What does faq mean and where do I get the current version?
faq means Frequently Asked Questions; someone who says "here is a faq list" means that the answers are included, too. You can get the current version of the ipac mini faq list from http://www.daneben.de/ipacfaq.html. ipac is a Linux IP accounting tool whose home page is http://www.daneben.de/ipac.html.
Does ipac support kernel 2.4.x systems?
Not really. Porting ipac to 2.4 is going on, but nobody knows when it will be finished.
One option is to use the ipchains.o kernel module. This means that you cannot have iptables support in the kernel because those two conflict. Also, because of an incompatibility between 2.2 and 2.4 ipchains support, you need to add a command - quoting Sumit Pandya sumit(at)elitecore.com:
In Kernel 2.4 after running "fetchipac" you have to manually zero all ipchains counters. That can be done with "/sbin/ipchains -Z". Ya result will not be exact, but who cares for approx(< 1K) in say 5 minutes of interval of running "fetchipac".
Where can I find mktemp? My distribution seems not to include it.
Grab it here. Most Linux distributions include it, but some don't (it's the source from Red Hat 6.0).
How do I uninstall ipac?
Assuming all paths in the config file had been unchanged on installation:
First of all, you should read the ipchains manual page ipchains(8) (if you have an ipfwadm system, it's ipfwadm(8)).
It is essential to understand the different meanings of the fields "interface", "source" and "destination". With the Linux IP accounting system, you always count the traffic on either one or all interfaces. Most of the time, you will want to count on one interface only. So you should ask yourself, "on which interface do the packets I want to measure pass?". The name of this interface is the right thing to put into the "interface" field.
The source and destination (and protocol) fields can be left blank to count everything that passes through that interface. If you fill in information there, you can tell ipac only to measure certain packets that pass through the interface. If you specify a certain protocol (udp, tcp or icmp), ipac counts only packets belonging to that protocol.
The source and destination fields consist of two parts: an address and an optional port specification. The port specification may only be given if a protocol is specified. The addresses here mean the source and the final destination of the packet. For the exact syntax see the ipchains(8) / ipfwadm(8) manual page.
Assume your gateway is named "one" and has the interfaces eth0 and isdn0. eth0 is connected to the LAN. isdn0 is the interface to the world (ISP). eth0 has the ip address X.0.0.1. You have three clients with the addresses X.0.0.4 to X.0.0.6 which are called "four", "five" and "six". By the way: it doesn't matter whether or not your ISP assigns you a dynamic ip number, or of which type the interfaces are.
# ipac.conf for example site
# Format:
# Name of rule|direction|interface|protocol|source|destination
# probably includes more stuff than necessary

# count all traffic, in and out separately, to and from the internet
internet in all|in|isdn0|||
internet out all|out|isdn0|||

# count clients separately, in and out in one counter.
internet client four|in|isdn0|||X.0.0.4
internet client four|out|isdn0||X.0.0.4|
internet client five|in|isdn0|||X.0.0.5
internet client five|out|isdn0||X.0.0.5|
internet client six|in|isdn0|||X.0.0.6
internet client six|out|isdn0||X.0.0.6|
This way, the traffic is counted on interface isdn0, so local traffic from and to the gateway machine won't count.
We use ip masquerading. Does the above still work?
No. Since on interface isdn0 all clients have the same ip number, the kernel can no longer distinguish them. There are two possible solutions.
If you have an ipfwadm system: You have to count on interface eth0, but this will include local traffic from and to the gateway. One way to solve this problem would be to count local traffic explicitly (source/destination = the gateway) and to subtract this manually. Unfortunately, this means you won't have any proper images.
If you have an ipchains system, read this:
From: Matthijs Sypkens Smit <matthijs@helena.tux.nu>
To: moritz@daneben.de
Subject: From the faq: "We use ip masquerading. Does the above still work?"
Date: Mon, 29 May 2000 21:22:37 +0200

[...]

I'm using a masquerading firewall with an ADSL-connection. We have a traffic-limit however which prevents me and my neighbours (we share the LAN) of unlimited traffic per month. Your faq states that it would be impossible to count the traffic in our case, save by subtracting some values by hand. I managed to set up rules however which do count the Internet-traffic in this case on a per ip-address basis by using the ! (not) operator in the source and destination addresses. See the following extract from my ipac.conf:

---ipac.conf extract---
Bernie Internet|in|eth0|all|192.168.79.12|! 192.168.79.30
Bernie Internet|out|eth0|all|! 192.168.79.30|192.168.79.12
Matthijs Internet|in|eth0|all|192.168.79.13|! 192.168.79.30
Matthijs Internet|out|eth0|all|! 192.168.79.30|192.168.79.13
Paul Internet|in|eth0|all|192.168.79.33|! 192.168.79.30
Paul Internet|out|eth0|all|! 192.168.79.30|192.168.79.33
# total:
Internet Totaal|in|ppp0|all||
Internet Totaal|out|ppp0|all||
---end ipac.conf extract---

ppp0 is my ppp link via eth1 to the ADSL-modem. It's probably possible as well to use ppp0 where I used eth1 and the other way around, but this was the way I set it up and it works ...

192.168.79.30 is the server ip. As you can see, I'm logging all the traffic which has to do with a certain node and _not_ with the server.

I've tested this setup quite extensively and it works perfectly in my environment.
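The effect of the rules in the message above, as an added example that is not part of the original faq or of ipac: a small Python model that applies rules in the ipac.conf format to constructed packets. It shows that the per-client rules on eth0 with the ! operator count internet traffic but not traffic to the server, while a per-client rule on the masqueraded ppp0 interface counts nothing. The packets, the 198.51.100.9 public address, the "Bernie on ppp0" rule and the function names are assumptions; ports are not modelled.

```python
import ipaddress
from collections import Counter

# Constructed rules, format name|direction|interface|protocol|source|destination.
# "Bernie on ppp0" is a hypothetical rule that shows the masquerading problem.
RULES = """\
Bernie Internet|in|eth0|all|192.168.79.12|! 192.168.79.30
Bernie Internet|out|eth0|all|! 192.168.79.30|192.168.79.12
Bernie on ppp0|out|ppp0|all|192.168.79.12|
Internet Totaal|in|ppp0|all||
Internet Totaal|out|ppp0|all||
"""
# Constructed packets at the gateway: (direction, interface, protocol, src, dst, bytes)
PACKETS = [
    ("in", "eth0", "tcp", "192.168.79.12", "203.0.113.7", 1500),     # client -> internet
    ("out", "ppp0", "tcp", "198.51.100.9", "203.0.113.7", 1500),     # same, masqueraded
    ("in", "ppp0", "tcp", "203.0.113.7", "198.51.100.9", 40000),     # reply from internet
    ("out", "eth0", "tcp", "203.0.113.7", "192.168.79.12", 40000),   # reply to client
    ("in", "eth0", "tcp", "192.168.79.12", "192.168.79.30", 9000),   # client -> server
    ("out", "eth0", "tcp", "192.168.79.30", "192.168.79.12", 7000),  # server -> client
]

def addr_matches(spec, ip):
    """Empty field matches any address; a leading '!' inverts the match."""
    tokens = spec.split()
    if not tokens:
        return True
    negate = tokens[0] == "!"
    network = ipaddress.ip_network(tokens[1] if negate else tokens[0], strict=False)
    return (ipaddress.ip_address(ip) in network) != negate

def parse_rules(text):
    """Split each non-comment line into its six '|'-separated fields."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    rules = [[f.strip() for f in l.split("|")] for l in lines]
    if any(len(r) != 6 for r in rules):
        raise ValueError("every rule needs exactly six fields")
    return rules

def account(rules, packets):
    """Add each packet's size to every rule name it matches (same name = one counter)."""
    totals = Counter({r[0]: 0 for r in rules})
    for direction, iface, proto, src, dst, size in packets:
        for name, r_dir, r_if, r_proto, r_src, r_dst in rules:
            if ((r_dir, r_if) == (direction, iface) and r_proto in ("", "all", proto)
                    and addr_matches(r_src, src) and addr_matches(r_dst, dst)):
                totals[name] += size
    return totals

if __name__ == "__main__":
    print(dict(account(parse_rules(RULES), PACKETS)))
```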
ipac seems not to see a difference between "eth0" and "eth0:0". Aliased interfaces count as one. Why?
This is a linux kernel limitation.
But I want to measure the traffic on different virtual web servers. Can't I do that?
You have two options: You might want to check out the old "dummy" interface trick. A simpler way would be to use the plain un-aliased interface and use the source and destination ip address fields of each packet going through that interface.
After downloading a file at 30 KByte/s, ipacsum says the maximum throughput was 10 KByte/s only. How come?
ipacsum's output shows you the *average* speed of a given period, not the *maximum*. The key to the problem is what ipacsum puts into the header of the index.html page as "Resolution:" - this is the exact time one pixel of the image on the x axis represents. If this is, for example, three minutes, and you transfer a file at 30 KBit/s for one minute, the corresponding y value will be 10 KBit/s.
The "max" value shown in the image (and possibly in the html page) is the maximum of all values shown in the image (= the maximum of all n seconds average values), not the maximum throughput.