On Wed, 05 Jan 2005 at 17:48, Jeroen van den Hoed wrote:
> Hello all,
>
> I'm working on a script to monitor all traffic that passes my colocated
> server. My first thought was to use ifconfig to monitor the RX and TX
> counters repeatedly and calculate my (monthly) traffic. Later I decided to
> use iptables since it can monitor the traffic separately, for multiple IP
> aliases, where ifconfig cannot.
>
> I now have both scripts running at the same time, and I came across
> inconsistencies in the reported traffic. ifconfig reports more traffic than
> iptables does. For example, yesterday iptables reported that my received
> traffic was 230 MB, whereas ifconfig reported 259 MB. (The transmitted traffic
> has similar inconsistencies: ifconfig reports 10 to 15% more traffic than
> iptables does.)
> The problem, of course, is that I now don't know which counter to trust.
>
> Setup
> My external interface is eth0, which is checked with "ifconfig eth0" every 5
> minutes. The RX and TX values are then written to a log file, and at the end
> of the day these values are added up and reported to me by mail. (The script
> handles the overflow of the 32-bit counter values correctly.)
>
> For iptables I have a couple of rules to measure my incoming and outgoing
> traffic in the mangle table, as follows:
> iptables -t mangle -N incomingtraffic
> iptables -t mangle -A incomingtraffic -j RETURN
> iptables -t mangle -A PREROUTING -i eth0 -j incomingtraffic
> iptables -t mangle -N outgoingtraffic
> iptables -t mangle -A outgoingtraffic -j RETURN
> iptables -t mangle -A POSTROUTING -o eth0 -j outgoingtraffic
> At the end of the day these values are read out and the counters are reset
> to zero (iptables -L -n -v -x -t mangle -Z).
>
> Shouldn't the iptables rules above count ALL the traffic coming in and going
> out of eth0? And if these rules are correct, then why is this report lower
> than the report of ifconfig?
>
> Hope someone can enlighten me.
>
> Thanks in advance,
> Jeroen van den Hoed

You can try, if you want, our GPL software bastion-firewall with its bastion-firewall-stats addon. It does more or less what you want, and it can generate independent scripts that you can use without having to use the bastion-firewall software. The software uses a daemon programmed with libiptc to check the counters of the interfaces, rules, etc., and then some scripts save the data in an RRDtool database. It then generates graphical stats in HTML and GIF from this data. You can download it at:

http://www.bgsec.com

Hope it helps.

Regards.

-- 
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
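The question above is which of the two counters to trust. The two sources do not measure the same thing: the RX/TX byte counters behind ifconfig come from /proc/net/dev and count whole Ethernet frames, including the 14-byte Ethernet header and any frames (ARP, for instance) that never enter the IPv4 PREROUTING/POSTROUTING hooks, while the iptables byte counters count the IP packet length only. The script below is an added example, not code from the thread or from bastion-firewall: it reads two constructed /proc/net/dev snapshots and constructed `iptables -t mangle -L <chain> -n -v -x` output for the incomingtraffic/outgoingtraffic chains from the question, handles the 32-bit counter wrap the original poster mentions, and shows how much of the gap is Ethernet framing and how much is left over. Interface and chain names are the thread's; every number is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from bastion-firewall.
# Compares the link-layer counters behind "ifconfig eth0" (read here from
# constructed /proc/net/dev snapshots) with the IP-layer byte counters of the
# mangle-table accounting chains from the question, handling 32-bit wrap.

IFACE=eth0

# Constructed /proc/net/dev snapshots taken 5 minutes apart. On the 32-bit
# kernels of the era these counters are unsigned 32-bit and wrap at 2^32;
# the eth0 RX bytes field wraps between T0 and T1.
PROC_NET_DEV_T0='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  1000000   10000    0    0    0     0          0         0  1000000   10000    0    0    0     0       0          0
  eth0: 4294900000 3000000    0    0    0     0          0         0 2000000000 1500000    0    0    0     0       0          0'

PROC_NET_DEV_T1='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:  1000000   10000    0    0    0     0          0         0  1000000   10000    0    0    0     0       0          0
  eth0: 243132704 4020000    0    0    0     0          0         0 2100000000 1600000    0    0    0     0       0          0'

# Constructed output of "iptables -t mangle -L <chain> -n -v -x" for the two
# accounting chains over the same interval. Netfilter counts the IP packet
# length, so these bytes never include the Ethernet header.
IPT_IN='Chain incomingtraffic (1 references)
    pkts      bytes target     prot opt in     out     source               destination
 1000000  228000000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

IPT_OUT='Chain outgoingtraffic (1 references)
    pkts      bytes target     prot opt in     out     source               destination
  100000   98600000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

ETH_HDR=14   # Ethernet header bytes per frame; the FCS is stripped by the NIC

# wrap_delta OLD NEW: difference of two unsigned 32-bit counter samples.
wrap_delta() {
    if [ "$2" -ge "$1" ]; then
        echo $(( $2 - $1 ))
    else
        echo $(( 4294967296 + $2 - $1 ))
    fi
}

# proc_counter SNAPSHOT IFACE rx|tx bytes|packets: one field of /proc/net/dev.
# The interface name may be glued to the first number ("eth0:123"), so the
# colon is turned into a separator before awk splits the line.
proc_counter() {
    printf '%s\n' "$1" | sed 's/:/ /' | awk -v i="$2" -v d="$3" -v f="$4" '
        $1 == i {
            col = (d == "rx") ? 2 : 10      # $2..$9 receive, $10..$17 transmit
            if (f == "packets") col++
            print $col
        }'
}

# ipt_counter CHAIN_OUTPUT pkts|bytes: counters of the RETURN rule, which
# every packet entering the chain hits exactly once.
ipt_counter() {
    printf '%s\n' "$1" | awk -v f="$2" '$3 == "RETURN" { v = (f == "pkts") ? $1 : $2; print v }'
}

# reconcile rx|tx: how much of the ifconfig/iptables gap is Ethernet framing,
# and how much is left over (frames such as ARP that never enter the IPv4
# PREROUTING/POSTROUTING hooks, so iptables never sees them).
reconcile() {
    case "$1" in
        rx) ipt=$IPT_IN ;;
        tx) ipt=$IPT_OUT ;;
        *)  echo "usage: reconcile rx|tx" >&2; return 1 ;;
    esac
    link_bytes=$(wrap_delta "$(proc_counter "$PROC_NET_DEV_T0" "$IFACE" "$1" bytes)" \
                            "$(proc_counter "$PROC_NET_DEV_T1" "$IFACE" "$1" bytes)")
    link_pkts=$(wrap_delta "$(proc_counter "$PROC_NET_DEV_T0" "$IFACE" "$1" packets)" \
                           "$(proc_counter "$PROC_NET_DEV_T1" "$IFACE" "$1" packets)")
    ip_bytes=$(ipt_counter "$ipt" bytes)
    ip_pkts=$(ipt_counter "$ipt" pkts)
    framing=$(( ip_pkts * ETH_HDR ))
    residual=$(( link_bytes - ip_bytes - framing ))
    printf 'link=%s ip=%s framing=%s residual=%s nonip_frames=%s\n' \
        "$link_bytes" "$ip_bytes" "$framing" "$residual" "$(( link_pkts - ip_pkts ))"
}

reconcile rx
reconcile tx
```

In the constructed RX sample the interface saw 20,000 more frames than the iptables chain did and the residual is exactly 20,000 minimum-size (60-byte) frames, which is the shape an ARP-heavy segment produces; the TX sample reconciles to zero once framing is added. On real data the residual will not be exactly zero: receive byte counters also include the padding of frames shorter than the Ethernet minimum, and anything the stack drops before the PREROUTING hook is counted by the NIC but never by netfilter. The useful check is that the gap scales with packet count rather than with bytes, which is what a per-frame overhead looks like.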