Last modified on 3 January 2010, at 03:39

Linux Networking/IP Accounting (for Linux-2.0)

IP Accounting (for Linux-2.0)Edit

The IP accounting features of the Linux kernel allow you to collect and analyze some network usage data. The data collected comprises the number of packets and the number of bytes accumulated since the figures were last reset. You may specify a variety of rules to categorize the figures to suit whatever purpose you may have. This option has been removed in kernel 2.1.102, because the old ipfwadm- based firewalling was replaced by ``ipfwchains.

Kernel Compile Options:

            Networking options  --->
                [*] IP: accounting

After you have compiled and installed the kernel you need to use the ipfwadm command to configure IP accounting. There are many different ways of breaking down the accounting information that you might choose. I've picked a simple example of what might be useful to use, you should read the ipfwadm man page for more information. Scenario: You have a ethernet network that is linked to the internet via a PPP link. On the ethernet you have a machine that offers a number of services and that you are interested in knowing how much traffic is generated by each of ftp and world wide web traffic, as well as total tcp and udp traffic.

You might use a command set that looks like the following, which is shown as a shell script:

            #!/bin/sh
            #
            # Flush the accounting rules
            ipfwadm -A -f
            #
            # Set shortcuts
            localnet=44.136.8.96/29
            any=0/0
            # Add rules for local ethernet segment
            ipfwadm -A in  -a -P tcp -D $localnet ftp-data
            ipfwadm -A out -a -P tcp -S $localnet ftp-data
            ipfwadm -A in  -a -P tcp -D $localnet www
            ipfwadm -A out -a -P tcp -S $localnet www
            ipfwadm -A in  -a -P tcp -D $localnet
            ipfwadm -A out -a -P tcp -S $localnet
            ipfwadm -A in  -a -P udp -D $localnet
            ipfwadm -A out -a -P udp -S $localnet
            #
            # Rules for default
            ipfwadm -A in  -a -P tcp -D $any ftp-data
            ipfwadm -A out -a -P tcp -S $any ftp-data
            ipfwadm -A in  -a -P tcp -D $any www
            ipfwadm -A out -a -P tcp -S $any www
            ipfwadm -A in  -a -P tcp -D $any
            ipfwadm -A out -a -P tcp -S $any
            ipfwadm -A in  -a -P udp -D $any
            ipfwadm -A out -a -P udp -S $any
            #
            # List the rules
            ipfwadm -A -l -n
            #

The names ``ftp-data and ``www refer to lines in /etc/services. The last command lists each of the Accounting rules and displays the collected totals.

An important point to note when analyzing IP accounting is that totals for all rules that match will be incremented so that to obtain differential figures you need to perform appropriate maths. For example if I wanted to know how much data was not ftp nor www I would substract the individual totals from the rule that matches all ports.

root# ipfwadm -A -l -n
IP accounting rules
pkts bytes dir prot source               destination          ports
   0     0 in  tcp  0.0.0.0/0            44.136.8.96/29       * -> 20
   0     0 out tcp  44.136.8.96/29       0.0.0.0/0            20 -> *
  10  1166 in  tcp  0.0.0.0/0            44.136.8.96/29       * -> 80
  10   572 out tcp  44.136.8.96/29       0.0.0.0/0            80 -> *
 252 10943 in  tcp  0.0.0.0/0            44.136.8.96/29       * -> *
 231 18831 out tcp  44.136.8.96/29       0.0.0.0/0             * -> *
   0     0 in  udp  0.0.0.0/0            44.136.8.96/29       * -> *
   0     0 out udp  44.136.8.96/29       0.0.0.0/0            * -> *
   0     0 in  tcp  0.0.0.0/0            0.0.0.0/0            * -> 20
   0     0 out tcp  0.0.0.0/0            0.0.0.0/0            20 -> *
  10  1166 in  tcp  0.0.0.0/0            0.0.0.0/0            * -> 80
  10   572 out tcp  0.0.0.0/0            0.0.0.0/0            80 -> *
 253 10983 in  tcp  0.0.0.0/0            0.0.0.0/0            * -> *
 231 18831 out tcp  0.0.0.0/0            0.0.0.0/0            * -> *
   0     0 in  udp  0.0.0.0/0            0.0.0.0/0            * -> *
   0     0 out udp  0.0.0.0/0            0.0.0.0/0            * -> *