Firewall Wizards mailing list archives
Re: Open Source Port Tracking
From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 5 Feb 2003 23:41:36 +1100 (EST)
In some email I received from Small, Jim, sie wrote:
> Right now on my network, everything goes in and out through my IPFilter
> firewall running on FreeBSD. I would like to implement a good Open Source
> package that keeps track of the total amount of packets and bytes including
> on a per port basis. So a report might be something (text or gui) like this:
>
> 12,048,219 packets for a total of 5975916624 bytes
>
> Port   Packets   Bytes
> 9      12        2496
> 20     800190    ...
> 21     129900    ...
> 22     (etc...)
>
> The idea being, I would like to see which ports are being used and how much
> traffic is going over/through them. I've been trying ntop, but it doesn't
> track all ports. I know IPFilter has a count option, but it would be tedious
> to set up 65,535x2 rules for all TCP/UDP ports. Could someone recommend
> something else?
The state table generates log entries like this:

Feb 5 23:39:15 firewall ipmon[112]: 23:39:14.774738 STATE:CLOSE 20.20.20.20,51457 -> 10.10.10.10,3128 PR tcp Pkts 277 Bytes 163611

and NAT like this:

Feb 5 23:40:01 firewall ipmon[112]: 23:40:00.266522 @2 NAT:EXPIRE 192.168.1.1,1252 <- -> 20.20.20.20,12301 [27.27.27.27,80] Pkts 12 Bytes 1704

Everything you need should be there, already...

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
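An added example, not part of the original message: one way to turn the ipmon STATE and NAT records quoted above into the per-port packet and byte report asked for in the question. The names `tally` and `report` are hypothetical, the regular expressions assume the field layout of the two quoted log lines, and the sample input is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the two ipmon records quoted in the message, one more
# STATE:CLOSE record invented for this example, and an unrelated syslog line.
SAMPLE_LOG = """\
Feb 5 23:39:15 firewall ipmon[112]: 23:39:14.774738 STATE:CLOSE 20.20.20.20,51457 -> 10.10.10.10,3128 PR tcp Pkts 277 Bytes 163611
Feb 5 23:40:01 firewall ipmon[112]: 23:40:00.266522 @2 NAT:EXPIRE 192.168.1.1,1252 <- -> 20.20.20.20,12301 [27.27.27.27,80] Pkts 12 Bytes 1704
Feb 5 23:41:07 firewall ipmon[112]: 23:41:06.101200 STATE:CLOSE 20.20.20.20,51460 -> 10.10.10.10,3128 PR tcp Pkts 5 Bytes 300
Feb 5 23:41:09 firewall sshd[200]: unrelated syslog line without counters
"""

# STATE records: "src,sport -> dst,dport PR proto Pkts n Bytes n"
STATE_RE = re.compile(
    r"STATE:\w+ \S+,\d+ -> \S+,(?P<port>\d+) PR (?P<proto>\w+) "
    r"Pkts (?P<pkts>\d+) Bytes (?P<bytes>\d+)")
# NAT records: the destination port is taken from the bracketed "[addr,port]"
NAT_RE = re.compile(
    r"NAT:\w+ \S+,\d+ <- -> \S+,\d+ \[\S+,(?P<port>\d+)\] "
    r"Pkts (?P<pkts>\d+) Bytes (?P<bytes>\d+)")

def tally(lines):
    """Return {(table, proto, port): [packets, bytes]} for ipmon log lines.

    STATE and NAT totals are kept apart: a connection that is both NATed and
    state-tracked can be logged by both tables, so summing them double counts.
    """
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m, table = STATE_RE.search(line), "STATE"
        if m is None:
            m, table = NAT_RE.search(line), "NAT"
        if m is None:
            continue  # no Pkts/Bytes counters on this line
        proto = m.groupdict().get("proto", "-")  # quoted NAT line has no proto
        entry = totals[(table, proto, int(m["port"]))]
        entry[0] += int(m["pkts"])
        entry[1] += int(m["bytes"])
    return totals

def report(totals):
    """Format the totals as a plain-text table sorted by table, proto, port."""
    rows = ["Table Proto  Port  Packets      Bytes"]
    for (table, proto, port), (pkts, nbytes) in sorted(totals.items()):
        rows.append(f"{table:<5} {proto:<5} {port:>5} {pkts:>8} {nbytes:>10}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(report(tally(SAMPLE_LOG.splitlines())))
```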