On 04/15/2014 05:34 PM, Peter N. M. Hansteen wrote:
> lilit-aibolit<[email protected]> writes:
>
>> table<lan> { 192.168.5.0/24 }
>> match out on $ext_if inet proto tcp from<lan> to any nat-to em1
>> pass in on $int_if inet proto tcp from<lan> to any port
>> pass out on $ext_if inet proto tcp from em1 to any
>>
>> I'd like to know how many traffic does specific IPs from<lan> consumed.
> export flow data via pflow, collect and make per IP address statistics
> from the collected flow data. See eg [1] to get started and add some
> minimal scriptery, you'll have just what you're looking for.
>
> [1] http://bsdly.blogspot.ca/2014/02/yes-you-too-can-be-evil-network.html
>
Thank you and others for pointing to pflow+nfsend.
What I actually did is:
1) modify pf.conf:
set state-defaults pflow
table <lan> { 192.168.5.0/24 }
match out on $ext_if inet proto tcp from <lan> to any nat-to em1
pass in log on $int_if inet proto tcp from <lan> to any port
pass out on $ext_if inet proto tcp from em1 to any
2) add pflow if:
pflow0: flags=41<UP,RUNNING> mtu 1492
priority: 0
pflow: sender: 127.0.0.1 receiver: 127.0.0.1:9999 version: 5
groups: pflow
3) install and configure nfsend:
# pkg_add -i php nfsend
# grep -n1 upstream1 /etc/nfsen.conf
163-%sources = (
164: 'upstream1' => { 'port' => '9999', 'IP' => '127.0.0.1', 'col'
=> '#0000ff', 'type' => 'netflow' },
165-);
4) restart Apache and finally I got nfsend web page with content
But I still didn't find filter expression to get statistics only for my
LAN's IPs:
> ** nfdump -M /var/db/nfsen/profiles-data/live/upstream1 -T -R
> 2014/04/16/nfcapd.201404161420:2014/04/16/nfcapd.201404161455 -n 20 -s
> srcip/bytes
> nfdump filter:
> NET 192.168.5.0/24
> Top 20 Src IP Addr ordered by bytes:
> Date first seen Duration Proto Src IP Addr Flows(%)
> Packets(%) Bytes(%) pps bps bpp
> 2014-04-16 13:50:26.098 4076.001 any192.168.5.78
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 271( 0.8) 116309( 9.3)
> 141.3 M(23.2) 28 277268 1214
> 2014-04-16 14:21:58.098 1175.000 any8.20.213.65
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 9( 0.0) 29265( 2.3)
> 43.9 M( 7.2) 24 298620 1498
> 2014-04-16 14:30:20.098 809.000 any54.230.94.189
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 1( 0.0) 25283( 2.0)
> 37.4 M( 6.1) 31 369475 1477
> 2014-04-16 14:25:33.098 1289.000 any8.20.213.38
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 6( 0.0) 23279( 1.9)
> 34.9 M( 5.7) 18 216542 1498
> 2014-04-16 14:25:40.098 287.000 any54.230.94.94
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 2( 0.0) 22579( 1.8)
> 33.5 M( 5.5) 78 933758 1483
> 2014-04-16 14:20:26.098 2276.001 any192.168.2.245
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 241( 0.7) 86438( 6.9)
> 32.2 M( 5.3) 37 113079 372
> 2014-04-16 14:25:32.098 1184.000 any8.19.240.41
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 2( 0.0) 16211( 1.3)
> 24.3 M( 4.0) 13 164228 1499
> 2014-04-16 14:00:46.098 2275.000 any176.103.207.168
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 1( 0.0) 129597(10.4)
> 16.6 M( 2.7) 56 58232 127
> 2014-04-16 14:00:46.098 3456.001 any192.168.5.14
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 110( 0.3) 132729(10.6)
> 16.1 M( 2.6) 38 37265 121
> 2014-04-16 14:43:06.098 704.000 any178.63.72.144
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 38( 0.1) 10683( 0.9)
> 13.6 M( 2.2) 15 154907 1276
> 2014-04-16 14:21:01.098 2008.000 any8.20.213.95
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 2( 0.0) 7481( 0.6)
> 11.2 M( 1.8) 3 44665 1498
> 2014-04-16 14:32:57.098 345.000 any46.33.68.171
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 4( 0.0) 6014( 0.5)
> 8.9 M( 1.5) 17 206844 1483
> 2014-04-16 14:47:24.098 31.000 any8.20.213.37
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 1( 0.0) 5945( 0.5)
> 8.9 M( 1.5) 191 2.3 M 1499
> 2014-04-16 13:50:38.098 4127.001 any192.168.5.15
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 1593( 4.7) 79268( 6.3)
> 8.6 M( 1.4) 19 16727 108
> 2014-04-16 13:54:37.098 3825.001 any46.118.77.60
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 74( 0.2) 61866( 4.9)
> 8.5 M( 1.4) 16 17689 136
> 2014-04-16 14:24:53.098 1041.000 any46.149.185.47
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 2( 0.0) 37694( 3.0)
> 6.8 M( 1.1) 36 52527 181
> 2014-04-16 13:56:20.098 3785.001 any192.168.5.254
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 6520(19.1) 12670( 1.0)
> 6.0 M( 1.0) 3 12672 473
> 2014-04-16 14:06:38.098 3052.001 any68.232.35.139
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 132( 0.4) 5033( 0.4)
> 5.5 M( 0.9) 1 14292 1083
> 2014-04-16 14:14:12.098 1155.000 any195.95.206.13
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 1( 0.0) 7084( 0.6)
> 5.3 M( 0.9) 6 36905 752
> 2014-04-16 14:05:47.098 3207.001 any192.168.5.45
> <http://gw.kh.ektos/nfsen/nfsen.php#null> 848( 2.5) 36129( 2.9)
> 5.1 M( 0.8) 11 12683 140
>
> Summary: total flows: 34112, total bytes: 608.6 M, total packets: 1.3 M, avg
> bps: 1132, avg pps: 0, avg bpp: 486
> Time window: 2014-02-25 20:23:02 - 2014-04-16 14:59:25
> Total flows processed: 62190, Blocks skipped: 0, Bytes read: 3234104
> Sys: 0.030s flows/second: 2073000.0 Wall: 0.021s flows/second: 2958892.4
