Re: Logging bandwidth usage with PF

2007-11-13 Thread Jonathan Towne
On Mon, Nov 12, 2007 at 11:52:08PM -0500, Jason Dixon scribbled:
# On Nov 12, 2007, at 10:31 AM, Joel Gudknecht wrote:
# 
# Misc list:
# 
# I'm trying to figure out a way to log and analyze bandwidth usage
# passing through my PF gateway. It's doing NAT for ~60 users.
# 

How about argus?

http://qosient.com/argus/

It reads netflow data; but also has its own powerful 
processing/storage engine.

It does bidirectional flow analysis, where netflow only does it
unidirectional.  You may or may not want that, but I encourage
you to look anyway.  It's quite a bit easier to script.


-- Jonathan Towne



Logging bandwidth usage with PF

2007-11-12 Thread Joel Gudknecht
Misc list:

I'm trying to figure out a way to log and analyze bandwidth usage
passing through my PF gateway. It's doing NAT for ~60 users.

Here are the pertinent logging rules;

rdr pass log on $ext_if proto tcp to port smtp -> $host
rdr pass log on $ext_if proto tcp to port www -> $host
rdr pass log on $ext_if proto tcp to port pop3 -> $host
rdr pass log on $ext_if proto tcp to port 1494 -> $host
rdr pass log on $ext_if proto tcp to port 3389 -> $host

pass out log keep state

I've tried analyzing pflogs using ethereal/wireshark but could not get
specifics about IP's and connection rates from it. I've also looked at
ntop and pftop, which looks good for real-time monitoring but I don't
think they apply for what I'm trying to do.

I'd like to generate a sorted list of top bandwidth hogs and their IP addresses.

Thanks.

Joel



Re: Logging bandwidth usage with PF

2007-11-12 Thread Peter N. M. Hansteen
Joel Gudknecht [EMAIL PROTECTED] writes:

> rdr pass log on $ext_if proto tcp to port smtp -> $host

this only gives you the initial packet. for tracking traffic you
probably want to look at log (all).

> I've tried analyzing pflogs using ethereal/wireshark but could not get
> specifics about IP's and connection rates from it. I've also looked at
> ntop and pftop, which looks good for real-time monitoring but I don't
> think they apply for what I'm trying to do.

the output of something like tcpdump -n -e -ttt -v -i pflog0 gives you
quite a bit of data to play with if you want to do your own parsing,
but 

> I'd like to generate a sorted list of top bandwidth hogs and their IP
> addresses.

for that purpose, the more promising path is probably to use labels
with the $srcaddr macro in them, and collect your statistics at
regular intervals for processing.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Logging bandwidth usage with PF

2007-11-12 Thread Juan Miscaro
--- Joel Gudknecht [EMAIL PROTECTED] wrote:

> Misc list:
>
> I'm trying to figure out a way to log and analyze bandwidth usage
> passing through my PF gateway. It's doing NAT for ~60 users.
>
> Here are the pertinent logging rules;
>
> rdr pass log on $ext_if proto tcp to port smtp -> $host
> rdr pass log on $ext_if proto tcp to port www -> $host
> rdr pass log on $ext_if proto tcp to port pop3 -> $host
> rdr pass log on $ext_if proto tcp to port 1494 -> $host
> rdr pass log on $ext_if proto tcp to port 3389 -> $host
>
> pass out log keep state
>
> I've tried analyzing pflogs using ethereal/wireshark but could not get
> specifics about IP's and connection rates from it. I've also looked at
> ntop and pftop, which looks good for real-time monitoring but I don't
> think they apply for what I'm trying to do.
>
> I'd like to generate a sorted list of top bandwidth hogs and their IP
> addresses.

I don't think there is any built-in way of doing this.  What I did was
write a shell script that interacts with labels contained in pf.conf. 
The script runs every five minutes and processes the data.  I used to
have it according to IP and protocol but eventually got rid of the IP
side as my pf.conf was getting really messy.

// juan 


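Peter's suggestion (labels carrying the $srcaddr macro, read at regular intervals) and Juan's five-minute label-processing script describe the same approach. The script below is an added example of it, not code from either poster; it assumes rules labelled like `label "out:$srcaddr"` and the `pfctl -sl` column order (label, evaluations, packets, bytes, ...), runs against a constructed sample by default, and reads the live counters with `--live`.

```shell
#!/bin/sh
# Added example, not from the thread: turn PF's per-label byte counters
# into a sorted "top bandwidth hogs" list. Assumes pf.conf rules labelled
# with the $srcaddr macro, e.g.
#   pass in  on $int_if from $clients keep state label "in:$srcaddr"
#   pass out on $ext_if from $clients keep state label "out:$srcaddr"
# pfctl expands one rule (and one label) per client address.
#
# pfctl -sl prints, per label:
#   label evaluations packets bytes packets_in bytes_in packets_out bytes_out ...
# Only columns 1, 3 and 4 are relied on here.

# Constructed sample of pfctl -sl output (three clients, not real data).
SAMPLE='out:10.0.0.5 120 4000 3145728 1000 524288 3000 2621440
out:10.0.0.6 80 1500 1048576 700 262144 800 786432
out:10.0.0.7 300 9000 8388608 2000 1048576 7000 7340032
in:10.0.0.5 10 50 20480 25 10240 25 10240'

# top_talkers: read pfctl -sl lines on stdin, sum the bytes column per
# address (the label text after the last colon, so in:/out: rules for
# the same client are merged) and print "<bytes> <ip>", heaviest first.
top_talkers() {
    awk '
    $4 ~ /^[0-9]+$/ {
        n = split($1, parts, ":")
        ip = parts[n]
        bytes[ip] += $4
    }
    END { for (ip in bytes) printf "%d %s\n", bytes[ip], ip }' | sort -rn
}

# report: top N entries with bytes shown as MiB, for a cron mail or log.
report() {
    head -n "${1:-10}" | awk '{ printf "%8.1f MiB  %s\n", $1 / 1048576, $2 }'
}

# collect: snapshot the live counters, then zero them so each run (every
# five minutes from cron, say) reports only that interval's traffic.
# Packets arriving between the two pfctl calls are not counted.
collect() {
    pfctl -sl && pfctl -z
}

if [ "${1:-}" = "--live" ]; then
    collect | top_talkers | report 10
else
    printf '%s\n' "$SAMPLE" | top_talkers | report 10
fi
```

Because the counters are cumulative from the last rule load, zeroing after each snapshot (or keeping the previous snapshot and subtracting) is what makes the per-interval numbers meaningful.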



Re: Logging bandwidth usage with PF

2007-11-12 Thread Calomel
Joel,

Check out pfflowd. This site has a how to.


Configuration of NetFlow, Flowtools, pfflowd on OpenBSD

Have you ever wanted to keep track of every packet going through your
firewall? How about getting some stats on the hosts using your network?
Stats like most bandwidth used or most popular ports or IPs. Well, NetFlow
is what you're looking for. NetFlow is an open but proprietary network
protocol developed by Cisco Systems to run on Cisco IOS-enabled equipment
for collecting IP traffic information.

http://www.pantz.org/software/flowtools/configflowtoolspfflow.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Mon, Nov 12, 2007 at 09:31:08AM -0600, Joel Gudknecht wrote:
> Misc list:
>
> I'm trying to figure out a way to log and analyze bandwidth usage
> passing through my PF gateway. It's doing NAT for ~60 users.
>
> Here are the pertinent logging rules;
>
> rdr pass log on $ext_if proto tcp to port smtp -> $host
> rdr pass log on $ext_if proto tcp to port www -> $host
> rdr pass log on $ext_if proto tcp to port pop3 -> $host
> rdr pass log on $ext_if proto tcp to port 1494 -> $host
> rdr pass log on $ext_if proto tcp to port 3389 -> $host
>
> pass out log keep state
>
> I've tried analyzing pflogs using ethereal/wireshark but could not get
> specifics about IP's and connection rates from it. I've also looked at
> ntop and pftop, which looks good for real-time monitoring but I don't
> think they apply for what I'm trying to do.
>
> I'd like to generate a sorted list of top bandwidth hogs and their IP
> addresses.
>
> Thanks.
>
> Joel



Re: Logging bandwidth usage with PF

2007-11-12 Thread Jason Dixon

On Nov 12, 2007, at 10:31 AM, Joel Gudknecht wrote:


> Misc list:
>
> I'm trying to figure out a way to log and analyze bandwidth usage
> passing through my PF gateway. It's doing NAT for ~60 users.
>
> Here are the pertinent logging rules;
>
> rdr pass log on $ext_if proto tcp to port smtp -> $host
> rdr pass log on $ext_if proto tcp to port www -> $host
> rdr pass log on $ext_if proto tcp to port pop3 -> $host
> rdr pass log on $ext_if proto tcp to port 1494 -> $host
> rdr pass log on $ext_if proto tcp to port 3389 -> $host
>
> pass out log keep state
>
> I've tried analyzing pflogs using ethereal/wireshark but could not get
> specifics about IP's and connection rates from it. I've also looked at
> ntop and pftop, which looks good for real-time monitoring but I don't
> think they apply for what I'm trying to do.
>
> I'd like to generate a sorted list of top bandwidth hogs and their
> IP addresses.



You've gotten some good suggestions.  For no particular reason at all,  
I figured I would mention this related project.  I don't know the  
author, but it looks vaguely interesting.  Rumors are it will have a  
port for OpenBSD when it's ready for testing.  It's designed to read  
in data from flowd (via fifo).  The examples are live NetFlow streams  
generated by pfflowd.


http://www.netflowdashboard.com/demo/

user = guest
pass = guest

---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net