On Thu, Jul 19, 2001 at 03:05:25AM +0200, Martin F. Krafft wrote: > i need to get a semi-exact idea of the traffic through one of our > servers, in and out. i understand that netstat -s gives me interface > statistics, but there are two problems with it: > > (a) it lists packets only. as i understand, a packet is not always the > same size. so that's no big use. > > (b) i absolutely need to cope with the disaster case in which the > server goes down - netstat would loose all data...
Use ipchains. It counts both packets and bytes. It makes tracking traffic by type simple, just create rules that match those connections without a jump target. Then setup a cron job that lists and resets the counters and mails the data to a collector address. You get all the robustness of the smtp mail system for free, if it is already there. Set the job interval appropriate for the amount of data loss is tolerable in case of an uncontrolled outage. Possibly, you can also get the stats data every minute and queue them up for an hourly mail sending. If you have this in place, then adding kernel logging from ipchains is a simple extension. On the receiver side, setup a dedicated user account that receives the stats mails and archives, indexes, processes and crossreferences the data. Write a reporting system that can publish reports on the web or by email. If you have it working, let the other hosts in your network send their data for processing. If you like this, then look into the "lire" package and see how much of this is already implemented. The lire people are happy with your patches, I'm sure. > there is iptables/ipchains, but (b) still applies. i figure that there > has to be a way to record these data without going higher up the > provider hierarchy, right? any ideas? i don't like daily ipchains > accounting mails and subsequent counter flushes... Why not? It would be the most straightforward implementation of what you're asking for. I can see that you don't like to create all the overhead yourself, so look into the lire package. Cheers, Joost
