

       nacctd - network accounting daemon


       nacctd [-dD] [-c filename]


       The network accounting daemon logs network traffic in a format suitable
       for generating billing information or usage statistics.  nacctd listens
       on  network  interfaces  and  periodically  writes information to a log

       nacctd   is   configured   by   editing   its    configuration    file,


       -d     This will let nacctd run in debug mode

       -D     This makes nacctd not detach as a daemon, which is suitable for
              running it from inittab.

       -c configfile
              Specify the path of an alternative config file.


       flush <n>
              Flush every n seconds. This gives the interval in  seconds  when
              the  accumulated  data  is flushed to the output file. Typically
              set to 300 (five minutes).

       fdelay <n>
              This defines after how many  seconds  of  inactivity  a  certain
              record  of  traffic  information  may be written out. This helps
              make the log files smaller since only one output record will
              be generated for related traffic.  Typically set to 60 seconds.

       file <f>
              Specifies  the  main  output  file for the daemon to log network
              traffic to.

       dumpfile <f>
              Specifies a file to dump data to that is not yet written to  the
              main  output  file.  This is to prevent data loss should a crash
              occur.  On startup an existing file of this name will  be  moved
              to <f>.o

       notdev <interface>
              Don't log entries for this interface.

       device <interface>
              Specifies a network interface to put into promiscuous mode.

       iflimit <interface>
              Log  only  packets  on  this interface.  Mutually exclusive with

       ignoremask <netmask>
              Specifies a netmask (in dotted quad format) for which traffic is
              ignored.  This allows traffic on the local LAN to be excluded.

       ignorenet <network> <netmask>
              Ignore traffic on this network. Ignoring a net with ignorenet is
              not as efficient as ignoremask. Thus  you  should  exclude  your
              local network with ignoremask in preference to ignorenet.

       masqif <ipaddr>
              Specifies  an  ip  number  we are masquerading as.  This re-maps
              ip/port for incoming connections (e.g. FTP-data) to  ip/port  of
              the masqueraded destination.

       debug <n>
              Sets the debugging level to <n>.

       headers <interface-type> <data-start> <type-field>
              Defines  where  the real data starts for each type of interface.
              <interface-type> is one of eth,  lo,  plip,  isdn  etc.   <data-
              start>  is  the  offset  in bytes to the start of the real data.
              <type-field> is the offset of the type field in bytes, or a 0 if
              there  is  no  type field.  If SLIP or PPP devices are specified
              here, association of dynamic ip addresses with  usernames  won't
              work (see dynamicip below).

       dynamicip <dir>
              Specifies  a  directory  to get username information from, where
              users are logged into ppp or slip accounts and assigned  dynamic
              ip  addresses.   The  directory  should  contain a file for each
              logged in user, where the filename is their IP address, and  the
              file  contains  their  username.  Typically, these files will be
              created by ip-up scripts.

       dynamicnet <network> <netmask>
              Specifies the network the  slip/ppp  dynamic  ips  are  assigned

       exclude-name-lookup <network> <netmask>
              Specifies a (sub)net to exclude from dynamic ip name lookup.

       hostlimit <ipaddr>
              Log  only  packets  to/from  this  host.   This may be specified
              multiple times for multiple  hosts.   This  option  is  mutually
              exclusive with iflimit.

       disable <n>
              Don't include field <n> in the output format.

       dontignore <network> <netmask>
              Don't   ignore  hosts  on  the  specified  (sub)net  that  would
              otherwise have been excluded by an  ignorenet  statement.   This
              can  be  useful  to account for proxy traffic by specifying the
              proxy servers' subnet.

       line  <interface> <device>
              Specifies fixed mapping  of  slip/ppp  interface  names  to  tty
              devices.   This  is  used  to assign traffic to a user if nacctd
              runs on the ppp/slip server and  the  relation  between  network
              interface and serial line is fixed.  This option is obsolete.


       The  output file consists of lines with up to 10 fields, or fewer if the
       configuration file disables one or more fields.

       timestamp protocol src-addr src-port dst-addr dst-port count size  user

       timestamp
              Time in seconds past the epoch (standard UNIX time format)

       protocol
              IP protocol

       count  count of packets

       size   size of data

       user   associated user in case of a slip/ppp link; this will always  be
              "unknown" for other interfaces.

       If the type is an ICMP message, field 4 is the ICMP  message  type  and
       field 6 is the ICMP message code.

       Please  note that for forwarded packets there will be one line for EACH
       interface the packet passed. So if you are running this on  your  slip-
       server  you  will  get  all the traffic over the slip interfaces TWICE,
       once for the sl* devices and once for the eth* device.  The  same  goes
       for  ppp and generally for all forwarded traffic.  You can specify with
       'notdev' entries which interfaces you don't want to see in the log.
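
       An added example, not part of the original manual page or of the
       net-acct sources: a parser for the output format described above that
       applies the ICMP field rule and totals the size field per source
       address. It assumes the nine fields appear in the order listed with no
       "disable" directives in effect and that the protocol is logged as a
       number; the log lines are constructed samples.

```python
from collections import defaultdict

# Field order as listed in the man page, assuming no "disable <n>" directives.
FIELDS = ("timestamp", "protocol", "src_addr", "src_port",
          "dst_addr", "dst_port", "count", "size", "user")
ICMP = 1  # IANA protocol number; assumes nacctd logs the protocol numerically


def parse_line(line):
    """Return a record dict, or None for a blank or malformed line."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in ("timestamp", "protocol", "src_port", "dst_port", "count", "size"):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    if rec["protocol"] == ICMP:
        # Field 4 carries the ICMP type and field 6 the ICMP code, not ports.
        rec["icmp_type"] = rec.pop("src_port")
        rec["icmp_code"] = rec.pop("dst_port")
    return rec


def bytes_by_source(lines):
    """Sum the size field per source address; also count rejected lines."""
    totals, rejected = defaultdict(int), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1
            continue
        totals[rec["src_addr"]] += rec["size"]
    return dict(totals), rejected


# Constructed sample log lines (not real traffic); the last one is truncated.
SAMPLE = """\
1008460800 6 192.0.2.10 1025 198.51.100.7 80 12 4096 unknown
1008460800 17 192.0.2.10 1030 198.51.100.53 53 2 120 alice
1008460860 1 192.0.2.20 8 198.51.100.7 0 4 336 unknown
1008460860 6 192.0.2.20 truncated
""".splitlines()

if __name__ == "__main__":
    print(bytes_by_source(SAMPLE))
```

       Counting rejected lines separately keeps a truncated record, such as
       one left by a crash mid-write, from silently skewing the totals.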


              Configuration file

              Default location for the main output file

              Default location for the dump of data not  yet  written  to  the
              main file.


       /usr/share/doc/net-acct/*, tcpdump(8), trafshow(1).


       This manual page is incomplete, and possibly inaccurate.


       Ulrich Callmeier

       Richard Clark

       This  manual  page was written by Alex King, for the
       Debian   GNU/Linux   system,   using   material   from   the   original

                                  16 Dec 2001                        nacctd(8)
