nacctd - network accounting daemon
nacctd [-dD] [-c filename]
The network accounting daemon logs network traffic in a format suitable
for generating billing information or usage statistics. nacctd listens
on network interfaces and periodically writes information to a log
nacctd is configured by editing its configuration file,
-d This will let nacctd run in debug mode
-D This will make nacctd not to detach as a daemon, suitable for
running it from inittab.
-c configfile Specify the path of an alternative config file.
CONFIGURATION FILE OPTIONS
Flush every n seconds. This gives the interval in seconds when
the accumulated data is flushed to the output file. Typically
set to 300 (five minutes).
This defines after how many seconds of inactivity a certain
record of traffic information may be written out. This helps
making the log files smaller since only one output record will
be generated for related traffic. Typically set to 60 seconds.
Specifies the main output file for the daemon to log network
Specifies a file to dump data to that is not yet written to the
main output file. This is to prevent data loss should a crash
occur. On startup an existing file of this name will be moved
Don't log entries for this interface.
Specifies a network interface to put into promiscuous mode.
Log only packets on this interface. Mutually exclusive with
Specifies a netmask (in dotted quad format) for which traffic is
ignored. This allows traffic on the local LAN to be excluded.
ignorenet <network> <netmask>
Ignore traffic on this network. Ignoring a net with ignorenet is
not as efficient as ignoremask. Thus you should exclude your
local network with ignoremask in preference to ignorenet.
Specifies an ip number we are masquerading as. This re-maps
ip/port for incoming connections (e.g. FTP-data) to ip/port of
the masqueraded destination.
Sets the debugging level to <n>.
headers <interface-type> <data-start> <type-field>
Defines where the real data starts for each type of interface.
<interface-type> is one of eth, lo, plip, isdn etc. <data-
start> is the offset in bytes to the start of the real data.
<type-field> is the offset of the type field in bytes, or a 0 if
there is no type field. If SLIP or PPP devices are specified
here, association of dynamic ip addresses with usernames won't
work (see dynamicip below).
Specifies a directory to get username information from, where
users are logged into ppp or slip accounts and assigned dynamic
ip addresses. The directory should contain a file for each
logged in user, where the filename is their IP address, and the
file contains their username. Typically, these files will be
created by ip-up scripts.
dynamicnet <network> <netmask>
Specifies the network the slip/ppp dynamic ips are assigned
exclude-name-lookup <network> <netmask>
Specifies a (sub)net to exclude from dynamic ip name lookup.
Log only packets to/from this host. This may be specified
multiple times for multiple hosts. This option is mutually
exclusive with iflimit.
Don't include field <n> in the output format.
dontignore <network> <netmask>
Don't ignore hosts on the specified (sub)net that would
otherwise have been excluded by an ignorenet statement. This
can be a useful to account for proxy traffic by specifying the
proxy servers' subnet.
line <interface> <device>
Specifies fixed mapping of slip/ppp interface names to tty
devices. This is used to assign traffic to a user if nacctd
runs on the ppp/slip server and the relation between network
interface and serial line is fixed. This option is obsolete.
OUTPUT FILE FORMAT
The output file consists of lines with up to 10 fields, or less if the
configuration file disables one or more fields.
timestamp protocol src-addr src-port dst-addr dst-port count size user
Time in seconds past the epoch (standard UNIX time format)
count count of packets
size size of data
user associated user in case of a slip/ppp link, this will always be
"unknown" for other interfaces.
If the type is an ICMP message, field 4 is the ICMP message type and
field 6 is the ICMP message code.
Please note that for forwarded packets there will be one line for EACH
interface the packet passed. So if you are running this on your slip-
server you will get all the traffic over the slip interfaces TWICE,
once for the sl* devices and once for the eth* device. The same goes
for ppp and generally for all forwarded traffic. You can specify with
'notdev' entries which interfaces you don't want to see in the log.
Default location for the main output file
Default location for the dump of data not yet written to the
/usr/share/doc/net-acct/*, tcpdump(8), trafshow(1).
This manual page is incomplete, and possibly inaccurate.
Richard Clark <firstname.lastname@example.org>
This manual page was written by Alex King <email@example.com>, for the
Debian GNU/Linux system, using material from the original
16 Dec 2001 nacctd(8)