[ale] Monitor Internet Traffic
Chris Fowler
cfowler at outpostsentinel.com
Wed Aug 12 16:41:55 EDT 2015
----- Original Message -----
> From: "Jim Kinney" <jim.kinney at gmail.com>
> To: "Chris Fowler" <cfowler at outpostsentinel.com>
> Cc: "Atlanta Linux Enthusiasts - Yes! We run Linux!" <ale at ale.org>
> Sent: Wednesday, August 12, 2015 3:36:48 PM
> Subject: Re: [ale] Monitor Internet Traffic
> It used markers. So each source has its own marker. Then each marker gets
> counted.
> Ah! This looks familiar:
> http://www.catonmat.net/blog/traffic-accounting-with-iptables/
On a Pi2 I am trying to count addresses on ap0 (hostapd access point). I'm getting counts, but not by IP. I'm using the link above as an example.
Here is the iptables output:
pi at raspberrypi ~/MyPass $ sudo iptables -L -n -v -x
Chain INPUT (policy ACCEPT 1451 packets, 150225 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 REJECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 reject-with tcp-reset
Traffic is going to this chain
Chain FORWARD (policy ACCEPT 688 packets, 397481 bytes)
pkts bytes target prot opt in out source destination
552 521140 TRAFFIC_ACCT_OUT all -- * ap0 0.0.0.0/0 0.0.0.0/0
811 268100 TRAFFIC_ACCT_IN all -- ap0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 793 packets, 78250 bytes)
pkts bytes target prot opt in out source destination
Chain TRAFFIC_ACCT (0 references)
pkts bytes target prot opt in out source destination
Traffic here too, but only counting by protocol. Not IP.
Chain TRAFFIC_ACCT_IN (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 192.168.42.2
0 0 all -- * * 0.0.0.0/0 192.168.42.3
0 0 all -- * * 0.0.0.0/0 192.168.42.4
0 0 all -- * * 0.0.0.0/0 192.168.42.5
0 0 all -- * * 0.0.0.0/0 192.168.42.6
410 133756 tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 icmp -- * * 0.0.0.0/0 0.0.0.0/0
Not by IP here either.
Chain TRAFFIC_ACCT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 192.168.42.2 0.0.0.0/0
0 0 all -- * * 192.168.42.3 0.0.0.0/0
0 0 all -- * * 192.168.42.4 0.0.0.0/0
0 0 all -- * * 192.168.42.5 0.0.0.0/0
0 0 all -- * * 192.168.42.6 0.0.0.0/0
Here is the iptables-save output:
pi at raspberrypi ~/MyPass $ sudo iptables-save
# Generated by iptables-save v1.4.14 on Wed Aug 12 16:34:20 2015
*filter
:INPUT ACCEPT [1574:161219]
:FORWARD ACCEPT [688:397481]
:OUTPUT ACCEPT [863:88166]
:TRAFFIC_ACCT - [0:0]
:TRAFFIC_ACCT_IN - [0:0]
:TRAFFIC_ACCT_OUT - [0:0]
-A INPUT -i eth0 -p udp -m udp --dport 53 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j REJECT --reject-with tcp-reset
-A FORWARD -o ap0 -j TRAFFIC_ACCT_OUT
-A FORWARD -i ap0 -j TRAFFIC_ACCT_IN
-A TRAFFIC_ACCT_IN -d 192.168.42.2/32
-A TRAFFIC_ACCT_IN -d 192.168.42.3/32
-A TRAFFIC_ACCT_IN -d 192.168.42.4/32
-A TRAFFIC_ACCT_IN -d 192.168.42.5/32
-A TRAFFIC_ACCT_IN -d 192.168.42.6/32
-A TRAFFIC_ACCT_IN -p tcp
-A TRAFFIC_ACCT_IN -p udp
-A TRAFFIC_ACCT_IN -p icmp
-A TRAFFIC_ACCT_OUT -s 192.168.42.2/32
-A TRAFFIC_ACCT_OUT -s 192.168.42.3/32
-A TRAFFIC_ACCT_OUT -s 192.168.42.4/32
-A TRAFFIC_ACCT_OUT -s 192.168.42.5/32
-A TRAFFIC_ACCT_OUT -s 192.168.42.6/32
COMMIT
# Completed on Wed Aug 12 16:34:20 2015
# Generated by iptables-save v1.4.14 on Wed Aug 12 16:34:20 2015
*nat
:PREROUTING ACCEPT [890:216321]
:INPUT ACCEPT [173:24437]
:OUTPUT ACCEPT [24:1596]
:POSTROUTING ACCEPT [2:96]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o sta0 -j MASQUERADE
COMMIT
# Completed on Wed Aug 12 16:34:20 2015
sta0 is a USB wifi dongle as a station. This device is not connected via Ethernet to my network. Only wireless. It serves up DHCP to a few devices.
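The following is an added example, not code from the post or from the catonmat page it links; it assumes the chain names (TRAFFIC_ACCT_IN for `-i ap0`, TRAFFIC_ACCT_OUT for `-o ap0`) and the client addresses shown above. It parses `iptables -L -n -v -x` output into per-rule counters and totals bytes per client. The direction matters: a packet that matched `-i ap0` was sent by a wireless client, so the client address is its source, while a packet that matched `-o ap0` is on its way to a client, so the client address is its destination. The per-host rules in the post test the opposite field in each chain, which is consistent with the zero counters shown while the `-p tcp` rule in the same chain keeps counting; `accounting_rules()` emits rules on the field that can match. The sample outputs are constructed: the first is the post's own counter listing, the second is a made-up snapshot of what the chains look like once the rules test the right field.

```python
"""Per-client byte accounting from `iptables -L -n -v -x` output (added example)."""
from collections import defaultdict

# Values iptables prints in the 'opt' column (normally '--', or fragment flags).
_OPT_VALUES = {"--", "f", "!f"}


def parse_counters(text):
    """Parse `iptables -L -n -v -x` output into {chain_name: [rule dict, ...]}.

    Rule lines look like: pkts bytes [target] prot opt in out source destination [extras].
    The target column is absent for rules without -j, so the 'opt' column is
    located first and the other columns are read relative to it.
    """
    chains, current = {}, None
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":
            current = f[1]
            chains[current] = []
            continue
        if current is None or f[0] == "pkts":
            continue  # text before the first chain, or the column header line
        opt_idx = next((i for i, v in enumerate(f) if v in _OPT_VALUES), None)
        if opt_idx is None or opt_idx < 3 or len(f) < opt_idx + 5:
            continue  # not a rule line (e.g. commentary interleaved in a paste)
        chains[current].append({
            "pkts": int(f[0]),
            "bytes": int(f[1]),
            "target": f[2] if opt_idx == 4 else "",
            "prot": f[opt_idx - 1],
            "in": f[opt_idx + 1],
            "out": f[opt_idx + 2],
            "src": f[opt_idx + 3],
            "dst": f[opt_idx + 4],
        })
    return chains


def _host(addr):
    """Return the address if it names a single host (no prefix or /32), else None."""
    ip, _, plen = addr.partition("/")
    return ip if plen in ("", "32") else None


def per_client_totals(chains, in_chain="TRAFFIC_ACCT_IN", out_chain="TRAFFIC_ACCT_OUT"):
    """Bytes per client: source address in the '-i' chain, destination in the '-o' chain."""
    totals = defaultdict(lambda: {"from_client": 0, "to_client": 0})
    for rule in chains.get(in_chain, []):
        ip = _host(rule["src"])           # packets arriving from ap0: client is the source
        if ip and rule["prot"] == "all":
            totals[ip]["from_client"] += rule["bytes"]
    for rule in chains.get(out_chain, []):
        ip = _host(rule["dst"])           # packets leaving via ap0: client is the destination
        if ip and rule["prot"] == "all":
            totals[ip]["to_client"] += rule["bytes"]
    return dict(totals)


def accounting_rules(clients, iface="ap0"):
    """iptables-restore lines whose per-host matches are on the field that can match."""
    lines = ["-A FORWARD -i %s -j TRAFFIC_ACCT_IN" % iface,
             "-A FORWARD -o %s -j TRAFFIC_ACCT_OUT" % iface]
    for ip in clients:
        lines.append("-A TRAFFIC_ACCT_IN -s %s/32" % ip)    # traffic sent by the client
        lines.append("-A TRAFFIC_ACCT_OUT -d %s/32" % ip)   # traffic delivered to the client
    return lines


# Constructed sample 1: the counter listing from the post (commentary left in on purpose).
POST_OUTPUT = """\
Chain FORWARD (policy ACCEPT 688 packets, 397481 bytes)
pkts bytes target prot opt in out source destination
552 521140 TRAFFIC_ACCT_OUT all -- * ap0 0.0.0.0/0 0.0.0.0/0
811 268100 TRAFFIC_ACCT_IN all -- ap0 * 0.0.0.0/0 0.0.0.0/0
Traffic here too, but only counting by protocol. Not IP.
Chain TRAFFIC_ACCT_IN (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 0.0.0.0/0 192.168.42.2
410 133756 tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain TRAFFIC_ACCT_OUT (1 references)
pkts bytes target prot opt in out source destination
0 0 all -- * * 192.168.42.2 0.0.0.0/0
"""

# Constructed sample 2: made-up counters after the per-host rules test the right field.
FIXED_OUTPUT = """\
Chain TRAFFIC_ACCT_IN (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     120      15000            all  --  *      *       192.168.42.2         0.0.0.0/0
      30       4200            all  --  *      *       192.168.42.3         0.0.0.0/0
Chain TRAFFIC_ACCT_OUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     200     250000            all  --  *      *       0.0.0.0/0            192.168.42.2
      10       1000            all  --  *      *       0.0.0.0/0            192.168.42.3
"""

if __name__ == "__main__":
    print("post's rules  :", per_client_totals(parse_counters(POST_OUTPUT)))
    print("corrected rules:", per_client_totals(parse_counters(FIXED_OUTPUT)))
    print("\n".join(accounting_rules(["192.168.42.2", "192.168.42.3"])))
```

Run it as a script to see both totals side by side; in practice the text fed to `parse_counters()` would come from `sudo iptables -L -n -v -x`, and `-x` is needed so the byte column is printed as an exact integer rather than an abbreviated value like `12K`.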