I recommend running pfflowd and collecting the flows on another box
where you can slice and dice the information to your heart's content. I
have a set of ruby scripts that allow me to build fairly arbitrary
buckets of traffic information from the flows I collect this way. It
keeps my rules clean (no creating random rules just to collect a
particular piece of info) and lets me divide the traffic up in more ways
(how much went to mail, how much by user, etc etc.)
-David
Jonathan Rogers wrote:
OpenBSD 3.8 here.
I'm keeping accounting stats on one subnet (my wireless users). Each
user (about a dozen in all) has a static IP address and there's a
separate, labeled "counting" rule for each one:
pass in quick on $wls_if inet from 192.168.0.123 to !
<wls_forbidden_nets> flags S/SA keep state label "wireless .123"
All of these rules are in their own separate anchor, "wlsacct". So far
so good.
Each night I've got a cron job that grabs these stats and dumps them to
a log file for later parsing and totalling:
/sbin/pfctl -s labels -a wlsacct >> /var/log/wireless_stats
Also good. However, after I do the nightly dump, I'm stumped at how to
zero the counters/statistics so we start from scratch. "-z" doesn't do
it, nor does "-F info". The best I can come up with is to entirely
delete the anchor and start over:
pfctl -a wlsacct -F rules
pfctl -a wlsacct -f pf.conf.wlsacct_anchor
Is there an easier way to zero the rule/label counters?
thanks much, oh pf demigods,
--jon--
ps: alternatively...is there any better way to start from scratch to go
about doing what I'm really trying to accomplish, which is to collect
wireless network traffic stats on a per-IP-address basis? For one, I suspect
I could get rid of the labels entirely and just use the normal
per-rule statistics output from pfctl -v instead...but if so, what's
the whole purpose behind labels at all? Just as an optimization
barrier, or...?
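One way to total the nightly `pfctl -s labels -a wlsacct` dumps without zeroing anything, as an added example that is not from either poster: pf's per-rule counters are cumulative, so the per-night figure is the difference between consecutive dumps. The log lines below are constructed; the column order (label, evaluations, packets, bytes, then in/out splits) is assumed, and the code only relies on the third numeric column being bytes and on labels possibly containing spaces, as "wireless .123" does.

```python
# Constructed sample: two nightly appends of `pfctl -s labels -a wlsacct`.
# Assumed columns: label evals packets bytes in-pkts in-bytes out-pkts out-bytes.
# The second dump for ".124" is lower than the first: the anchor was reloaded.
SAMPLE_LOG = """\
wireless .123 1000 800 640000 400 40000 400 600000
wireless .124 500 300 120000 150 20000 150 100000
wireless .123 1600 1300 1040000 650 65000 650 975000
wireless .124 90 60 24000 30 4000 30 20000
"""

def parse_label_line(line):
    """Return (label, counters) or None for a non-data line. Labels may
    contain spaces, so peel numeric fields off the right and treat
    whatever remains on the left as the label."""
    tokens = line.split()
    nums = []
    while tokens and tokens[-1].isdigit():
        nums.insert(0, int(tokens.pop()))
    if len(nums) < 3 or not tokens:
        return None
    return " ".join(tokens), nums

def split_snapshots(text):
    """Group the appended dumps into snapshots: the cron job writes no
    separator, so a label seen again starts the next night's dump."""
    snapshots, current = [], {}
    for line in text.splitlines():
        parsed = parse_label_line(line)
        if parsed is None:
            continue
        label, nums = parsed
        if label in current:
            snapshots.append(current)
            current = {}
        current[label] = nums
    if current:
        snapshots.append(current)
    return snapshots

def nightly_bytes(text):
    """Bytes per label between consecutive dumps. If a counter is lower
    than the night before, the rules were reloaded and the counter
    restarted at zero, so the current value is the whole interval."""
    snaps = split_snapshots(text)
    result = []
    for prev, cur in zip(snaps, snaps[1:]):
        interval = {}
        for label, nums in cur.items():
            cur_b, prev_b = nums[2], prev.get(label, [0, 0, 0])[2]
            interval[label] = cur_b if cur_b < prev_b else cur_b - prev_b
        result.append(interval)
    return result
```

Feeding the real /var/log/wireless_stats file to nightly_bytes() yields one dict per night, which can then be summed by label or by user without touching the ruleset.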