INET accounting for Linux
=========================

This patch logs internet traffic and accumulates it for each
process run. This includes both incoming and outgoing TCP and UDP
data. Only outgoing ICMP data is logged. Data going over RAW
sockets is not logged (only tools like tcpdump use them).

This differs from the IP accounting provided with the standard
Linux kernel in that you get a detailed listing of which user
is responsible for what traffic. This is really useful if
you have to pay for IP traffic.

You'll get accounting information like this:

(time)		(from)          (to)            (bytes) (uid)   (command)
788828421       130.133.7.106   193.98.158.12   9870    1014    lynx
788828421       193.98.158.12   130.133.7.106   1500    1014    lynx
788897755       198.86.40.81    193.98.158.12   447820  1015    ftp
788897755       193.98.158.12   198.86.40.81    66844   1015    ftp

I am interested in any experiences, opinions, ideas you have.
I know that some internal details of this patch are not perfect
(I guess some sti()'s are unnecessary), so if anyone has any suggestions
for improvements, please tell me.

There are two mailing lists related to this package.
One is for discussion and questions, the other one is
an announcement-only list for the announcement of new
versions and important bug fixes.
Mail majordomo@pythia.lunetix.de for more info.

To subscribe to the announcement list
send mail to majordomo@pythia.lunetix.de with
a body of "subscribe inet-acct-user-announce".
You should really consider this if you are using this
package. The list is very low volume, so you won't get
swamped with mail.

You will find detailed step-by-step installation instructions
in the directory doc.

Most probably this is not bug-free, but we have been running this on
an internet host for some months now and haven't experienced
any problems.

The patches here are against plain linux 1.2.x, where x currently
is 0.
I have enclosed the patches for older kernels, too.

There is an FTP server for the most current patches, so
I don't have to release a new package for each new kernel.
Try ftp.uni-erlangen.de:/pub/Linux/LOCAL/net-tools
Note that these patches don't have any functional improvements or bug fixes;
they are just changed to match the respective kernel, and I won't
announce them on the mailing list.
When I add features or fix bugs I'll release a new package.

All the stuff is under the GPL.

The accounting data can be read from user level by an extension
to the syslog syscall.
A daemon is provided to read the data from the kernel and write it to
a file.
There is a simple perl script to post process the data. 
From the sample above it produces this output:

Fri 30.12.94 23:00:21   bibo.met.fu-berlin.de   public.lunetix.de       9870    jim   lynx
Fri 30.12.94 23:00:21   public.lunetix.de       bibo.met.fu-berlin.de   1500    jim   lynx
Sat 31.12.94 18:15:55   calypso-2.oit.unc.edu   public.lunetix.de       447820  joe    ftp
Sat 31.12.94 18:15:55   public.lunetix.de       calypso-2.oit.unc.edu   66844   joe    ftp

Enhancements to this one are welcome.
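
The record format shown above can also be totalled per user for billing.
The following Python sketch is an added example, not part of this package
or its perl script; the function names are hypothetical, and the sample
input is the four records from this README plus one constructed malformed line.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the four records shown in this README, plus one malformed line.
SAMPLE = """\
788828421       130.133.7.106   193.98.158.12   9870    1014    lynx
788828421       193.98.158.12   130.133.7.106   1500    1014    lynx
788897755       198.86.40.81    193.98.158.12   447820  1015    ftp
788897755       193.98.158.12   198.86.40.81    66844   1015    ftp
788897755       not-an-address  198.86.40.81    12      1015    ftp
"""

def parse_record(line):
    """Return (time, src, dst, bytes, uid, command), or None if the line is malformed."""
    fields = line.split(None, 5)
    if len(fields) != 6:
        return None
    try:
        when = datetime.fromtimestamp(int(fields[0]), tz=timezone.utc)
        src = ipaddress.IPv4Address(fields[1])
        dst = ipaddress.IPv4Address(fields[2])
        nbytes, uid = int(fields[3]), int(fields[4])
    except ValueError:  # also covers ipaddress.AddressValueError
        return None
    if nbytes < 0 or uid < 0:
        return None
    return when, src, dst, nbytes, uid, fields[5].strip()

def totals_by_uid(text):
    """Sum bytes per (uid, command); also return the number of rejected lines."""
    totals, rejected = defaultdict(int), 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            rejected += 1  # never bill a user from a line that failed validation
            continue
        totals[(rec[4], rec[5])] += rec[3]
    return dict(totals), rejected

def format_time(when):
    """Render a timestamp in the layout of the listing above (it matches in UTC)."""
    return when.strftime("%a %d.%m.%y %H:%M:%S")

if __name__ == "__main__":
    for key, nbytes in sorted(totals_by_uid(SAMPLE)[0].items()):
        print(key, nbytes)
```
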

Exclusion of subnets:
---------------------

You can define a single subnet to be excluded from accounting. This
is particularly useful for your local ethernet. Any packets destined for a
host on this subnet or coming from a host on this subnet are ignored.
A tool is provided to set this from user level.

------------------------------------------------------------
Please send any comments, bug-reports, patches, flames, pizzas to me.
Ulrich Callmeier (uc@brian.lunetix.de)
------------------------------------------------------------
