[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPTraffic and IPTables / IPTraffic and logging

To: iptraf-users@seul.org
Subject: IPTraffic and IPTables / IPTraffic and logging
From: msimon@adartis.de
Date: Wed, 8 Jan 2003 16:48:57 +0100
Delivered-to: archiver@seul.org
Delivered-to: iptraf-users-outgoing@seul.org
Delivered-to: iptraf-users@seul.org
Delivery-date: Wed, 08 Jan 2003 09:53:14 -0500
Reply-to: iptraf-users@seul.org
Sender: owner-iptraf-users@seul.org

Hi List,

I've got two questions:

1) I want to use the IPTraffic - logging possibities for generating
reports for our "pay by byte" customers, and for having an
overview who of our customers creates how much traffic on
our line (we are hosting some web-sites). IPTraffic gives me
a log which looks something like this:

Wed Jan 8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
Wed Jan 8 13:47:58 2003; TCP; eth1; 1045 bytes; from 62.208.64.173:http to 213.20.240.167:60250; FIN sent; 7 packets, 5709 bytes
Wed Jan 8 13:47:58 2003; TCP; eth1; 60 bytes; from 62.208.64.173:http to 213.20.240.167:60252; first packet (SYN)
Wed Jan 8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
Wed Jan 8 13:47:90 2003; TCP; eth1; 1045 bytes; from 62.208.64.173:http to 213.20.240.167:60250; FIN sent; 7 packets, 5709 bytes

Now my question:
There are often serveral fields which show me byte-sizes, one is following directly the interface-field (e.g. "680 bytes"), and one is
at the end of the logging-line (e.g. "3844 bytes"). Could someone tell me what this two field mean ? Which of those must be
added to the traffic-sum for the customer with the IP 62.208.64.173 ??

2) Our network is protected by a iptables firewall which does DNAT. Every external ip of our network is natted 1:1 to the correspondig internal one.
But when I had a look at the IPTraffic log, I could see that there where entries with the internal address as destignation as well as
enties with the external address as source. Often it seems as if the one entry would be the response-package of the other entry.

Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 217.85.196.193:64466 to 10.100.0.3:http; first packet (SYN)
Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 217.85.196.193:64467 to 10.100.0.3:http; first packet (SYN)
Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 62.208.64.173:http to 217.85.196.193:64466; first packet (SYN)
Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 62.208.64.173:http to 217.85.196.193:64467; first packet (SYN)

What I like to know is, how do IPTraffic and IPTables work together ? At what point of the IPTables - Chains does IPTraffic log the package ?

Thanks for any information.

Greetings
Marco Simon

Follow-Ups:
- Re: IPTraffic and IPTables / IPTraffic and logging
  - From: Gerard Paul Java <riker@seul.org>

Prev by Date: Re: IP address and Byte Usage
Next by Date: Patch for avg flow rate logging problem
Previous by thread: Re: IP address and Byte Usage
Next by thread: Re: IPTraffic and IPTables / IPTraffic and logging
Index(es):
- Date
- Thread