No matter what type of traffic it is, if it hits the eth1 (adsl) interface, either incomming or outgoing, it is logged, before the packet his any other rules in the firewall.
As the packet traverses the firewall it gets logged again depending, so each packet is logged at least twice, once when it hits eth1, and second when it hits a matching rule, so there's a lot of redundency. But when I query the database I don't query for all logged packets, only the ones which are either input or output of eth1 and no packets which were logged by other rules in the firewall. Anyway, I spoke to the people of the ulogd mailing list and they said that because ulog only logs packets at the third layer, they are missing bits of information which the ISP is most likely accounting. They suggested I use 'libpcap' type application to log the data. Thanks heaps for everyones help. -----Original Message----- From: Michael Collins [mailto:[EMAIL PROTECTED] Sent: Thursday, 20 November 2003 11:09 AM To: 'Terry Collins'; 'Chris Barnes' Cc: 'SLUG' Subject: RE: [SLUG] Calamaris/Webalizer download count versus Netfilter byte countversus ISP byte count > > UDP packets? > > Who gets billed for DNS, NTP, etc packets? > What about SMTP, IMAP/POP3 traffic... Is this being counted somewhere? 750Mb HTTP traffic and 1.4Gb in email traffic is a fairly believable ratio... Especially if your users send/receive attachments (be they work related or only the daily 'Dilbert' type traffic) Cheers Michael -- SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info: http://lists.slug.org.au/listinfo/slug
