NET accounting for Linux
========================

Short description
-----------------
This package logs network traffic. It provides a daemon (nacctd) that
logs all traffic passing the machine it runs on (similar to what tcpdump
does).

Preliminary capability is provided to associate traffic to slip/ppp users
in case you run a slip/ppp server.

Why would you want to use this?
-------------------------------
- You are providing IP to customers and want to charge them based on the traffic
  they generate.
- You are a statistics freak and want to see how much of your network traffic
  is for NetNews, FTP, WWW etc.

Usage/Installation
------------------
1) go to source directory
   [e.g.: cd src]
2) do a "make"
   you must have your kernel sources installed properly to do this
   [e.g.: make]
3) copy naccttab.sample to /etc/naccttab
   this is the config file
   [e.g.: cp naccttab.sample /etc]
4) tune the options in naccttab to your needs
   the sample file is heavily documented so this should be easy
5) optionally install nacctd in /usr/sbin or wherever you like
   [e.g.: cp nacctd /usr/sbin]
6) start nacctd
   [e.g.: /usr/sbin/nacctd]

You can control nacctd with signals.
Here is what the signals do (one might call this abuse of signals ;-):

SIGINT		ends daemon
SIGTERM		ends daemon
SIGHUP		ends daemon
SIGUSR1		increases debugging level
SIGUSR2		turns off debugging
SIGWINCH	prints some kind of version id
SIGTSTP		disables writing to file
SIGCONT		enables writing to file

The last two (TSTP and CONT) are useful for an automated archival of the
logfiles without terminating the daemon. Just send a SIGTSTP before moving
the logfile and send a SIGCONT when you are done.

Output
------
You will get a logfile with lines like this:

Sample line:

786476591   6   193.98.158.1   119   192.76.152.9   2072   5370   eth0	unknown

1: time in seconds since 1.1.1970 (standard unix way of giving time)
2: ip protocol, you can look this up in /etc/protocols
   1 is icmp, 6 is tcp, 17 is udp
3: source ip address
4: source port, you can look this up in /etc/services, if it's a well-known
   port
5: destination ip address
6: destination port
7: size of data
8: device over which the packet was received/sent
9: associated user in case of a slip/ppp link
   this will always be "unknown" for ethernet devices and such

The enclosed perl script will make this more readable.
Please note that this script is merely an example.
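
As an added illustration (this is not the enclosed perl script and not part of the package), the following Python sketch parses the nine fields described above, rejects malformed lines instead of billing them, and sums bytes per service and per user. Treating the lower of the two ports as the service side is an assumption of this example; apart from the README's own sample line, the input lines are constructed.

```python
import ipaddress
from collections import Counter, namedtuple
from datetime import datetime, timezone

PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}  # the three values the README names
Record = namedtuple("Record", "when proto src sport dst dport size device user")

def parse_line(line):
    """Parse one nacctd log line; raise ValueError if it is malformed."""
    f = line.split()  # fields are separated by runs of spaces and/or tabs
    if len(f) != 9:
        raise ValueError(f"expected 9 fields, got {len(f)}")
    ts, proto, sport, dport, size = (int(f[i]) for i in (0, 1, 3, 5, 6))
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535) or size < 0:
        raise ValueError("port or size out of range")
    # IPv4Address raises AddressValueError (a ValueError) on bad addresses.
    return Record(datetime.fromtimestamp(ts, tz=timezone.utc),
                  PROTOCOLS.get(proto, str(proto)),
                  ipaddress.IPv4Address(f[2]), sport,
                  ipaddress.IPv4Address(f[4]), dport, size, f[7], f[8])

def summarize(lines):
    """Return (bytes per (proto, service port), bytes per user, rejected count)."""
    by_service, by_user, rejected = Counter(), Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        try:
            r = parse_line(line)
        except ValueError:
            rejected += 1  # count, but never bill, lines that fail validation
            continue
        # Assumption of this example: the lower port is the service side.
        by_service[(r.proto, min(r.sport, r.dport))] += r.size
        by_user[r.user] += r.size
    return by_service, by_user, rejected

# Constructed sample input: line 1 is the README's sample line, the rest are
# made up (including one invalid address and one truncated line).
SAMPLE = """786476591   6   193.98.158.1   119   192.76.152.9   2072   5370   eth0\tunknown
786476600   6   192.76.152.9   2072   193.98.158.1   119   412   eth0\tunknown
786476610   17   192.0.2.7   1030   192.0.2.1   53   64   sl0\talice
786476620   6   999.1.1.1   80   192.0.2.1   1500   100   eth0\tunknown
truncated line
"""

if __name__ == "__main__":
    print(summarize(SAMPLE.splitlines()))
```

A non-zero rejected count is worth alerting on when the log feeds billing, since it means lines were truncated or altered between the daemon and the report.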

Mailing lists
-------------
There are two mailing lists related to this package.
One is for discussion and questions, the other one is
an announcement-only list for the announcement of new
versions and important bug fixes.
Mail majordomo@pythia.lunetix.de for more info.

To subscribe to the announcement list
send mail to majordomo@pythia.lunetix.de with
a body of "subscribe net-acct-announce".
You should really consider this if you are using this
package. The list is very low volume, so you won't get
swamped with mail.

Notes
-----
The daemon itself has proven to be quite stable on
our machine; we have been using it for about four months now.

I'd however like to know how it behaves under different circumstances
and configurations.
Please tell me about any experiences you have.
I'm also interested in suggestions for features that could
be added.
Things I know are missing:

 - handling of dynamically assigned IP numbers when there is no fixed relation
   between network interface and serial line
   
   I don't see any way to handle this without a kernel patch.
   If anyone knows how to get the corresponding serial line to, say, sl0, please
   let me know.

 - a reasonable back end to evaluate the data

   I have got a bunch of perl scripts right now to
   do this, but this needs to be more flexible and
   complete.
   What do you expect from a back end?


Bug reports
-------------
As this is alpha software it most likely contains some bugs.
To make an actually useful bug report, please send me the following information:
- your setup 
  - hardware (ethercard etc.)
  - software (kernel, libc, etc.)
  - network layout
- what you did and what happened
- excerpt of the syslog files with debugging set to at least 2
- anything else you think is useful to trace down the bug

I'm interested in any suggestions on how to improve this software,
please mail them to me.

If anyone volunteers to write better documentation or to improve this
readme (maybe fix all the bad English) I'd be very happy to hear from
you.

------------------------------------------------------------

Please send any comments, bug-reports, patches, flames, postcards to me.

Ulrich Callmeier (uc@brian.lunetix.de)

------------------------------------------------------------
