			Traffic Accounting daemon

IMPORTANT CHANGES:
------------------
Full logging is no longer supported as of this version. If you want to log all
connections (that is, not in compactnet mode), get version 0.73; it will work
just fine. New code has been added that changes the algorithm for collecting
accounting data, which resolves the heavy load on the mysql server in
compactnet mode.

If you are upgrading, please read README.upgrade.

History:
--------

netacct-mysql is an improved version of net-acct, originally written by
Ulrich Callmeier. As net-acct has not been developed since 1999, I decided to
start a separate project and add some features to net-acct: pcap support,
which allows it to run on different platforms, mysql support, and some
other minor changes.

Description:
------------

 This package logs network traffic. It provides a daemon (nacctd) that
 logs all traffic passing the machine it runs on (similar to what mrta
 does). It works best when installed on a router/gateway machine.
 It supports a peering file, which means that you can divide your traffic into
 international and local peering. See `man nacctpeering` for more info.

Operating Systems supported (tested):
-------------------------------------

 * Linux - 2.2, 2.4
 * FreeBSD 4.x 
 * OpenBSD 2.9 
 * ???

 It was developed under Debian GNU/Linux 2.2 and is reported to work fine
 on FreeBSD 4.x and OpenBSD 2.9. I don't have access to other operating
 systems, so I can only try to add support for a different OS if I have a
 shell somewhere with everything needed to compile it (compiler, autoconf,
 mysql and pcap) :)

 It was reported to work on the Debian HPPA architecture.

How it works:
-------------

 Basically, netacct-mysql uses libpcap to put the interface in PROMISC mode,
 so it is effectively a kind of sniffer. It collects all data flowing
 through the chosen interface. Data is written to a mysql database or
 to a file, as in the old net-acct.

 To configure, for example, 192.168.0.0/24 to be logged,
 you need to put this line in your config file:

  compactnet 192.168.0.0 255.255.255.0

 This means that all traffic FROM and TO the 192.168.0.0/24 network will be
 logged as one line per hour in the mysql database. Something like this:

 192.168.1.100

 2002-03-01   Input        Output

 08:00        14,009,697   1,857,621
 09:00           926,612     691,297
 10:00            28,856     121,438
 11:00            49,873      41,334
 12:00                 0       5,895
 13:00                 0       5,895
 14:00         9,113,202   2,723,169
 15:00           593,503     284,094
 16:00            54,029      52,481

 As you can see, there are detailed per-hour statistics for every IP that is
 covered by compactnet logging.

 Any IP that is NOT covered by a compactnet option will not be logged.

 nacctpeering file
 -----------------
 Put here all IP networks that are from your country.
 Peering traffic is traffic between the 'ournet' networks and all networks
 from this file.

 direct_peer (in naccttab)
 -------------------------
 This is traffic between 'ournet' and 'direct_peer'.
 If you have a local line to some other ISPs in your city, add them:

 Example:
 direct_peer 1.2.3.4 255.255.255.0
 direct_peer 1.2.7.8 255.255.255.0

 ournet
 ------
 Put here all your networks so nacctd can tell which traffic is local/direct.

 Example:
 ournet 192.168.1.0 255.255.255.0
 ournet 62.73.77.0 255.255.255.0

 local traffic
 -------------
 This is traffic between 2 interfaces on the local machine, that is, traffic
 that does not go outside your router.

 Example:
 you have 2 network cards, eth0 (192.168.0.1) and eth1 (192.168.1.1);
 traffic between 192.168.0.0/24 and 192.168.1.0/24 is counted as local.

 Note: all of these options exist to split your traffic into the stages:
 country (nacctpeering)
 city (direct_peer)
 local (between local interfaces)
 
 
Usage:
------

You can control nacctd with signals.
Here is what the signals do (one might call this abuse of signals ;-):

SIGINT          ends daemon
SIGTERM         ends daemon
SIGUSR1         increases debugging level
SIGUSR2         turns off debugging
SIGWINCH        prints some kind of version id
SIGTSTP         disables writing to file
SIGCONT         enables writing to file

The last two (TSTP and CONT) are useful for an automated archival of the
logfiles without terminating the daemon. Just send a SIGTSTP before moving
the logfile and send a SIGCONT when you are done.

Statistics:
-----------

 There is a package called netstat-3.x.x. Get it and read the instructions on
 how to install it and add users so they can view their own traffic. Download
 it from http://sourceforge.net/projects/netacct-mysql/

Logging to mysql:
-----------------

 If you plan to shut down mysql for maintenance and don't want to lose data,
 use kill -SIGTSTP pid_of_nacctd. This will stop logging to mysql. Now you
 can shut down your mysql, repair/upgrade/do_whatever_you_want and then start
 it again. Use kill -SIGCONT pid_of_nacctd to enable mysql logging.
 When nacctd can't connect to mysql, it waits for a delay before it tries
 again. By default error_delay is set to 3 which means that if you set flush
 option to 2 minutes it will try to write data in mysql after 9 minutes
 (error_delay * flush). You can change this value by adding in naccttab:

 errdelay 6 (or some other number)

Peering file (installdir/etc/nacctpeering):
-------------------------------------------

 Put your peering IP networks here. For more info look at the nacctpeering
 file. The full Bulgarian IP space is also available; look in the contrib/
 directory.

 If you are from Bulgaria you can get the latest BG networks from nat.bg:

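 #!/bin/bash
 # Fetch the current BG network list and rebuild the peering file.
 set -e
 tmp=$(mktemp)              # unpredictable name instead of a fixed /tmp/bgn
 trap 'rm -f "$tmp"' EXIT   # remove the temp file on any exit
 lynx -dump http://www.nat.bg/look/AS/networks.html > "$tmp"
 grep -v "/AS" "$tmp" | grep -v "255.255" | grep "]AS" | awk '{print $2}' > /usr/local/etc/nacctpeering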

 The contrib/ directory also contains a file called nacctpeering.ru with all
 Russian IP networks (by RENEGADE).
  
Known Bugs (IMPORTANT):
-----------------------
 
 Needs to be tested on non-Linux operating systems, because there are some
 changes in the code that I'm not sure will work on BSD (pthread + pcap
 changes).
 
Mailing lists:
--------------

There is a mailing list at SourceForge and it is called netacct-mysql-users.
You can subscribe and unsubscribe at this address:

 http://lists.sourceforge.net/mailman/listinfo/netacct-mysql-users

Archives of this mailing list can be found here:

 http://www.geocrawler.com/redir-sf.php3?list=netacct-mysql-users

And of course you can send questions, ideas ... to me at geroy@users.sourceforge.net

FAQ:
----

Please read the FAQ file before asking any questions. Thanks :)

Technical Info:
---------------

Here is how a packet is matched:

0. check if src_ip or dst_ip is in compactnet; if not, the packet is not logged
1. check if it is local traffic
2. check if it is direct_peer traffic
3. check if it is peering traffic
4. otherwise it is international
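
The matching order above, as an added C example (not nacctd's own code). The type and function names and the 198.51.100.0/24 peering entry are assumptions, and "local" is taken here to mean that both endpoints fall inside 'ournet' networks.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example: all names and sample networks are assumptions, not nacctd's code. */
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

struct net { uint32_t addr, mask; };
enum cls { NOT_LOGGED, LOCAL, DIRECT_PEER, PEERING, INTERNATIONAL };

/* Constructed sample config; only 192.168.0.0/24 is accounted (compactnet). */
static const struct net compactnet[]  = { { IP(192,168,0,0), IP(255,255,255,0) } };
static const struct net ournet[]      = { { IP(192,168,0,0), IP(255,255,255,0) },
                                          { IP(192,168,1,0), IP(255,255,255,0) },
                                          { IP(62,73,77,0),  IP(255,255,255,0) } };
static const struct net direct_peer[] = { { IP(1,2,3,4), IP(255,255,255,0) } };
static const struct net peering[]     = { { IP(198,51,100,0), IP(255,255,255,0) } };

/* Host bits in a configured address (e.g. 1.2.3.4 with a /24 mask) are masked off. */
static int in_list(uint32_t ip, const struct net *l, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if ((ip & l[i].mask) == (l[i].addr & l[i].mask))
            return 1;
    return 0;
}

/* True when either endpoint of the packet falls in the list. */
static int either(uint32_t s, uint32_t d, const struct net *l, size_t n)
{
    return in_list(s, l, n) || in_list(d, l, n);
}

enum cls classify(uint32_t src, uint32_t dst)
{
    if (!either(src, dst, compactnet, COUNT(compactnet)))
        return NOT_LOGGED;                          /* step 0 */
    if (in_list(src, ournet, COUNT(ournet)) && in_list(dst, ournet, COUNT(ournet)))
        return LOCAL;                               /* step 1 */
    if (either(src, dst, direct_peer, COUNT(direct_peer)))
        return DIRECT_PEER;                         /* step 2 */
    if (either(src, dst, peering, COUNT(peering)))
        return PEERING;                             /* step 3 */
    return INTERNATIONAL;                           /* step 4 */
}
```

Because step 0 runs first, a host that is in 'ournet' but not in any compactnet (192.168.1.20 here) produces no accounting rows unless its peer is a compactnet address.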

Don't kill nacctd with the -9 signal or you will lose the accounting data
collected since the last write to mysql (flush option). If you kill it with
the -TERM signal it will write all collected data on exit.

Donations :)
------------
If you are satisfied with this program and want to donate something .. feel
free to send it to me at the address below. I'm interested in old hardware
with non-i386 architecture so I can test how it works .. or some memory
(30 pin) for my old 486 box running netbsd .. or an old hdd .. or a wireless
pci card so I can get rid of this f***ing modem/telephone line on 9600 bps :(
... and so on .... :)

Bulgaria
Gabrovo 5300
Kragozor 9
Nikolay Hristov

Nikolay Hristov <geroy@stemo.bg>, <geroy@users.sourceforge.net>
