From owner-freebsd-isp Wed Jun 2 7: 6:27 1999
Delivered-To: freebsd-isp@freebsd.org
Received: from carme.eclipse.net.uk (carme.eclipse.net.uk [195.188.32.33])
    by hub.freebsd.org (Postfix) with ESMTP id DFF5414D04
    for ; Wed, 2 Jun 1999 07:06:22 -0700 (PDT)
    (envelope-from stuart@eclipse.net.uk)
Received: from eclipse.net.uk (elara.eclipse.net.uk [195.188.32.31])
    by carme.eclipse.net.uk (8.9.3/8.9.3) with ESMTP id PAA97596;
    Wed, 2 Jun 1999 15:06:07 +0100 (BST)
Message-ID: <37553A66.2D1F0502@eclipse.net.uk>
Date: Wed, 02 Jun 1999 15:06:30 +0100
From: Stuart Henderson
Organization: Eclipse Networking Ltd.
X-Mailer: Mozilla 4.6 [en] (WinNT; U)
X-Accept-Language: en-GB
MIME-Version: 1.0
To: Rowan Crowe
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: monitoring at the packet level
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I am currently working on a monitoring system which does more
> than simple byte counting, it instead monitors connections. Output
> can be sorted by most popular source host, most popular destination
> host, most popular source port, most popular destination port.

If you're on a shared ethernet (non-switched) then the easiest way at
the moment is probably to use a separate machine to do the monitoring,
running in promiscuous mode to watch all the traffic?

There was a network analyser program distributed as a dd image based on
FreeBSD mentioned in a FreeBSD list or newsgroup a year or two ago, I
can't find a copy at the moment, maybe someone else remembers it?

(btw I think the way to be most easily portable to other OS is to use
libpcap - man pcap should be at least a bit informative :)

man ipfw on 3.2-release has this to say about tee sockets:
"This feature is not yet implemeted."

You might be able to use a normal (non-tee) divert socket and a modified
copy of natd to do what you are thinking of...presumably without
translation rules, just extract whatever information you need from the
packet and forward it onwards.

HTH
Stuart
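
The divert-socket approach suggested above, as an added example that is not part of the original message and is not natd code: it reads each diverted packet, extracts the source/destination host and port, and writes the packet back unchanged. The port number 8669, the ipfw rule in the comment, and the names parse_flow, struct flow and SAMPLE are assumptions made for this example; the socket calls follow divert(4).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Assumed port for this example; pair with: ipfw add divert 8669 ip from any to any */
#define DIVERT_PORT 8669
#define BE16(p) ((uint16_t)((p)[0] << 8 | (p)[1]))   /* big-endian 16-bit read */

struct flow { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

/* Constructed sample: UDP 192.0.2.1:1024 -> 198.51.100.7:53 (checksum left zero). */
const uint8_t SAMPLE[] = { 0x45,0,0,28, 0,0,0,0, 64,17,0,0, 192,0,2,1, 198,51,100,7, 4,0, 0,53 };

/* A divert socket delivers the packet starting at the IPv4 header.
 * Returns 0 and fills *f, or -1 if the buffer is truncated or not IPv4. */
int parse_flow(const uint8_t *p, size_t len, struct flow *f) {
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;          /* header length incl. options */
    if (ihl < 20 || len < ihl) return -1;
    memset(f, 0, sizeof *f);
    f->proto = p[9];
    f->src = (uint32_t)BE16(p + 12) << 16 | BE16(p + 14);
    f->dst = (uint32_t)BE16(p + 16) << 16 | BE16(p + 18);
    unsigned fragoff = (unsigned)(p[6] & 0x1f) << 8 | p[7];
    /* Ports exist only in the first fragment of TCP (6) or UDP (17). */
    if ((f->proto == 6 || f->proto == 17) && fragoff == 0 && len >= ihl + 4) {
        f->sport = BE16(p + ihl); f->dport = BE16(p + ihl + 2);
    }
    return 0;
}

int main(void) {
    struct flow f;
#ifdef IPPROTO_DIVERT   /* FreeBSD: read, account, reinject unchanged */
    uint8_t buf[65535];
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(DIVERT_PORT) }, from;
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (s < 0 || bind(s, (struct sockaddr *)&a, sizeof a) < 0) { perror("divert"); return 1; }
    for (;;) {
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) break;
        if (parse_flow(buf, (size_t)n, &f) == 0)
            printf("%08x:%u -> %08x:%u proto %u\n", f.src, f.sport, f.dst, f.dport, f.proto);
        sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&from, fl); /* forward onwards */
    }
#else                   /* elsewhere: decode the constructed sample only */
    if (parse_flow(SAMPLE, sizeof SAMPLE, &f) == 0)
        printf("%08x:%u -> %08x:%u proto %u\n", f.src, f.sport, f.dst, f.dport, f.proto);
#endif
    return 0;
}
```

Because every matching packet waits on this process before it is forwarded, a monitor built this way sits in the forwarding path; if it exits, packets hitting the divert rule are dropped.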