Just to contribute to this discussion: I am developing for a local ISP a solution for accounting traffic per IP. Then a collector aggregates the various IPs in order to have a per-client accounting solution. I have not decided to use ntop because ntop is for me a general tool, whereas for this kind of problem we need simple solutions that solve this problem well, crash-less and with very little resource usage.
So my solution (currently under test) is the following:
1. Linux-based solution
2. Kernel module for traffic accounting
3. userland RRD-based (it is activated periodically, e.g. every 5 minutes) traffic accounting that gathers data and aggregates them.
How does the solution work? See below.
[EMAIL PROTECTED] kntop]# insmod kntop.o homeNet="172.22.0.0/255.255.0.0;131.114.0.0/255.255.0.0"
[EMAIL PROTECTED] kntop]# ls /proc/kntop/
172.22.5.110 172.22.5.84
[EMAIL PROTECTED] kntop]# cat /proc/kntop/172.22.5.110
Packets Sent : 26
IP Bytes Sent : 3744
Packets Rcvd : 0
IP Bytes Rcvd : 0
[EMAIL PROTECTED] kntop]# ls /proc/kntop/
172.22.4.107 172.22.4.16 172.22.4.3 172.22.4.42 172.22.5.114 172.22.5.162 172.22.5.5 172.22.5.84 172.22.6.10
172.22.4.11 172.22.4.18 172.22.4.32 172.22.4.47 172.22.5.118 172.22.5.163 172.22.5.51 172.22.5.95 172.22.7.255
172.22.4.118 172.22.4.209 172.22.4.36 172.22.5.110 172.22.5.14 172.22.5.25 172.22.5.78 172.22.5.99
1. homeNet is the list of networks where the hosts to account belong
2. the module creates on the fly a new entry in /proc/nprobe for each host as soon as the kernel sees some traffic for the host
3. If you do cat /proc/kntop/<host> you'll see what the host did
4. the RRD collector simply reads the /proc/kntop/ directory a cat and stores data into RRD.
I'm currently adding new info (e.g. TCP/UDP/ICMP traffic and local vs remote traffic) into the module but this has to remain simple and reliable. As soon as this solution is stable I'll announce it.
Feedback?
Cheers, Luca
Burton M. Strauss III wrote:
Sure, anything can be added subject to reasonability - Luca won't tolerate pushing ntop too far afield.
Contact me off list for programming rates (sponsored development)...
-----Burton
US-based commercial support for ntop: http://www.ntopsupport.com mailto:[EMAIL PROTECTED]
Search the ntop mailing lists at gmane: http://search.gmane.org
HowTo Ask for Help at http://snapshot.ntop.org/faq.php#83
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dzevad Hadzic
Sent: Tuesday, July 29, 2003 5:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Ntop] Bandwith Measurement per User (IP)
Could that feature be added to some future version of ntop ?
----- Original Message -----
From: "Burton M. Strauss III" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 29, 2003 9:55 PM
Subject: RE: [Ntop] Bandwith Measurement per User (IP)
Off hand, nothing obvious. However, the raw data you want is in the RRDs, if you enable the plugin. The default is 300s resolution, but you could push that to say 15s without too much trouble unless it's a huge network.
Once the data is in the rrd, you would have to extract it and graph it using something external.
For example, there are RRDs like these:
/usr/share/ntop/rrd/interfaces/eth2/hosts/64/154/81/15/bytesSent.rrd
/usr/share/ntop/rrd/interfaces/eth2/hosts/64/154/81/15/bytesRcvd.rrd
one per host.
_______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
-- Luca Deri <[EMAIL PROTECTED]> http://luca.ntop.org/ Hacker: someone who loves to program and enjoys being clever about it - Richard Stallman
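
Added example, not part of the original thread and not the kntop collector itself: a sketch of the userland step described above, parsing the per-host counter files in the format shown by cat /proc/kntop/<host> and summing the increase since the previous poll per client. The client-to-subnet map, the counter key names, the reset handling and the temporary directory standing in for /proc/kntop/ are assumptions.

```python
import ipaddress
import tempfile
from collections import defaultdict
from pathlib import Path

FIELDS = {"Packets Sent": "pkts_sent", "IP Bytes Sent": "bytes_sent",
          "Packets Rcvd": "pkts_rcvd", "IP Bytes Rcvd": "bytes_rcvd"}

def parse_host(text):
    """Parse one per-host counter file into a dict of integer counters."""
    counters = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip() in FIELDS:
            counters[FIELDS[label.strip()]] = int(value)
    if len(counters) != len(FIELDS):
        raise ValueError("incomplete counter file")
    return counters

def read_snapshot(proc_dir):
    """Parse every entry of the counter directory, keyed by host IP."""
    return {p.name: parse_host(p.read_text()) for p in Path(proc_dir).iterdir()}

def per_client_delta(prev, curr, clients):
    """Sum per-IP counter increases since the last poll into per-client totals."""
    totals = defaultdict(lambda: dict.fromkeys(FIELDS.values(), 0))
    for ip, now in curr.items():
        owner = next((c for c, net in clients.items()
                      if ipaddress.ip_address(ip) in ipaddress.ip_network(net)), None)
        if owner is None:
            continue  # host is not assigned to any client
        for key, value in now.items():
            old = prev.get(ip, {}).get(key, 0)
            # Assumption: a counter lower than last poll means the module was reloaded.
            totals[owner][key] += (value - old) if value >= old else value
    return dict(totals)

def demo():
    # Constructed sample in the format printed by the session above.
    sample = "Packets Sent : 26\nIP Bytes Sent : 3744\nPackets Rcvd : 0\nIP Bytes Rcvd : 0\n"
    clients = {"client-a": "172.22.5.0/255.255.255.0"}  # hypothetical client map
    with tempfile.TemporaryDirectory() as d:  # stands in for /proc/kntop/
        for ip in ("172.22.5.110", "172.22.5.84"):
            Path(d, ip).write_text(sample)
        curr = read_snapshot(d)
    # Constructed previous poll: only one of the two hosts had been seen before.
    prev = {"172.22.5.110": dict(curr["172.22.5.110"], bytes_sent=3000, pkts_sent=20)}
    return per_client_delta(prev, curr, clients)
```

The per-client deltas returned here are the values a periodic job would hand to the RRD update for each client.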
