DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 14th December 2015
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 69
Smile Internal Interface Stats of PF

Hi,

I'm using OpenBSD 5.3 . I wan't to get the stats of the top talkers in my LAN using the internal interface of my PF. Is there any command for that?

currently I used pfctl -s info to get the information of the external interface. It show in and out traffic as a total value.

Thanks
Reply With Quote
  #2   (View Single Post)  
Old 14th December 2015
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,505
Default

You can get statistics for each rule if you use labels. Two examples:
Code:
# --- allow outgoing UDP 
pass out     quick on egress inet proto udp from any    to any port domain  label "$nr:$proto:DOMAIN"
pass out     quick on egress inet proto udp from any      to any port ntp     label "$nr:$proto:NTP"
The counters/stats:
Code:
#  pfctl -s labels
28:udp:DOMAIN 809265 1576581 192284486 784239 138767275 792342 53517211 792176
29:udp:NTP 14519 105540 8021040 52704 4005504 52836 4015536 12337
Those numbers are described in pfctl(8):
Quote:
Show per-rule statistics (label, evaluations, packets total, bytes total, packets in, bytes in, packets out, bytes out, state creations) of filter rules with labels, useful for accounting.
But this gives only the total stats, not for each user. To have stats by IP address you could add rules like
Code:
pass in quick on internal inet proto tcp from 10.0.0.1 label "$nr:$proto:John"
pass in quick on internal inet proto tcp from 10.0.0.2 to any flags S/SA label "1:tcp:Mary"
pass in quick on internal inet proto tcp from 10.0.0.3 to any flags S/SA label "2:tcp:10.0.0.3"
I never used any of the network stats packages which produces nice graphs. So I don't know if there is something that would give you the stats you want
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 14th December 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,292
Default

Hello, and welcome!

Everyone has their preferences. I'm partial to collecting Netflow statistics, which on OpenBSD are managed via pflow(4). I use net/nfsen as my monitoring tool, combining Netflow statistics from multiple routers. NFSen can be used with a single router, too.

Here are some screenshots from NfSen's website.

FYI: support for OpenBSD 5.3 ended on May 1, 2014. Only the two most recent releases are supported, which are 5.7 and 5.8. Support for 5.7 will end on or about May 1, 2016, with the release of 5.9.

Last edited by jggimi; 14th December 2015 at 11:38 AM. Reason: added screenshot link
Reply With Quote
  #4   (View Single Post)  
Old 14th December 2015
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 69
Default

Hi Both,

Many thanks for your valuable information.


Thanks

Amitha
Reply With Quote
  #5   (View Single Post)  
Old 14th December 2015
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,292
Default

I just used NfSen, even though I'm away from my network.

I'd received an Email from a shipping company to tell me a package had been delivered. I logged in to my home NfSen webserver (protected with client certificates) to arm an alert: I directed it to send me an Email when my son wakes up and begins to use his Windows workstation. I'll call him and ask him to take the package in from the front door where it was dropped.

Yes, I could have the alert send him a text message to his phone, so that I'm not even involved. But I like the personal touch of reaching him directly.
Reply With Quote
  #6   (View Single Post)  
Old 14th December 2015
rocket357's Avatar
rocket357 rocket357 is offline
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429
Default

Quote:
Originally Posted by jggimi View Post
I logged in to my home NfSen webserver (protected with client certificates) to arm an alert: I directed it to send me an Email when my son wakes up and begins to use his Windows workstation.
I've done similar, such as setting pf anchors to shut down internet connectivity to my daughter's vlan at a certain time, or watching traffic to tell her to get off of youtube and get back to her studies.

Parenting just isn't what it used to be =)
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Reply With Quote
  #7   (View Single Post)  
Old 14th December 2015
Oko's Avatar
Oko Oko is offline
Rc.conf Instructor
 
Join Date: May 2008
Location: Kosovo, Serbia
Posts: 1,102
Default

Quote:
Originally Posted by rocket357 View Post
I've done similar, such as setting pf anchors to shut down internet connectivity to my daughter's vlan at a certain time, or watching traffic to tell her to get off of youtube and get back to her studies.

Parenting just isn't what it used to be =)
+1

I am doing the same to my Irish twins (girls)
Reply With Quote
  #8   (View Single Post)  
Old 27th January 2016
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 69
Default

Hi,

Could I know the following code for PF in detail please?

Quote:
table <usage> const { 192.168.1.1 }
pass on $ext_if from any to <usage> label "accounting"
In my OpenBSD firewall the /var partition is getting low in free disk capacity frequently. If I add this command to my PF will it become worst? I want to know what this command does?

Thanks
Reply With Quote
  #9   (View Single Post)  
Old 27th January 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,292
Default

Neither of these two rules cause any disk I/O. They add 90 bytes to your pf.conf file's length.

The first rule creates a table in memory, containing one IP address. The second rule passes traffic destined for the single IP address, and adds a PF label to the rule. This label is only usable with pfctl(8) status reporting of in-kernel packet statstics, unrelated to process accounting records you might record in /var/accounts.

Last edited by jggimi; 27th January 2016 at 11:01 AM.
Reply With Quote
Old 29th January 2016
Amithapr Amithapr is offline
Fdisk Soldier
 
Join Date: Dec 2015
Posts: 69
Default

Thanks a lot Jggimi.

Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Changing Which Interface Is Assigned To Network Interface (physical) Port EverydayDiesel OpenBSD General 2 18th July 2014 10:25 AM
Oracle tucks R stats language into database J65nko News 0 10th February 2012 11:19 PM
How do I troubleshoot an internal interface BinarySpike OpenBSD General 3 1st September 2011 04:11 AM
Redirect Internal Network to Internal Website plexter OpenBSD Security 12 12th February 2009 08:00 PM
2 external NIC + 1 internal NIC AlexV FreeBSD General 7 4th June 2008 08:18 AM


All times are GMT. The time now is 08:39 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick