Provided by: net-acct_0.71-9.1_amd64 bug

NAME

       nacctd - network accounting daemon

SYNOPSIS

       nacctd [-dD] [-c filename]

DESCRIPTION

       The  network  accounting  daemon  logs network traffic in a format suitable for generating
       billing information or  usage  statistics.   nacctd  listens  on  network  interfaces  and
       periodically writes information to a log file.

       nacctd is configured by editing its configuration file, /etc/nacctd.conf.

OPTIONS

       -d     This will let nacctd run in debug mode

       -D     This  will  make  nacctd  not  to  detach as a daemon, suitable for running it from
              inittab.

       -c     configfile Specify the path of an alternative config file.

CONFIGURATION FILE OPTIONS

       flush <n>
              Flush every n seconds. This gives the interval in seconds when the accumulated data
              is flushed to the output file. Typically set to 300 (five minutes).

       fdelay <n>
              This  defines  after  how  many  seconds  of inactivity a certain record of traffic
              information may be written out. This helps making the log files smaller since  only
              one  output  record  will  be  generated  for related traffic.  Typically set to 60
              seconds.

       file <f>
              Specifies the main output file for the daemon to log network traffic to.

       dumpfile <f>
              Specifies a file to dump data to that is not yet written to the main  output  file.
              This  is to prevent data loss should a crash occur.  On startup an existing file of
              this name will be moved to <f>.o

       notdev <interface>
              Don't log entries for this interface.

       device <interface>
              Specifies a network interface to put into promiscuous mode.

       iflimit <interface>
              Log only packets on this interface.  Mutually exclusive with hostlimit.

       ignoremask <netmask>
              Specifies a netmask (in dotted quad format) for which  traffic  is  ignored.   This
              allows traffic on the local LAN to be excluded.

       ignorenet <network> <netmask>
              Ignore  traffic  on this network. Ignoring a net with ignorenet is not as efficient
              as ignoremask. Thus you should  exclude  your  local  network  with  ignoremask  in
              preference to ignorenet.

       masqif <ipaddr>
              Specifies  an  ip number we are masquerading as.  This re-maps ip/port for incoming
              connections (e.g. FTP-data) to ip/port of the masqueraded destination.

       debug <n>
              Sets the debugging level to <n>.

       headers <interface-type> <data-start> <type-field>
              Defines where the real data starts for each type of interface.  <interface-type> is
              one  of  eth, lo, plip, isdn etc.  <data-start> is the offset in bytes to the start
              of the real data.  <type-field> is the offset of the type field in bytes, or a 0 if
              there  is no type field.  If SLIP or PPP devices are specified here, association of
              dynamic ip addresses with usernames won't work (see dynamicip below).

       dynamicip <dir>
              Specifies a directory to get username information from, where users are logged into
              ppp  or  slip  accounts  and  assigned  dynamic ip addresses.  The directory should
              contain a file for each logged in user, where the filename is their IP address, and
              the  file contains their username.  Typically, these files will be created by ip-up
              scripts.

       dynamicnet <network> <netmask>
              Specifies the network the slip/ppp dynamic ips are assigned from.

       exclude-name-lookup <network> <netmask>
              Specifies a (sub)net to exclude from dynamic ip name lookup.

       hostlimit <ipaddr>
              Log only packets to/from this host.  This  may  be  specified  multiple  times  for
              multiple hosts.  This option is mutually exclusive with iflimit.

       disable <n>
              Don't include field <n> in the output format.

       dontignore <network> <netmask>
              Don't  ignore  hosts  on  the  specified  (sub)net  that  would otherwise have been
              excluded by an ignorenet statement.  This can be a  useful  to  account  for  proxy
              traffic by specifying the proxy servers' subnet.

       line  <interface> <device>
              Specifies  fixed  mapping of slip/ppp interface names to tty devices.  This is used
              to assign traffic to a user if nacctd runs on the ppp/slip server and the  relation
              between network interface and serial line is fixed.  This option is obsolete.

OUTPUT FILE FORMAT

       The  output file consists of lines with up to 10 fields, or less if the configuration file
       disables one or more fields.

       timestamp protocol src-addr src-port dst-addr dst-port count size user interface

       timestamp
              Time in seconds past the epoch (standard UNIX time format)

       protocol
              IP protocol

       count  count of packets

       size   size of data

       user   associated user in case of a slip/ppp link, this will always be "unknown" for other
              interfaces.

       If  the  type is an ICMP message, field 4 is the ICMP message type and field 6 is the ICMP
       message code.

       Please note that for forwarded packets there will be  one  line  for  EACH  interface  the
       packet passed. So if you are running this on your slip-server you will get all the traffic
       over the slip interfaces TWICE, once for the sl* devices and once for the eth* device. The
       same  goes for ppp and generally for all forwarded traffic.  You can specify with 'notdev'
       entries which interfaces you don't want to see in the log.

FILES

       /etc/nacctd.conf
              Configuration file

       /var/log/net-acct
              Default location for the main output file

       /var/log/net-acct-dump
              Default location for the dump of data not yet written to the main file.

SEE ALSO

       /usr/share/doc/net-acct/*, tcpdump(8), trafshow(1).

CAVEATS

       This manual page is incomplete, and possibly inaccurate.

AUTHORS

       Ulrich Callmeier

       Richard Clark <rclark@ethos.co.nz>

       This manual page was written by Alex King <alex@king.net.nz>,  for  the  Debian  GNU/Linux
       system, using material from the original documentation.

                                           16 Dec 2001                                  nacctd(8)