Traffic accounting on all ports with ipcad + LightSquid in pfSense 2.0
17.10.12 16:03

Traffic accounting on all ports with ipcad + LightSquid

or "Converting IP addresses into domain names in LightSquid reports"

 

Quite a few articles have been written about setting up the squid + lightsquid + ipcad combination. There is, however, an unpleasant nuance when viewing the statistics.

ipcad collects statistics by IP address, while Squid collects them by domain name.
As a result, in the LightSquid reports we see:

[screenshot of the LightSquid report; not reproduced]

For ipcad to count all ports, they have to be described in the config file /usr/local/etc/ipcad.conf

I described all open ports like this:

aggregate 3128 into 0;
aggregate 80-81 into 0;
aggregate 20-21 into 21;
aggregate 22-23 into 22;
aggregate 25 into 25;
aggregate 26-109 into 26;
aggregate 110 into 110;
aggregate 111-142 into 111;
aggregate 143 into 143;
aggregate 144-442 into 144;
aggregate 443 into 443;
aggregate 444-992 into 444;
aggregate 993 into 993;
aggregate 994 into 994;
aggregate 995 into 995;
aggregate 996-65535 into 65535;


My /usr/local/etc/ipcad.conf for the 192.168.0.0/24 network

#
# Configuration file for ipcad - Cisco IP accounting simulator daemon.
# Copyright (c) 2001, 2002, 2003, 2004, 2005
#     Lev Walkin <e-mail address hidden by the site's spam protection>.
#
# Please see ipcad.conf(5) for additional explanations.
# Please contact me if you have troubles configuring ipcad. My goal is to make
# initial configuration easier for new users, so your input is valuable.
#

##################
# GLOBAL OPTIONS #
##################

#
# Enable or disable capturing UDP and TCP port numbers, IP protocol and
# ICMP types for RSH output.
#
#     capture-ports {enable|disable} ;
#
# Enabling this will BREAK Cisco RSH output format compatibility,
# increase memory requirements and may slow down traffic processing.
# This option takes effect IMMEDIATELY, that is, it can be specified
# multiple times, even between interfaces configuration.
# This option has NO effect on NetFlow operation (NetFlow always captures
# port information).
#

capture-ports enable;

#
# Buffers to be used for transferring the data from the kernel,
# if applicable (BPF, ULOG).
# Using larger buffers may increase the performance but will
# affect responsiveness.
#
# buffers = <number>[{k|m}] ;
#
# Reasonable defaults are used if this parameter is not set.
#

## buffers = 64k;


#####################
# INTERFACE OPTIONS #
#####################

#
# interface <iface> [ promisc ] [ input-only ]
#            [ netflow-disable ] [ filter "<pcap_filter>" ] ;
# OR
# interface ulog group <group> [, group <group> ...]
#            [ netflow-disabled ];
# OR
# interface ipq [ netflow-disabled ];    # man libipq(3)
# OR
# interface {divert|tee} port <divert-port>            # man divert(4)
#            [ input-only ] [ netflow-disabled ];
# OR
# interface file <tcpdump-output.pcap> [ netflow-disabled ];
#
# Options meaning:
#
# promisc:
#     Put interface into promiscuous mode.
#     This enables listening for the packets which are not destined for
#     this host and thus ipcad will count and display all the traffic within
#     the local network. Note that the interface might be in promiscuous mode
#     for some other reason.
#
# input-only:
#     Use kernel feature of counting only incoming packets.
#
# netflow-sampled:     (DO NOT ENABLE THIS OPTION, unless you have to!)
#     If the NetFlow export mechanism is used, this option instructs
#    the interface to supply only one out of N packets to the NetFlow
#    accounting code, thus lowering the CPU requirements. The value of N
#    is configured explicitly in a NetFlow configuration section.
#    NOTE: This option is NOT used to enable NetFlow on the interface,
#    it just modifies the NetFlow behavior on this interface.
#    DO NOT ENABLE THIS OPTION, UNLESS YOU HAVE TO!
#
# netflow-disable:
#    By default, all interfaces are included into NetFlow accounting.
#    This option is used to disable NetFlow on a particular interface.
#
# filter:
#     Install a custom filter on packets instead of basic
#    IP protocol filter. Requires libpcap (even if BPF is being used).
#    May be employed to eliminate CPU overhead on passing unnecessary
#    data between the kernel and user space (by installing the filter
#    directly into the kernel).
#
# NOTES:
#  * "input-only" directive must be supported by kernel.
#    Probably, you were noticed about it during the compilation process
#    if it was not supported.
#    FreeBSD 3.x and elder kernels do not support this feature.
#  * ULOG packet source (interface ulog) is supported under
#    Linux >= 2.4.18-pre8.
#    You should configure iptables to dump the packet stream
#    into the appropriate group, i.e.:
#        iptables -A OUTPUT -j ULOG --ulog-nlgroup <group>
#    Given ULOG groups will be OR'ed together.
#  * A wildcard (*) may be specified as part of an interface name.
#

interface sk0 filter "ip and dst net 192.168.0.0/24 and not src net 192.168.0.0/24";
##interface sk0;
##interface ed0;
##interface ed1 promisc filter "ip and not dst net 192.168.0.0/16";
##interface sbni0 input-only netflow-disable;    # Disable NetFlow.
##interface ppp*;                # Dynamically pick up PPP interfaces.
##interface ulog group 3, group 15;    # Use ULOG, do not disable NetFlow.
##interface ipq;                # Use Linux IPQ (libipq(3))
##interface tee port 123;            # Use BSD ipfw(8)'s tee.
##interface divert port 321 netflow-disable;    # Use ipfw(8)'s divert(4).

#
# aggregate <ip>/<masklen> strip <maskbits> ;
#
# Aggregate addresses from the specified network (<ip>/<masklen>),
# by AND'ing with specified mask (<maskbits>).
#
#

aggregate 192.168.0.0/24 strip 32; /* Don't aggregate internal range */
aggregate 0.0.0.0/0 strip 32;    /* Aggregate external networks */

#
# aggregate <port_range_start>[-<port_range_end>] into <port> ;
#
# Aggregate port numbers. Meaningful only if capture-ports is enabled.
#
aggregate 3128 into 0;
aggregate 80-81 into 0;
aggregate 20-21 into 21;
aggregate 22-23 into 22;
aggregate 25 into 25;
aggregate 26-109 into 26;
aggregate 110 into 110;
aggregate 111-142 into 111;
aggregate 143 into 143;
aggregate 144-442 into 144;
aggregate 443 into 443;
aggregate 444-992 into 444;
aggregate 993 into 993;
aggregate 994 into 994;
aggregate 995 into 995;
aggregate 996-65535 into 65535;    /* Aggregate wildly */


##########################
# NetFlow EXPORT OPTIONS #
##########################

#
# Enable Cisco NetFlow export method.
# NetFlow uses UDP to feed flow information to the receiver.
# If the destination is not specified, NetFlow is disabled.
#

# netflow export destination 127.0.0.1 9996;
netflow export version 5;    # NetFlow export format version {1|5}
netflow timeout active 30;    # Timeout when flow is active, in minutes
netflow timeout inactive 15;    # Flow inactivity timeout, in seconds
netflow engine-type 73;        # v5 engine_type; 73='I' for "IPCAD"
netflow engine-id 1;        # Useful to differentiate multiple ipcads.

# The following option is enabled by the "netflow-sampled" interface flag.
#netflow sampling-mode packet-interval 10;   # 1 out of 10 packets accounted
# DO NOT ENABLE THIS UNLESS YOU KNOW WHAT ARE YOU DOING.

#
# NetFlow protocol exports an SNMP id instead of the interface name
# (i.e., "eth0", "ppp32"). The following statements options define
# mapping between the interface names and a set of "SNMP identifiers".
#
netflow ifclass eth mapto 0-99;        # i.e., "eth1"->1, "eth3"->3
netflow ifclass fxp mapto 0-99;        # i.e., "fxp4"->4, "fxp0"->0
netflow ifclass ppp mapto 100-199;    # i.e., "ppp32"->532, "ppp7"->507
netflow ifclass gre mapto 200-299;
netflow ifclass tun mapto 300-399;    # i.e., "tun0"->300

######################
# RSH SERVER OPTIONS #
######################

#
# Enable RSH Server:
#
#   rsh {enable|yes|on|disable|no|off} [at <listen_ip>];
#
# If "at <listen_ip>" omitted, rsh server listens on IP address 0.0.0.0,
# which may be undesirable.
#

rsh enable at 127.0.0.1;


#
# RSH access rules:
#
# rsh [<user>@]<host_addr> {admin|backup|[default]|view-only|deny} ;
#

# (the user names in the rules below were mangled by the site's e-mail
#  obfuscation; <...> marks where a real user name belongs, and the host
#  127.0.0.1 is assumed from the "rsh enable at" line and the view-only rule)
rsh <admin-user>@127.0.0.1 admin;    /* Can shutdown ipcad */
rsh <backup-user>@127.0.0.1 backup;    /* Can dump/restore/import accounting table */
rsh <user>@127.0.0.1;        /* Can view and modify accounting tables */
/* Note the order! */
####rsh <denied-user>@127.0.0.1 deny;    /* Deny this user from even viewing tables */
rsh 127.0.0.1 view-only;    /* Other users can view current tables */

# Keep IP packet time to live reasonably low to avoid remote attacks.
# (The rsh client must reside no more than three hops away from the
# router running ipcad.)
rsh ttl = 3;

# Set rsh timeout for the same purpose.
rsh timeout = 30;

#
# Dump active IP accounting table to this file on exit and read on startup.
# (read about -s and -r options in ipcad(8) manual page)
# NOTE: This setting has no effect on NetFlow operation. The flow cache
#       contents are flushed to the collector upon ipcad termination.
#

dumpfile = ipcad.dump;    # The file is inside chroot(), see below...

#################
# OTHER OPTIONS #
#################

#
# Chroot to this directory before processing.
#
# Of course, you could disable chroot()'ing by commenting it out,
# but it is not recommended, so I left this confusing default
# to encourage you to change it.
#

##chroot = /adm/tmp;
chroot = /var/log/ipcad;
#
# File to keep getpid() in it. ipcad will also hold a lock.
#
# WARNING: Pidfile is created AFTER chroot()'ing, so if you're using
# chroot statement above, make sure the path to the pidfile exists
# inside chrooted environment.
#

pidfile = ipcad.pid;

#
# UID/GID privileges dropping
# Please note: RSH service will be UNAVAILABLE when uid is not zero.
# Use it only when you know what are you doing (i.e., NetFlow without RSH).
#
# uid = 65534;
# gid = 65534;

#
# Few useful settings.
#

#
# Memory usage limit for storing per-stream entries.
#
# memory_limit = <number>[{k|m|e}] ;
# Where k, m and g are for kilobytes, megabytes or table "entries".
#

memory_limit = 10m;

 

To convert IP addresses into domain names, we modify the tolog.sh file.

The script was written by forestman99 and posted on the forum:
http://forum.pfsense.org/index.php/topic,21394.msg168129.html#msg168129

New contents of the tolog.sh file:

#!/bin/sh
# tolog.sh: pull the ipcad accounting table over rsh and append it to
# squid's access.log in squid's native format so LightSquid can report it.

rez2=""

# Reverse-resolve an IP address with dig; on failure keep the address itself.
iptoname ()
{
    rez2=$1
    # +short prints only the PTR name; take the first line in case there are several
    REZ=$(/usr/bin/dig -x "$1" +short | /usr/bin/head -n 1)
    if [ -n "$REZ" ]
    then
        rez2=$REZ
    fi
}

net="192.168.0"
# Timestamp of the accounting snapshot, taken from the "show ip accounting" output
ttime=`/usr/bin/rsh localhost sh ip acco | /usr/bin/grep 'Accounting data saved' | /usr/bin/awk '{print ($4)}'`
/usr/bin/rsh localhost clear ip accounting
/usr/bin/rsh localhost show ip accounting checkpoint | /usr/bin/grep "$net" > /root/tolog.txt

# Fields as used below: p1 remote address, p2 client address, p4 bytes,
# p5 remote port (already aggregated by ipcad.conf)
while read p1 p2 p3 p4 p5 p6 p7 p8
do
    # port 0 holds the HTTP/3128 traffic that squid already logs itself; skip it
    if [ "$p5" != "0" ]
    then
        rez2=""
        iptoname "$p1"
        # squid native log line: time elapsed client code/status bytes method URL ident hier/peer type
        echo "$ttime.000 1 $p2 TCP_MISS/200 $p4 CONNECT $rez2:$p5 - DIRECT/$p1 -" >>/var/squid/log/access.log
    fi
done < /root/tolog.txt

exit 0
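The conversion tolog.sh performs (one ipcad checkpoint row into one squid native access.log line, with the HTTP/3128 bucket skipped and the remote address reverse-resolved) is the part worth testing before pointing it at a live access.log, since a malformed line confuses LightSquid's parser. The block below is an added example, not the article's or forestman99's script: it does the same conversion on constructed checkpoint rows embedded in sample_checkpoint, replaces "dig -x" with a constructed lookup table so it runs offline, and assumes the column order src_ip dst_ip packets bytes src_port dst_port proto iface, which is inferred from how tolog.sh uses $p1 to $p5 and not stated on the page.

```shell
#!/bin/sh
# Added example (not the article's tolog.sh): the ipcad -> squid access.log
# conversion, written so it can be exercised offline on constructed data.
# Assumed checkpoint column order (inferred from tolog.sh's use of $p1..$p5):
#   src_ip dst_ip packets bytes src_port dst_port proto iface

# Reverse-resolve an address. The article uses "dig -x <ip> +short"; here a
# constructed table stands in for DNS so the example runs offline. An
# unresolvable address falls back to the address itself, as tolog.sh does.
resolve_ip() {
    case "$1" in
        93.184.216.34) echo "example.com" ;;        # constructed mapping
        198.51.100.7)  echo "mail.example.net" ;;   # constructed mapping
        *)             echo "$1" ;;
    esac
}

# Read checkpoint rows on stdin, write squid native log lines on stdout.
# $1 is the epoch-seconds timestamp stamped onto every line.
# Rows with remote port 0 are the HTTP/3128 traffic that squid already logs
# itself, so they are skipped exactly as tolog.sh does.
ipcad_to_squid() {
    ttime=$1
    while read -r src dst packets bytes sport dport proto iface; do
        [ -n "$src" ] || continue          # skip blank lines
        [ "$sport" != "0" ] || continue    # already in squid's own log
        host=$(resolve_ip "$src")
        # squid native format: time elapsed client code/status bytes method URL ident hier/peer type
        printf '%s.000 1 %s TCP_MISS/200 %s CONNECT %s:%s - DIRECT/%s -\n' \
            "$ttime" "$dst" "$bytes" "$host" "$sport" "$src"
    done
}

# Constructed sample of "show ip accounting checkpoint" output after the
# grep for the internal network; the first row is the port-0 bucket.
sample_checkpoint() {
    cat <<'EOF'
93.184.216.34 192.168.0.10 12 8192 0 51234 6 sk0
93.184.216.34 192.168.0.10 40 60000 443 51235 6 sk0
198.51.100.7 192.168.0.11 5 900 995 40111 6 sk0
203.0.113.9 192.168.0.12 3 300 22 40222 6 sk0
EOF
}

# Wrapper with a fixed constructed timestamp, used when run stand-alone.
sample_converted() {
    sample_checkpoint | ipcad_to_squid 1350467000
}

sample_converted
```

Running the block prints three lines: the port-0 row is dropped, the two resolvable addresses appear as host:port in the URL field, and 203.0.113.9 stays numeric in both the URL and the DIRECT/ field, which is what LightSquid will show for any address without a PTR record.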

 


After replacing the contents of tolog.sh you will see the following in the LightSquid reports:

[screenshot of the LightSquid report; not reproduced]

Happy configuring!

Link to the source: http://thin.kiev.ua/router-os/50-pfsense/681-ipcad-lightsquid.html


Last updated 19.10.12 16:25