How do I monitor internet traffic in the LAN

gateway, monitoring, traffic

I have a CentOS box set up as a gateway with iptables (among many things such as a proxy cache using Squid). My LAN consists of ~30 machines, all connecting to the internet through the gateway's eth0 (which is the only computer connected to the DSL modem – via eth1).

Facing a monthly download quota, I installed bandwidthd on the gateway to monitor the PCs' bandwidth use, and set it to monitor eth0.

All the network traffic coming to the gateway is forwarded to port 3128 for Squid to handle, but on bandwidthd it doesn't seem to be accurate. For instance, a 3.3 MB download on one of the computers after starting bandwidthd shows as 4.8 M for that computer under HTTP. I understand that by monitoring eth0 I'm monitoring all network activity and not just internet usage (port 80, etc.), but isn't the HTTP tab in bandwidthd relevant to packets on port 80 or internet usage?

I need to know how much of the internet download quota each IP used on a daily basis.
What to do 🙂 ?

Best Answer

The problem I find with counter applications is that once you have usage counts, or graphs, the inevitable question becomes "what is that" (when pointing at a total or peak on a graph).

I find the best way to investigate these things is through netflows and nfsen. A netflow is a record of a conversation: source, destination, ports, bytecounts, time. Think a wire capture where you don't care about the actual bytes transferred, just the aggregate information. By using something like nfsen to do analysis on a netflow collection, you can see who is talking to who, and by looking at ports, can usually make good guesses as to what they were doing. And best of all, you can go back in time to look at old conversations.

Here are my notes for installing nfsen on CentOS.
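The per-host daily accounting the question asks for, done over flow records of the kind the answer describes (source, destination, ports, byte counts, time). This is an added example, not code from the answer or from nfsen; the LAN subnet, gateway address and flow lines are constructed, and the Squid port 3128 comes from the question. It only counts bytes entering a LAN host from the internet, either directly or delivered by Squid, so LAN-to-LAN traffic (one reason an eth0 counter over-reports) is left out.

```python
"""Per-host daily internet download totals from flow records (added example)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")    # assumed LAN subnet behind eth0
GATEWAY = ip_address("192.168.1.1")   # assumed gateway address on eth0
PROXY_PORT = 3128                     # Squid port from the question

# Constructed flow records: start,src,sport,dst,dport,bytes
FLOWS = """\
2024-03-01T09:00:00Z,192.168.1.1,3128,192.168.1.20,51234,3300000
2024-03-01T09:05:00Z,192.168.1.20,51234,192.168.1.1,3128,12000
2024-03-01T10:00:00Z,192.168.1.20,445,192.168.1.30,52000,1500000
2024-03-01T11:00:00Z,203.0.113.5,443,192.168.1.30,40000,250000
2024-03-02T08:00:00Z,192.168.1.1,3128,192.168.1.20,51300,700000
"""


def parse_flows(text):
    """Yield one dict per CSV flow line; blank lines and comments are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, src, sport, dst, dport, nbytes = line.split(",")
        day = datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        yield {"day": day, "src": ip_address(src), "sport": int(sport),
               "dst": ip_address(dst), "dport": int(dport), "bytes": int(nbytes)}


def is_internet_download(flow):
    """True when bytes flow from the internet into a LAN host: either the
    source is outside the LAN, or Squid on the gateway is delivering to a
    client. Client-to-proxy requests and LAN-to-LAN transfers are excluded."""
    src, dst = flow["src"], flow["dst"]
    if dst not in LAN:
        return False
    if src not in LAN:
        return True
    return src == GATEWAY and flow["sport"] == PROXY_PORT


def daily_downloads(flows):
    """Return {(day, host): bytes} for internet downloads only."""
    totals = defaultdict(int)
    for flow in flows:
        if is_internet_download(flow):
            totals[(flow["day"], str(flow["dst"]))] += flow["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for (day, host), total in sorted(daily_downloads(parse_flows(FLOWS)).items()):
        print(f"{day} {host:15} {total / 1e6:.2f} MB")
```

Bytes Squid serves from its cache are counted as downloads here too; if the quota is measured on the DSL side, cross-check against Squid's access.log hit/miss status.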
