On 2022-12-25, Jonathan Thornburg <[email protected]> wrote:
> I have a number of clients (2 OpenBSD systems, 3 Windows 10 systems,
> an Android phone or two, and a VoIP phone) all connected to the internet
> through an OpenBSD firewall (currently 7.1/amd64, will be 7.2 soon).
> I'm trying to track down which client(s) is/are responsible for a 5-fold
> increase in my overall data usage last month (and, I suspect, a similar
> ongoing data usage).
>
> So, I'd like to modify the firewall to somehow record the per-IP-address
> number of bytes passed by the firewall (I can then match up the IP addresses
> with the dhcpd logs to find the offending client(s)). This StackExchange
> question-and-answer
>
> https://serverfault.com/questions/303931/getting-per-ip-traffic-stats-from-pf
> gives a possible solution
>> export netflow data for all your traffic, grab it with Flow-Tools,
>> and feed it to something like JKFlow to parse (and graph/report on).
> but that was as of 2011.
>
> Is this still the most straightforward way to get per-IP traffic stats?
> If so, can anyone point me to any reasonably up-to-date "big picture"
> tutorials/documentation? The closest I've come so far is this discussion
> https://www.pantz.org/software/flowtools/configflowtoolspfflow.html
> but it's from 2006.
>
> Thanks,
Netflow is good if you want to see what the actual traffic is over a longer
period of time. There is also ntopng which shows a lot more info (looks at
flows and does a bit of DPI) but it's quite heavy on CPU use. Netflow is good
as part of a more custom toolkit, ntopng if you want to run something quickly
with a nice UI.

Both are probably overkill if you just want per-IP statistics. For that, you
can either just use pf labels + statistics (though watch out for ruleset
reloads clearing them), or darkstat (in packages) is easy to use and perfect
for this.

-- 
Please keep replies on the mailing list.
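The "pf labels + statistics" approach from the reply above, worked through as an added example (not code from either poster). It assumes a LAN interface named em1 and a constructed list of three client addresses; pf.conf(5) expands the `$srcaddr` macro in a label when the address list is unrolled at load time, so each client ends up with its own rule and its own counter line in `pfctl -sl`. The field layout used by the parser (label, evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, with a trailing states column on newer releases) is the one documented in pfctl(8); the sample output below is constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Added example: summarise per-client byte counters from pf rule labels.
# Not part of the original thread; interface name and client list are assumptions.
#
# Suggested pf.conf rules (assumption: LAN interface em1, clients in a macro).
# The list is unrolled into one rule per address when the ruleset loads, and
# $srcaddr is substituted into each rule's label, giving one counter per client:
#
#   lan_if  = "em1"
#   clients = "{ 192.168.1.10 192.168.1.11 192.168.1.12 }"
#   pass in on $lan_if from $clients to any label "client_$srcaddr"
#
# Caveat from the reply: every "pfctl -f /etc/pf.conf" reload zeroes these
# counters, so snapshot them (e.g. from cron) before any reload.

# Read "pfctl -sl" lines on stdin; print "label total_bytes bytes_in bytes_out",
# highest total first. Field numbers follow the pfctl(8) column order:
#   $1 label  $2 evaluations  $3 packets  $4 bytes  $5 pkts_in  $6 bytes_in
#   $7 pkts_out  $8 bytes_out  ($9 states on newer releases, ignored here)
pf_bytes_by_label() {
    awk '{ total[$1] += $4; in_b[$1] += $6; out_b[$1] += $8 }
         END { for (l in total) printf "%s %d %d %d\n", l, total[l], in_b[l], out_b[l] }' |
    sort -k2,2nr
}

# Constructed sample of "pfctl -sl" output for the three assumed clients.
# (bytes_in + bytes_out equals the bytes column on each line.)
SAMPLE='client_192.168.1.10 1200 3400 512000 1500 102400 1900 409600 3
client_192.168.1.11 980 1200 8388608 600 1048576 600 7340032 1
client_192.168.1.12 310 400 40960 200 20480 200 20480 0'

# On a live firewall, as root:   pfctl -sl | pf_bytes_by_label
# Offline demonstration with the constructed sample:
printf '%s\n' "$SAMPLE" | pf_bytes_by_label
```

The label is the only thing that ties a counter back to an address, so the dhcpd lease logs mentioned in the question are still needed to map 192.168.1.11 to a hostname; if the clients are held in a pf table instead of an address list, `$srcaddr` is not expanded per entry and this per-client split does not happen.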

