Measure system traffic -

Rick Sewill rsewill at cableone.net
Tue Jan 23 18:11:51 UTC 2007


On Tue, 2007-01-23 at 10:19 -0500, Bob Goodwin wrote:
> 
> My ISP Wildblue limits me to 5 gigs upload and 17 down over a thirty 
> day period. For the last nine months this has not been a problem, 
> however last month they made a system change and said they were 
> measuring usage more accurately.  Now we are running perilously close to 
> the limits for the last thirty days and I'm not certain why.
> 
> We have four computers [FC6, Mac, and W2k] running on the wireless LAN 
> which appears as eth0 to my computer. The system is comprised of the 
> satellite receiver/modem, a Netgear wireless router, and some Linksys 
> wireless bridges and/or adapters.  Can someone tell me how I can track 
> usage and determine how much each user is consuming?
> 

I do not have a good answer to this question, but I have suggestions.

Each device should, hopefully, keep interface statistics.

It might be possible to gather those statistics, periodically, using
snmp, if the device allows snmp.

Another possibility depends on your configuration.  Does all the traffic
between you and the ISP Wildblue go through a router or bridge you
control?  It is a long-shot, depending on what devices you have and what
features they support, but, if the router or bridge you control, that is
the point of connection with Wildblue, supports VLANs, you might be able
to configure that device to have a VLAN for each of the devices on your
LAN, and then gather statistics based on VLANs.

Another possibility is to use a program, such as iptraf, for monitoring
LAN traffic.  "yum install iptraf"  

Please be certain to force promiscuous mode in any LAN traffic monitor
so you see all traffic that gets to the interface, and not just traffic
that is unicast to/from the PC, or traffic that is multicast or
broadcast, where you are running the LAN traffic monitor.  

Also, please be careful if you have any switches or bridges in your LAN
because a switch or bridge will "learn" which port on the switch or
bridge is the way to reach a unicast MAC address and will only send the
unicast packet out that port.  Your PC, running the LAN traffic monitor
might never see the packet on any of its interfaces.

It is best you run a LAN traffic monitor as close as possible to the
point of connection between your ISP and your local LAN.

I would also be suspicious if your ISP is a Cable company.  Your local
neighbors and you share the Cable to the Cable company.  A few years ago
I had reason to put ethereal (wireshark) between my NAT/firewall box and
the Cable Modem box, and I saw lots of traffic.  Besides multicast and
broadcasts from my neighbors, the Cable company was sending a flood (I
hate to say it, but I thought it was a flood) of ARP requests for ranges
of IP addresses.  I would hope the Cable company is not counting such a
flood of ARP packets against your limits because the Cable company would
be the one to generate the flood.  It might be a good idea to look for
this condition, just in case.

> Thanks.
> 
> Bob Goodwin    Zuni, Virginia
> 
-- 
Rick Sewill            tel:+1-218-287-1075 mailto:rsewill at cableone.net
1028 7th St. N.                               mailto:rsewill at gmail.com
Moorhead, MN 56560-1568      ymsgr:rsewill   sip:628497 at fwd.pulver.com
U. S. A.               tel:+1-701-866-0266     xmpp:rsewill at jabber.org
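
Added example, not part of the original message: the reply suggests gathering interface statistics periodically, and this sketch shows that on a Linux host by differencing two /proc/net/dev readings and allowing for a byte counter that wraps between them. The snapshots are constructed sample data, the function names are illustrative, and the 32-bit counter width is an assumption (pass bits=64 where the counters are 64-bit).

```python
# Added example: bytes used between two /proc/net/dev readings, with wrap handling.

# Constructed samples in /proc/net/dev layout (not captured from a real host).
HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast"
    "|bytes    packets errs drop fifo colls carrier compressed\n"
)
SNAP_T0 = HEADER + (
    "    lo:    1000      10 0 0 0 0 0 0     1000      10 0 0 0 0 0 0\n"
    "  eth0:4294900000 900000 0 0 0 0 0 0 50000000  400000 0 0 0 0 0 0\n"
)
SNAP_T1 = HEADER + (
    "    lo:    1500      15 0 0 0 0 0 0     1500      15 0 0 0 0 0 0\n"
    "  eth0:  132704  900150 0 0 0 0 0 0 80000000  420000 0 0 0 0 0 0\n"
)


def parse_net_dev(text):
    """Return {interface: (rx_bytes, tx_bytes)} from /proc/net/dev text."""
    counters = {}
    for line in text.splitlines()[2:]:        # skip the two header lines
        name, sep, rest = line.partition(":")  # the name may touch the first number
        if not sep:
            continue
        fields = rest.split()
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters


def delta(old, new, bits=32):
    """Bytes counted between two readings, allowing one wrap of the counter."""
    return new - old if new >= old else new + (1 << bits) - old


def usage(before, after, bits=32):
    """Return {interface: (rx_delta, tx_delta)} for interfaces in both readings."""
    a, b = parse_net_dev(before), parse_net_dev(after)
    return {i: (delta(a[i][0], b[i][0], bits), delta(a[i][1], b[i][1], bits))
            for i in b if i in a}


if __name__ == "__main__":
    for iface, (rx, tx) in sorted(usage(SNAP_T0, SNAP_T1).items()):
        print(f"{iface}: {rx} bytes received, {tx} bytes sent")
```

Only a single wrap between readings can be recovered, so the sampling interval has to be shorter than the time the link needs to move 4 GiB; a reboot or interface reset also looks like a wrap and should be handled by discarding that interval.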



