Bandwidth Accounting With Unix?

LegoB writes: "I am a student at a small, under-connected college. Despite our bandwidth woes, the administration is hesitant at buying a larger pipe, feeling that our current connection is being overly taxed by things like Napster, streaming media, and other non-educational (and non-constructive) traffic. Rather than have them start limiting certain applications, I would like to propose another alternative: bandwidth accounting. I'm hoping to find that Unix, in addition to being used as a router, can also be used as a bandwdith meter. What software packages do I need to track bandwidth by time, IP, and hopefully MAC address without massive kernel hacking?"

IPaudit is nice

[Brazilian Geek]

I have IPAudit running on two of my servers to keep tabs on internet usage. It sniffs the network and generates a dump text file with all the TCP/IP connections made during the program's runtime. It's files are easy to understand and parse and the processor usage isn't that high (on my 100Mb intranet, with 50% usage the process never goes beyond 25% on a PII 266MHz).

A link to the Freshmeat page is here [freshmeat.net]. I scoured Freshmeat for a userspace/rootspace solution for a bandwidth meter and IPAudit was the best because of it's simplicity. I personally prefer piping data into a perl program to parse the data than to let it become "Someone Else's Problem". The overhead is low and a parsing script isn't that hard to work out, the one I use (actually it's a suite of 2 programs) took 2 days to code and another week to tweak the filtering rules.

I also made a cute little web interface for the higher ups (computer illiterate) to browse through the user's usage - and it wasn't that hard to make. Oh, I don't release it 'cause it's a mess, one day I'll document it and release it, until then - sorry... :)

Google

[Malk-a-mite]

From Napster [napster.com] themselves, a series of links (not all Unix).

Some more links:
http://www.aspfree.co m/a uthors/chrisk/monitorsunnyline.asp [aspfree.com]
Old Slashdot story on Packet shaping....
http://slashdot.org/asksl ash dot/99/07/06/1433234.shtml [slashdot.org]

The joys of a search engine...
Malk-a-mite

On a side note

[rjamestaylor]

I don't know the direct answer to your question (what tools, etc, to use for "bandwidth accounting") but I can sense that you doubt the administration's fear that the bandwidth crunch is attributable to network traffic irrelevant to the Univeristy's charter. Or, you think it might not be valid...perhaps you hope it is not valid? My friend:

Don't bet against the dark side of human nature.

Really. If "legitimate uses" (that is, things the University would gladly announce, such as--"95% of our students' bandwidth usage is spent acheiving a solution to gobal warming in our lifetime") were truly the lion's share of your institution's bandwith, why would the most popular sites on the Internet be news, entertainment, music-swapping, shopping, auctioning, petrifying sites?

Give up the idea of bandwidth accounting--you'll just give numbers to the fears.

Now hiring experienced client- & server-side developers

IPMeter

[danpbrowning]

http://www.ipmeter.com [ipmeter.com] IP Meter. I haven't used it, but looks good.

i've used ipac

[toast0]

the url is http://www.comlink.apc.org/~moritz/ipac.html

at a former employeer we replaced a firewall appliance w/ a linux box in one of those cute mini cases (not rackmountable though) and set up ipac to gather stats every so often, and another box to periodically get those and graph them.... it mysteriously stopped working since i last checked, but it was working fine before hand, i probably screwed up something or other.

toast

When Linux 2.4 comes out...

[infodragon]

the firewall/NAT functionality of the kernel and iptables utility will allow you to track the number of packets and nuber of bytes traveling across each port that you are monitoring.

You can also use the logging module to log particular firewall/NAT ruels to gain more detailed info.

For more info check out the netfilter home page [kernelnotes.org].

Linux 2.2 does this, but not as nicely and without the logging functionality.

IPac works great for me

[BigJim.fr]

Ask it for totals according to address, port or protocol. Very simple to install : one package and one kernel compile option. The Debian package installs the couple of IPchains rules needed to make it work. No noticeable overhead on a DSL connection. And the new version even seems to build graphs ! It does not do user related accounting, but if your addressing policy links IPs to persons, the problem is solved ! IPac's homepage : http://www.comlink.apc.org/~moritz/ipac.html [apc.org]

Re:When Linux 2.4 comes out...

[Anonymous Coward]

check out http://www.ds9a.nl/2.4Routing/HOWTO//cvs/2.4routin g/2.4routing.txt

"Linux 2.2 comes with everything to manage bandwidth in ways comparable to high-end dedicated bandwidth management systems."

Cisco, ipacct and device cloning

[Cato]

If you have Cisco routers, you can enable something called NetFlow in IOS 12.0 or higher, which does this sort of accounting - search for cflowd, which is an open source data collection tool. But be careful, NetFlow can easily overload a Cisco router's CPU, and you need to have admin access to your Cisco router anyway.

If you have a spare PC that can have Linux installed and be connected to the ethernet segment serving your Internet access router, something like ipaudit may be enough. It can monitor TCP/UDP ports, which you can't do with ipac.

