
With a standard log rule "ct state new" we get the details about a new session; however, we only get the data size of the first packet, looking in LEN, i.e.:

2024-06-15T10:11:31.829667+00:00 deepu kernel: ALLOW INPUT: IN=ens33 OUT= MAC=ff:ff:ff:ff:ff:ff:3a:f9:d3:87:89:65:08:cc SRC=172.16.0.1 DST=172.16.0.255 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=32643 PROTO=UDP SPT=57621 DPT=57621

In this, we see 72 bytes.

How can we log the total volume of data transferred in that session? For example, if this was a 100MB file download, I'd want to see 100MB download, plus the few small packets of TCP establishment etc.

1 Answer


The basic iptables/nftables counters only track the number of bytes/packages that have matched a particular rule, regardless of which connection they belong to.

For per-session statistics, you would need to track individual connections and log connection statistics whenever a connection ends. Sounds like a job for the connection tracking subsystem!

At least on Debian, there is a conntrackd package, which includes a configuration example at /usr/share/doc/conntrackd/examples/stats/conntrackd.conf, for writing statistics about ending connections to /var/log/conntrackd-stats.log by default. This might be just about exactly what you're asking for.

  • Many, many thanks. I've managed to "tail" this log file and add both send_bytes and return_bytes to create total_bytes. This is perfect - thanks! Commented Jun 16, 2024 at 15:15
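
The summing step described in the comment above, as an added example (not code from the answer, the commenter, or conntrackd): it parses flow lines and adds the byte counters of both directions into a per-session total. The sample lines are constructed and assume the conntrack-tools key=value layout with connection accounting enabled (net.netfilter.nf_conntrack_acct=1); the record keys send_bytes, return_bytes and total_bytes are names chosen here.

```python
import re

# Constructed sample lines (assumed layout: conntrack-tools key=value output,
# original direction first, reply direction second). Byte counters are only
# present when net.netfilter.nf_conntrack_acct=1.
SAMPLE_LOG = """\
[Sat Jun 15 10:11:31 2024] tcp      6 src=172.16.0.10 dst=192.0.2.20 sport=40112 dport=443 packets=5210 bytes=281340 src=192.0.2.20 dst=172.16.0.10 sport=443 dport=40112 packets=71950 bytes=104857600 [ASSURED]
[Sat Jun 15 10:11:32 2024] udp      17 src=172.16.0.1 dst=172.16.0.255 sport=57621 dport=57621 packets=1 bytes=72 [UNREPLIED] src=172.16.0.255 dst=172.16.0.1 sport=57621 dport=57621 packets=0 bytes=0
[Sat Jun 15 10:11:33 2024] icmp     1 src=172.16.0.10 dst=192.0.2.20 type=8 code=0 id=7
"""

FIELD = re.compile(r"\b(src|dst|dport|bytes)=(\S+)")
PROTO = re.compile(r"\]\s*(\w+)\s+\d+\s")


def parse_flow(line):
    """Return one per-session record, or None if byte counters are missing."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, []).append(value)
    counters = fields.get("bytes", [])
    # Expect exactly two numeric counters: original and reply direction.
    if len(counters) != 2 or not all(c.isdigit() for c in counters):
        return None  # accounting disabled or unexpected layout
    if "src" not in fields or "dst" not in fields:
        return None
    proto = PROTO.search(line)
    send_bytes, return_bytes = int(counters[0]), int(counters[1])
    return {
        "proto": proto.group(1) if proto else "?",
        "src": fields["src"][0],          # first src/dst = original direction
        "dst": fields["dst"][0],
        "dport": fields.get("dport", ["-"])[0],
        "send_bytes": send_bytes,
        "return_bytes": return_bytes,
        "total_bytes": send_bytes + return_bytes,
    }


def session_totals(text):
    """Parse every line; skip those without usable counters."""
    return [rec for rec in map(parse_flow, text.splitlines()) if rec]


if __name__ == "__main__":
    for r in session_totals(SAMPLE_LOG):
        print(f'{r["proto"]} {r["src"]} -> {r["dst"]}:{r["dport"]} '
              f'total={r["total_bytes"]} bytes')
```

Lines without two byte counters are skipped rather than counted as zero, so a host with accounting disabled produces no records instead of misleading totals.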
