Bandwidth monitoring summary

andrew at bishop.dropbear.id.au
Sun Oct 7 08:25:47 EST 2001


On Sat, 6 Oct 2001, Darrell Burkey wrote:

[...]
> Unfortunately, I'm
> not as interested in monitoring flow as I am in capturing the volume over a
> period of time such as ipac does.

If that's *all* you want, then you can just use iptables (or ipchains).
They both keep a count of the number of packets/bytes that match each
rule.   I have no experience with any of the other packages suggested to
you, as I have never needed more than ipchains (and one of these days I'll
switch to iptables, but what I have works, so why try to break it?)

I have a connection through TransACT here (nominally a 256kbit/s pipe, but
I get about twice that to sufficiently well-connected sites), which I
share with the rest of the house, and I just use the firewall rules to
monitor usage.

(In case anyone is curious, I now connect through WebOne - when I rang
netspeed last week and spoke with the manager concerning my problems with
them, he flat-out refused to say that it would be fixed by next week, or
even by next month - just "as soon as possible, we're working on it now".
When I asked if they had been working on it for the past 3 months, he got
a little annoyed, and said I was welcome to terminate my contract.  I did
that.)

Back on topic, I just added the following to ip-down.local:

-----
echo -n "link down at " >> /var/log/ip-accounting
date >> /var/log/ip-accounting
echo -e "usage for this session:\n\n" >> /var/log/ip-accounting
/sbin/ipchains -v -L acctout >> /var/log/ip-accounting
echo -e "\n\n" >> /var/log/ip-accounting
-----

The link doesn't go down that often, so that's really just there so I
don't miss anything.  I also have a cron job that fires at the beginning
of each month to log and zero the counts.

The rules that do the accounting are set up as below (this in
ip-up.local):

-----
echo -n "link up at " >> /var/log/ip-accounting
date >> /var/log/ip-accounting

/sbin/ipchains -N acctout

/sbin/ipchains -I output 1 -s ! 10.17.0.0/16 -j acctout
/sbin/ipchains -I output 2 -p tcp -s 10.17.2.1 3128 -j acctout
/sbin/ipchains -I output 3 -p tcp -s 10.17.3.1 3128 -j acctout

for i in <list of machines to account for>; do
    /sbin/ipchains -A acctout -d $i
done
-----

You have to do the accounting on the output rule, so it gets the packets
after they've been de-masqueraded.  I have 2 internal interfaces (one is a
wireless link to upstairs), and count packets from my squid proxy as well.
If I were more interested in correctness (i.e. didn't want to bill people
for requesting something that I had cached), I'd use squid's logs for that
side of things, but in practice, every time we go over our quota, it's all
my fault anyway :)

Andrew
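
The message above logs the raw chain listing and notes that iptables keeps the same per-rule packet/byte counts. As an added example (not part of the original message), this script reduces a saved accounting-chain listing to per-host byte totals. It assumes the listing format printed by `iptables -L acctout -v -n -x`; the sample listing, the function names and the quota value are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-host byte totals from an accounting chain listing.
# Assumes the listing was produced with
#   iptables -L acctout -v -n -x
# where -x prints exact byte counts. Without -x, large counters are
# abbreviated (e.g. 8123K) and the rows would be skipped by the checks below.

# Constructed sample listing; hosts and counters are made up.
sample_listing() {
cat <<'EOF'
Chain acctout (3 references)
    pkts      bytes target     prot opt in     out     source               destination
   10234    8123456            all  --  *      *       0.0.0.0/0            10.17.2.10
     512     204800            all  --  *      *       0.0.0.0/0            10.17.2.11
       0          0            all  --  *      *       0.0.0.0/0            10.17.3.20
EOF
}

# Read a listing on stdin, print "<destination> <bytes>" per accounted host.
# Counting rules have no target, so that column is empty: bytes is always
# field 2 and the destination is always the last field.
acct_per_host() {
    awk '
        NF >= 8 && $2 ~ /^[0-9]+$/ { bytes[$NF] += $2 }   # headers fail the test
        END { for (h in bytes) print h, bytes[h] }
    ' | LC_ALL=C sort
}

# Read a listing on stdin, print total bytes across all accounted hosts.
acct_total() {
    awk 'NF >= 8 && $2 ~ /^[0-9]+$/ { t += $2 } END { print t + 0 }'
}

# Read a listing on stdin, print hosts whose byte count exceeds quota $1.
acct_over_quota() {
    acct_per_host | awk -v q="$1" '$2 + 0 > q + 0 { print $1 }'
}

# Demo on the constructed sample.
sample_listing | acct_per_host
echo "total: $(sample_listing | acct_total) bytes"
```

On a live system the input would come from the chain listing itself rather than `sample_listing`.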