If you have an ethernet switch serving the access router (quite likely), you will need to set up the switch to 'span' or 'mirror' the port serving the router to another port (serving your monitoring box). This just replicates (broadcasts) the traffic seen in and outbound on the access router's switch port, into the monitoring port.

Alternatively you could put a hub between the switch and the router, but your network manager is unlikely to be happy about this.

Commercial tools to do this are astonishingly expensive, by the way - there are things called RMON2 probes that do more or less what ipacct does, but with more features and SNMP-accessible MIBs for the results. Bandwidth management boxes such as Packeteer do something similar, but these are also quite expensive.

If any entrepreneur out there feels like doing embedded Linux or BSD boxes that monitor and maybe shape traffic (Linux's queuing features in 2.2 or later are very comprehensive), you would have quite a market. Even more so if you worked on cish (an open source emulation of the Cisco command line interface) so that standard QoS management tools could configure your box just like a Cisco router. Another useful standard to look at is RTFM (real-time traffic flow management) from the IETF, implemented by Netramet, which is supported by ipmeter.

Of course, I have an ulterior motive ;) My company (Orchestream) does QoS-management tools, as do others, which talk to Cisco routers. However, it's tough to justify modifying our product to talk to the Linux QoS stuff until there's enough volume of Linux routers out there. I would like to see us configuring Linux QoS-enabled routers, though.

Some useful links:

- cish - http://freshmeat.net/projects/cish/

- IPaudit - http://freshmeat.net/projects/ipaudit/

- IPmeter - http://www.ipmeter.com/

- NetraMet - http://www.auckland.ac.nz/net/NeTraMet/

- RTFM and other tools - http://www.mathematik.uni-stuttgart.de/~floeff/sli des/97-indenst97-diplom/stuttg97/tsld001 .htm

- RTFM home - http://www.auckland.ac.nz/net/Internet/rtfm/

Re:On a side note

[LegoB]

Well, what I hope to do is maintain an environment where we can all surf wherever the hell we want, without censorship, bandwidth shaping, but that we pay for our extravagant usages. I have no other choice for an ISP (I'm on campus), and I don't want my ISP telling me what I can and can't access. Therefore, I'd rather just pay for usage.

What about RADIUS?

[severett]

A RADIUS server might work in this situation as well. There are several free ones including:
Cistron and Livingston

Shawn

Re:On a side note

[rjamestaylor]

Ah. That's different. I read into the story that you were trying to determine current usage patterns (to validate/invalidate administration fears) rather than to hold users responsible for their educationally-irrelevant (the definition of which is what?) usage.

You're saying, "Look. I use it for stuff I want and I'll pay for the privilege." That's commendable.

But it is also a sure way to become persona non grata with the other students!

Now hiring experienced client- & server-side developers

Re:What about RADIUS?

[schnurble]

You do of course understand that RADIUS is for network authentication, mildly similar to NIS, right?

RADIUS has no bandwidth monitoring functionality in it whatsoever.

Put the pretty little buzzwords down and step away from the keyboard.

Packeteer

[shave]

Not cheap, but very effective:
http://www.packeteer.com [packeteer.com]

NTOP and MRTG

[Anonymous Coward]

Here we use two Linux based systems to monitor traffic, NTOP and MRTG

NTOP stands for Network TOP and displays usage broken down by machine and protocol. I have successfully implemented this on RedHat 5.1 running on a 486 with 6 meg of RAM and a 500 meg HDD. I install the NTOP servers between the LAN and the router, connected to a hub where they can look at the traffic. Check out http://www.ntop.org [ntop.org] for screenshots, etc.

MRTG is the Multi-Router Traffic Grapher. MRTG interrogates devices such as routers, switches and servers by using SNMP, and displays the results for a day, week, month and year on a webpage. For MRTG you need a slightly more meaty machine - I'm currently monitoring 12 sites every five minutes, using a P133 with 32M of RAM and a 1Gig HDD. (Mandrake 6.1 for this one). Site for this one is http://ee-staff.ethz.ch /~o etiker/webtools/mrtg/mrtg.html [ee-staff.ethz.ch]

I don't know if the above will be of any use - I think you'll have more luck with MRTG.
Good luck!
Matt (matt_brunton@hotmail.com)

Re:NTOP and MRTG

[Cato]

Unfortunately NTOP only shows hosts, not TCP/UDP port numbers, in its breakdown, so it's not very useful for this application.

MRTG is a nice tool, but limited by what SNMP/RMON2 MIBs are available in typical routers and switches - by far the majority of routers and most low to mid-end switches do not support RMON2, which is the only SNMP MIB that would let you monitor bandwidth by TCP/UDP port.

IPaudit or IPmeter are the best open source options I have found; IPaudit can just sniff the network like ntop.

Re:NTOP and MRTG

[Anonymous Coward]

No, NTOP _will_ show TCP/UDP port numbers, and what's more you can define new services as they appear. Maybe you saw an earlier version? It works well for me, for example, I managed to detect someone port scanning our firewall (from the inside) and subsequently firing up Napster. (Don't get me wrong, I love Napster, just not at work ;-) )

I think I will check out IPaudit; there are some failings in NTOP, admittedly (for example, you can't easily export data you've gathered).

Matt