Date: Thu, 25 Nov 1999 13:31:43 +0100 (CET)
From: Christian Kratzer <ck@toplink.net>
To: Bryan Collins <bryan@casper.spirit.net.au>
Cc: Tom <tom@sdf.com>, Kurt Jaeger <pi@complx.LF.net>, "Jean M. Vandette" <vandj@securenet.net>, freebsd-isp@FreeBSD.ORG
Subject: Re: IP or packet Accounting Software for burst connections.
Message-ID: <Pine.BSF.4.10.9911251325570.49651-100000@babylon.toplink.net>
In-Reply-To: <199911250505.QAA45460@casper.spirit.net.au>

Hi,

On Thu, 25 Nov 1999, Bryan Collins wrote:

> > > Do you not require the IP stream to be routed 'thru' the box running ipfw?
> > > Another point of failure in a network...
> >
> > It is logical to do this kind of accounting on the gateway.
> >
> > If SPOFs are an issue, use multiple gateways.
> >
> > > ipfw isn't promiscuous, tcpdump is/can be.
> >
> > And therefore won't work on switched networks either, unless you
> > configure it on a "shared" port, which limits how much traffic you will be
> > able to handle.
>
> you'd still need to pass the IP traffic thru your accounting box on
> a switch 'monitoring' port
>
> I've actually used a few different methods of IP accounting,
> ranging from hacked tcpdumps, hacked netramet, a custom BPF perl5 capture,
> and what I'm using right now, which is snmp to cisco IP accounting...
>
> tcpdump worked as an interim, but being promiscuous, we couldn't
> guarantee all packets be counted.
>
> The custom bpf system that we wrote was rather sweet, it had process pools
> and so on, so that once a given amount of traffic was counted, that process
> went off to aggregate it, while another capture process started.

we ran Kurt's hacked tcpdump (ipcount) successfully for several years on
our then gated-based freebsd border router. We ran it on the external
interface going to our bean counting upstream. Never had a problem with it.
E1 bandwidth at 3 locations.

We have since switched to cisco ip accounting now that we have ciscos all
over the place and E3 bandwidth.

> But by far the easiest and cleanest is our snmp queries to cisco's
> IP accounting (and checkpoint IP accounting) on
> both border routers and access servers. nothing gets missed now.

beware of snmp queries of any bulk data (ip accounting, routing tables).
This will easily blow the cpu on your cisco.

We use a small C program that grabs the data by telnetting to the cisco
and doing a

    clear ip accounting
    show ip accounting checkpoint

This all goes in one short tcp telnet session and does not require loads
of small udp sessions like snmp does. Snmp is again the wrong hammer for
bulk transfers...

Greetings
Christian

--
TopLink Internet Services GmbH      ck@171.2.195.in-addr.arpa
Christian Kratzer                   http://www.toplink.net/
Phone: +49 7032 2701-0
Fax:   +49 7032 2701-19
FreeBSD spoken here!
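
One way to turn the `show ip accounting checkpoint` output mentioned in the message above into per-host byte totals, as an added example that is not part of the original message and is not the poster's C program. The sample output is constructed (documentation addresses) and assumes a four-column Source / Destination / Packets / Bytes table; `bill_per_customer` and the `192.0.2.0/24` customer network are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: prompt line, column header, data rows and a trailer line,
# laid out as the assumed four-column accounting table. Addresses are made up.
SAMPLE = """\
router#show ip accounting checkpoint
   Source           Destination              Packets               Bytes
 192.0.2.10       198.51.100.7                    12                9216
 198.51.100.7     192.0.2.10                      20               28000
 192.0.2.77       203.0.113.5                      3                 180
 203.0.113.5      192.0.2.10                       4                 512

Accounting data age is 5
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_rows(text):
    """Yield (src, dst, packets, bytes) per data row; skip prompt, header, trailer."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # four dotted numbers that are not a valid IPv4 address
        yield src, dst, int(m.group(3)), int(m.group(4))

def bill_per_customer(text, customer_net):
    """Sum bytes per customer host: 'out' when it is the source, 'in' when the destination."""
    net = ipaddress.ip_network(customer_net)
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for src, dst, _pkts, nbytes in parse_rows(text):
        if src in net:
            totals[str(src)]["out"] += nbytes
        if dst in net:
            totals[str(dst)]["in"] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for host, t in sorted(bill_per_customer(SAMPLE, "192.0.2.0/24").items()):
        print(f"{host:15s} in={t['in']:>8d} out={t['out']:>8d}")
```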