Promiscuous mode IP Accounting package

http://www.ba.cnr.it/~paolo/pmacct/

"macct is a network tool to gather ip traffic informations (bytes counter and number of packets); aggregation of statistics is done using simple primitives (MAC addresses, source host, destination host, ports and ip protocols) that can be used alone or combined together to form complex and flexible aggregation methods; data is stored in a in-memory table or in a SQL database (currently only MySQL). The content of these tables can be later retrieved by a client program or via a SQL client for simple output or export to other programs, such as MRTG. Gathering packets off the wire is done using pcap library and promiscuous mode of network interfaces."

I'm using this tool to do IP accounting. Nobody seems to know about it yet, but I love it since reporting from SQL is so much easier. --Wim


Debian

When installing on debian, you need these packages: libz-dev libpcap-dev postgresql-dev build-essential


Example 1

To see aggregate summaries by HOST, start the daemon like this:

pmacctd -D -c src_host,dst_host

Then to see what an individual host has been up to, you can use pmaact -s:

pmacct -s | grep 192.168.20.6 | awk '{print $9}' | sort -n |grep -I '^[0-9]' |perl -e '$a=0; while (<>) {$a+= $_ }; print "TOTAL: $a\n"'


Example 2

pmacctd can all be configured to log to mysql, if you compiled that plugin in (./configure --enable-mysql). Run these commands on boot:

ifconfig eth0 promisc
/usr/local/bin/pmacctd -D -c src_host,dst_host,src_port,dst_port -P mysql

Since it's in mysql, it becomes much easier to do aggregate summaries using an SQL client.


TRAFD

Trafd is a similiar daemon that also uses libpcap. However, it doesn't use a database - it just writes to file.

http://www.riss-telecom.ru/dev/trafd/ Link is dead :( Use Google :)


See also Linux, Networking, NetworkTesting