--On Thursday, November 03, 2005 9:56 AM -0600 Les Mikesell
<lesmikesell@xxxxxxxxx> wrote:
> If you only want to track the traffic on a few servers, I guess
> you could run ntop on each of those machines to generate the
> flow data and send it to a central location for processing.

It depends on the level of detail you need. ntop uses libpcap and does deep
analysis of packets, so it's good for complex analysis, but is fairly
heavy-weight and uses lots of memory. If you just want to count bytes going
through a particular port, use the byte counters in iptables. Create a
sub-table with a set of match rules but no jump targets so the packets just
get counted but not accepted or rejected and invoke it from
INPUT/OUTPUT/FORWARD chains as appropriate. Use the iptables read/clear
counters feature to periodically collect the data.
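
The counting setup described in this message, as an added example that is not part of the original post: what the message calls a sub-table is created here as a user-defined chain whose rules have no `-j` target. The chain name `ACCT`, the ports 80 and 25, and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: per-port byte accounting with a target-less chain.
# Chain name and ports are illustrative assumptions.

# Print the setup commands instead of running them, so they can be reviewed
# first. A rule with no -j only increments its counters; the packet falls
# off the end of the chain and returns to the caller, so existing
# accept/reject decisions are unchanged.
acct_setup_cmds() {
    chain=$1; shift
    echo "iptables -N $chain"
    for port in "$@"; do
        echo "iptables -A $chain -p tcp --dport $port"
        echo "iptables -A $chain -p tcp --sport $port"
    done
    for hook in INPUT OUTPUT FORWARD; do
        echo "iptables -I $hook -j $chain"
    done
}

# Reduce an `iptables -L <chain> -v -n -x` listing on stdin to
# "port bytes" lines, summing both directions for each port.
acct_parse() {
    awk '$1 ~ /^[0-9]+$/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(dpt|spt):[0-9]+$/) {
                split($i, a, ":")
                bytes[a[2]] += $2      # $2 is the exact byte counter (-x)
            }
    }
    END { for (p in bytes) print p, bytes[p] }' | sort -n
}

# Constructed sample of a listing for such a chain (not captured output).
SAMPLE='Chain ACCT (3 references)
    pkts      bytes target     prot opt in     out     source               destination
     120    98304            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
      95   524288            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
      10     4096            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
       0        0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:25'

printf '%s\n' "$SAMPLE" | acct_parse
```

On a live host the periodic collection step would feed `iptables -L ACCT -v -n -x -Z` (run as root) into `acct_parse`; `-Z` zeroes the counters after they are listed, so each run reports the bytes since the previous one.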