Hello everyone,

I'm trying to capture and analyze *all* traffic (not just web traffic, which I can use Wusage for) coming to and from my server. I've recently been introduced to iptraf and am wondering about how I'm to use its statistics. I'm thinking of having it run in the background for all interfaces (iptraf -i all -B), capturing it a day at a time and summarizing and storing each day's traffic in a flat file db.

Here's a sample of the data I get when I capture some traffic:

  Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.233:80 to 172.16.1.180:41664; FIN sent; 7 packets, 4712 bytes, avg flow rate 0.00 kbits/s
  Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664 to 172.16.1.233:80; FIN acknowleged
  Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664 to 172.16.1.233:80; FIN sent; 8 packets, 864 bytes, avg flow rate 0.00 kbits/s
  Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.233:80 to 172.16.1.180:41664; FIN acknowleged
  Thu Jun 24 12:21:53 2004; UDP; eth0; 68 bytes; from 172.16.8.7:4135 to 255.255.255.255:7100

In the Perl script I write to analyze this data, I'm going to separate the traffic by TCP and UDP, but I was confused about what "bytes" I'm supposed to add and subtract. For instance, this line is the request (I think):

  Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664 to 172.16.1.233:80; FIN acknowleged

And this is the response (I think):

  Thu Jun 24 12:21:50 2004; TCP; eth0; 52 bytes; from 172.16.1.180:41664 to 172.16.1.233:80; FIN sent; 8 packets, 864 bytes, avg flow rate 0.00 kbits/s

You'll notice that the 52 bytes is in both lines. Should I only "add up" the traffic on the "FIN sent" lines to avoid reporting a higher amount of traffic than is actually coming through?

Any help is appreciated,

--
Kevin Old
kevinold@xxxxxxxxx