How to collect figures of traffic used per-host, broken up by time and destination?

Question

We have a relatively small network, all PSs in one subnet. One PC with two NICs and pfSense installed works as a firewall/router. There is an OpenVPN tunnel to a remote location, created as a site-to-site connection to another pfSense box there.

I have an assignment to capture, store and show (via a web interface) information on traffic generated (both incoming and outcoming) by each host on our subnet and present it in several views:

megabytes per calendar hours / days / months / years (that is, not just "one month back", but "in Dec 2010" and so on);
megabytes per destination: VPN to remote location / other destinations / Google Apps servers.

I tried the software packages in pfSense that offer traffic montoring - but it seems they don't store the information fixed by months, instead showing the amounts of traffic generated in periods (days/months/etc) calculated from the present moment.

I'm also interested in understanding what would be the best way for me to break up traffic by hosts and destinations.

I'm open to all suggestions, even if they mean that I will have to understand something new to me.

light up snmp, and use MRTG, Nagios, or Zenoss to capture the data and provide your reporting. — SpacemanSpiff, Jan 11 '11 at 05:39
I've seen a lot of vague directions already... I hoped that someone could share their own experience, or at least point me in a specific direction. — Seishun, Jan 11 '11 at 09:10

score 1 · Answer 1 · answered Jan 11 '11 at 14:04

nfdump/nfsen can do exactly this. You can store data back in time for however long you have disk space -- I can store about 3 months of traffic at our facility in under 60GB. I have written some perl scripts which extract the summaries for each local IP, so I can do general trends analysis going back almost two years now.

score 0 · Answer 2 · answered Jan 11 '11 at 11:25

0

If the router/firewall box is running Windows you can install PRTG on it and set up a packet sniffer sensor for the WAN NIC. If it's running Linux/Unix then I think you can do the same with MRTG.

I tried the software packages in pfSense that offer traffic montoring - but it seems they don't store the information fixed by months, instead showing the amounts of traffic generated in periods (days/months/etc) calculated from the present moment.

What does this mean, exactly?

answered Jan 11 '11 at 11:25

joeqwerty

108,377
6
80
171

It means that I cannot explain myself clearly in english 8-) – Seishun Jan 12 '11 at 03:32
Plugins for pfSense show me the traffic counters for the last x days, not the exact month. I can't just look at the report and see that we had 70gb of inbound traffic in December - I can only see that we had 50gb of inbound traffic in the last 30 days... and that's not the kind of report I need. – Seishun Jan 12 '11 at 03:35

score 0 · Answer 3 · answered Jan 11 '11 at 12:43

I'm not very familiar with pfsense/FreeBSD, but check to see if there's any netflow options available. NFZen and nfcapd should definitely work on BSD, but I don't know what you use to capture the actual samples! These tools only capture a sample of the traffic and then let you see not only what ips and bandwidth are involved, but what ports as well.

How to collect figures of traffic used per-host, broken up by time and destination?

3 Answers3

Linked