			Traffic Accounting daemon

History:
--------

netacct-mysql is an improved version of net-acct, originally written by
Ulrich Callmeier. As net-acct has not been developed since 1999, I decided to
start a separate project and add some features to net-acct, such as pcap
support (which allows it to run on different platforms), mysql support and
some other minor changes.

Description:
------------

 This package logs network traffic. It provides a daemon (nacctd) that
 logs all traffic passing the machine it runs on (similar to what mrta
 does). It works best when installed on a router/gateway machine.
 It supports a peering file, which means that you can divide your traffic
 into international and local peering. See `man nacctpeering` for more info.

Operating Systems supported (tested):
-------------------------------------

 * Linux - 2.2, 2.4
 * FreeBSD 4.x 
 * OpenBSD 2.9 
 * ???

 It was developed under Debian GNU/Linux 2.2 and is reported to work fine
 on FreeBSD 4.x and OpenBSD 2.9. I don't have access to other operating
 systems, so I can try to add support for a different OS only if I have a
 shell somewhere with everything needed to compile it (compiler, autoconf,
 mysql and pcap) :)

How it works:
-------------

 Basically, netacct-mysql uses libpcap to put the interface in PROMISC mode,
 so it can be described as a kind of sniffer. It collects all data
 flowing through the desired interface. Data is written to a mysql database
 or to a file, as in the old net-acct.

 There are two types of logging: compact and full.

 To configure, for example, 192.168.0.0/24 to be logged in compact mode,
 put this line in your config file:

  compactnet 192.168.0.0 255.255.255.0
 
 This means that all traffic FROM and TO the 192.168.0.0/24 network will be
 logged as one line per hour in the mysql database. Something like this:

 192.168.1.100

 2002-03-01   Input        Output

 08:00        14,009,697   1,857,621
 09:00        926,612      691,297
 10:00        28,856       121,438
 11:00        49,873       41,334
 12:00        0            5,895
 13:00        0            5,895
 14:00        9,113,202    2,723,169
 15:00        593,503      284,094
 16:00        54,029       52,481

 As you can see, there are detailed per-hour statistics for every IP that is
 in compact net logging.

 Full logging means that every connection will be written to the mysql
 database.

 It writes these fields to mysql:
  
  * aid - auto_increment id type variable
  * time - time
  * date - date
  * duration - duration of the session (e.g. 231 sec.)
  * protocol - protocol type: 6 = TCP, 17 = UDP, 1 = ICMP
  * src_ip - source ip address of connection
  * src_port - source port of connection
  * dst_ip - destination ip address of connection
  * dst_port - destination port of connection
  * packets - number of packets sent/received
  * data_size - actual transferred data (in bytes)
  * device - on which device (eth0, eth1, ppp0, ne0, ne1 ...)
  * user - on dialup servers this can be the user name (not tested)
  * peer_flag - 1 = data is from peering, 0 = data is from outside
            (peering ip addresses are taken from the nacctpeering file)


  To have a network logged in full mode, just leave it as is and make sure
  that it is not in a compactnet line. Everything that is NOT logged in
  compact mode is logged in full mode.

  WARNING: Full mode logging generates a huge mysql database, about 100Mb per
  month in a network with 20 PCs.
  
Usage:
------

You can control nacctd with signals.
Here is what the signals do (one might call this abuse of signals ;-):

SIGINT          ends daemon
SIGTERM         ends daemon
SIGUSR1         increases debugging level
SIGUSR2         turns off debugging
SIGWINCH        prints some kind of version id
SIGTSTP         disables writing to file
SIGCONT         enables writing to file

The last two (TSTP and CONT) are useful for an automated archival of the
logfiles without terminating the daemon. Just send a SIGTSTP before moving
the logfile and send a SIGCONT when you are done.

Statistics:
-----------

 For now there are 2 different web interfaces for netacct-mysql:
 1) Developed by Sebastian Nohn. I suggest using it if your netacct-mysql
    logs traffic in full mode. It can be found in the web/nacct-php directory.
 2) Developed by Boril Yonchev. Use it if your traffic is collected in
    compactnet mode. It is in mrta style. It can be found in the web/netstat
    directory.
 3) and read web/README.1st ;)

Logging to mysql:
-----------------

 If you plan to shut down mysql for maintenance and don't want to lose data,
 use kill -SIGTSTP pid_of_nacctd. This will stop logging to mysql. Now you
 can shut down your mysql, repair/upgrade/do_whatever_you_want and then start
 it again. Use kill -SIGCONT pid_of_nacctd to enable mysql logging.
 When nacctd can't connect to mysql, there is a delay before it tries
 again. By default error_delay is set to 3, which means that if you set the
 flush option to 2 minutes it will try to write data to mysql after 9 minutes
 (error_delay * flush). You can change this value by adding to naccttab:

 errdelay 6 (or some other number)
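
The pause/resume procedure above (and the logfile archival described under
Usage), as an added shell example that is not part of netacct-mysql: it sends
SIGTSTP, runs one maintenance command and always sends SIGCONT afterwards.
The function names and the log and archive paths are assumptions; the PID is
passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of netacct-mysql. Pauses nacctd output with
# SIGTSTP, runs one maintenance command, then always sends SIGCONT.
# The PID is supplied by the caller (pid_of_nacctd in the README).

nacctd_paused() {
    pid=$1
    [ $# -ge 2 ] || { echo "usage: nacctd_paused PID CMD [ARGS]" >&2; return 2; }
    shift
    # Reject non-numeric PIDs and 0/1 (process group and init).
    case $pid in ''|*[!0-9]*) pid=0 ;; esac
    [ "$pid" -gt 1 ] || { echo "nacctd_paused: bad pid" >&2; return 2; }
    # Refuse to start maintenance if the daemon is not running at all.
    kill -0 "$pid" 2>/dev/null || { echo "no process $pid" >&2; return 3; }

    # If this script is interrupted, still resume the daemon.
    trap 'kill -CONT "$pid" 2>/dev/null' INT TERM HUP
    kill -TSTP "$pid" || { trap - INT TERM HUP; return 4; }

    "$@"            # the maintenance step (mv, mysql restart, ...)
    status=$?

    trap - INT TERM HUP
    # Resume writing whatever the command returned; a failure here means
    # traffic is no longer being written and must be reported.
    if ! kill -CONT "$pid" 2>/dev/null; then
        echo "nacctd_paused: could not resume $pid" >&2
        return 5
    fi
    return "$status"
}

# Archive a log file while writing is paused. Paths are assumptions.
rotate_nacct_log() {
    pid=$1 logfile=$2 archive_dir=$3
    dest=$archive_dir/$(basename "$logfile").$(date +%Y%m%d-%H%M%S)
    nacctd_paused "$pid" mv -- "$logfile" "$dest" || return $?
    echo "$dest"
}
```

For mysql maintenance, pass the command that performs the maintenance to
nacctd_paused in place of mv; its exit status is returned after the resume.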

The HASHSIZE option:
--------------------

 If your network has heavy traffic and nacctd causes trouble, i.e. it looks
 like there is a memory leak, try changing the HASHSIZE option to some large
 number. By default HASHSIZE=4096, which means that nacctd can hold 4096
 accounting lines before writing them to mysql. So if you have intensive
 traffic with many small packets (like game servers), change this value to
 something larger.

Peering file (installdir/etc/nacctpeering):
-------------------------------------------

 Put your peering IP networks here. For more info look at the nacctpeering
 file. The full Bulgarian IP space is also available; look at the contrib/
 directory.
  
The DUMP files:
---------------

 You may notice that if nacctd is killed with the -9 signal it leaves some
 dump files:
 net-acct-dump.o
 net-acct-dump.o.o
 net-acct-dump.o.o.o
 ......
 These dump files are used for temporary storage of data that has not yet
 been written to mysql. So if your machine crashes or nacctd is killed (for
 some reason) with the -KILL signal, you can find the temporarily stored data
 in these files. To import data from these files, use the script
 tools/safe_nacctd.pl, which Vlado Tzanev has contributed to the project :)
 For more info look inside the script.

Known Bugs (IMPORTANT):
-----------------------
 
 * Still listens on only one interface - will be fixed but no time :(
 * It seems to have problems when counting high network traffic with
   many small packets from game servers.

Mailing lists:
--------------

There is a mailing list at SourceForge and it is called netacct-mysql-users.
You can subscribe and unsubscribe at this address:

 http://lists.sourceforge.net/mailman/listinfo/netacct-mysql-users

Archives of this mailing list can be found here:

 http://www.geocrawler.com/redir-sf.php3?list=netacct-mysql-users

And of course you can send questions, ideas ... to me at geroy@users.sourceforge.net

Nikolay Hristov <geroy@stemo.bg>, <geroy@users.sourceforge.net>
