Here's where I now stand

Posted by Kromey at 3:29pm Sep 16 '11
darkstat is up and running, and doing well. Still need to figure out how long it's storing the data it collects, but it's at least something that lets me see per-host traffic, which is awesome. Really wish it had some good reporting, though.

MRTS is also up and running. I've created the following counters for it:
Red Interface Traffic [anything that hits my external interface]
Green Interface Traffic [ditto, but internal interface]
Network Traffic [traffic that goes through my router]
Server Traffic [my servers are within 10.12.0.0/24; all traffic to/from that IP range]
Trusted Clients Traffic [same idea, but 10.42.0.0/24]
Untrusted Clients Traffic [10.200.0.0/24 -- my DHCP range]
Unknown Clients Traffic [anything not in the previous 3; this one should never see any traffic]
TCP Traffic [should be obvious]
UDP Traffic [ditto]
ICMP Traffic [ditto]
HTTP(S) Traffic [only the standard ports (80,443)]
Netflix Traffic (approx.) [port 80 traffic destined for my PS3, where virtually all Netflixing is done]
Pandora Traffic [traffic to/from 208.85.40.0/21, the IP block owned by Pandora]
Minecraft [traffic to/from port 25565 inside my network]

The "red" interface is what my ISP is going to bill me on; the rest is there to help me identify where all the usage is going. I've specifically isolated Netflix and Pandora so that I can see their effects upon my overall network usage. Minecraft is there purely for curiosity -- being a server, it sends far more than it receives, and with an uplink at only 2Mbps there's just no way it can be making a sizable dent in my download cap (upload isn't capped).

So, can any of you computer gurus/nerds think of anything I may have missed in terms of counters for MRTS to monitor? The stats are gathered by the firewall itself, and can be based on any combination of protocol, port (source or destination), or IP (internal or external). With some work, even highly complex counters can be created using sub-chains -- that's how the "not in 10.12.0.0/24 nor in 10.42.0.0/24 nor in 10.200.0.0/24" "unknown traffic" counter works, even though that's really not all that complicated.
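
The sub-chain technique the post describes for the "unknown clients" counter, as an added example that is not part of the original post. It assumes the firewall is iptables-based; the interface name `eth0` and the `ACCT_UNKNOWN_*` chain names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes an iptables-based
# firewall; GREEN_IF and the ACCT_UNKNOWN_* chain names are hypothetical.
GREEN_IF="${GREEN_IF:-eth0}"
# Subnets named in the post: servers, trusted clients, DHCP (untrusted) clients.
KNOWN_NETS="10.12.0.0/24 10.42.0.0/24 10.200.0.0/24"

# Print an iptables-restore fragment (load with: iptables-restore --noflush).
# One rule cannot say "not in A, nor B, nor C", so each sub-chain RETURNs
# early for every known subnet; only leftover packets reach the final
# catch-all rule, whose packet/byte counters are the "unknown" total.
emit_unknown_counter() {
    echo "*filter"
    echo ":ACCT_UNKNOWN_OUT - [0:0]"
    echo ":ACCT_UNKNOWN_IN - [0:0]"
    # Inserted at the top of FORWARD so earlier ACCEPT rules cannot hide traffic.
    echo "-I FORWARD 1 -i $GREEN_IF -j ACCT_UNKNOWN_OUT"
    echo "-I FORWARD 1 -o $GREEN_IF -j ACCT_UNKNOWN_IN"
    for net in $KNOWN_NETS; do
        echo "-A ACCT_UNKNOWN_OUT -s $net -j RETURN"   # leaving LAN: test source
        echo "-A ACCT_UNKNOWN_IN -d $net -j RETURN"    # entering LAN: test destination
    done
    echo "-A ACCT_UNKNOWN_OUT -j RETURN"   # catch-all: counts, never drops
    echo "-A ACCT_UNKNOWN_IN -j RETURN"
    echo "COMMIT"
}

# Read `iptables-save -c` output on stdin and print the total bytes seen by
# the two catch-all rules. The post expects this to stay at zero.
unknown_bytes() {
    sed -n 's/^\[[0-9]*:\([0-9]*\)\] -A ACCT_UNKNOWN_[A-Z]* -j RETURN$/\1/p' |
        awk '{ total += $1 } END { print total + 0 }'
}
```

Because this counter should never see traffic, a non-zero result from `iptables-save -c | unknown_bytes` means a host is using an address outside the three known ranges.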