bpfmon is a simple tool to monitor IP network traffic on a local network
segment and measure consumed bandwidth (in or out).  Sample data is
dumped to data/{timestamp} every 300 seconds (5 minutes) to be
post-processed by postprocess.pl.  The post-processing script reviews
all samples, and generates a CSV file sorted by host and sampling
period, which can be read in by most spreadsheet software, graphing
software, etc.

bpfmon is, for better or for worse, pretty hard-coded:

You'll need to change several settings in the source and Makefile in
order to use it.  First, change the network interface listed in the
Makefile to reflect your needs.  It defaults to fxp0 because, of course,
that's what I use.

You'll also need to change the definition of "local" in bpfmon.c,
which is defined in the function named local().  The goal of this
program was to measure non-local traffic, for which hosts on the
network will be billed.  Traffic is discounted for sampling purposes
if it has both local source and destination IP addresses.  Otherwise,
it is assigned to a sampling bucket based on whichever IP address in
the header is local.  The result, on a non-switched network, is
a sampling, by local IP address, of non-local traffic incoming to
or outgoing from that IP address.  You might want to change the
subnet tests into a simple equality test if you are monitoring only
one host.
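
The accounting rule described above, as an added example (not the code
in bpfmon.c).  The 192.0.2.0/24 subnet, the names is_local(), account()
and bucket_bytes, and the choice to ignore packets with no local
address are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed local subnet for this example: 192.0.2.0/24 (host byte order). */
#define LOCAL_NET  0xC0000200u
#define LOCAL_MASK 0xFFFFFF00u
#define NBUCKETS   256

/* One byte counter per local host, indexed by the host part of its address. */
static uint64_t bucket_bytes[NBUCKETS];

/* Subnet test.  To monitor a single host, use (addr == HOST_ADDR) instead. */
static int is_local(uint32_t addr)
{
    return (addr & LOCAL_MASK) == LOCAL_NET;
}

/*
 * Account one IPv4 packet.  src and dst are in host byte order; ip_len is
 * the IP total length field, so link layer framing is not included.
 * Returns the bucket charged, or -1 if the packet is not counted.
 */
static int account(uint32_t src, uint32_t dst, uint16_t ip_len)
{
    int s = is_local(src), d = is_local(dst);
    int idx;

    if (s && d)
        return -1;              /* local to local: discounted */
    if (!s && !d)
        return -1;              /* no local address: ignored (assumption) */
    idx = (int)((s ? src : dst) & ~LOCAL_MASK);
    bucket_bytes[idx] += ip_len;
    return idx;
}

int main(void)
{
    /* Constructed sample packets: 192.0.2.10 talking to 8.8.8.8 and a neighbour. */
    account(0xC000020Au, 0x08080808u, 1500);    /* outgoing, counted */
    account(0x08080808u, 0xC000020Au, 40);      /* incoming, counted */
    account(0xC000020Au, 0xC000020Bu, 9000);    /* local to local, skipped */
    printf("192.0.2.10: %llu bytes\n", (unsigned long long)bucket_bytes[10]);
    return 0;
}
```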

There are many easy improvements that could be made to this program
by a sufficiently motivated consumer: command line arguments instead
of compile-time defines would be the big one.

Notes for the unwary:

You want to run this program all the time, as it won't monitor traffic
when it's not running.  This means it needs to be started immediately
at boot.  Also, it can't monitor traffic it cannot see, so if you
run it on a switched network, you will see only what the switch sends
to your local segment.  IPv6 and non-IP traffic are not monitored.  No
attempt is made to handle an overflow of the BPF buffer.  You'll need
to run one instance per interface if you want to monitor on more
than one interface.  Only the IP packet length is accounted for; no
attempt is made to account for any link layer framing.

Despite all this, I hope it works well for you; if you do something cool
with this software, let me know.

Robert Watson
rwatson@FreeBSD.org
