On Sat, Dec 24, 2022 at 07:53:09PM -0800, Jonathan Thornburg wrote:
> I have a number of clients (2 OpenBSD systems, 3 Windows 10 systems,
> an Android phone or two, and a VoIP phone) all connected to the internet
> through an OpenBSD firewall (currently 7.1/amd64, will be 7.2 soon).
> I'm trying to track down which client(s) is/are responsible for a 5-fold
> increase in my overall data usage last month (and, I suspect, a similar
> ongoing data usage).
> 
> So, I'd like to modify the firewall to somehow record the per-IP-address
> number of bytes passed by the firewall (I can then match up the IP addresses
> with the dhcpd logs to find the offending client(s)).  This StackExchange
> question-and-answer
>   
> https://serverfault.com/questions/303931/getting-per-ip-traffic-stats-from-pf
> gives a possible solution
> > export netflow data for all your traffic, grab it with Flow-Tools,
> > and feed it to something like JKFlow to parse (and graph/report on).
> but that was as of 2011.

I would go for a netflow based solution. I did just that for a somewhat
similar scenario some years back, as described in this 2014 blog post:
https://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html.

That post has some of the basics for setting up with pflow(4) and the
rather minor changes you need in your ruleset to export the traffic metadata.

You also need to set up a collector. At the time I did this, nfsen was what
looked like the most straightforward one, but that may have changed in the
meantime. I would anyway recommend reading Michael Lucas' book which is
referenced in the article.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
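The collector side of the pflow(4) setup described above, as an added example that is not part of the original thread: a minimal NetFlow v5 parser (pflow's default export format) that sums octets per inside address, which is the per-IP accounting the question asks for. The LAN prefix 192.168.1.0/24 and the sample flows are constructed; a real collector would read the datagrams from a UDP socket instead.

```python
"""Added example: aggregate NetFlow v5 records (as exported by pflow(4))
into bytes sent/received per inside host. LAN prefix and flows are constructed."""
import ipaddress
import struct
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed inside network
HDR = struct.Struct("!HHIIIIBBH")                  # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")    # 48-byte NetFlow v5 record


def parse_v5(datagram: bytes):
    """Yield (src, dst, octets) for every record in one NetFlow v5 datagram."""
    version, count = HDR.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        # f[0]=srcaddr, f[1]=dstaddr, f[6]=dOctets
        yield ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1]), f[6]


def bytes_per_lan_host(datagrams):
    """Per inside address: octets it sent (as flow source) and received (as flow dest)."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0})
    for dg in datagrams:
        for src, dst, octets in parse_v5(dg):
            if src in LAN:
                totals[str(src)]["sent"] += octets
            if dst in LAN:
                totals[str(dst)]["recv"] += octets
    return dict(totals)


def build_v5(flows):
    """Build a NetFlow v5 datagram from (src, dst, octets) tuples (test data only)."""
    recs = b"".join(
        REC.pack(ipaddress.ip_address(s).packed, ipaddress.ip_address(d).packed,
                 b"\0" * 4, 0, 0, 1, o, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for s, d, o in flows)
    return HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + recs


# Constructed sample: one inside host uploading far more than the others.
SAMPLE = build_v5([("192.168.1.20", "203.0.113.5", 4_000_000),
                   ("203.0.113.5", "192.168.1.20", 120_000),
                   ("198.51.100.9", "192.168.1.33", 300_000)])

if __name__ == "__main__":
    for host, t in sorted(bytes_per_lan_host([SAMPLE]).items(),
                          key=lambda kv: -(kv[1]["sent"] + kv[1]["recv"])):
        print(f"{host:16} sent={t['sent']:>10} recv={t['recv']:>10}")
```

Feed the per-host totals to the dhcpd lease log lookup mentioned in the question to put a hostname to the heaviest address.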
