logging linux-router traffic

 
 
fil

 
      03-02-2004, 02:56 PM
A PC with Slackware 9.1 with 2 Ethernet cards will be the gateway to the
internet.

IP forward works, but what I would like to learn is how to make it keep
track of the traffic in some log files, and how to configure them.

And possibly how to monitor them with some log analyser.

The PC, in principle, should not run squid, as the internet connection has
enough bandwidth.

I know it must be written in some man page somewhere, but right now I don't
know how to start...


 
 
 
 
 
John S

 
      03-02-2004, 03:28 PM

"fil" wrote:
> IP forward works, but what I would like to learn is how to make it keep
> track of the traffic in some log files, and how to configure them.
>
> And possibly how to monitor them with some log analyser.


http://www.mrtg.org


 
 
Ken

 
      03-02-2004, 07:42 PM
Hi -

On Tue, 2 Mar 2004 17:56:15 +0200, "fil" wrote:

> IP forward works, but what I would like to learn is how to make it keep
> track of the traffic in some log files, and how to configure them.


iptables can log; see -j LOG and associated logging parameters, but if
you log every packet you are going to have huge log files.

--
Ken
http://www.ke9nr.net/
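
The kind of logging described in the reply above, narrowed so the files stay small, with a minimal analyser for the result; this is an added example, not part of the thread. The iptables rule in the comment, the `FWD-NEW: ` prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed rule on the gateway (hypothetical; not from the thread). It logs only
# the first packet of each forwarded connection, rate-limited, to keep logs small:
#   iptables -A FORWARD -m state --state NEW -m limit --limit 10/second \
#            -j LOG --log-prefix "FWD-NEW: "
PREFIX = "FWD-NEW: "  # must match --log-prefix above
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample of syslog content (addresses are documentation ranges).
SAMPLE = """\
Mar  2 17:56:15 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=63 ID=4711 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 SYN URGP=0
Mar  2 17:56:16 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=198.51.100.53 LEN=71 TTL=63 ID=0 DF PROTO=UDP SPT=32768 DPT=53 LEN=51
Mar  2 17:56:17 gw sshd[412]: Accepted password for fil from 192.168.1.10 port 40100
Mar  2 17:56:18 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 LEN=60 TTL=63 ID=4712 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 SYN URGP=0
Mar  2 17:56:19 gw kernel: FWD-NEW: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=84 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=1
"""

def parse_line(line, prefix=PREFIX):
    """Return the KEY=value fields of one LOG line, or None for other syslog lines."""
    _, found, rest = line.partition(prefix)
    if not found:
        return None
    # ICMP errors embed the offending packet's header in [...]; keep only the
    # outer header so the inner SRC/DST/DPT cannot overwrite the real ones.
    rest = rest.split("[", 1)[0]
    fields = dict(FIELD.findall(rest))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return fields

def summarize(lines):
    """Count logged new connections per (source, protocol, destination port)."""
    conns = Counter()
    for line in lines:
        f = parse_line(line)
        if f is not None:
            # ICMP has no ports, so DPT is reported as "-".
            conns[(f["SRC"], f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return conns

if __name__ == "__main__":
    for (src, proto, dpt), n in summarize(SAMPLE.splitlines()).most_common():
        print(f"{n:5d}  {src:15s} {proto}/{dpt}")
```
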
 
 
Cameron Kerr

 
      03-04-2004, 03:45 AM
fil wrote:
> A PC with Slackware 9.1 with 2 Ethernet cards will be the gateway to the
> internet.
>
> IP forward works, but what I would like to learn is how to make it keep
> track of the traffic in some log files, and how to configure them.
>
> And possibly how to monitor them with some log analyser.


Sounds like you want to use IP accounting. ipac-ng is kind of nice, but
lacks some features I would like to see, such as the ability to filter
national/international traffic (given suitable information to do so). Also,
if you're getting information from ppp0, and it's doing NAT, you'll only
see the packets AFTER they go through the firewall code (and after they
get NAT'd), which means you only see packets coming to/from the public
interface.

I've been meaning to look at ulog-acctd, which doesn't have the problem
with NAT.

Otherwise, you might just want to use tcpdump to capture the headers
(lots of data to contend with), which you can analyse using various
tools such as nstreams, tcptrace, ethereal etc.

TCPSpy may offer what you are after as well (available on Debian Sid,
and possibly Sarge)

Package: tcpspy
Description: Incoming and Outgoing TCP/IP connections logger
tcpspy is an administrator's tool that logs information
about incoming and outgoing TCP/IP connections. It's
written in C and uses no libpcap functions, unlike tcpdump.
 