
tl;dr: Suppose I have a list of LAN clients (ip/macaddress/name); how would I best go about graphing the traffic going in/out of my OpenBSD 6.1 gateway?

In my network everything going in/out of it passes through my OpenBSD gateway through pf. I would like to be able to graph for all LAN clients (PCs, iPads, phones etc.) the amount of traffic coming from/going to the client.

I have looked at pfstat but that only seems to graph values for interfaces. I would like a bit more detailed view so I can make out what client does how much traffic.

I can script a little bash/python/perl so I could periodically (cron) generate a list of clients in my network with ip/macaddress/name in a file and generate (for example) pfstat.conf files based on that to keep my graphs up-to-date whenever new clients are added to my network etc. That shouldn't be a problem. My question is specifically on how to go from there. pfstat seemed like a good choice but doesn't seem to support my scenario; I'm not even sure pf supports what I am looking for, for that matter. Maybe it does but I missed it or maybe there are better tools I don't know about. I am aiming for a simple setup; I don't want to go the Nagios/Centreon/that-kinda-stuff route. I prefer a simple tool with ditto config, a cronjob and be done with it.

RobIII
  • It really depends on what you actually want to graph and why. You can tag various rules in `pf` and graph stats for said rules. Or you could use something like `nfsen`. – Satō Katsura Jun 12 '17 at 18:14
  • `It really depends on what you actually want to graph and why.` What: bytes in/out. Why: why would that matter? Because I want to. But for one I'd like to see [how much traffic my Tesla up/downloads](https://www.reddit.com/r/teslamotors/comments/6gsc6v/i_think_the_neural_net_mining_is_just_starting/) for a given period. I'll look into tagging and `nfsen`. – RobIII Jun 12 '17 at 19:09
  • _Why: why would that matter?_ - Because traffic accounting is very different from, say, intrusion detection. – Satō Katsura Jun 12 '17 at 21:04
  • I'm sorry if my question was unclear; I appreciate the tips anyway. – RobIII Jun 12 '17 at 21:45

1 Answer


Read up on pflow(4) and related (integrates with pf). You’ll export this NetFlow/IPFIX data to a collector/reporting package of your choosing. I just use nfdump and its related CLI friends, but NfSen is the web UI front end for this.

Bink
  • pflow sounds interesting from what I read [here](http://man.openbsd.org/pflow.4). Any tips on getting started? Maybe tutorials or something you can recommend for pflow newbies? – RobIII Jun 12 '17 at 21:48
  • I wish I had something I could readily refer you to, but my experience comes with prior industry knowledge. pf has basic support and I recommend reading simple things that can give you basic NetFlow/IPFIX information and then you should be able to translate it into pflow/pf without too much trouble. That said, I recommend not tagging specific traffic with pf and simply having pflow apply to all pf traffic if possible—it is likely your NetFlow/IPFIX reporting tool will do a better job of isolating specific flows and you might find other data interesting as well once it’s in one repository. – Bink Jun 13 '17 at 01:17
  • I know that this sounds like necrobumping, commenting after a 4 year gap, but this can be of help - http://bsdly.blogspot.com.br/2014/02/yes-you-too-can-be-evil-network.html –  Jun 21 '17 at 13:21
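The answer points at pflow(4) plus nfdump but leaves the "how do I get from flows to per-client numbers" step open, which is what the question actually asks. Below is an added example (mine, not code from the answer, the OpenBSD project or nfdump) of that step: a script a cron job could run over `nfdump -o csv` output, mapping each flow to a LAN client from the ip/mac/name file the question describes and summing bytes in and out per client. The exporter setup in the header comment (`/etc/hostname.pflow0`, `set state-defaults pflow`, `nfcapd`) is my assumed configuration written from the pflow(4) and pf.conf(5) man pages; `set state-defaults pflow` is the "apply pflow to all pf traffic rather than tagging rules" approach Bink recommends in the comments. The LAN prefix, the client list and the flow records are constructed sample data, and the CSV is trimmed to the columns the script reads (`sa`, `da`, `ibyt`; real nfdump output has many more, which are ignored because the parser keys on column names).

```python
"""Per-client WAN traffic accounting from pflow -> nfdump CSV output.

Added example, not from the original thread. Assumed exporter setup on the
OpenBSD gateway (syntax per pflow(4) and pf.conf(5), IPs are placeholders):
  /etc/hostname.pflow0 : flowsrc 192.168.1.1 flowdst 192.168.1.1:9995 pflowproto 10
  /etc/pf.conf         : set state-defaults pflow
  collector            : nfcapd -p 9995 -l /var/db/netflow
  export for script    : nfdump -R /var/db/netflow -o csv -q
"""
import csv
import io
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN prefix

# Constructed clients file in the ip/mac/name layout from the question.
CLIENTS = """\
192.168.1.10 aa:bb:cc:dd:ee:01 desktop
192.168.1.20 aa:bb:cc:dd:ee:02 ipad
192.168.1.30 aa:bb:cc:dd:ee:03 tesla
"""

# Constructed nfdump CSV output, trimmed to the columns used here.
# The trailing "Summary:" line mimics nfdump's footer and must be skipped.
FLOWS = """\
ts,te,td,sa,da,sp,dp,pr,ipkt,ibyt
2017-06-12 18:00:01,2017-06-12 18:00:09,8.0,192.168.1.30,203.0.113.5,51234,443,TCP,1200,1500000
2017-06-12 18:00:01,2017-06-12 18:05:09,308.0,203.0.113.5,192.168.1.30,443,51234,TCP,60000,87000000
2017-06-12 18:01:00,2017-06-12 18:01:02,2.0,192.168.1.10,198.51.100.7,40000,80,TCP,10,2000
2017-06-12 18:01:00,2017-06-12 18:01:03,3.0,198.51.100.7,192.168.1.10,80,40000,TCP,400,500000
2017-06-12 18:02:00,2017-06-12 18:02:01,1.0,192.168.1.10,192.168.1.20,5353,5353,UDP,20,4000
2017-06-12 18:03:00,2017-06-12 18:03:01,1.0,192.168.1.99,203.0.113.9,3000,53,UDP,5,1000
Summary: total flows: 6, total bytes: 88507000, total packets: 61635, avg bps: 2304523, avg pps: 200, avg bpp: 1436
"""


def load_clients(text):
    """Parse 'ip mac name' lines into {ip_address: name}; blank/comment lines skipped."""
    clients = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith("#"):
            continue
        clients[ipaddress.ip_address(parts[0])] = parts[2]
    return clients


def account(flows_csv, clients, lan):
    """Sum bytes per client: 'out' = sent by the client to the WAN, 'in' = received from it.

    Flows where both or neither endpoint is inside the LAN prefix (LAN-to-LAN
    chatter, forwarded transit) are not charged to anyone. Clients missing
    from the list are reported as 'unknown-<ip>' so new devices show up.
    """
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for row in csv.DictReader(io.StringIO(flows_csv)):
        try:
            src = ipaddress.ip_address(row["sa"])
            dst = ipaddress.ip_address(row["da"])
            nbytes = int(row["ibyt"])
        except (KeyError, TypeError, ValueError):
            continue  # nfdump summary footer or malformed row
        src_lan, dst_lan = src in lan, dst in lan
        if src_lan == dst_lan:
            continue
        if src_lan:
            totals[clients.get(src, f"unknown-{src}")]["out"] += nbytes
        else:
            totals[clients.get(dst, f"unknown-{dst}")]["in"] += nbytes
    return dict(totals)


def top_talkers(totals):
    """Return [(name, bytes_in, bytes_out)] sorted by total bytes, busiest first."""
    rows = [(name, t["in"], t["out"]) for name, t in totals.items()]
    return sorted(rows, key=lambda r: r[1] + r[2], reverse=True)


if __name__ == "__main__":
    for name, bytes_in, bytes_out in top_talkers(account(FLOWS, load_clients(CLIENTS), LAN)):
        print(f"{name:24s} in={bytes_in:>12d} out={bytes_out:>12d}")
```

In a cron job, replace the embedded `FLOWS` with the output of `nfdump -R ... -o csv -q` restricted to the interval since the last run (nfdump's `-t` time-window option), and write each client's in/out totals to whatever graphs them; the numbers come out as plain per-name counters, so rrdtool or a regenerated pfstat-style config both work. Note that the script charges traffic by IP only, so a client that changes address (DHCP) needs the clients file refreshed, which is the periodic regeneration the question already plans.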