On Thu, 2005-11-03 at 12:29, Kenneth Porter wrote:

> > If you only want to track the traffic on a few servers, I guess
> > you could run ntop on each of those machines to generate the
> > flow data and send it to a central location for processing.
>
> It depends on the level of detail you need. ntop uses libpcap and does deep
> analysis of packets, so it's good for complex analysis, but is fairly
> heavy-weight and uses lots of memory. If you just want to count bytes going
> through a particular port, use the byte counters in iptables. Create a
> sub-table with a set of match rules but no jump targets so the packets just
> get counted but not accepted or rejected and invoke it from
> INPUT/OUTPUT/FORWARD chains as appropriate. Use the iptables read/clear
> counters feature to periodically collect the data.

Is there a generic way to do this with iptables without knowing what ports
are used? Ntop can group them by port/service but will find the activity
regardless of the ports used.

-- 
Les Mikesell
lesmikesell@xxxxxxxxx
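As an added illustration of the counting-chain scheme described in the quoted message (this script is not from either poster), the shell below prints the iptables commands that build a match-only chain and then parses the listing produced by the read-and-clear step. The chain name ACCT, the port list and the sample counter output are constructed for the example; the only real iptables facts relied on are that a rule without `-j` counts and falls through, and that `-L` combined with `-Z` lists the counters immediately before zeroing them.

```shell
#!/bin/sh
# Added example: an iptables accounting chain in the style described above.
# ACCT, the ports and the sample listing below are constructed, not taken
# from the original mail.

# Print the commands that create a counting-only chain and hook it from
# INPUT and OUTPUT. Each rule has a match but no -j target, so a packet is
# counted and then falls through to the normal accept/drop rules.
# usage: gen_accounting_rules CHAIN PORT [PORT...]
gen_accounting_rules() {
    chain=$1; shift
    printf 'iptables -N %s\n' "$chain"
    for p in "$@"; do
        printf 'iptables -A %s -p tcp --dport %s\n' "$chain" "$p"   # traffic to the port
        printf 'iptables -A %s -p tcp --sport %s\n' "$chain" "$p"   # traffic from the port
    done
    # Insert at position 1 so every packet is seen before any ACCEPT/DROP.
    printf 'iptables -I INPUT 1 -j %s\n' "$chain"
    printf 'iptables -I OUTPUT 1 -j %s\n' "$chain"
}

# Constructed stand-in for `iptables -nvx -L ACCT -Z` output (exact byte
# counts, counters zeroed after listing). Target column is blank because the
# rules have no jump target.
sample_counters() {
    cat <<'EOF'
Chain ACCT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1520  1834200            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     402    96110            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
      77    12300            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
EOF
}

# Turn a counter listing (stdin) into "port direction packets bytes" lines.
# $1 and $2 are the pkts/bytes columns; the dpt:/spt: token gives the port.
parse_counters() {
    awk '
        /(dpt|spt):[0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, ":") == 2 && (kv[1] == "dpt" || kv[1] == "spt")) {
                    dir = (kv[1] == "dpt") ? "to_port" : "from_port"
                    print kv[2], dir, $1, $2
                }
            }
        }'
}

# Sum bytes in both directions for one port from parse_counters output.
# usage: ... | bytes_for_port PORT
bytes_for_port() {
    awk -v port="$1" '$1 == port { s += $4 } END { print s + 0 }'
}

# Demonstration on the constructed data.
gen_accounting_rules ACCT 80 443
sample_counters | parse_counters
printf 'port 80 total bytes: %s\n' "$(sample_counters | parse_counters | bytes_for_port 80)"
```

In practice the listing step would be run from cron as `iptables -nvx -L ACCT -Z` and piped into `parse_counters`; because -Z zeroes the counters in the same call, each collection interval yields the bytes seen since the previous run rather than a running total.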