Hi Ricardo/list,

You could also use pfflowd (which exports netflow compatible datagrams). Then you could set up ntop as a receiver, to give you long term stats.

Cheers,
Simon.

On Thu Jan 15 15:24, "Ricardo Augusto de Souza" sent:

Hi list,

I have an OpenBSD 4.3 with PF as a gateway/router. My users go to the internet and to other networks through this server. I still have no bw control, but I will implement it asap. I am used to monitoring bw using this tool:

  bwm-ng v0.6 (probing every 0.500s), press 'h' for help
  input: getifaddrs type: rate
  /     iface              Rx              Tx           Total
  ==============================================================================
          lo0:      0.00 KB/s       0.00 KB/s       0.00 KB/s
         bge0:    117.30 KB/s      16.26 KB/s     133.56 KB/s
         bge1:     40.39 KB/s       2.91 KB/s      43.30 KB/s
          xl0:     16.76 KB/s     159.42 KB/s     176.17 KB/s
          xl1:      0.00 KB/s       0.00 KB/s       0.00 KB/s
         tun0:      0.00 KB/s       0.00 KB/s       0.00 KB/s
       pflog0:      0.00 KB/s       0.00 KB/s       0.00 KB/s
         tun1:      0.00 KB/s       0.00 KB/s       0.00 KB/s
  ------------------------------------------------------------------------------
        total:    174.44 KB/s     178.59 KB/s     353.03 KB/s

bge1 = internet A
xl1 = internet B ( backup )
bge0 = mpls ( network 10.100.0.0/25 )
xl0 = lan

bge0 is a 1 mbits/s link to my DataCenter. As you can see it's with a high traffic right now. When this happens, I use tcpdump to try to identify what is the IP with this high traffic. I read a lot about tcpdump advanced filtering but I couldn't get it yet.

# tcpdump -i xl0 dst net 10.100.0
tcpdump: listening on xl0, link-type EN10MB
11:58:13.444535 10.10.0.85.3686 > 10.100.0.20.1521: P 1718388167:1718388351(184) ack 3906805828 win 64674 (DF)
11:58:13.445633 10.10.0.37.4240 > 10.100.0.20.1521: P 4245905889:4245905926(37) ack 739870590 win 65350 (DF)
11:58:13.455229 10.10.0.59.3748 > 10.100.0.20.1521: P 3266944936:3266945123(187) ack 1986329831 win 65535 (DF)
11:58:13.463196 10.10.0.33.4449 > 10.100.0.20.1521: P 2765663668:2765663713(45) ack 3349351703 win 65535 (DF)
11:58:13.463314 10.10.0.85.3686 > 10.100.0.20.1521: P 184:229(45) ack 71 win 64604 (DF)
11:58:13.465625 10.10.0.37.4240 > 10.100.0.20.1521: P 37:163(126) ack 70 win 65281 (DF)
11:58:13.478123 10.10.0.101.1362 > 10.100.0.4.5900: . ack 2761513569 win 65535 (DF)
11:58:13.478949 10.10.0.101.1362 > 10.100.0.4.5900: P 0:10(10) ack 1 win 65535 (DF)
11:58:13.481370 10.10.0.59.3748 > 10.100.0.20.1521: P 187:1114(927) ack 166 win 65370 (DF)
11:58:13.485886 10.10.0.33.4449 > 10.100.0.20.1521: P 45:82(37) ack 862 win 64674 (DF)
11:58:13.495067 10.10.0.85.3686 > 10.100.0.20.1521: P 229:274(45) ack 1159 win 65535 (DF)
11:58:13.498905 10.10.20.200.3555 > 10.100.0.30.5900: . ack 3093581142 win 64760 (DF)
11:58:13.499287 10.10.20.200.3555 > 10.100.0.30.5900: P 0:10(10) ack 1 win 64760 (DF)
11:58:13.499671 10.10.0.37.4240 > 10.100.0.20.1521: P 163:347(184) ack 215 win 65136 (DF)
11:58:13.503325 10.10.0.33.4449 > 10.100.0.20.1521: P 82:864(782) ack 931 win 64605 (DF)
11:58:13.509570 10.10.0.85.3686 > 10.100.0.20.1521: P 274:311(37) ack 2020 win 64674 (DF)
11:58:13.511985 10.10.0.101.1362 > 10.100.0.4.5900: . ack 163 win 65373 (DF)
11:58:13.512286 10.10.0.32.1271 > 10.100.0.20.1521: P 66502839:66503932(1093) ack 1747230381 win 64931 (DF)
11:58:13.512293 10.10.0.101.1362 > 10.100.0.4.5900: P 10:20(10) ack 163 win 65373 (DF)

Today I was not able to find who is fuck*** the mpls link. Can you help/teach me how to identify heavy users?

Thanks
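
Added example, not part of either poster's message: a short Python script that ranks hosts by TCP payload bytes from tcpdump text output in the format quoted above. The name top_talkers and the sample lines are constructed for illustration; the totals count TCP payload only (the number in parentheses after the sequence range), not IP or TCP headers, so they approximate link usage rather than measure it.

```python
import re
import sys
from collections import Counter

# Constructed sample in the same tcpdump text format as the capture above.
SAMPLE = """\
tcpdump: listening on xl0, link-type EN10MB
11:58:13.444535 10.10.0.85.3686 > 10.100.0.20.1521: P 1718388167:1718388351(184) ack 3906805828 win 64674 (DF)
11:58:13.478123 10.10.0.101.1362 > 10.100.0.4.5900: . ack 2761513569 win 65535 (DF)
11:58:13.481370 10.10.0.59.3748 > 10.100.0.20.1521: P 187:1114(927) ack 166 win 65370 (DF)
11:58:13.495067 10.10.0.85.3686 > 10.100.0.20.1521: P 229:274(45) ack 1159 win 65535 (DF)
11:58:13.512286 10.10.0.32.1271 > 10.100.0.20.1521: P 66502839:66503932(1093) ack 1747230381 win 64931 (DF)
"""

# "time src.port > dst.port: rest" for IPv4 lines as printed by tcpdump.
LINE = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")
# "first:last(nbytes)" carries the TCP payload size; pure ACKs have none.
SEQ_LEN = re.compile(r"\d+:\d+\((\d+)\)")


def top_talkers(lines, key="src"):
    """Return [(host, payload_bytes, packets)] sorted by bytes, largest first.

    key="src" groups by sending host, key="dst" by receiving host.
    """
    nbytes, packets = Counter(), Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:  # banner line or anything not "host.port > host.port:"
            continue
        host = m.group(1) if key == "src" else m.group(3)
        seq = SEQ_LEN.search(m.group(5))
        nbytes[host] += int(seq.group(1)) if seq else 0
        packets[host] += 1
    return sorted(((h, nbytes[h], packets[h]) for h in packets),
                  key=lambda row: (-row[1], -row[2], row[0]))


if __name__ == "__main__":
    # Pipe a bounded capture in, e.g.
    #   tcpdump -n -c 5000 -i xl0 dst net 10.100.0 | python3 top_talkers.py
    # With no pipe, the constructed sample is used.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for host, size, count in top_talkers(source):
        print(f"{host:<15} {size:>10} bytes {count:>7} packets")
```
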