IPFM FAQ

As some questions about IPFM are asked quite often, I decided to begin a little FAQ. If you don't find an answer to your question here, feel free to ask on the IPFM mailing list (ipfm at via dot ecp dot fr).

Configuration

How do I log everything except some subnets?

Let's say you want to log the subnet 192.168.200.0/255.255.255.0, but log neither its local packets (traffic staying inside that subnet) nor the packets exchanged between the following subnets:

  • 192.168.200.0/255.255.255.0 and 192.168.201.0/255.255.255.0
  • 192.168.200.0/255.255.255.0 and 192.168.202.0/255.255.255.0

You should use rules like these:

# Log only local IPs (the IPs that will appear in the log file)
LOG 192.168.200.0/255.255.255.0
# Do not log local traffic
LOG NONE 192.168.200.0/255.255.255.0 WITH 192.168.200.0/255.255.255.0
# Do not log traffic with my ISP
LOG NONE 192.168.200.0/255.255.255.0 WITH 192.168.201.0/255.255.255.0
LOG NONE 192.168.200.0/255.255.255.0 WITH 192.168.202.0/255.255.255.0

Can I log from more than one device?

The short answer is: no, you can't.

The long answer is that you can run IPFM 0.12 (the unstable version) with the options -p (pidfile) and -c (configfile) to run 2 (or 3) IPFM daemons at a time. Each daemon can listen on one interface, and you still have to merge the logs into one file yourself.

Output

In what unit is the output?

The output is the total number of bytes transferred between the host and other network devices over IPv4. Everything is counted, including the IP headers.

What do IN, OUT and TOTAL mean?

A network device sends packets to other devices (OUT) and receives packets from other devices (IN). The sum of IN and OUT is the TOTAL amount of data transferred.

Why does IPFM lose data ?

(Note that since [117], this problem is handled better in IPFM: you can choose which timestamp (see wiki:Timestamp) is used for the output file name.)

This happens when the clear interval differs from the dump interval. An example shows the problem. The config file looks like:

UTC
FILENAME "/usr/local/var/log/ipfm/ipfm-global-%Y-%m-%d.log"
dump every 30 minutes
clear every 1 day

For the day 2005-03-13, IPFM will write its logs to the following files:

  • at 00:30, 01:00, ... 23:30 into ipfm-global-2005-03-13.log
  • at 00:00 (the first dump of the 14th, holding the whole day) into ipfm-global-2005-03-14.log

ipfm-global-2005-03-14.log will then be overwritten by the next day's dumps, so you lose the last 30 minutes of 2005-03-13.
If you use local time (the default) for the output file names, it gets worse: with the configuration "clear every 1 day", ipfm clears its data at 00:00 UTC, which can be 13:00 local time...

I see several solutions:

  • include the time in the log file names and have a script that removes the useless files at 00:12. This is also a good option if you do not want to lose your ipfm logs when rebooting the server.
  • do not use the "clear" option in the configuration, include the time in the log file names and sum the files yourself, for example with BW-IPFM.
  • make ipfm dump its last file of the day at 23:59:59 (UTC).
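As an added example (it is neither IPFM's own code nor BW-IPFM), here is a small Python script that sums the per-host counters of several IPFM log files. That is what the second solution above asks for, and it is also what you need after running one daemon per interface (see "Can I log from more than one device?"). It assumes each data line is "host in out total" separated by whitespace and that lines starting with "#" are comments, which is how the IN, OUT and TOTAL columns described above are laid out; adjust parse_line() if your IPFM version prints something else. The two sample logs embedded in the script are constructed.

```python
"""Sum per-host IN/OUT/TOTAL counters across several IPFM log files.

Added example, not part of IPFM. Assumed log layout: one data line per host,
"host in out total" separated by whitespace, '#' lines are comments.
"""
import sys
from collections import defaultdict


def parse_line(line):
    """Return (host, in_bytes, out_bytes, total), or None for comments and blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"unexpected IPFM log line: {line!r}")
    host, in_b, out_b, total = fields[0], int(fields[1]), int(fields[2]), int(fields[3])
    return host, in_b, out_b, total


def sum_logs(texts):
    """texts: iterable of log file contents. Returns {host: (in, out, total)} sorted by host."""
    totals = defaultdict(lambda: [0, 0])
    for text in texts:
        for line in text.splitlines():
            rec = parse_line(line)
            if rec is None:
                continue
            host, in_b, out_b, total = rec
            # TOTAL must equal IN + OUT (see "What do IN, OUT and TOTAL mean?");
            # a mismatch means a truncated or hand-edited file, so refuse it
            # rather than silently producing wrong accounting.
            if total != in_b + out_b:
                raise ValueError(f"{host}: total {total} != in+out {in_b + out_b}")
            totals[host][0] += in_b
            totals[host][1] += out_b
    return {h: (i, o, i + o) for h, (i, o) in sorted(totals.items())}


def format_report(summed):
    """Write the merged counters back out in the same four-column layout."""
    lines = ["# Host\tIn\tOut\tTotal"]
    for host, (i, o, t) in summed.items():
        lines.append(f"{host}\t{i}\t{o}\t{t}")
    return "\n".join(lines) + "\n"


# Constructed sample input: two daemons (one per interface) that dumped the same period.
SAMPLE_ETH0 = """\
# Host In Out Total
192.168.200.10 1000 500 1500
192.168.200.11 200 300 500
"""
SAMPLE_ETH1 = """\
# Host In Out Total
192.168.200.10 4000 1000 5000
192.168.200.12 10 20 30
"""

if __name__ == "__main__":
    # Usage: python3 sum_ipfm.py /var/log/ipfm/eth0.log /var/log/ipfm/eth1.log
    # With no arguments the constructed samples are merged instead.
    files = sys.argv[1:]
    texts = [open(f).read() for f in files] if files else [SAMPLE_ETH0, SAMPLE_ETH1]
    sys.stdout.write(format_report(sum_logs(texts)))
```

The script recomputes TOTAL from the summed IN and OUT rather than adding the TOTAL columns, so a partially written dump (for example one cut off by a reboot) is rejected instead of being counted twice or half.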

If you use UTC for the output file names, the config will look like:

UTC
CLEAR every 1 day after 23 hours 59 minutes 59 seconds

For local time, it is a bit more complicated, because the dump and clear timers still run in UTC (as noted above) while the file names follow local time. I'll take the example of Germany, where I live. In the summer, local time is UTC+2; in the winter, UTC+1.

  • In the summer, I have to dump at 23:59:59 local time, which is 21:59:59 UTC
  • In the winter, I still have to dump at 23:59:59 local time, which is now 22:59:59 UTC

In the summer, my config file looks like this (I'm sure you can figure out the winter version yourself):

local
DUMP every 30 minutes after 29 minutes 59 seconds
CLEAR every 1 day after 21 hours 30 minutes

If you want to dump every <I> and clear at <T - 1 second>, your configuration should look like this:

local
DUMP every <I> after <I - 1 second>
CLEAR every <T> after <T - I>

It also means that I have to swap the configuration at every daylight saving time change. A kill -HUP on IPFM will do it, but then I have to save the log file produced by the kill -HUP and add its data to the new log file... If you can, choose another solution :-)
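Since the offsets above have to be recomputed at every daylight saving time change, here is an added example (not IPFM's own code) in Python that generates the DUMP and CLEAR lines from the recipe just given: a dump interval I, a clear interval T, and the local UTC offset that the summer config subtracts (23 hours 30 minutes minus 2 hours gives the "21 hours 30 minutes" above; minus 1 hour gives the winter value). Subtracting the offset from the CLEAR value is an assumption taken from that summer example, the tz_offset() helper relies on the system's zoneinfo database, and nothing here restarts ipfm for you, so check one day of output before trusting the result.

```python
"""Generate ipfm DUMP/CLEAR lines for "dump every I, clear at T - 1 second".

Added example, not IPFM code. The UTC-offset subtraction in rules() mirrors
the summer/winter configs in the FAQ and is an assumption about 'local' mode.
"""
from datetime import datetime, timezone

UNITS = (("day", 86400), ("hour", 3600), ("minute", 60), ("second", 1))


def spell(seconds):
    """Write a duration the way the ipfm config does, e.g. "21 hours 30 minutes"."""
    parts = []
    for name, size in UNITS:
        n, seconds = divmod(seconds, size)
        if n:
            parts.append(f"{n} {name}{'s' if n != 1 else ''}")
    return " ".join(parts) or "0 seconds"


def rules(dump_every, clear_every, utc_offset=0):
    """Return the (DUMP, CLEAR) config lines for intervals given in seconds.

    utc_offset is the local offset from UTC in seconds (7200 for UTC+2). It is
    subtracted from the CLEAR offset as the FAQ's summer example does, because
    the timers count in UTC even when the file names use local time.
    """
    if clear_every % dump_every:
        raise ValueError("clear interval must be a multiple of the dump interval")
    dump = f"DUMP every {spell(dump_every)} after {spell(dump_every - 1)}"
    after = (clear_every - dump_every - utc_offset) % clear_every
    clear = f"CLEAR every {spell(clear_every)} after {spell(after)}"
    return dump, clear


def tz_offset(tz_name, when=None):
    """Local UTC offset in seconds for tz_name at 'when' (default: now), from the system zoneinfo."""
    from zoneinfo import ZoneInfo  # Python 3.9+; needs the tz database installed
    when = when or datetime.now(timezone.utc)
    return int(when.astimezone(ZoneInfo(tz_name)).utcoffset().total_seconds())


if __name__ == "__main__":
    # Usage: python3 ipfm_rules.py [Europe/Berlin]
    # Prints the 'local' config fragment for the current DST state of that zone.
    import sys
    zone = sys.argv[1] if len(sys.argv) > 1 else "Europe/Berlin"
    print("local")
    for line in rules(30 * 60, 24 * 3600, tz_offset(zone)):
        print(line)
```

Run it from cron on the two DST change dates and diff its output against the live config; if the lines differ, that is the moment to do the kill -HUP and save the resulting log file, as described above.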