syslog traffic analyzers

Kenneth Porter shiva at sewingwitch.com
Thu Nov 3 18:29:40 UTC 2005


--On Thursday, November 03, 2005 9:56 AM -0600 Les Mikesell 
<lesmikesell at gmail.com> wrote:

> If you only want to track the traffic on a few servers, I guess
> you could run ntop on each of those machines to generate the
> flow data and send it to a central location for processing.

It depends on the level of detail you need. ntop uses libpcap and does deep 
analysis of packets, so it's good for complex analysis, but is fairly 
heavy-weight and uses lots of memory. If you just want to count bytes going 
through a particular port, use the byte counters in iptables. Create a 
sub-table with a set of match rules but no jump targets so the packets just 
get counted but not accepted or rejected and invoke it from 
INPUT/OUTPUT/FORWARD chains as appropriate. Use the iptables read/clear 
counters feature to periodically collect the data.
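The counting-only chain described above, as an added example that is not part of the original message. The chain name PORTCOUNT and port 443 are assumptions, and SAMPLE_READOUT is a constructed readout in the layout iptables prints, not captured data.

```shell
#!/bin/sh
# Added example, not part of the original message. Chain name PORTCOUNT and
# port 443 are assumed; SAMPLE_READOUT is a constructed readout, not captured.

# Emit the iptables commands for a counting-only chain. Rules in the chain
# have match criteria but no -j target, so every matching packet bumps the
# rule's counters and then falls through; at the end of the chain control
# returns to INPUT/OUTPUT, which still decide accept or drop.
portcount_setup() {
    chain=$1
    port=$2
    cat <<EOF
iptables -N $chain
iptables -A $chain -p tcp --dport $port
iptables -A $chain -p tcp --sport $port
iptables -I INPUT 1 -j $chain
iptables -I OUTPUT 1 -j $chain
EOF
}

# Turn 'iptables -nvxL <chain>' output into "match bytes" lines, one per rule.
# -x keeps the counters exact (no K/M suffixes). With an empty target column
# the byte count is still field 2; the match text ("dpt:443") is the last field.
portcount_report() {
    awk '$2 ~ /^[0-9]+$/ { print $NF, $2 }'
}

# Sum the byte counters of every rule in the readout.
portcount_total() {
    awk '$2 ~ /^[0-9]+$/ { total += $2 } END { print total + 0 }'
}

# Live collection: list the chain with counters and zero them in the same
# call, so each periodic run reports bytes since the previous run (needs root).
portcount_collect() {
    iptables -nvxL "$1" -Z | portcount_report
}

# Constructed sample readout in the layout iptables -nvxL PORTCOUNT prints.
SAMPLE_READOUT='Chain PORTCOUNT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120     154880            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
      95      23104            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:443'

printf '%s\n' "$SAMPLE_READOUT" | portcount_report
printf '%s\n' "$SAMPLE_READOUT" | portcount_total
```

Run portcount_setup once as root to install the chain, then schedule portcount_collect from cron to harvest per-interval byte counts.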
