
Controlled counters in Traffic Inspector: keeping megabytes in a tight grip

Experienced sysadmins are probably well aware that many Internet providers like to count traffic on a "give or take a tram stop" basis (and any discrepancies are usually interpreted in the provider's favor), so the ability to keep track of your own network activity not only makes regular reconciliation with the provider easier, but also allows a company to avoid unnecessary costs.

Because of the specifics of the TCP/IP stack, it is almost impossible to manually separate exactly the traffic that the provider charges for from other types of traffic: this requires analyzing packet headers, as well as recording the number of lost and test packets and other service information. That is why most software for network activity accounting includes some implementation of this feature.

Traffic Inspector has this functionality too, in the form of two types of counters: informational and controlled. Informational counters are used for detailed accounting of various types of traffic and for collecting statistics for subsequent analysis. When configuring them, in addition to external networks and interfaces, you can specify the type of IP protocol, as well as TCP and UDP ports. Controlled counters are designed mainly for managing the consumption of traffic from the upstream provider as a paid resource, and individual charging and blocking rules can be set for different subnets and types of traffic. Controlled counters are the subject of the rest of this article.

Some theory

Each packet received on the external network interfaces is checked against the conditions of all controlled counters, but is counted only on the very first counter whose conditions it meets. The order of the counters in this list is therefore of fundamental importance: the stricter the condition of a counter, the higher it should be in the list. The last counter in the list must be the counter for all traffic (it is created by default when the program is installed and is called All Internet). Thus, each packet is registered on only one counter, and the sum over all counters gives the total amount of traffic consumed.
The general rule for configuring controlled counters is as follows: for each upstream provider you need to create at least one counter, and if the provider charges differently for traffic to different resources, there may be several counters, for example for fully paid traffic, for discounted traffic and for free traffic.

A general list of all of Traffic Inspector's external counters (controlled and informational) is located in the Traffic Accounting -> Counters section of the administrator console. Controlled counters have their own subsection there.

The following operations with controlled counters are implemented in Traffic Inspector:

• general settings of controlled counters;
• creation / modification of a controlled counter;
• setting attributes of the controlled counter;
• reset of the controlled counter;
• removal of a controlled counter.

Let us look at them in more detail using a specific example.

A real-life example

Suppose the provider has its own network with addresses in 11.100.100.0/22, and traffic within it is free. The provider also offers a separate tariff for some large Russian Internet resources (national traffic), and applies a standard tariff in all other cases.
To correctly account for the traffic consumed from the provider, we need three controlled counters: My provider, National traffic and All Internet.

The All Internet counter is always present by default, so we only need to add the other two counters, each of which will use a list of networks. Since the list of national networks is quite large, we will create it in a separate text file and then import it into Traffic Inspector. If necessary, the same kind of list can be made for the "My provider" counter.

Another important note: since the "My provider" counter is likely to be a "subset" of the National traffic counter, the "My provider" counter needs to be moved up the list and made first.
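The first-match rule and the ordering note above, as an added example (not part of the original article and not Traffic Inspector code): it charges each packet to the first counter that matches and flags counters that an earlier, broader counter makes unreachable. The counter names and 11.100.100.0/22 come from the article; the "National traffic" networks and the packets are constructed sample values.

```python
import ipaddress

# Counter names and the provider subnet are from the article; the
# "National traffic" networks are constructed sample values.
COUNTERS = [
    ("My provider", ["11.100.100.0/22"]),
    ("National traffic", ["11.100.0.0/16", "198.51.100.0/24"]),
    ("All Internet", ["0.0.0.0/0"]),
]

# Constructed sample packets: (remote address, size in bytes)
PACKETS = [("11.100.101.7", 1000), ("11.100.9.9", 400),
           ("198.51.100.20", 300), ("203.0.113.5", 50)]

def parse(counters):
    return [(name, [ipaddress.ip_network(n) for n in nets])
            for name, nets in counters]

def account(counters, packets):
    """Charge each packet to the first counter whose networks contain it."""
    parsed = parse(counters)
    totals = {name: 0 for name, _ in parsed}
    for remote_ip, size in packets:
        addr = ipaddress.ip_address(remote_ip)
        for name, nets in parsed:
            if any(addr in net for net in nets):
                totals[name] += size
                break  # first match wins; later counters never see it
    return totals

def shadowed(counters):
    """Counters whose every network lies inside one network of an earlier
    counter, so they can never be charged. (Coverage by a union of several
    smaller earlier networks is not detected by this simple check.)"""
    parsed = parse(counters)
    result = []
    for i, (name, nets) in enumerate(parsed):
        earlier = [n for _, ns in parsed[:i] for n in ns]
        if nets and all(any(net.subnet_of(e) for e in earlier) for net in nets):
            result.append(name)
    return result

if __name__ == "__main__":
    wrong = [COUNTERS[1], COUNTERS[0], COUNTERS[2]]  # National first
    for order in (COUNTERS, wrong):
        print(account(order, PACKETS), "shadowed:", shadowed(order))
```

With National traffic placed first, the free provider traffic is charged at the national tariff and "My provider" stays at zero, while the grand total is unchanged.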

So let's get started.
Start the Traffic Inspector administration console, go to Traffic Accounting -> Counters -> Controlled Counters, right-click and select Add . In the wizard window that opens, set the counter name and a short comment:

image

Next, select the network interface, and in the next step, import the list of Internet resources from a text file. To do this, select List of IP-networks, click the Create List button and follow the instructions of the system.

In the next step, the warning and blocking limits are set:

image

For example, we limit the amount of daily incoming traffic to 500 MB, and outgoing traffic to 250 MB. Alerts will be sent to the administrator when 50 MB remains before the limit on incoming or outgoing traffic is reached. We will not set a total blocking limit.

Then, on the Actions tab, you can enable or disable the main operations performed by Traffic Inspector when the limits are exceeded, namely:

• blocking external networks when the blocking limit and the daily blocking limit are exceeded;
• notifying administrators by e-mail when the counter status changes (mail sending must be configured in the Traffic Inspector sending service).

In addition, when blocking or unblocking, the system can automatically launch an arbitrary external program or script. This is convenient for performing various actions, for example, automatically switching to a backup Internet channel or sending informational messages. You can configure this feature on the Run external programs tab.

image

In the penultimate step, you can set the rules for maintaining network statistics for this counter, including the recording interval, the minimum number of packets for recording, and the sorting of statistical data.

image

And finally, at the last step, you can specify the frequency of recording of the network data of this counter in the log:

image

Now create a counter to account for free traffic:

image

Here, everything is similar to the previous counter, except that the range of IP addresses will be different:

image

... and you do not need to set limits (as traffic on this network is still free).

Finally, it remains to make sure that both counters are displayed in the list: My provider should be first, National traffic second, and All Internet at the very end of the list:

image

If necessary, the order of the counters can be changed using the arrow buttons on the toolbar.

Server in wiretapping mode

Another effective mechanism for accounting and filtering traffic in Traffic Inspector is the so-called wiretapping mode. In this mode, network traffic passes through a gateway that is external to Traffic Inspector, the Traffic Inspector server's network card works in listening mode, and the traffic to be accounted is picked up by the program's driver (the traffic must first be delivered to this network card in some way, for example using port mirroring on a managed switch). Blocking user traffic is possible when using managed switches with SNMP support or Traffic Inspector's built-in proxy server.

The wiretapping mode provides the following benefits:
• accurate traffic accounting for each client;
• reporting for the selected period;
• caching proxy server with traffic saving up to 30%;
• restrictions by schedule, content, speed, etc.;
• filtering banners, graphics and multimedia, as well as unwanted sites;
• control of real-time operation remotely via the management console.

To enable this mode, you need to open the Traffic Inspector Configurator (Administrator Console -> Settings -> Actions tab) and in the opened wizard, select the Configuration Settings item:

image

Next, select the wiretap mode - external gateway:

image

... and indicate one of the available configurations for this mode:

image

Please note that when the Traffic Inspector mode is changed, all current network connections are usually reset, so clients will need to reconnect from their machines.

Conclusion

Traffic Inspector offers powerful tools for managing traffic and accounting for it in detail, which allows companies not only to monitor users' network activity more effectively, but also to defend their position in case of claims from the provider. Traffic counters can easily be created and fine-tuned for particular types of traffic, tariffs and limits, and all counter data can be displayed in real time and recorded in the log for subsequent report generation.

Source: https://habr.com/ru/post/230575/