I'd like to be able to measure the bandwidth used by each user by their inbound ssh connections, into a linux box.

I measure most other traffic using iptables and user-matching, but inbound ssh sockets seem to be owned by root, so I can't use that approach here.

Ben Clifford
  • 256
  • 1
  • 6

1 Answers1


Sadly, I think you're going to be chasing your own tail. The socket is owned by root... because sshd is running as root. The user is not established until AFTER the user has authenticated... but since the connection is never closed, the socket is still owned by root. Short of trying to do some sort of reverse-matching between the socket ID and the current user after the fact... I don't know how you would accomplish this. I have seen custom hacks directly into the openssh src that add some level of Traffic Accounting... but they are highly version specific, and I doubt you'll see one ever make it into the standard repository.

I found a hack-ish example of accounting after-the-fact. I question it's reliability, and accuracy... but it's better than nothing. Basically, it relies on your auth.log reporting on users' connection states. (i.e. connects/disconnects) and tail running continuously. Unfortunately, tail has a limit of 1-2 seconds minimum between updates... and there is a margin of error when it comes to monitoring the auth.log. (especially during log-rotates)


  • 7,349
  • 16
  • 23