# Traffic monitoring

## chrism

Hello everyone,

We have a server which acts as a Samba server, a web server and a gateway. The workgroup consists of approximately 25 clients.

The problem I have is that I have to keep track of the amount of traffic each client sends via the gateway, and the amount each client produces with the server itself.

I tried vnstat, which doesn't seem suitable since it only records the total amount of traffic. I also tried to get iptables to do the job (https://forums.gentoo.org/viewtopic-t-617960.html), but since the IP addresses are issued by a DHCP server which is not under my control, it didn't work.

Another problem is that for legal reasons I am not allowed to sniff the traffic, so Ethereal and Wireshark are no good either.

It would be great if someone had a solution.

Thanks,

Chris

----------

## octanez

Have you taken a look at ntop?

I am not sure what kind of reports you need to generate but it might be a good place to start.

----------

## chrism

I tried ntop, but unfortunately it logs too much. I am not even allowed to use a program which has the capability to trace the users' actions, only the amount of traffic they produce.

I was thinking of something like vnstat, but instead of only having the network interfaces, having a list of all clients:

e.g.:

```
                      rx      /     tx      /    total    /  estimated
 eth1-total:
...
```

More like this; it doesn't have to be fancy... Thanks,

Chris

----------

## Hu

You could abuse iptables for this.  I think the last time I suggested this, someone else almost immediately posted a more elegant solution.  However, I do not recall what that solution was, and a quick search of old posts does not reveal it.

```
# One accounting rule per direction and host; no -j target, so the rules only count
for octet in $(seq 1 25); do
  iptables -A FORWARD -s 192.168.0.${octet}   # from the host, presumably to the Internet
  iptables -A FORWARD -d 192.168.0.${octet}   # to the host, presumably from the Internet
  iptables -A INPUT   -s 192.168.0.${octet}   # from the host to this machine
done
```

This adds three rules for each of the 25 hosts.  The first FORWARD rule counts traffic originating from the host, which is presumably bound for the Internet.  The second FORWARD rule counts traffic going to the host, which is presumably from the Internet.  The INPUT rule counts traffic coming from the host to the local machine.  If you also need to count traffic going from the local machine to the host, add a rule to OUTPUT as well.

These rules only count packets and bytes, but do not store any contents.  As written, it does not even store port numbers, so you cannot tell whether the host was using ssh, http, rsync, or a p2p client.

----------

## DarKRaveR

1.) Use iptables, which is quite cumbersome if you have dynamic IPs

2.) Use tcpdump and snap only the header (snaplen=20 - IP header only)

3.) Write something yourself?

All other options are more or less derivatives of the same thing; you will have to look into the packets, no matter what...

----------

## bradp_84

If you want to use the iptables approach, you could always configure DHCP to give out static IPs, i.e. map an IP to a MAC in the DHCP configuration.

----------
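What that mapping looks like in ISC dhcpd syntax, as an added example that is not part of the thread (it only helps if you control the DHCP server, which Chris says he does not); the subnet, host names and MAC addresses are made up for illustration:

```conf
# Added example in ISC dhcpd syntax (not from the thread); the subnet,
# the MAC addresses and the host names are made up for illustration.
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.200;     # pool for machines without a host block
  option routers 192.168.0.254;          # the gateway from the original post
}

# One host block per client: this MAC always gets the same address, so the
# per-address iptables counters stay tied to one machine.  Keep fixed
# addresses outside the dynamic range above.
host pc01 {
  hardware ethernet 00:11:22:33:44:01;
  fixed-address 192.168.0.1;
}

host pc02 {
  hardware ethernet 00:11:22:33:44:02;
  fixed-address 192.168.0.2;
}
```

Note the limit of this approach: the binding is only as trustworthy as the MAC address, and a user who changes their MAC (or a machine that is missing a host block) falls into the dynamic pool and gets counted under whatever address it is handed. For strict accounting, leave no dynamic range at all (or add `deny unknown-clients;`) so that only listed machines receive a lease.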

## tutaepaki

Take a look at ipaudit.

----------

## theotherjoe

Another tool you may want to have a look at is iptraf; it's in Portage.

http://iptraf.seul.org/

----------

## -Craig-

iptraf is not an option.

I'd recommend using `iptables -nvxZL`, some bash/sed/awk and a MySQL backup.

You'd have to write that on your own, of course...

----------
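Putting Hu's counting rules together with -Craig-'s suggestion of `iptables -nvxZL` plus shell/awk, the following script is an added example and not code from the thread. It prints the rule set for hosts 192.168.0.1 to 192.168.0.25 (the subnet and host range follow Hu's post and are an assumption), and it reduces `iptables -nvxL` output to one line per client with rx, tx, local and total byte counts in the vnstat-like shape Chris asked for. The `iptables` output embedded in `sample_counters` is constructed by hand for the demo, not captured from a real gateway.

```shell
#!/bin/sh
# Added example (not from the thread): per-client byte accounting with iptables.
# Assumes the accounting rules from Hu's post (FORWARD -s, FORWARD -d, INPUT -s
# per host) on 192.168.0.0/24; subnet and host range are assumptions.
NET=192.168.0
FIRST=1
LAST=25

# Emit the iptables commands that create one counting rule per direction and host.
# The rules have no -j target, so they only count packets and bytes and never
# store payload or ports; the only thing recorded is the host address itself.
accounting_rules() {
  i=$FIRST
  while [ "$i" -le "$LAST" ]; do
    printf 'iptables -A FORWARD -s %s.%s\n' "$NET" "$i"   # host -> Internet (tx)
    printf 'iptables -A FORWARD -d %s.%s\n' "$NET" "$i"   # Internet -> host (rx)
    printf 'iptables -A INPUT -s %s.%s\n'   "$NET" "$i"   # host -> this server (local)
    i=$((i + 1))
  done
}

# Reduce `iptables -nvxL` output on stdin to one line per client:
#   client  rx  tx  local  total   (bytes; -x gives exact counters, -n numeric addresses)
summarize() {
  printf '%-16s %12s %12s %12s %12s\n' client rx tx local total
  awk -v net="$NET" '
    /^Chain /    { chain = $2; next }     # "Chain FORWARD (policy ...)"
    $1 == "pkts" { next }                 # column header line
    NF < 8       { next }                 # blank lines between chains
    {
      bytes = $2
      # The target column is empty for our rules and filled for rules with -j,
      # so the source is found by shape: the first dotted-quad field after bytes.
      for (f = 3; f <= NF; f++)
        if ($f ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) break
      src = $f; dst = $(f + 1)
      if (chain == "FORWARD" && index(src, net ".") == 1)      tx[src]  += bytes
      else if (chain == "FORWARD" && index(dst, net ".") == 1) rx[dst]  += bytes
      else if (chain == "INPUT" && index(src, net ".") == 1)   lcl[src] += bytes
    }
    END {
      for (h in tx)  seen[h] = 1
      for (h in rx)  seen[h] = 1
      for (h in lcl) seen[h] = 1
      for (h in seen)
        printf "%-16s %12d %12d %12d %12d\n", h, rx[h], tx[h], lcl[h], rx[h] + tx[h] + lcl[h]
    }' | sort -t . -k 4,4n              # order clients by last octet
}

# Total bytes for one client, read from a summarize() table on stdin.
total_for() {
  awk -v h="$1" '$1 == h { print $5 }'
}

# Constructed sample of `iptables -nvxL` output for two clients (not captured
# from a real system); the ACCEPT rule shows that unrelated rules are ignored.
sample_counters() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     210      31500            all  --  *      *       192.168.0.1          0.0.0.0/0
      40       6000            all  --  *      *       192.168.0.2          0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120     145000            all  --  *      *       192.168.0.1          0.0.0.0/0
      98    3200000            all  --  *      *       0.0.0.0/0            192.168.0.1
      15      12000            all  --  *      *       192.168.0.2          0.0.0.0/0
      30     500000            all  --  *      *       0.0.0.0/0            192.168.0.2
    5000    9000000 ACCEPT     all  --  eth0   *       10.0.0.0/8           0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}

# Usage: `./iptacct.sh rules | sh` (as root, once) installs the counting rules,
# `./iptacct.sh live` prints the table from the live counters,
# `./iptacct.sh demo` prints it from the constructed sample above.
case "${1:-}" in
  rules) accounting_rules ;;
  live)  iptables -nvxL | summarize ;;
  demo)  sample_counters | summarize ;;
esac
```

Two caveats before relying on the numbers. `-A` appends, so if an earlier FORWARD or INPUT rule already terminates with ACCEPT or DROP, those packets never reach the counters; insert the accounting rules at the top of the chain (`-I`) or ahead of any terminating rule. And the counters belong to addresses, not people: as long as the DHCP server can hand an address to a different machine, one client's history mixes users, which is why bradp_84's static mapping matters. For a record over time, list and zero in one go (`iptables -nvxZL`) from cron and store each interval's deltas; that is the part -Craig- leaves to you.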

