Bandwidth Accounting With Unix?

LegoB writes: "I am a student at a small, under-connected college. Despite our bandwidth woes, the administration is hesitant at buying a larger pipe, feeling that our current connection is being overly taxed by things like Napster, streaming media, and other non-educational (and non-constructive) traffic. Rather than have them start limiting certain applications, I would like to propose another alternative: bandwidth accounting. I'm hoping to find that Unix, in addition to being used as a router, can also be used as a bandwdith meter. What software packages do I need to track bandwidth by time, IP, and hopefully MAC address without massive kernel hacking?"

IPaudit is nice

[Brazilian+Geek]

I have IPAudit running on two of my servers to keep tabs on internet usage. It sniffs the network and generates a dump text file with all the TCP/IP connections made during the program's runtime. It's files are easy to understand and parse and the processor usage isn't that high (on my 100Mb intranet, with 50% usage the process never goes beyond 25% on a PII 266MHz).

A link to the Freshmeat page is here. I scoured Freshmeat for a userspace/rootspace solution for a bandwidth meter and IPAudit was the best because of it's simplicity. I personally prefer piping data into a perl program to parse the data than to let it become "Someone Else's Problem". The overhead is low and a parsing script isn't that hard to work out, the one I use (actually it's a suite of 2 programs) took 2 days to code and another week to tweak the filtering rules.

I also made a cute little web interface for the higher ups (computer illiterate) to browse through the user's usage - and it wasn't that hard to make. Oh, I don't release it 'cause it's a mess, one day I'll document it and release it, until then - sorry... :)

On a side note

[rjamestaylor]

I don't know the direct answer to your question (what tools, etc, to use for "bandwidth accounting") but I can sense that you doubt the administration's fear that the bandwidth crunch is attributable to network traffic irrelevant to the Univeristy's charter. Or, you think it might not be valid...perhaps you hope it is not valid? My friend:

Don't bet against the dark side of human nature.

Really. If "legitimate uses" (that is, things the University would gladly announce, such as--"95% of our students' bandwidth usage is spent acheiving a solution to gobal warming in our lifetime") were truly the lion's share of your institution's bandwith, why would the most popular sites on the Internet be news, entertainment, music-swapping, shopping, auctioning, petrifying sites?

Give up the idea of bandwidth accounting--you'll just give numbers to the fears.

Now hiring experienced client- & server-side developers

Cisco, ipacct and device cloning

[Cato]

If you have Cisco routers, you can enable something called NetFlow in IOS 12.0 or higher, which does this sort of accounting - search for cflowd, which is an open source data collection tool. But be careful, NetFlow can easily overload a Cisco router's CPU, and you need to have admin access to your Cisco router anyway.

If you have a spare PC that can have Linux installed and be connected to the ethernet segment serving your Internet access router, something like ipaudit may be enough. It can monitor TCP/UDP ports, which you can't do with ipac.

If you have an ethernet switch serving the access router (quite likely), you will need to set up the switch to 'span' or 'mirror' the port serving the router to another port (serving your monitoring box). This just replicates (broadcasts) the traffic seen in and outbound on the access router's switch port, into the monitoring port.

Alternatively you could put a hub between the switch and the router, but your network manager is unlikely to be happy about this.

Commercial tools to do this are astonishingly expensive, by the way - there are things called RMON2 probes that do more or less what ipacct does, but with more features and SNMP-accessible MIBs for the results. Bandwidth management boxes such as Packeteer do something similar, but these are also quite expensive.

If any entrepreneur out there feels like doing embedded Linux or BSD boxes that monitor and maybe shape traffic (Linux's queuing features in 2.2 or later are very comprehensive), you would have quite a market. Even more so if you worked on cish (an open source emulation of the Cisco command line interface) so that standard QoS management tools could configure your box just like a Cisco router. Another useful standard to look at is RTFM (real-time traffic flow management) from the IETF, implemented by Netramet, which is supported by ipmeter.

Of course, I have an ulterior motive ;) My company (Orchestream) does QoS-management tools, as do others, which talk to Cisco routers. However, it's tough to justify modifying our product to talk to the Linux QoS stuff until there's enough volume of Linux routers out there. I would like to see us configuring Linux QoS-enabled routers, though.

Some useful links:

- cish - http://freshmeat.net/projects/cish/

- IPaudit - http://freshmeat.net/projects/ipaudit/

- IPmeter - http://www.ipmeter.com/

- NetraMet - http://www.auckland.ac.nz/net/NeTraMet/

- RTFM and other tools - http://www.mathematik.uni-stuttgart.de/~floeff/sli des/97-indenst97-diplom/stuttg97/tsld001 .htm

- RTFM home - http://www.auckland.ac.nz/net/Internet/rtfm/