NAME

ipacctd —

IP accounting using divert socket

SYNOPSIS

ipacctd [-cdhstvwV] [-b size] [-f file] [-m recs] [-r file] -p port

DESCRIPTION

The ipacctd is intended for IP accounting. divert(4) and corresponding ipfw(8) rules are used for obtaining IP packets.

The following options are available:

-b size: Set both input and output buffer size of divert(4) socket to size. When number of packets per second is too great it is recommended to set buffer size equal to maximum value (equal to value of sysctl(8) variable kern.ipc.maxsockbuf).
-c: cisco-like accounting output format. In this case the columns packets and bytes are swapped and space symbol are inserted before ip_src.
-d: Do not detach from the controlling terminal (do not call daemon(3) ). Useful for debugging.
-f file: Dump accounting to the file. The filename string may contain any of the conversion specifications described in the strftime(3).
-h: Display help information (list of supported options).
-m recs: Set maximum number of records in hash table (by default equal to 30000). The record is a unique combination of ip_src/ip_dst for standard accounting mode and ip_src/ip_dst/s_port/d_port/ip_proto for extended accounting mode. Using this option prevents DoS attacks because for each record in the hash table some amount of operating memory is required.
-p port: Required option. Set the port number related to correspond divert/tee rule.
-r file: Specify the name and path to record the ipacctd 's process ID.
-s: Create unix(4) stream socket which can be used to fetch accounting instead of sending SIGHUP. See also IMPLEMENTATION NOTES.
-t: Use tee ipfw(8) rule for obtaining packets ( divert is used by default).
-v: Extended accounting mode (also output ip protocol and TCP/UDP/ICMP ports).
-w: Output the time of writing the first packet in time_t format in the last column.
-V: Show ipacctd version.

The SIGHUP signal causes ipacctd to dump accounting in the default file or specified in -f option. Accounting format is:

ip_from ip_to bytes packets

When -v option is used the accounting output format is:

ip_from s_port ip_to d_port proto bytes packets

If proto is ICMP then s_port is ICMP type and d_port is ICMP sub-code.

The SIGUSR2 signal causes ipacctd to dump current accounting and debugging information to file /var/tmp/ipacctd_dump.

IMPLEMENTATION NOTES

Since 1.43 version option -s is introduced, which is used to fetch accounting via cat(1):

cat
  /tmp/ipacct/ipacct.<port>

Note that support of unix(4) sockets in cat(1) was introduced in FreeBSD 4.5.

FILES

/tmp/ipacct/ipacct.<port>: unix(8) socket used to obtain accounting when -s option is specified
/var/log/ipacct.<port>: default accounting file
/vsr/run/ipacctd.<port>: default process ID file
/var/tmp/ipacctd_dump: default dump file

EXAMPLES

Typical ipacctd use:

Add ipfw(8) rule
add 2000 divert 10000 ip from any to any via ppp*
Run ipacctd
ipacctd -v -p 10000 -f /var/log/ipacct.%F_%T

After these steps when the SIGHUP is sent ipacctd will dump all accounting for IP packets transmitted via ppp interfaces to the file ipacct.YYYY-MM-DD_HH:MM:SS.

DIAGNOSTICS

All error messages are logged to syslog(3). It is important to pay attention to messages like (port %d) accounting threshold exceeded for %d packet(s) and %d byte(s). They mean that the shown number of packets was received by ipacctd but was not accounted because the number of records in the hash table had been exhausted. The possible solution is to dump accounting more often or to increase the number of records in hash table with option -m.

COMPATIBILITY

The ipacctd should work on all versions of FreeBSD that support divert(4) sockets.

AUTHORS

Roman V. Palagin ⟨romanp@unshadow.net⟩.

English version of this manual page has been written by
Sergey Skvortsov ⟨skv@FreeBSD.org⟩.

BUGS

If you find one - please contact the author.