From: Michael <mutk@ozemail.com.au>
To: IPtables Users <netfilter@lists.samba.org>
Subject: Re: IP Traffic Accounting
Date: Mon, 24 Jun 2002 15:42:09 +1000
Message-ID: <3D16B131.4090202@ozemail.com.au>
In-Reply-To: 20020623225040.A26831@tiger.csl.uiuc.edu
Jason R. Martin wrote:
>I think most of the other posts answered your questions with respect to
>netfilter. I just wanted to offer an alternative for IP accounting. Check
>out ipaudit (http://ipaudit.sourceforge.net). Assuming you have the pcap
>libraries installed on your system, it will keep track of all connections
>to/from your system in a nice compact format. Since it keeps track of
>connections instead of individual packets, it will likely tell you all the
>accounting info you want (packet counts, byte counts, host IPs, ports, etc).
>There's even a nifty web interface that you can use to view the data.
>
>Just a thought.
>
That's a good suggestion, Jason.
I have had experience with similar programs, for example ipmeter
(http://www.ipmeter.org).
The main problems with this way of doing things are:
- If the host you run the IPaudit program on is also a firewall, the
fact that the program requires promiscuous mode on the interface it
listens on introduces a (theoretical) security risk.
- An alternative to running IPaudit on the firewalling host is to
have a separate standalone machine running IPaudit, to sniff packets
passing by on an ethernet segment. This requires either a bridge device
or a non-switched hub to connect the IPaudit machine to the same ethernet
segment as the interface you want to audit. So additional costs, and
additional points of failure.
- If the IPaudit runs on an additional machine as above, and uses a
plain garden variety non-switched Hub to allow the audit machine to
"see" the packets going to and from the internal interface of the
firewall, this introduces a performance bottleneck, especially when you
consider that there is no such thing as a full duplex non-switching hub.
So the use of the IPaudit standalone monitoring machine causes less than
ideal performance.
IPmeter runs on a standalone machine, and I have observed performance
problems when using a non-switched hub to access the ethernet segment.
Collisions, many of them, with as few as 50 users.
IPaudit will probably be quite ok for a workstation providing Internet
connections to other home users or a small office, if security on the
internal interface is not a concern. Also, a standalone machine to
monitor traffic may be a simple setup, and performance may not be such
an issue for a small number of hosts when using a non-switched hub.
Performance will not be hampered at all if you can get hold of an
ethernet bridging device.
BTW, I have a complex setup of iptables firewall, a pam_iptables module,
PHP scripts, C coded programs and a PostgreSQL DB running right now to
account for Internet access traffic. It's a monstrosity of
interdependent programs, very messy. But it is currently working, and
provides Internet access for over 50 users. Users have to log in to the
server; this triggers iptables rules to be added to allow them access,
and starts a process that stores their byte counts in a PostgreSQL DB.
Users can also access a local web page to check their usage details for
the month, etc.
When I get the time, I'll clean it all up, document it and put it on a
website as an example of how to account for packets/bytecounts using
iptables, *and* provide access control as well (that's what pam_iptables
provides).
I am not saying it's a definitive and good example, just "an example"...
Cheers,
Michael
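The iptables side of the scheme Michael describes (a login hook that adds per-host rules, and a poller that reads the byte counters those rules accumulate), as an added example that is not part of his message or his setup. The interface names eth0/eth1, the use of the FORWARD chain, the function names and the sample counter listing are all assumptions made for this example; the listing is constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Added example (not the list poster's code): per-host traffic accounting with
# iptables. Assumptions: accounting is done on the FORWARD chain of a Linux
# router, the inside interface is eth1, the outside is eth0, and each
# logged-in user is identified by the address of the host they log in from.

# Rules a login hook would insert for one host. They are printed rather than
# executed so the script runs without root or netfilter; pipe the output to
# "sh" on the firewall to apply them. Matching the interface pair as well as
# the address keeps a packet arriving on the outside with a spoofed inside
# source address from being counted (or allowed) as the user.
acct_login_rules() {
    ip="$1"
    cat <<EOF
iptables -I FORWARD -i eth1 -o eth0 -s $ip -j ACCEPT
iptables -I FORWARD -i eth0 -o eth1 -d $ip -j ACCEPT
EOF
}

# The matching logout hook: the same rule text with -D, so iptables removes
# exactly the rules that were added at login.
acct_logout_rules() {
    ip="$1"
    acct_login_rules "$ip" | sed 's/^iptables -I /iptables -D /'
}

# Constructed sample of what "iptables -L FORWARD -vnx" prints for two
# logged-in hosts (-x gives exact byte counts instead of "9876K"). A real
# poller would run "iptables -L FORWARD -vnx -Z" so that the chain is listed
# and its counters zeroed in one operation, and each poll then yields the
# bytes transferred since the previous poll.
acct_sample_counters() {
    cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   12345    9876543 ACCEPT     all  --  eth1   eth0    192.168.1.10         0.0.0.0/0
    8765   65432100 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.1.10
     100       8000 ACCEPT     all  --  eth1   eth0    192.168.1.11         0.0.0.0/0
     200      16000 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            192.168.1.11
EOF
}

# Reads that listing on stdin and prints one line per host:
#   <host> <bytes uploaded> <bytes downloaded>
# Only rule lines (first field numeric) are considered. A rule whose source
# is a specific address counts as upload for that host; a rule whose
# destination is specific counts as download. The per-user store would read
# these lines and add the two numbers to the user's monthly totals.
acct_totals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 9 {
             if ($8 != "0.0.0.0/0") up[$8]   += $2
             if ($9 != "0.0.0.0/0") down[$9] += $2
         }
         END {
             for (h in up)   hosts[h] = 1
             for (h in down) hosts[h] = 1
             for (h in hosts) print h, up[h] + 0, down[h] + 0
         }' | sort
}

# Stand-alone demonstration: the rules for one login, then the totals
# parsed from the sample listing.
acct_login_rules 192.168.1.10
acct_sample_counters | acct_totals
```

Two points a practitioner would check before relying on this: zero the counters in the same iptables invocation that lists them (-L together with -Z), otherwise traffic that passes between the list and the zero is lost, and keep the login and logout rule text identical so that -D removes precisely the rules -I added and nothing else.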
Thread overview: 15+ messages
2002-06-22 14:02 IP Traffic Accounting yomega
2002-06-22 14:00 ` David B Harris
2002-06-22 14:09 ` Antony Stone
2002-06-22 14:58 ` Leonardo Rodrigues
2002-06-22 15:18 ` AW: IP Traffic Accounting / Own Chains yomega
2002-06-22 15:18 ` Antony Stone
2002-06-22 15:35 ` AW: " yomega
2002-06-22 14:03 ` IP Traffic Accounting Antony Stone
2002-06-24 3:50 ` Jason R. Martin
2002-06-24 5:42 ` Michael [this message]
2002-06-24 10:33 ` Antony Stone
2002-06-24 12:27 ` Michael
2002-06-24 12:27 ` Michael
2002-06-24 15:33 ` Jason R. Martin
2002-06-24 16:41 ` Ramin Alidousti