Hi, sorry for my English. I'm studying it better, I promise
I'm using OpenWRT on a small router configured as a switch. I find it fantastic.
I have been studying statistics for a few years and I would like to explore different networking topics.
I would like to log all the IP addresses that pass through my device and then collect them on an external server (rsyslog I already know).
I was advised to set different rules on iptables by calibrating the "log level" to receive only the information I need (only ip) but I'm still not satisfied.
Iptables seems to me to save a lot of information that is useless to me and I would not like this to impact the performance of the device. (650 Mhz single core processor and 128 Mb RAM, 16Mb rom)
How can I only register ip addresses without weighing on device performance?
Are there any "tips and tricks"?
There are three places I can easily think of getting information about the packets:
From the iptables rules as log statements
From the established connections using conntrack (this will not give packet counts, just that a connection exists)
From the packets themselves using tcpdump or the like
If you're using it as a switch, this may be challenging or impossible, as the packets generally won't go through the CPU, so they aren't "visible". Generally only those packets being routed through and those to/from the router itself will be seen by the CPU.
You may be able to use a "mirror port" on the switch and another port to monitor ("snoop") them with the CPU.
You may have problems with the CPU power monitoring more than somewhere around 100 mbps.
Also look at netflow and softflowd. Softflowd runs on the router and sends out records in netflow format to your server which can store and analyze them. The data consists mostly of IP address and port on each side, and the number of bytes transferred. Softflowd is not very hard on router resources since it handles data in summary form and immediately dispatches it to the external server.
I expressed myself badly, I created a bridge between two ethernet interfaces.
Conntrack is what is used for the "real time graph"?
Because on Luci it seems to me that the traffic values โโexpressed in packets and bandswitches are also displayed.
The network card is 100 mbps, and is connected directly to the gateway. Internet speed rarely exceeds 30 mbps up/down. Perfect!
It seems just what is right for me. In case you sent everything to an external server. Next week I will try it. Unlike conntrack it seems to me already set up to send data to an external server. Excellent, I hope it works directly on RAM without using a buffer on disk, I will barely have 5-6 Mb free.
