# can I see how much download a certain IP does?

## taskara

I have an adsl connection shared, and squid runnning.

I can get a whole lot of info out of the logs, but what I want to know is the following (it may not be related to squid at all):

I want to see how much download a certain IP address uses over a month.

is this possible, either with squid, or some other way ?

thanks heaps!

----------

## Sven Vermeulen

Not really what you want, but here every pc has a static IP. Upon deactivating the network it saves information gathered from ifconfig into the logs of the server. With that info we know fi how much data has been send/received:

```

eth1      Link encap:Ethernet  HWaddr 00:20:18:57:80:C6  

          inet addr:213.224.137.219  Bcast:213.224.137.255    

                                                                Mask:255.255.255.0

          inet6 addr: fe80::220:18ff:fe57:80c6/10 Scope:Link

          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  

                                                                Metric:1

          RX packets:3028 errors:0 dropped:0 overruns:0 frame:0

          TX packets:2835 errors:0 dropped:0 overruns:0 carrier:0

          collisions:160 txqueuelen:100 

          RX bytes:2596733 (2.4 Mb)  TX bytes:323870 (316.2 Kb)

          Interrupt:12 Base address:0xe400

```

Fi the "RX bytes" contains how much data has been received, and "TX bytes" is the same for transmitted data.

----------

## mglauche

The easiest way would be to set up an iptables filter with that ip, and check the output of iptables -l -v monthly ... there are some packages that do this automatic (ipacct or so)

----------

## taskara

ok.. thanks for the tips..

are there any ebuilds for such a thing?

can u think of any other way of doing it?

thanks again

----------

## psp

What about calamari and other squid log analyzers?

Just a thought... (I know iptables will pickup all traffic, but if you want FTP, HTTP only...)

----------

## taskara

yeah there is one called webalizer.. I'm going to check that out.

didn't know about calamari, thanks.

they basically spit out what's in the logs and make them into pretty grafs and stuff...

cheers!

----------

## elfarto

You may want to try cacti and/or cricket, cacti is available as a ebuid as

net-analyzer/cacti, you should implement iptables filters to allow counting the traffic for a given ip, search around in the cacti web site for a pre made script that does the trick, a word of warning thou, i found several bugs in cacti, and the interface could be improved.!

----------

## Crg

 *taskara wrote:*   

> yeah there is one called webalizer.. I'm going to check that out.
> 
> didn't know about calamari, thanks.
> 
> they basically spit out what's in the logs and make them into pretty grafs and stuff...
> ...

 

That will only show you what traffic has gone through squid, so not kazaa etc..

The best solution is "emerge ntop" on your gateway machine.

Run it something like "ntop -m x.x.x.x/x -i ppp0 -i eth0"

where x.x.x.x/x is your local network.  Give it a couple of minutes to collect data then point your browser at port 3000 of that machine and look at the numbers and pretty graphs of whats going on.

(Once you have it working properly you can then run it as daemon - I don't suggest doing that the first time as you need to set a password so it won't work).

----------

## taskara

thanks guys.

Crg, that sounds like what I am after. Can you give me an example where my router is 10.0.0.1 and the pc I want to check usage on is 10.0.0.50 ?

what would that be:

ntop -m 10.0.0.50/ ?? -i ppp0 -i eth0

hope you can clarify for me!

thanks

----------

## Crg

 *taskara wrote:*   

> thanks guys.
> 
> Crg, that sounds like what I am after. Can you give me an example where my router is 10.0.0.1 and the pc I want to check usage on is 10.0.0.50 ?
> 
> what would that be:
> ...

 

A made a mistake with the above example the interfaces are supposed to be separated by ",", so if you have an linux box setup with 1 ethernet card and dialup/adsl it would be:

```
ntop -m 10.0.0.0/24 -i pppo,eth0
```

----------

## taskara

what's the "/24" ?

----------

## Crg

 *taskara wrote:*   

> what's the "/24" ?

 

Subnet mask... its assuming you have a 24bit subnet mask otherwise written as 255.255.255.0, the "-m x.x.x.x/x" isn't that important it just lets ntop know what IPs are local for display/stats purposes.

----------

## taskara

ahhh ofcourse  :Wink: 

thanks.. I'll give it a go! and let you know my results.

ta

----------

