IPTraffic and IPTables / IPTraffic and logging




Hi List,

I've got two questions:

1) I want to use the IPTraffic - logging possibilities for generating
     reports for our "pay by byte" customers, and for having an
     overview who of our customers creates how much traffic on
     our line (we are hosting some web-sites). IPTraffic gives me
     a log which looks something like this:

Wed Jan  8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
Wed Jan  8 13:47:58 2003; TCP; eth1; 1045 bytes; from 62.208.64.173:http to 213.20.240.167:60250; FIN sent; 7 packets, 5709 bytes
Wed Jan  8 13:47:58 2003; TCP; eth1; 60 bytes; from 62.208.64.173:http to 213.20.240.167:60252; first packet (SYN)
Wed Jan  8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
Wed Jan  8 13:47:90 2003; TCP; eth1; 1045 bytes; from 62.208.64.173:http to 213.20.240.167:60250; FIN sent; 7 packets, 5709 bytes

Now my question:
There are often several fields which show me byte-sizes, one is following directly the interface-field (e.g. "680 bytes"), and one is
at the end of the logging-line (e.g. "3844 bytes"). Could someone tell me what these two fields mean? Which of those must be
added to the traffic-sum for the customer with the IP 62.208.64.173?



2) Our network is protected by an iptables firewall which does DNAT. Every external IP of our network is natted 1:1 to the corresponding internal one.
     But when I had a look at the IPTraffic log, I could see that there were entries with the internal address as destination as well as
     entries with the external address as source. Often it seems as if the one entry would be the response-package of the other entry.

Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 217.85.196.193:64466 to 10.100.0.3:http; first packet (SYN)
Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 217.85.196.193:64467 to 10.100.0.3:http; first packet (SYN)

Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 62.208.64.173:http to 217.85.196.193:64466; first packet (SYN)
Wed Jan 8 14:04:31 2003; TCP; eth1; 48 bytes; from 62.208.64.173:http to 217.85.196.193:64467; first packet (SYN)


What I would like to know is, how do IPTraffic and IPTables work together? At what point of the IPTables - Chains does IPTraffic log the package?


Thanks for any information.

Greetings
    Marco Simon
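
An added example, not part of the original post: a parser for the log format quoted above that totals bytes per source IP, counting repeated "FIN sent" lines for one connection only once. It assumes the trailing "N packets, M bytes" figure is the running total for that direction of the connection and the leading figure is the size of the single logged packet, which the post leaves open; the sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted in the post (not real traffic).
SAMPLE = """\
Wed Jan  8 13:47:58 2003; TCP; eth1; 60 bytes; from 62.208.64.173:http to 213.20.240.167:60252; first packet (SYN)
Wed Jan  8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
Wed Jan  8 13:47:58 2003; TCP; eth1; 680 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 6 packets, 3844 bytes
Wed Jan  8 13:47:59 2003; TCP; eth1; 1045 bytes; from 62.208.64.173:http to 213.20.240.167:60250; FIN sent; 7 packets, 5709 bytes
this line is malformed and must be skipped
Wed Jan  8 13:52:10 2003; TCP; eth1; 60 bytes; from 62.208.64.173:http to 213.20.240.167:60252; first packet (SYN)
Wed Jan  8 13:52:11 2003; TCP; eth1; 52 bytes; from 62.208.64.173:http to 213.20.240.167:60252; FIN sent; 2 packets, 112 bytes
"""

LINE = re.compile(
    r"^(?P<ts>[^;]+); (?P<proto>\w+); (?P<iface>\S+); (?P<pkt_bytes>\d+) bytes; "
    r"from (?P<src>[\d.]+):(?P<sport>[^\s;]+) to (?P<dst>[\d.]+):(?P<dport>[^\s;]+); "
    r"(?P<event>[^;]+)(?:; (?P<pkts>\d+) packets, (?P<flow_bytes>\d+) bytes)?$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("pkt_bytes", "pkts", "flow_bytes"):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

def bytes_per_source(lines):
    """Sum per-flow byte totals by source IP; returns (totals, skipped_lines)."""
    # Assumption: the trailing "N packets, M bytes" is the per-direction flow total.
    open_flows = {}             # directional flow key -> highest total seen
    totals = defaultdict(int)   # source IP -> bytes
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += bool(line.strip())   # count non-blank unparsable lines
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["event"].startswith("first packet") and key in open_flows:
            totals[rec["src"]] += open_flows.pop(key)   # port reused: new flow
        if rec["flow_bytes"] is not None:
            open_flows[key] = max(open_flows.get(key, 0), rec["flow_bytes"])
    for (src, *_), n in open_flows.items():
        totals[src] += n
    return dict(totals), skipped
```

Summing the leading per-packet figure instead would only count the packets that happened to trigger a log line, so the two fields must not be added together.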