mpltd
MP Log Traffic Daemon
    Documentation

    Install

    • download the latest version from this site.
    • edit mpltd.h to set your preferred defaults. The %s in PIDFILE and RRDDatabase is replaced with the inet interface name at runtime.
    • run make
    • run make install
    • create a configuration file (see the included mpltd.conf.example for a basic configuration).
    • create the rrdtool database (running mpltd -i:interface -r prints the default command for this).
    • edit and copy mpltd.rc so that mpltd starts at system startup (this depends on your installation; on Ubuntu I copy it to /etc/init.d under the name mpltd, then run "update-rc.d mpltd default").
    • start mpltd by running the modified mpltd.rc with the parameter "start" (on Ubuntu I run "/etc/init.d/mpltd start").
    • check your system log for messages.


    mpltd.conf

    The configuration file is the magic of this program: by modifying it you change the behaviour of the program. The configuration file declares what we want to count and how we count it.
    First of all we have to define some COUNTERs. A counter is a pair of integers holding the bytes received and the bytes sent for that counter.

    Example:
    COUNTER udp
    
    COUNTER mailIN
    COUNTER mailOUT
    
    COUNTER sshIN
    COUNTER sshOUT
    
    COUNTER serv
    
    COUNTER nav
    
    COUNTER vpn
    
    In this example we define 8 counters.

    Now we have to decide which packets are counted in which counter. We do this with port descriptions. The program distinguishes between UDP and TCP. For UDP all traffic is treated the same. For TCP we have to say whether the traffic is of type Server or Client. Server is when our address has the specified port. Client is when the other address (not ours) has the specified port.
    Definitions take the form: What counter parameters

    Let's see some examples:
    UDP:PORT        vpn 1124
    
    Here all UDP traffic on port 1124 (source or destination) is counted in the counter called vpn.

    TCP:PORT:CLI    mailOUT     smtp
    TCP:PORT:SRV    mailOUT     pop3    imap2
    TCP:PORT:CLI    mailIN      pop3    imap2   rtsp
    TCP:PORT:SRV    mailIN      smtp
    
    Here we count in mailOUT all traffic where we are the server on the pop3 and imap2 ports (someone is connecting to us to fetch mail). We also count as mailOUT what we send to the smtp port of others (we connect to smtp to send mail). The opposite is counted as mailIN. Someone could say that in and out are the traffic on the ports, but I think this is sharper.

    TCP:PORT:ALL    vpn     openvpn 3389 1723
    
    Here we count in vpn all traffic for openvpn (as in the services definition), port 3389 (rdp) and port 1723 (pptp).
    mpltd adds a default counter, called UnClassified, in which all data that does not fall into any other counter is collected.
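    As an added example (not mpltd's own code), a small Python model of how these rules assign packets to counters and accumulate the received/sent byte pair. It uses the rules above with a constructed stand-in for the services file, and assumes rules are matched in file order with the first hit winning.

```python
from collections import namedtuple
# Constructed stand-in for the services file the daemon consults for names like smtp.
SERVICES = {"smtp": 25, "pop3": 110, "imap2": 143, "rtsp": 554, "openvpn": 1194}
Packet = namedtuple("Packet", "proto src sport dst dport length")  # proto: "udp"/"tcp"
CONF = """\
COUNTER mailIN
COUNTER mailOUT
COUNTER vpn
UDP:PORT        vpn 1124
TCP:PORT:CLI    mailOUT     smtp
TCP:PORT:SRV    mailOUT     pop3    imap2
TCP:PORT:SRV    mailIN      smtp
TCP:PORT:ALL    vpn     openvpn 3389 1723
"""
def port_number(token):
    return int(token) if token.isdigit() else SERVICES[token]
def parse_conf(text):
    """Return (counters, rules); a rule is (proto, mode, counter, set of ports)."""
    counters, rules = ["UnClassified"], []      # the daemon adds UnClassified itself
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "COUNTER":
            counters.append(parts[1])
            continue
        fields = parts[0].split(":")            # UDP:PORT or TCP:PORT:CLI|SRV|ALL
        mode = fields[2] if len(fields) > 2 else "ALL"
        if parts[1] not in counters:
            raise ValueError("rule uses undeclared counter " + parts[1])
        rules.append((fields[0].lower(), mode, parts[1],
                      {port_number(p) for p in parts[2:]}))
    return counters, rules

def classify(pkt, rules, our_ip):
    """SRV: port on our address; CLI: port on the other address; ALL (and UDP:PORT): either."""
    our_port, their_port = (pkt.sport, pkt.dport) if pkt.src == our_ip else (pkt.dport, pkt.sport)
    for proto, mode, counter, ports in rules:   # file order; first hit wins (assumed)
        if proto != pkt.proto:
            continue
        seen = {"SRV": {our_port}, "CLI": {their_port}}.get(mode, {our_port, their_port})
        if seen & ports:
            return counter
    return "UnClassified"

def tally(packets, counters, rules, our_ip):
    totals = {c: [0, 0] for c in counters}      # [received, sent] bytes per counter
    for pkt in packets:
        totals[classify(pkt, rules, our_ip)][1 if pkt.src == our_ip else 0] += pkt.length
    return totals
```

    Note that both directions of one connection land in the same counter; the direction only decides whether the bytes go into the received or the sent half of the pair.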

    mpltd.rc

    This is a small script for starting and stopping the daemon. Modify it to reflect your installation before running it.
    The shipped example sniffs on two interfaces (eth1 and eth2).

    genGraph.sh

    This is a small shell script for generating graphs from the results of our logging.
    Last update 02/10/2006 11.08