Distinguish internal/external traffic

  • James

    James - 2005-04-25

    I'd like to be able to monitor both internal traffic (src and dst both on subnet) and also external traffic (either src or dst not on subnet).

    I see that I can put filter strings in the config file - is there a syntax so I can specify stuff about either the source or destination (not just host)?

    Secondly, can I run two instances of bandwidthd so that I can run one to monitor internal traffic, and one for external traffic (our ISP charges by the GB and I'd like to know who's eating it up but don't want internal traffic to distort the stats)?



    • James

      James - 2005-04-27

      Solved part of my problem - using Ethereal to test the filter strings.

      I can collect only external traffic (ie internet and no internal stuff) with the filter string:

      filter "not((src net 192.168.1) and (dst net 192.168.1))"

      The filter below will trap only internal traffic:

      filter "(src net 192.168.1) and (dst net 192.168.1) and not (host"

      (the bit about not host is optional - it removes all the DNS lookup traffic which, although internal, is clearly in relation to external traffic). There's probably a smarter way of doing this with protocol filtering.

      My second question about running two instances still stands - I could run the database version and set up two 'sensors' one to look for internal and one to look for external traffic but can they be on the same machine?

      • David

        David - 2006-01-03

        Has a solution for the "two instances" been found yet?

        • James

          James - 2006-01-04

          Not so much a solution but an effective workaround: I've been running it for several months using 3 separate sensors (internal traffic, external traffic, all traffic). The way I run it is to have 3 different bandwidthd.conf files and start bandwidthd instances one by one (by hand at the moment) with the appropriate config file. I've modified my bandwidthd.c to take a $2 parameter for the name of the config file (if you run it with the -c option it looks for $2 as the config file name).

          I'd be happy to hear from anyone else who can do it differently. If I had the time and inclination to learn how to do it I'd try to write a shell script to automate this (e.g. keep your config files in a sub-directory of /bandwidthd/etc/ and then loop through starting them in turn). Any volunteers?

          A more elegant solution would be to modify the bandwidthd code to read in multiple sensors and sensor filters into an array.
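A shell script along the lines James sketches, added here as an example (not code from the thread or from the bandwidthd project): it assumes a bandwidthd that accepts "-c <config file>", as in his local patch, and a directory holding one config file per sensor. It also refuses to start if two configs carry the same filter string, since two sensors on identical filters would count the same packets twice and inflate the totals.

```shell
#!/bin/sh
# Start one bandwidthd sensor per config file (assumption: the binary accepts
# "-c <config file>", as in James's local patch, and detaches itself once
# started; CONF_DIR and BANDWIDTHD_BIN are this script's own settings).
CONF_DIR="${CONF_DIR:-/bandwidthd/etc}"
BANDWIDTHD_BIN="${BANDWIDTHD_BIN:-bandwidthd}"

# filter_of CONF: print the filter string from a config, or "(all traffic)"
# when the config has no filter line (such a sensor counts everything).
filter_of() {
    f=$(sed -n 's/^[[:space:]]*filter[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$f" ] || f="(all traffic)"
    printf '%s' "$f"
}

# check_configs DIR: fail if two configs share a filter, since two sensors
# on the same filter would count the same packets twice.
check_configs() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        filter_of "$conf"; printf '\n'
    done | sort | uniq -d | grep -q . && return 1
    return 0
}

# start_sensors DIR: start one instance per *.conf in DIR and print how many
# were started; with DRY_RUN set, only print the commands (to stderr).
start_sensors() {
    dir="$1"; count=0
    check_configs "$dir" || { echo "duplicate filter in $dir, refusing" >&2; return 1; }
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        if [ -n "$DRY_RUN" ]; then
            echo "$BANDWIDTHD_BIN -c $conf" >&2
        else
            "$BANDWIDTHD_BIN" -c "$conf" || { echo "failed: $conf" >&2; continue; }
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Run as "sh start-sensors.sh start" to launch everything under CONF_DIR.
if [ "${1:-}" = start ]; then start_sensors "$CONF_DIR"; fi
```

Set DRY_RUN=1 first to see which commands would run without starting anything.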

