Racount question

[Geoff Powell]

Hello everyone,

I'm trying to use the racount Argus utility to get traffic usage for data
passing through a Linux gateway to the Internet to/from a LAN. I have 
argus data files for the Internal eth interface (in my example internal.out)
and also the External eth interface (external.out)

If my internal network is 192.168.135.0/24, the gateway's ip address is 
192.168.135.5 and the external Internet ip address of the gateway is 
198.198.198.198:

# racount -r external.out - net 198.198.198.198/32
racount    records       total_pkts         src_pkts         dst_pkts      
total_bytes        src_bytes        dst_bytes
    sum       5348           466191            88328           377863         
72556371         28750397         43805974

# racount -r external.out - net 192.168.135.0/24
racount    records       total_pkts         src_pkts         dst_pkts      
total_bytes        src_bytes        dst_bytes
    sum       1819           499867           499867                0         
32676555         32676555                0

# racount -r external.out
racount    records       total_pkts         src_pkts         dst_pkts      
total_bytes        src_bytes        dst_bytes
    sum       7490           966484           588195           378289        
105257690         61426952         43830738

I was expecting the filter on 198.198.198.198 to return all data because 
that is the ip address of the interface. However I have learnt that if 
someone accesses a computer on the LAN through a port forwarding rule or
NAT, the above commands would not account for the data as the dst or src
ip is not 198.198.198.198 but probably 192.168.135.x.

I know that if I use no filters with racount, I can get the total srcbytes
and dstbytes for the external or internal interface, but I can not 
tell if it is outgoing or incoming - I would use src net and dst net
filters

Any suggestions or comments?

Thanks in advance

Regards,
Geoff (geoff at lanrex.net.au)