Following up on my problems with traffic accounting tools, I started writing my own.
The name? Useful Traffic Accounting Dragon. U.T.A. Dragon for short. Why Dragon? Because a dragon is easily superior to a troll.
It uses /proc/net/tcp, tcp6, udp and udp6 to get current network connections, the /proc directories for processes to get the information on which process causes what network connection and iptables for packet counting. And best of all: It does not wipe your iptables rules when being started!
U.T.A. Dragon is written in perl and runs as a daemon. I decided on perl since this is the best suited language I know for parsing stuff like the output of iptables commands and the /proc filesystems entries. Regular expressions are just too cool :)
At startup and then every full minute Dragon first scans the iptables rules in effect and adds the information it finds to a MySQL database. After that the /etc/passwd file is rescanned to get changes in user accounts. Yes, Dragon counts packets by users. That means that the kernel and iptables need the owner-socketlookup patch from the patch-o-matic included in iptables. When this is done, the /proc process directories are rescanned, followed by the tcp, tcp6, udp and ud6 files.
All the new information is checked against the old and iptables rules are added and deleted accordingly.
Lather, rinse, repeat ad infinitum.
The frontend that will display the collected data in a human-readable way is a web application written in PHP. Incidentally, it's the only part left to write before I will make a 0.1 version release.