Re: how to get per-IP traffic statistics?
On Sat, Dec 24, 2022 at 07:53:09PM -0800, Jonathan Thornburg wrote:
> I have a number of clients (2 OpenBSD systems, 3 Windows 10 systems,
> an Android phone or two, and a VoIP phone) all connected to the internet
> through an OpenBSD firewall (currently 7.1/amd64, will be 7.2 soon).
> I'm trying to track down which client(s) is/are responsible for a 5-fold
> increase in my overall data usage last month (and, I suspect, a similar
> ongoing data usage).
>
> So, I'd like to modify the firewall to somehow record the per-IP-address
> number of bytes passed by the firewall (I can then match up the IP addresses
> with the dhcpd logs to find the offending client(s)). This StackExchange
> question-and-answer
>
> https://serverfault.com/questions/303931/getting-per-ip-traffic-stats-from-pf
> gives a possible solution
> > export netflow data for all your traffic, grab it with Flow-Tools,
> > and feed it to something like JKFlow to parse (and graph/report on).
> but that was as of 2011.

I would go for a netflow based solution. I did just that for a somewhat similar scenario some years back, as described in this 2014 blog post: https://bsdly.blogspot.com/2014/02/yes-you-too-can-be-evil-network.html.

That post has some of the basics for setting up with pflow(4) and the rather minor changes you need in your ruleset to export the traffic metadata. You also need to set up a collector. At the time I did this, nfsen was what looked like the most straightforward one, but that may have changed in the meantime.

I would anyway recommend reading Michael Lucas' book which is referenced in the article.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: how to get per-IP traffic statistics?
On 2022-12-25, Jonathan Thornburg wrote:
> I have a number of clients (2 OpenBSD systems, 3 Windows 10 systems,
> an Android phone or two, and a VoIP phone) all connected to the internet
> through an OpenBSD firewall (currently 7.1/amd64, will be 7.2 soon).
> I'm trying to track down which client(s) is/are responsible for a 5-fold
> increase in my overall data usage last month (and, I suspect, a similar
> ongoing data usage).
>
> So, I'd like to modify the firewall to somehow record the per-IP-address
> number of bytes passed by the firewall (I can then match up the IP addresses
> with the dhcpd logs to find the offending client(s)). This StackExchange
> question-and-answer
>
> https://serverfault.com/questions/303931/getting-per-ip-traffic-stats-from-pf
> gives a possible solution
>> export netflow data for all your traffic, grab it with Flow-Tools,
>> and feed it to something like JKFlow to parse (and graph/report on).
> but that was as of 2011.
>
> Is this still the most straightforward way to get per-IP traffic stats?
> If so, can anyone point me to any reasonably up-to-date "big picture"
> tutorials/documentation? The closest I've come so far is this discussion
> https://www.pantz.org/software/flowtools/configflowtoolspfflow.html
> but it's from 2006.
>
> Thanks,

netflow is good if you want to see what the actual traffic is over a longer period of time.

There is also ntopng which shows a lot more info (looks at flows and does a bit of dpi) but it's quite heavy on cpu use.

Netflow is good as part of a more custom toolkit, ntopng if you want to run something quickly with a nice ui.

Both are probably overkill if you just want per-IP statistics. For that, you can either just use pf labels + statistics (though watch out for ruleset reloads clearing them), or darkstat (in packages) is easy to use and perfect for this.

--
Please keep replies on the mailing list.
Re: how to get per-IP traffic statistics?
On Sat, Dec 24, 2022 at 07:53:09PM -0800, Jonathan Thornburg wrote:
> So, I'd like to modify the firewall to somehow record the per-IP-address
> number of bytes passed by the firewall

Add match rules to pf.conf for the IPs you're interested in and give them named labels. Then you can view statistics for the packets that matched each label using pfctl -s labels.
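The pf-label approach suggested in the two replies above, worked through as an added example (not code from any of the posters): a pf.conf fragment that gives each client its own labelled match rule on the internal interface, and a small awk summary that turns `pfctl -s labels` output into bytes per client address. The interface name em1 and the client addresses 192.168.1.10-12 are assumptions, and the sample label output is constructed, so the summary runs without a live pf.

```shell
#!/bin/sh
# Per-IP byte counts via pf labels. Added example; interface and
# addresses are assumptions, the sample pfctl output is constructed.

# pf.conf fragment. Rules on the internal interface see the real client
# address (no NAT applied there). The list expands into one rule per
# client, and $srcaddr/$dstaddr in the label expand per rule.
# Note: reloading the ruleset (pfctl -f) zeroes these counters, so
# sample them regularly rather than relying on a single read.
PF_CONF_FRAGMENT='
int_if  = "em1"
clients = "{ 192.168.1.10, 192.168.1.11, 192.168.1.12 }"
match in  on $int_if from $clients label "out-$srcaddr"
match out on $int_if to   $clients label "in-$dstaddr"
'

# Constructed sample of `pfctl -s labels` output. Columns:
# label evals packets bytes pkts_in bytes_in pkts_out bytes_out states
SAMPLE_LABELS='out-192.168.1.10 120 3000 2500000 0 0 3000 2500000 40
in-192.168.1.10 118 4500 61000000 4500 61000000 0 0 40
out-192.168.1.11 30 200 15000 0 0 200 15000 5
in-192.168.1.11 29 300 420000 300 420000 0 0 5
out-192.168.1.12 9 40 3000 0 0 40 3000 2
in-192.168.1.12 9 50 90000 50 90000 0 0 2'

# Read label lines on stdin, strip the in-/out- prefix so both
# directions are summed per address, and sort by total bytes (desc).
per_ip_bytes() {
    awk '{ ip = $1; sub(/^(in|out)-/, "", ip); bytes[ip] += $4 }
         END { for (ip in bytes) printf "%s %d\n", ip, bytes[ip] }' |
    sort -k2,2nr
}

# Address responsible for the most traffic in the sample.
top_talker() {
    printf '%s\n' "$SAMPLE_LABELS" | per_ip_bytes | head -n 1 | cut -d' ' -f1
}

# Live use on the firewall would be:  pfctl -s labels | per_ip_bytes
printf '%s\n' "$SAMPLE_LABELS" | per_ip_bytes
```

The resulting address list can then be matched against the dhcpd logs, as the original question describes.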
how to get per-IP traffic statistics?
I have a number of clients (2 OpenBSD systems, 3 Windows 10 systems, an Android phone or two, and a VoIP phone) all connected to the internet through an OpenBSD firewall (currently 7.1/amd64, will be 7.2 soon). I'm trying to track down which client(s) is/are responsible for a 5-fold increase in my overall data usage last month (and, I suspect, a similar ongoing data usage).

So, I'd like to modify the firewall to somehow record the per-IP-address number of bytes passed by the firewall (I can then match up the IP addresses with the dhcpd logs to find the offending client(s)). This StackExchange question-and-answer

https://serverfault.com/questions/303931/getting-per-ip-traffic-stats-from-pf

gives a possible solution
> export netflow data for all your traffic, grab it with Flow-Tools,
> and feed it to something like JKFlow to parse (and graph/report on).
but that was as of 2011.

Is this still the most straightforward way to get per-IP traffic stats? If so, can anyone point me to any reasonably up-to-date "big picture" tutorials/documentation? The closest I've come so far is this discussion

https://www.pantz.org/software/flowtools/configflowtoolspfflow.html

but it's from 2006.

Thanks,

--
"Jonathan Thornburg [remove -color to reply]"
currently on the west coast of Canada
"Now back when I worked in banking, if someone went to Barclays, pretended to be me, borrowed UKP10,000 and legged it, that was `impersonation', and it was the bank's money that had been stolen, not my identity. How did things change?" -- Ross Anderson