# Monitoring Network Usage

## friction

I'm running Gentoo on a box that just sits in another room and does masquerading/firewall - I'd like to have a way to know how much data gets sent to what internal IP addresses to identify where our download limit is going - is there a way to do this?

----------

## TheQuickBrownFox

One way to do this is to run a squid proxy on the masq box and force people to use the proxy. This will also save some bandwidth.

There are plenty of tools to analyse squid logs to see exactly who surfed what and how much.

A

----------

## psp

If you are doing a simple MASQ for all your IPs you'll have to set this up...

Create a new iptables chain in the PREROUTING/POSTROUTING chain for each of the internal addresses. The target (-j) for this chain can be ACCEPT. Like this:

```
# For traffic leaving the LAN host - check _your_ interfaces
# (eth0 = internal side, eth1 = external side)
iptables -t mangle -A PREROUTING -i eth0 -s 192.168.1.2 -j ACCEPT

# For traffic coming back to the LAN host: match on the destination, and do it
# in POSTROUTING, where the masquerade has already been undone and the
# destination is the internal address again (in mangle PREROUTING it is still
# the external address)
iptables -t mangle -A POSTROUTING -o eth0 -d 192.168.1.2 -j ACCEPT
```

This will create a chain which packets will traverse for each host. The output from an `iptables -t mangle -nvL` will show you the total packets and total bytes traversed over this chain.

Hope this helps....

----------

## friction

So I would set up a chain for each of the 253 possible addresses?

Guess that wouldn't be too hard to script.

I guess I figured there would be some kind of SNMP daemon that you could run. 

*psp wrote:*

> If you are doing a simple MASQ for all your IPs you'll have to set this up...
>
> Create a new iptables chain in the PREROUTING/POSTROUTING chain for each of the internal addresses. The target (-j) for this chain can be ACCEPT. Like this:
>
> ```
> ...
> ```

----------

## nh8as

Doesn't mrtg have an option for this?

----------

## antik

*friction wrote:*

> I'm running Gentoo on a box that just sits in another room and does masquerading/firewall - I'd like to have a way to know how much data gets sent to what internal IP addresses to identify where our download limit is going - is there a way to do this?

Here is a utility called iptraf.

----------

## antik

And if you want more advanced stuff go with Nagios.

----------

## friction

*antik wrote:*

> *friction wrote:*
>
> > I'm running Gentoo on a box that just sits in another room and does masquerading/firewall - I'd like to have a way to know how much data gets sent to what internal IP addresses to identify where our download limit is going - is there a way to do this?
>
> Here is a utility called iptraf.

Nice clean tool, but not much good over SSH because it artificially inflates the amounts (ssh client being updated as fast as it can), and there doesn't seem to be a way to get it to log summary info to disk.

I'll give nagios a shot and see how it goes.

----------

## antik

Here goes again: ntop.

----------

## friction

I went with the iptables method, and modified my script to make a rule for each IP a la:

```
# $IPTABLES, $EXTIF (external interface) and $INTIF (internal interface)
# are set earlier in the firewall script.
ipnum=2
while [ "$ipnum" -lt 255 ]
do
    # One ACCEPT rule per internal host in the FORWARD chain; the rule's
    # byte counter becomes that host's download total.
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
        -d 192.168.0.$ipnum -j ACCEPT
    ipnum=`expr $ipnum + 1`
done
```

And then used this command to strip unused IPs:

```
iptables -L FORWARD -v | grep " 0\|--  eth1" -v
```

Just make sure when you zero your table to start the bit counts again you use -Z for ZERO, not -F for FLUSH, which kills your ssh session.
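As an added example (not code from anyone in this thread), here is the same per-host FORWARD accounting carried through to a report: rules for both directions, an atomic list-and-zero, and an awk pass that turns the counter output into bytes per host. The interface names eth0/eth1, the 192.168.0.0/24 subnet and the sample counter output are all constructed assumptions.

```sh
# Added example, not code from the thread. Assumes friction's per-host FORWARD
# rules (one "-d 192.168.0.N" rule per host) plus a matching "-s" rule for
# uploads; interfaces eth0/eth1 and the 192.168.0.0/24 subnet are assumptions.
IPTABLES=${IPTABLES:-iptables}
EXTIF=${EXTIF:-eth1}   # assumed external interface
INTIF=${INTIF:-eth0}   # assumed internal interface

# One accounting rule per host in each direction (download = -d, upload = -s).
add_accounting_rules() {
    ipnum=2
    while [ "$ipnum" -lt 255 ]; do
        $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED \
            -d "192.168.0.$ipnum" -j ACCEPT
        $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "192.168.0.$ipnum" -j ACCEPT
        ipnum=$((ipnum + 1))
    done
}

# List and zero atomically: -x prints exact byte counts, -n skips DNS lookups,
# -Z resets the counters (-F would delete the accounting rules themselves).
snapshot_and_zero() { $IPTABLES -t filter -nvxL FORWARD -Z; }

# Turn "iptables -nvxL FORWARD" output (stdin) into "ip download_bytes upload_bytes",
# one line per host, busiest downloader first. Hosts with zero traffic are kept.
report_usage() {
    awk '
        $1 == "Chain" || $1 == "pkts" { next }      # banner and column header
        # -nvx columns: pkts bytes target prot opt in out source destination [match...]
        NF >= 9 && $2 ~ /^[0-9]+$/ {
            if ($9 ~ /^192\.168\.0\./) { down[$9] += $2 }
            else if ($8 ~ /^192\.168\.0\./) { up[$8] += $2 }
        }
        END {
            for (ip in down) hosts[ip] = 1
            for (ip in up)   hosts[ip] = 1
            for (ip in hosts) printf "%s %d %d\n", ip, down[ip] + 0, up[ip] + 0
        }' | sort -k2,2nr
}

# Constructed sample of what snapshot_and_zero prints (not real counters).
sample_counters() {
    cat <<'EOF'
Chain FORWARD (policy DROP 12 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1532    2048000 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.0.2          state RELATED,ESTABLISHED
     410      51200 ACCEPT     all  --  eth0   eth1    192.168.0.2          0.0.0.0/0
       0          0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            192.168.0.3          state RELATED,ESTABLISHED
      88       9000 ACCEPT     all  --  eth0   eth1    192.168.0.3          0.0.0.0/0
EOF
}
```

On the real box, `snapshot_and_zero | report_usage >> usage.log` from cron gives the per-period summary that iptraf could not write to disk.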

----------

