There will be times when any network troubleshooter will need to know if an IP address is passing traffic through a router to a specific destination.  Normally on a Unix machine, such as a firewall, the tool most would choose is tcpdump.  IP accounting doesn’t quite provide this much functionality, but it certainly provides a summary of traffic passing through a router.

interface xxxxxxX/X
ip accounting

The router will only record packets that goes through the router.  Any connections initiated from the router or terminates to the router are not counted.  To view the accounting table:

Router#show ip accounting
 192.168.194.20   192.168.39.19                22549             1894116
 192.168.39.19    192.168.194.20               22617             1899828
 192.168.99.34    192.168.194.20                4825              321528
 192.168.194.20   192.168.99.34                20823             1488977
 192.168.32.32    192.168.196.7               117118            15584552
 192.168.196.7    192.168.32.32               696129            41071611
 192.168.50.106   192.168.196.7               232694            30100216
 192.168.196.7    192.168.50.106              234880            13857920
 192.168.194.75   192.168.99.34                14023             1486289
 192.168.99.34    192.168.194.72                3848              238759
 192.168.194.72   192.168.99.34                18431             1709778

The first column is the source IP address, second is the destination, third is the number of packets, and fourth is the total number of bytes.  The source and destination is from the perspective of the interface configured for IP accounting.  The traffic would be recorded as what is leaving that particular interface.

Let’s say ip accounting was configured on the Serial interface of a router.  Look at the accounting output above, the first line indicates 192.168.194.20 as the source and 192.168.39.19 as the destination.  The host configured as 192.168.194.20 would be behind this router and 192.168.39.19 would be the host reachable via the serial interface that IP accounting is configured on.

You also will notice that every two lines contain the same IP addresses, they are just flipped in the source and destination fields.  This represents two way traffic between the hosts.  If you were troubleshooting a problem and only saw the counters incrementing on one line and not the other, that could indicate the traffic is being successfully to the destination, but is never receiving the response.