > >
> > > Ultimately I am hoping to track the bandwidth usage of about 50 client
> > > computers through my router based on their MAC address. I understand
> > > that by simply writing a rule that does nothing to the packet, such as
> > > 'iptables -A FORWARD -m <mac address>' I can parse the netfilter log and
> > > find out what I need. This seems rather convoluted though - getting
> > > netfilter to create a basically human readable log file, and then
> > > parsing it.
> > >
> > > All of the network traffic is passing through unmanaged switches until
> > > finally hitting the interface on the router.
> > >
> > > I'm sure this must have been done by many others before, so could
> > > anybody give me some idea of what the most common way to handle this
> > > situation would be?
> > >
> > > I appreciate any input.
> > >
> > > Henry Baxter
> > >      
> > If you don't have a big number of users you can do something like this:
> >
> > iptables -N MACSTATS
> > iptables -A INPUT -j MACSTATS
> > iptables -A OUTPUT -j MACSTATS
> > iptables -A FORWARD -j MACSTATS
> > iptables -A MACSTATS -m mac --mac-source $CLIENT1_MAC_ADDRESS -j RETURN
> > iptables -A MACSTATS -m mac --mac-source $CLIENT2_MAC_ADDRESS -j RETURN
> > ...
> >
> > So you can read the data transfered by each client with the command:
> > iptables -L MACSTATS -nv
> >
> > More or less this is what we do in our bastion-firewall-stats module
> > from our bastion-firewall GPL firewall, but we extract the counters with
> > C code to put it in a rrdtool database and then create graphs with the
> > data. If need code you can look at the source code of this addon from
> > our firewall.
> >
> > --
> > Jose Maria Lopez Hernandez
> > Director Tecnico de bgSEC
> > jkerouac@xxxxxxxxx
> > bgSEC Seguridad y Consultoria de Sistemas Informaticos
> > http://www.bgsec.com
> > ESPAÑA
> >
> > The only people for me are the mad ones -- the ones who are mad to live,
> > mad to talk, mad to be saved, desirous of everything at the same time,
> > the ones who never yawn or say a commonplace thing, but burn, burn, burn
> > like fabulous yellow Roman candles.
> >                -- Jack Kerouac, "On the Road"
> >
> >
> >    
>
>
>