From owner-freebsd-questions Wed Mar 13 13:27: 5 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from lion.com.ua (lion.com.ua [213.133.161.130]) by hub.freebsd.org (Postfix) with ESMTP id F423D37B404 for ; Wed, 13 Mar 2002 13:26:55 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by lion.com.ua (8.11.6/8.11.6) with ESMTP id g2DLQY908367; Wed, 13 Mar 2002 23:26:36 +0200 (EET) (envelope-from sa@simon.org.ua)
Date: Wed, 13 Mar 2002 23:26:34 +0200 (EET)
From: Andrey Simonenko
X-X-Sender: sa@lion.com.ua
To: Florian Nigsch
Cc: freebsd-questions@freebsd.org
Subject: Re: network traffic accounting
Message-ID: <20020313225556.C8227-100000@lion.com.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

On 2002-02-20 12:52:15 PST you wrote:

>I am looking for a program that does network traffic accounting.

There are several such tools for FreeBSD:

    $ cd /usr/ports
    $ make search key=accounting
    $ make search key=traffic

>I've already tried ipa but I am not very content with it, because
>it simply parses the counters of the ipfw-firewall. What I dislike

IPA doesn't parse ipfw rules. When we say "parse", we mean that
something runs an external program and parses its output. IPA doesn't
run any external program, instead it reads the needed information
directly from the kernel data structures (exactly as FreeBSD ipfw,
ipfstat or OpenBSD pfctl do). I think that it is correct, because it
doesn't make a big overhead.

>particularly using this method, is that when you for some reason
>must restart your firewall, the accounting statistics of this day
>are not usable any more.

It is not correct and it depends on the traffic accounting software.
IPA has no such problems at all. But I have to say there is one
pitfall. If the maxchunk parameter (ipa(8) configuration file
ipa.conf(5)) is not used and the firewall was restarted, IPA thinks
that some firewall rule counters overflowed. Of course I suppose that
one doesn't specify update_db_time=24h in the configuration file
(default value of database updates is 5 minutes). Unfortunately there
is no better solution with IP Firewall, IP Filter and Packet Filter
(at the current moment), but with the maxchunk parameter one can lose
~50% of accounting information from the last database update (i.e.
during update_db_time seconds).

>The program I am looking for, is something which operates with bpf
>and runs in the background, and gathers its information directly
>from the network, not from the ipfw counters.

There is trafd, I suppose that it is the most used software for
traffic accounting via BPF. BPF support is in the IPA TODO file. And
it is not implemented, just because a good solution hasn't been found.
That is, if IPA supports BPF, it also should support all features
which it has now: several accounting rules at the same time, limits
and (in the future) worktime parameter support.
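
The pitfall described in the message above, as an added example that is not part of the original post and not IPA's code: a kernel counter that goes backwards between two reads can be taken for an overflow or for a firewall restart. The 32-bit counter width, the function names and the exact maxchunk rule used here (a delta larger than maxchunk is treated as a restart) are assumptions made for this sketch.

```python
# Added illustration: a simplified model, not IPA's implementation.
COUNTER_BITS = 32          # assumed counter width for this sketch
WRAP = 1 << COUNTER_BITS


def counter_delta(prev, cur, maxchunk=None):
    """Return (bytes_to_add, verdict) for one database update.

    prev/cur: the rule counter at the previous and the current read.
    maxchunk: hypothetical semantics, the largest delta accepted as genuine.
    """
    if cur >= prev:
        return cur - prev, "normal"
    # The counter went backwards: it either wrapped or the firewall restarted.
    wrapped = WRAP - prev + cur
    if maxchunk is None or wrapped <= maxchunk:
        # Without a bound, the only available reading is an overflow.
        return wrapped, "overflow"
    # Implausibly large delta: treat it as a restart and keep only what the
    # new counter has seen; traffic between `prev` and the restart is lost.
    return cur, "reset"


def account(samples, maxchunk=None):
    """Sum the deltas over successive reads; returns (total, verdicts)."""
    total, verdicts = 0, []
    for prev, cur in zip(samples, samples[1:]):
        added, verdict = counter_delta(prev, cur, maxchunk)
        total += added
        verdicts.append(verdict)
    return total, verdicts


# Constructed sample: the firewall is restarted between the 3rd and 4th
# read, so the counter drops from 9_000_000 to 400_000.
RESTART = [1_000_000, 5_000_000, 9_000_000, 400_000, 2_400_000]
# Constructed sample: a genuine wrap of the counter under steady load.
REAL_WRAP = [WRAP - 3_000_000, WRAP - 1_000_000, 1_000_000]

if __name__ == "__main__":
    print(account(RESTART))                       # restart misread as overflow
    print(account(RESTART, maxchunk=50_000_000))  # restart recognised
    print(account(REAL_WRAP, maxchunk=50_000_000))
```

In this model the first call books roughly 4 GB that never crossed the wire, while the bounded calls book the restart as a reset and still accept the genuine wrap.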