Getting per-ip traffic stats from PF

bandwidthloggingmonitoringpf

Is there a way to get per-ip traffic stats from PF on OpenBSD 4.9? pfctl can give me the total traffic (bytes) for a given label, and pfstats for a given interface, and pftop can give me a "live" view of traffic, but I'm looking for a historical view- i.e. something I can look at and say "yesterday this IP used x bytes"

Best Answer

You can do this through a slightly convoluted (but very easy to manage long-term, and pretty well-understood) adaptation of Netflow traffic monitoring (using OpenBSD's pflow support).

Basically export netflow data for all your traffic, grab it with Flow-Tools, and feed it to something like JKFlow to parse (and graph/report on). There are also many other NetFlow crunching/graphing programs, and a number of real-time monitoring systems available.
The upside is that exporting in NetFlow format opens up a huge array of tools for you to use -- The downside is the overhead and complexity of running all that extra code.

You may also be able to magic something up using MRTG, but I'm not as familiar with that.

Related Solutions

Dynamic traffic-shaping

You should be able to do this using something like Shorewall. Check out the section on traffic shaping. Look at the "Using builtin traffic shaping/control" section and then RATE. You should be able to give each LAN a minimum and maximum rate then prioritize each. If the pipe is idle everyone will get what they want but as it fills up the higher priority LANs will push out the lower priority LANs.

Router – Monitoring router bandwidth usage via Nagios and SNMP

I did this with a cron script, stores current value in a temp file then next time uses it to calculate bandwidth utilization since last run.

#!/bin/bash

email_address=""
router_ip=""

# 80% BANDWIDTH [ (384000bps) 48,000Bps ] - 20% = 38,400 Bps
alertBW="76800"

lastBWFile="/var/log/ciscoGW.log"
lastBW=`cat $lastBWFile | awk '{print$2}'`
lastTime=`cat $lastBWFile | awk '{print$1}'`

curBW=` snmpget  -c snmap_name -v 1 $router_ip IF-MIB::ifOutOctets.2  | awk '{print$4}'`

let diffBW=$curBW-$lastBW
#echo "Diff BW: $diffBW"
timeNow=`date +%s`
let diffTime=$timeNow-$lastTime
let alertBW=$alertBW*$diffTime

echo "$timeNow $curBW" > $lastBWFile

if [ $diffBW -gt $alertBW ]; then
#       echo "Over limit!"
        echo "Bandwith used over $diffTime seconds: $diffBW" | mail -s "BANDWIDTH OVER LIMIT!!!!" $email_address
fi

Since I was more interested in actual peaks I've since moved to using rrdtool:

#start 15 minutes ago
#end 5 minutes ago since rrdtool queries every 5 minutes 
rrdtool fetch $FROM MAX -s -900 -e -300

Best Answer

Related Solutions

Dynamic traffic-shaping

Router – Monitoring router bandwidth usage via Nagios and SNMP

Related Topic