• A program for determining local network traffic. Review of the best programs for monitoring traffic on a PC

    This article will look at software solutions that will help you control your traffic. Thanks to them, you can see a summary of the Internet connection consumption of a particular process and limit its priority. It is not necessary to view recorded reports on a PC with special software installed in its OS - this can be done remotely. It won’t be a problem to find out the cost of consumed resources and much more.

    Software from SoftPerfect Research that allows you to control consumed traffic. The program provides additional settings, which make it possible to see information about megabytes consumed for a specific day or week, peak and off-peak hours. It is possible to see indicators of incoming and outgoing speed, received and sent data.

    The tool will be especially useful in cases where metered 3G or LTE is used, and, accordingly, restrictions are required. If you have more than one account, statistics about each individual user will be displayed.

    DU Meter

    An application for tracking the consumption of resources from the World Wide Web. In the work area you will see both the incoming and the outgoing signal. By connecting to the dumeter.net service account offered by the developer, you will be able to collect statistics on the use of information flow from the Internet from all PCs. Flexible settings will help you filter the stream and send reports to your email.

    The parameters allow you to specify restrictions when using a connection to the World Wide Web. In addition, you can specify the cost of the service package provided by your provider. There is a user manual in which you will find instructions for working with the existing functionality of the program.

    Network Traffic Monitor

    A utility that displays network usage reports with a simple set of tools without the need for pre-installation. The main window displays statistics and a summary of the connection that has Internet access. The application can block the stream and limit it, allowing the user to specify their own values. In the settings you can reset the recorded history. It is possible to record existing statistics in a log file. An arsenal of necessary functionality will help you record download and upload speeds.

    TrafficMonitor

    The application is an excellent solution for countering information flow from the network. There are many indicators that show the amount of data consumed, output, speed, maximum and average values. Software settings allow you to determine the cost of currently used volumes of information.

    The generated reports will contain a list of actions related to the connection. The graph is displayed in a separate window, and the scale is displayed in real time; you will see it on top of all the programs in which you work. The solution is free and has a Russian-language interface.

    NetLimiter

    The program has a modern design and powerful functionality. What makes it special is that its reports give a summary of the traffic consumption of each process running on the PC. The statistics are sorted by different periods, so it is very easy to find the desired period of time.

    If NetLimiter is installed on another computer, you can connect to it and control its firewall and other functions. To automate processes within the application, rules created by the user are used. In the scheduler, you can create your own limits when using the services of a provider, as well as block access to the global and local networks.

    DUTraffic

    The special feature of this software is that it displays advanced statistics. There is information about the connection from which the user entered the global space, sessions and their duration, as well as duration of use and much more. All reports are accompanied by information in the form of a diagram highlighting the duration of traffic consumption over time. In the parameters you can customize almost any design element.

    The graph that is displayed in a specific area is updated in a second-by-second mode. Unfortunately, the utility is not supported by the developer, but has a Russian interface language and is distributed free of charge.

    BWMeter

    The program monitors download/upload and the speed of the existing connection. Using filters, it displays an alert if processes in the OS consume network resources. Various filters are used to solve many different problems. The user will be able to fully customize the displayed graphs at their discretion.

    Among other things, the interface shows the duration of traffic consumption, the reception and upload speed, as well as the minimum and maximum values. The utility can be configured to display alerts when events such as the number of megabytes downloaded and connection time occur. By entering the site address in the appropriate line, you can check its ping, and the result is written to a log file.

    BitMeter II

    A solution for providing a summary of the use of provider services. The data is available in both tabular and graphical formats. The parameters configure alerts for events related to connection speed and consumed stream. For ease of use, BitMeter II allows you to calculate how much time it will take to download the amount of data you enter in megabytes.

    The functionality allows you to determine how much available volume is left provided by the provider, and when the limit is reached, a message about this is displayed in the taskbar. Moreover, downloading can be limited in the parameters tab, and you can also monitor statistics remotely in browser mode.

    The presented software products will be indispensable for monitoring the consumption of Internet resources. The functionality of the applications will help you create detailed reports, and the reports sent by e-mail are available for viewing at any convenient time.

    Computers are connected to each other using external or internal networks. Thanks to this, users can share information with each other, even while on different continents.

    Office traffic control software

    Using ICS, you can easily control traffic accounting and its distribution between users, influence the ability to connect to Internet resources at your discretion, and ensure the security of your internal network.

    School traffic control software

    ICS is a universal Internet gateway with tools for protecting an educational network, traffic accounting, access control and deployment of a mail, proxy and file server.

    Home traffic control software

    X Lite is a free Internet gateway that provides all your Internet needs at home. ICS Lite is a full-featured version of Internet Control Server, which includes a license for 8 users.


    Types of networks

    • Home - combine computers in one apartment or house.
    • Corporate - connect the working machines of the enterprise.
    • Local networks often have a closed infrastructure.
    • Global - connect entire regions and can include local networks.

    The benefits of such a connection are enormous: specialists’ time is saved, as are bills for phone calls. And all these benefits can be reduced to zero if safety is not taken care of in time.

    Firms that are not familiar with the concept of “traffic control” suffer enormous losses or completely limit access to information. There is an easier way to save safely - a program for monitoring traffic on the local network.

    We turn quantity into quality!

    It is important for a manager to know how the company's funds are spent. Therefore, the system administrator is responsible, among other things, for monitoring network traffic in the office. Statistics are collected not only on the volume, but also on the content of the information transmitted.

    Why do you need local network control? Although the answer to this question is obvious, many system administrators cannot substantiate the need to control Internet traffic consumption.

    Benefits for the manager

    Traffic control software:

    1. optimizes network operation - by saving specialists’ working time, labor productivity increases;
    2. shows the distribution of traffic by users - makes it possible to find out who needs Internet resources;
    3. shows for what purposes the traffic was spent - excluding inappropriate access.

    Benefits for the system administrator

    Monitoring traffic on a local network allows you to:

    1. limit user access to unwanted information;
    2. quickly receive data on the volume of traffic - avoiding network congestion;
    3. prevent viruses from entering the network and identify security violators.

    Control implementation options

    Internet traffic control on a corporate network can be organized in several ways:

    1. Buy a firewall with the ability to differentiate traffic.
    2. Configure proxy servers with NAT drivers with traffic accounting functions.
    3. Use various types of add-ons.

    Only a comprehensive solution can provide maximum protection. Internet Control Server provides full access control and offers all the necessary functionality. ICS is a router with a built-in proxy server running on FreeBSD.

    Advantages of ICS

    1. Statistical studies have revealed that employees spend 1/3 of their working time accessing the Internet for personal purposes. A special ICS Internet gateway will help prevent unauthorized access.
    2. The traffic consumption monitoring system keeps records on any user operating systems.
    3. ICS offers flexible settings.
    4. Prepares detailed reports in a convenient form.

    Download for free!

    Start right now - download the demo version of the program for monitoring Internet traffic from our website. You will be able to use all the features of our solution without restrictions for 35 days! After the trial period ends, you just need to purchase the full version by placing an order or contacting our managers.

    These are programs that allow you to track active connections across all network interfaces.

    Modern tools for detailed traffic monitoring, as a rule:

    • are quite affordable;
    • allow you to limit the speed of each connection separately;
    • give a clear picture of which files and programs load the network and what speed they need to have;
    • allow you to determine the sources of the greatest traffic consumption.

    The program will help you decide on your priorities when using the network.

    Today there are many similar utilities for monitoring and planning traffic consumption.

    CommTraffic

    This is a program for monitoring Internet traffic both on a local network (it monitors the Internet activity of several clients at once) and on a personal computer using a modem connection. Accounting and statistics of work on the Internet are displayed in the form of bandwidth graphs. They show the amount of outgoing, incoming and total traffic.

    The program can be configured for almost any tariff plan, which is based on the established volume, takes into account the time of day and connection time. The CommTraffic utility is equipped with:

    • convenient indication;
    • accurate cost calculation;
    • possibility of notification in case of overspending.

    Moreover, it is simple and easy to use. Once you set a traffic and time limit that matches your tariff plan, you will be notified by a sound signal or a message to a specified address when approaching the established limits.

    Program for monitoring Internet traffic Network Meter

    An application for collecting network information that allows you to monitor all network adapters installed in the system. Also provides detailed statistics about outgoing and incoming traffic. First, configure the downloaded program when you first launch it. To do this, specify what data you want to see in the main window, and the adapters that Network Meter will “monitor”.

    Minimize the utility window to the notification panel so that it does not take up space on your desktop. Even in this state, the application continues to work in the background.

    The program will plot graphs of network connection consumption intensity in real time. It is not overloaded with unnecessary interface elements and settings. The utility's graphical shell is clear and simple. You can also use it to see:

    • Internet session duration, MAC address and IP;
    • connection type;
    • Maximum cable throughput.

    By downloading Network Meter, you will get a fairly compact, simple and free tool. Great for monitoring traffic and viewing information about network equipment.

    Internet traffic counter Simbad Traffic Counter

    The utility keeps track of incoming and outgoing traffic, and also calculates its cost, according to the tariff of your Internet provider. The consumed traffic is displayed in various quantities (gigabytes, megabytes, kilobytes). In addition, the application keeps statistics. It will automatically detect the modem connection and display the time spent on the Internet. This program for monitoring Internet traffic consumes virtually no system resources and is small in size. Supports work with a large number of protocols.

    Net Activity Diagram Application

    The program for monitoring traffic and Internet speed Net Activity Diagram monitors the Internet and network activity of the computer.

    Produces:

    • tracking of all established connections;
    • displaying various warnings in the form of a message;
    • traffic analysis for specified periods of time.

    Current network activity is displayed both in a separate window and on the taskbar. In addition, the Net Activity Diagram service tracks statistics independently for each port and provides the ability to monitor each type of traffic separately.

    The program is quite flexible. It informs the user in cases of exceeding or approaching the established limits.

    Traffic accounting using Internet Connection Counter

    This program for monitoring Internet traffic will allow you to take into account the cost and time spent on the Internet, and the total amount of traffic consumed. It supports various types of connections: Dial-Up, ADSL, LAN, GPRS, etc.

    With this utility the user can:

    • use several Internet provider tariffs at the same time;
    • get acquainted with statistics on the traffic used;
    • customize the application's appearance.

    In addition, the application will show all active connections, synchronize the system clock and export reports to Excel format.

    Traffic saving program

    HandyCache will allow you to save significantly (3-4 times) through caching. The next time you visit the site, the application will help you avoid downloading it from the Internet. In addition, you can view these sites without an Internet connection, in offline mode.

    To get started, you need to install HandyCache and point the browser to it as a proxy server. After this, all browsers installed on your computer will use the HandyCache cache. The default settings of this application suit users in most cases.

    The utility is equipped with flexible settings for managing a wide variety of parameters. HandyCache can load files from the cache depending on the file type or URL. If necessary, it will download files from the Internet when versions are constantly updated. Before this, the program will check their version and only then decide whether to contact the download source.

    The utility is convenient in that to search for any previously used data you do not need to find it again. Just look in the cache for a folder with the same name as the site name. In addition, this Internet traffic monitoring program for Android is ideal.

    Clear and accurate accounting of money

    And also time and traffic can be done using the StatistXP application. A program for monitoring Internet traffic will allow you to use the network comfortably and economically. For the trial period, 10 launches are given. And for further use, the utility is equipped with the option of prepayment and Internet cards.

    The program carries out:

    • notification when connecting and disconnecting by voice;
    • accounting of time, money and traffic with connection statistics by month and year;
    • There is detailed information.

    BitMeter II - a program for monitoring Internet traffic

    This utility is a traffic counter. In addition, it is equipped with a wide range of tools for collecting and monitoring network connections.

    In the main window of the application, you can see a graph of outgoing and incoming traffic in real time. To quickly calculate the time spent downloading, there is a special calculator.

    The application supports setting warnings about exceeding the limits of the maximum traffic limit and Internet connection time.

    Some features of the program:

    • Customizable settings and alerts when the speed drops to an established level or when a certain amount of data has been loaded.
    • Uploads and downloads are monitored and recorded. This will allow you to see how much traffic was used during a specific period of time.
    • On-screen stopwatch.
    • Nice help file.
    • Convenient, customizable appearance.
    • Possibility of selectively monitoring network cards.

    A data counter is not only an interesting program that will be used by Internet users. It works fine on a PC with a network cable installed. Thanks to this, we will be able to analyze all network traffic, even that which is located. Using a program to monitor Internet traffic on a computer, we can easily find out whether our computer is infected and whether it is sending unnecessary packets.

    Choosing the best program for monitoring Internet traffic.

    Network Meter is a handy desktop gadget and traffic metering program that allows you to easily monitor your Internet connection and distribute it over your local network and Wi-Fi. Most users ignore the features offered by desktop gadgets that have already appeared in Windows Vista and ported to Windows 7. Some of these applications can be very useful.

    Network Meter is an application that monitors the active connection to the Internet. It allows you to specify an IP address both on the local network and on the Internet. It shows the current data transfer speed, download speed, upload speed and the amount of data that we downloaded and sent during the last session (since Windows was restarted). In addition, in wireless network monitoring mode, the application shows the Wi-Fi network SSID, that is, its name, and the percentage value of the signal quality (0 - 100%). An additional element of the gadget is an IP address locator (IP search) and an Internet tester (speed test).

    Anyone can use the program:

    1. Unpack the gadget installer from the ZIP archive, selecting a location on your hard drive. Double click the extracted file to install Network Meter.
    2. You will be prompted to check the manufacturer, click Install. The gadget should appear on our desktop (usually on the right), but it can be placed anywhere by clicking and dragging with the left mouse button.
    3. The app is already active, but to make sure it's monitoring the connection you're interested in, go to the "Network Meter" option. To do this, right-click on the gadget and select “Options”.
    4. On the main “Settings” tab, you can manage the gadget’s functions. First of all, you need to choose which network to monitor (network type). You can choose to connect to your local network via cable (wired network) or Wi-Fi (wireless network). In the latter case, the gadget will be equipped with additional functions - SSID and a signal quality meter. The function indicated by the marker shows the network card monitored by our local IP address (local area network), as well as the network monitored for data transmission. If you use it on a personal PC, there will be no problems, but on a laptop you should make sure that Network Meter is at the present moment monitoring the active card - usually you have to choose between the Ethernet LAN card and the Wi-Fi card.
    5. The “Screen” tab determines how the gadget will display information. For example, it is recommended to change the default unit setting from bits per second to get the speed in kilobytes or megabits. The settings are saved by pressing the “OK” button.
    6. Changes to the Network Meter window appear immediately. It is worth noting that the counter represents the current data transfer at the moment and thus monitors network activity. However, another metric counts how much data is downloaded and sent during that session. It may be useful for users on metered networks - for example, 3G mobile Internet. This makes it easy to know whether the data package has been exceeded.

    License: Free

    IMPORTANT. For proper operation, the program requires the .NET Framework 1.1 package to be installed on the system.

    A brilliant program in terms of GUI that may surprise you with its very interesting features. GlassWire is a program for controlling the data flow of an Internet connection, whose characteristic feature is, first of all, a modern animated interface, the appearance of which can be further modified using graphic templates that increase the readability of the information presented on the graphs. The program allows you to display the names of processes and applications that initiate new sessions and use the network connection. The user is informed about everything through pop-up windows and directly from the program window.

    Using GlassWire is intuitive and comes down to switching between successive tabs that correspond to the main functions implemented in the program: graphical data analysis, firewall settings, transfer of consumption data divided into applications and a list of notifications. In them we usually have the following three views, which allow us to customize the contents of the screen to our needs - at the same time more information about individual processes can be displayed, as well as the account presenting the data in charts.

    Directly from the program menu you can access the technical support section, available online at the manufacturer's website. It is very clear and contains not only a quick and complete guide on using the program, but also access to a database of frequently asked questions and user forums. Although the program is currently only available in a development version, the manufacturer's commitment to fine tuning all the details quickly makes it popular. Advantages:

    • firewall function;
    • very convenient and beautiful interface;
    • ease of operation.

    Flaws:

    • lack of many functions in the free version;
    • there is no data transfer tracking schedule.

    License: free.

    An advanced monitoring utility that allows you to monitor application-generated network traffic. It generates reports in many formats. This program reports downloading and sending data for the Internet, the local network and for certain programs. It also tells you which applications are using the Internet. It monitors Wi-Fi signal quality. The latest version is fully compatible with Windows 10. DU Meter clearly tracks data usage. It provides hourly, daily, weekly and monthly reports. It can also warn when fixed limits are exceeded. Data from reports can be exported to Excel, Word and PDF. Stopwatch mode allows you to measure data consumption with a high degree of accuracy over a certain time. You can also specify the hours during which transfers should not be counted (which is useful for people who use tariff plans with free hours).

    DU Meter appears as a translucent notification window in the lower right corner of the desktop and shows real-time network traffic information. The DU Meter window can be enlarged by dragging its edges with the mouse. Each vertical line is one second. The red line is incoming traffic, and green is outgoing. At the bottom of the window there are tabs “Internet”, “LAN”, “Programs” - by switching between them, you can see the corresponding data. By right-clicking on the program window, you can bring up a pop-up menu that gives access to various reports, a stopwatch mode, or user and administrator options.

    To see the main Internet traffic report as quickly as possible, hover your mouse over the DU Meter icon on the taskbar. To view detailed information about online program activity, right-click on the semi-transparent DU Meter window and select “View network connections”. In the new window, the “Programs” tab lists all applications that use data transfer. The “Open TCP connections” tab displays information that will help you identify unauthorized traffic from your computer. Advantages:

    • maximum number of report formats;
    • simultaneous data calculation for specific applications and network traffic;
    • usage timer.

    Disadvantage: trial version.

    License: trial.

    These are the most popular applications. You can try several others that stand out for their functionality.

    Very useful program. Many additional features make it the most versatile application for monitoring data transfers on a PC. Advantages:

    • ease of operation;
    • tracking specific applications;
    • ability to create reports;
    • traffic monitoring mode on the router (requires SNMP supported by the router).

    Disadvantage: Inaccurate tracking of applications running on the system.

    License: free.

    Takes up very little space and does not overload the processor during operation. There are not many advanced features, but the application excels in its simplicity. Advantages:

    • simple controls;
    • stopwatch function.

    Flaws:

    • uninteresting appearance;
    • Lack of application-specific data tracking.

    License: free.

    Works without problems in almost all Windows versions, has features available only in paid versions of this type of program. Advantages:

    • firewall function;
    • schedule with the ability to disable tracking at a certain time;
    • remote management of statistics via the network.

    Disadvantage: Quite difficult to use.

    License: free.

    Of course, the list of programs for tracking traffic on a computer can be continued for quite a long time. We have collected the best and most popular applications. If you already have experience using other software, share it in the comments.

    Any administrator sooner or later receives instructions from management: “count who goes online and how much they download.” For providers, it is complemented by the tasks of “letting whoever needs it in, taking payment, limiting access.” What to count? How? Where? There is a lot of fragmentary information, it is not structured. We will save the novice admin from tedious searches by providing him with general knowledge and useful links to hardware.
    In this article I will try to describe the principles of organizing the collection, accounting and control of traffic on the network. We will consider the problems of the issue and list possible ways of retrieving information from network devices.

    This is the first theoretical article in a series of articles devoted to the collection, accounting, management and billing of traffic and IT resources.

    Internet access structure

    In general, the network access structure looks like this:
    • External resources - the Internet, with all sites, servers, addresses and other things that do not belong to the network that you control.
    • Access device – router (hardware or PC-based), switch, VPN server or concentrator.
    • Internal resources are a set of computers, subnets, subscribers whose operation on the network must be taken into account or controlled.
    • A management or accounting server is a device on which specialized software runs. It can be functionally combined with a software router.
    In this structure, network traffic passes from external resources to internal ones, and back, through the access device. It transmits traffic information to the management server. The control server processes this information, stores it in the database, displays it, and issues blocking commands. However, not all combinations of access devices (methods) and collection and control methods are compatible. The various options will be discussed below.

    Network traffic

    First, you need to define what is meant by “network traffic” and what useful statistical information can be extracted from the user data stream.
    The dominant internetworking protocol is still IP version 4. The IP protocol corresponds to layer 3 of the OSI model (L3). Information (data) between the sender and the recipient is packaged into packets, each having a header and a “payload”. The header defines where the packet comes from and where it is going (sender and recipient IP addresses), the packet size and the payload type. The bulk of network traffic consists of packets with UDP and TCP payloads - these are Layer 4 (L4) protocols. In addition to addresses, the header of these two protocols contains port numbers, which determine the type of service (application) transmitting data.

    To transmit an IP packet over wires (or radio), network devices are forced to “wrap” (encapsulate) it in a layer 2 (L2) protocol packet. The most common protocol of this type is Ethernet. The actual transmission “to the wire” occurs at the 1st level. Typically, the access device (router) does not analyze packet headers at levels higher than level 4 (intelligent firewalls are an exception).
    Information from the fields of addresses, ports, protocols and length counters from the L3 and L4 headers of data packets constitutes the “raw material” that is used in traffic accounting and management. The actual amount of information transmitted is found in the Length field of the IP header (including the length of the header itself). By the way, because of packet fragmentation caused by the MTU mechanism, the total amount of transmitted data is always larger than the size of the payload.

    The total length of the IP and TCP/UDP fields of the packet that are interesting to us in this context is 2...10% of the total length of the packet. If you process and store all this information packet by packet, there will not be enough resources. Fortunately, the vast majority of traffic is structured to consist of a series of “conversations” between external and internal network devices, called “flows.” For example, as part of one operation of sending an email (SMTP protocol), a TCP session is opened between the client and the server. It is characterized by a constant set of parameters (source IP address, source TCP port, destination IP address, destination TCP port). Instead of processing and storing information packet by packet, it is much more convenient to store flow parameters (addresses and ports), as well as additional information - the number and sum of the lengths of transmitted packets in each direction, optionally the duration of the session, indexes of router interfaces, the value of the ToS field, etc. This approach is beneficial for connection-oriented protocols (TCP), where it is possible to explicitly intercept the termination of a session. However, even for non-session-oriented protocols, it is possible to perform aggregation and logical completion of a flow record based on, for example, a timeout. Below is an excerpt from the SQL database of our own billing system, which logs information about traffic flows:

    It is necessary to note the case when the access device performs address translation (NAT, masquerading) to organize Internet access for computers on the local network using one, external, public IP address. In this case, a special mechanism replaces IP addresses and TCP/UDP ports of traffic packets, replacing internal (not routable on the Internet) addresses according to its dynamic translation table. In this configuration, it is necessary to remember that in order to correctly record data on internal network hosts, statistics must be collected in a way and in a place where the translation result does not yet “anonymize” internal addresses.

    Methods for collecting traffic/statistics information

    You can capture and process information about passing traffic directly on the access device itself (PC router, VPN server), by transferring it from this device to a separate server (NetFlow, SNMP), or “from the wire” (tap, SPAN). Let's look at all the options in order.
    PC router
    Let's consider the simplest case - an access device (router) based on a PC running Linux.

    A lot has been written about how to set up such a server, address translation and routing. We are interested in the next logical step: how to obtain information about the traffic passing through such a server. There are three common methods:

    • intercepting (copying) packets passing through the server’s network card using the libpcap library
    • intercepting packets passing through the built-in firewall
    • using third-party tools for converting packet-by-packet statistics (obtained by one of the two previous methods) into a netflow aggregated information stream
    Libpcap


    In the first case, a client program on the server, written using this library, can request a copy of each packet passing through the interface, after it has passed the filter (man pcap-filter). The packet arrives with a layer 2 header (Ethernet). It is possible to limit the length of the captured data (if we are only interested in the information from its header). Examples of such programs are tcpdump and Wireshark. There is an implementation of libpcap for Windows. If address translation is used on a PC router, such interception can only be carried out on its internal interface, the one connected to local users. On the external interface, after translation, IP packets no longer contain information about the internal hosts of the network. However, with this method it is impossible to take into account the traffic that the server itself generates towards the Internet (which is important if it runs a web or mail service).

    libpcap requires support from the operating system, which currently amounts to installing a single library. In this case, the application (user) program that collects packets must:

    • open the required interface
    • specify the filter through which to pass received packets, the size of the captured part (snaplen), the buffer size
    • set the promisc parameter, which puts the network interface into capture mode for all packets passing by, and not just those addressed to the MAC address of this interface
    • set a function (callback) called on each received packet.

    When a packet is transmitted through the selected interface, after passing the filter, this function receives a buffer containing the Ethernet, (VLAN), IP, etc. headers, with a total size of up to snaplen. Since the libpcap library copies packets, it cannot be used to block their passage. In this case, the traffic collection and processing program will have to use alternative methods, for example, calling a script to place a given IP address in a traffic blocking rule.
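    What the callback described above can do with each buffer, turning packets into the per-flow records discussed earlier: an added Python example, not code from the article or from libpcap. It assumes Ethernet framing with at most one VLAN tag and IPv4, keeps each direction as its own record, and the names `parse_frame`, `FlowTable`, `sample_frame` and the 30-second idle timeout are illustrative choices.

```python
import struct

IDLE_TIMEOUT = 30.0  # assumed idle time (s) after which a flow record is closed

def parse_frame(buf):
    """Return ((src, sport, dst, dport, proto), ip_len), or None if not usable IPv4."""
    if len(buf) < 14:
        return None
    ethertype, off = struct.unpack_from("!H", buf, 12)[0], 14
    if ethertype == 0x8100 and len(buf) >= 18:      # optional 802.1Q VLAN tag
        ethertype, off = struct.unpack_from("!H", buf, 16)[0], 18
    if ethertype != 0x0800 or len(buf) < off + 20:
        return None
    ver_ihl, _tos, ip_len, _id, frag = struct.unpack_from("!BBHHH", buf, off)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return None
    proto = buf[off + 9]
    src, dst = (".".join(map(str, buf[off + i:off + i + 4])) for i in (12, 16))
    sport = dport = 0
    # Ports exist only for TCP/UDP and only in the first fragment.
    if proto in (6, 17) and (frag & 0x1FFF) == 0 and len(buf) >= off + ihl + 4:
        sport, dport = struct.unpack_from("!HH", buf, off + ihl)
    # ip_len is read from the IP header, so snaplen truncation does not skew byte counts.
    return (src, sport, dst, dport, proto), ip_len

class FlowTable:
    def __init__(self):
        self.active = {}   # key -> [packets, bytes, first_ts, last_ts]
        self.closed = []   # finished records: (key, packets, bytes, first_ts, last_ts)

    def on_packet(self, ts, buf):
        """What a capture callback would do with each (timestamp, buffer) pair."""
        self.expire(ts)
        parsed = parse_frame(buf)
        if parsed:
            rec = self.active.setdefault(parsed[0], [0, 0, ts, ts])
            rec[0], rec[1], rec[3] = rec[0] + 1, rec[1] + parsed[1], ts

    def expire(self, now):
        """Close flows that have been silent for longer than IDLE_TIMEOUT."""
        for key in [k for k, r in self.active.items() if now - r[3] > IDLE_TIMEOUT]:
            self.closed.append((key, *self.active.pop(key)))

def sample_frame(src, dst, sport, dport, ip_len, vlan=False):
    """Constructed input: Ethernet + IPv4 + first 4 UDP bytes, as if cut by snaplen."""
    eth = bytes(12) + (b"\x81\x00\x00\x64" if vlan else b"") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 17, 0, bytes(src), bytes(dst))
    return eth + ip + struct.pack("!HH", sport, dport)
```

    Non-IPv4 and truncated frames are skipped rather than raising, so one malformed packet cannot stop the accounting loop.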

    Firewall


    Capturing data passing through the firewall allows you to take into account both the traffic of the server itself and the traffic of network users, even when address translation is running. The main thing in this case is to formulate the capture rule correctly and put it in the right place. This rule activates the forwarding of the packet to a system library, from where the traffic accounting and management application can receive it. On Linux, iptables is used as the firewall, and the interception tools are ipq, netfilter_queue or ulog. On FreeBSD it is ipfw with rules like tee or divert. In any case, the firewall mechanism is complemented by the ability to work with a user program in the following way:
    • A user program (the traffic handler) registers itself in the system using a system call or a library.
    • A user program or external script installs a rule in the firewall, “wrapping” the selected traffic (according to the rule) inside the handler.
    • For each passing packet, the handler receives its contents in the form of a memory buffer (with IP headers, etc.). After processing (accounting), the program must also tell the operating system kernel what to do next with such a packet: discard it or pass it on. Alternatively, it is possible to pass a modified packet back to the kernel.

    Since the IP packet is not copied, but handed to the software for analysis, it becomes possible to drop it, and therefore to completely or partially restrict traffic of a certain type (for example, to a selected local network subscriber). However, if the application program stops telling the kernel its decision (because it has hung, for example), traffic through the server is simply blocked.
    It should be noted that, with significant volumes of transmitted traffic, the described mechanisms create excessive load on the server, caused by the constant copying of data from the kernel to the user program. The method of collecting statistics at the OS kernel level, which hands aggregated statistics to the application program using the NetFlow protocol, does not have this drawback.

    Netflow
    This protocol was developed by Cisco Systems to export traffic information from routers for the purpose of traffic accounting and analysis. Version 5, currently the most popular, provides the recipient with a stream of structured data in the form of UDP packets containing information about the traffic that has passed, in the form of so-called flow records:

    The amount of information about traffic is several orders of magnitude less than the traffic itself, which is especially important in large and distributed networks. Of course, it is impossible to block the transfer of information when collecting statistics via netflow (unless additional mechanisms are used).
    A further development of this protocol is now becoming popular: version 9, based on a template-defined flow record structure, along with implementations for devices from other manufacturers (sFlow). Recently, the IPFIX standard was adopted, which also allows statistics to be transmitted for protocols at deeper levels (for example, by application type).
    The implementation of netflow sources (agents, probes) is available for PC routers, both in the form of utilities working according to the mechanisms described above (flowprobe, softflowd), and directly built into the OS kernel (FreeBSD:, Linux:). For software routers, the netflow statistics stream can be received and processed locally on the router itself, or sent over the network (transfer protocol - over UDP) to the receiving device (collector).


    The collector program can collect information from many sources at once, and can distinguish their traffic even when their address spaces overlap. With the help of additional tools, such as nprobe, it is also possible to carry out additional data aggregation, stream bifurcation or protocol conversion, which is important when managing a large and distributed network with dozens of routers.
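    A collector's decoding step for the version 5 export described above, as an added Python example that is not part of the article or of any collector product. The 24-byte header and 48-byte record layouts follow the published NetFlow v5 format; the function names, the `exporter` argument and the sample datagram are constructed for illustration.

```python
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram, exporter):
    """Decode one NetFlow v5 export datagram into a list of flow dicts.

    `exporter` is the UDP source address of the datagram; keeping it on every record
    lets a collector tell routers with overlapping address spaces apart.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("short datagram")
    version, count, uptime_ms, unix_secs, *_rest = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    # The count field is sender-controlled: check it against the real length first.
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, if_in, if_out, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, *_rest) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "exporter": exporter,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "tcp_flags": tcp_flags, "if_in": if_in, "if_out": if_out,
            "packets": pkts, "bytes": octets,
            # first/last are router uptime in ms; convert to wall-clock seconds
            "start": unix_secs - (uptime_ms - first) / 1000.0,
            "end": unix_secs - (uptime_ms - last) / 1000.0,
        })
    return flows

def sample_datagram():
    """Constructed sample: one SMTP flow of 10 packets / 4200 bytes."""
    hdr = HEADER.pack(5, 1, 600000, 1700000000, 0, 42, 0, 0, 0)
    rec = RECORD.pack(socket.inet_aton("192.168.0.10"), socket.inet_aton("203.0.113.25"),
                      bytes(4), 1, 2, 10, 4200, 590000, 595000, 40001, 25,
                      0, 0x1B, 6, 0, 0, 0, 24, 0, 0)
    return hdr + rec
```

    Because the export travels over plain UDP, the length check runs before any record is unpacked, and a datagram that fails it is rejected whole.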

    NetFlow export is supported by routers from Cisco Systems, Mikrotik, and some others. Similar functionality (with other export protocols) is supported by all major network equipment manufacturers.

    Libpcap “outside”
    Let's complicate the task a little. What if your access device is a hardware router from another manufacturer? For example, D-Link, ASUS, Trendnet, etc. It is most likely impossible to install additional data acquisition software on it. Alternatively, you have a smart access device, but it is not possible to configure it (you don’t have rights, or it is controlled by your provider). In this case, you can collect information about traffic directly at the point where the access device meets the internal network, using “hardware” packet copying tools. In this case, you will definitely need a separate server with a dedicated network card to receive copies of Ethernet packets.
    The server must use the packet collection mechanism using the libpcap method described above, and our task is to submit a data stream identical to that coming from the access server to the input of the network card dedicated for this purpose. For this you can use:
    • An Ethernet hub: a device that simply forwards packets between all its ports indiscriminately. Nowadays it can be found somewhere in a dusty warehouse, and using this method is not recommended: it is unreliable and slow (there are no hubs with a speed of 1 Gbit/s).
    • An Ethernet switch with mirroring capability (mirroring, SPAN ports). Modern smart (and expensive) switches allow you to copy all traffic (incoming, outgoing, both) of another physical interface or VLAN, including a remote one (RSPAN), to a specified port.
    • A hardware splitter, which may require installing two network cards instead of one for collection, and this is in addition to the main, system one.


    Naturally, you can configure a SPAN port on the access device itself (router), if it allows it - Cisco Catalyst 6500, Cisco ASA. Here is an example of such a configuration for a Cisco switch:
    monitor session 1 source vlan 100 ! where we take the packets from
    monitor session 1 destination interface Gi6/3 ! where we send the packets to

    SNMP
    What if we don’t have a router under our control, we don’t want to deal with NetFlow, and we’re not interested in the details of our users’ traffic? They are simply connected to the network through a managed switch, and we just need to roughly estimate the amount of traffic going to each of its ports. As you know, network devices that can be managed remotely maintain, and can report, counters of packets (bytes) passing through their network interfaces. The right way to poll them is the standardized remote management protocol SNMP. Using it, you can quite simply obtain not only the values of the specified counters, but also other parameters, such as the name and description of the interface, MAC addresses visible through it, and other useful information. This is done by command line utilities (snmpwalk), by graphical SNMP browsers, and by more complex network monitoring programs (rrdtools, cacti, zabbix, whats up gold, etc.). However, this method has two significant drawbacks:
    • Traffic can only be blocked by completely shutting down the interface, using the same SNMP
    • traffic counters taken via SNMP refer to the sum of the lengths of Ethernet packets (unicast, broadcast and multicast separately), while the rest of the previously described tools give values relative to IP packets. This creates a noticeable discrepancy (especially on short packets) due to the overhead caused by the length of the Ethernet header (however, this can be approximately corrected for: L3_byte = L2_byte - L2_packets * 38).
    VPN
    Separately, it is worth considering the case of user access to the network by explicitly establishing a connection to the access server. A classic example is the good old dial-up, whose analogue in the modern world is remote-access VPN services (PPTP, PPPoE, L2TP, OpenVPN, IPSEC).


    The access device not only routes user IP traffic, but also acts as a specialized VPN server and terminates logical tunnels (often encrypted) within which user traffic is transmitted.
    To account for such traffic, you can use all the tools described above (and they are well suited for deep analysis by ports/protocols), as well as additional mechanisms provided by VPN access control tools. First of all, we will talk about the RADIUS protocol. How it works is a rather complex topic. We will briefly mention that access to the VPN server (the RADIUS client) is controlled (authorized) by a special application (the RADIUS server), which has a database (text file, SQL, Active Directory) of valid users with their attributes (connection speed limits, assigned IP addresses). In addition to the authorization process, the client periodically transmits accounting messages to the server: information about the state of each currently running VPN session, including counters of transmitted bytes and packets.

    Conclusion

    Let's bring all the methods for collecting traffic information described above together:

    Let's summarize. In practice there are a large number of methods for connecting the network you manage (with clients or office subscribers) to an external network infrastructure, using a number of access means: software and hardware routers, switches, VPN servers. However, in almost any case, you can come up with a scheme where information about traffic transmitted over the network can be directed to a software or hardware tool for its analysis and management. It is also possible that this tool will provide feedback to the access device, applying intelligent access restriction algorithms for individual clients, protocols, and more.
    This is where I will finish the review of the basics. The topics that remain uncovered are:

    • how and where the collected traffic data goes
    • traffic accounting software
    • What is the difference between billing and a simple “counter”
    • How can you impose traffic restrictions?
    • accounting and restriction of visited websites