iptables on Linux counts bytes that pass through it, even if there are no iptables rules:
$ iptables -L -v -x Chain INPUT (policy ACCEPT 6079694 packets, 2474020715 bytes) [...]
That counts ipv4 packets. The ipv6 equivalent is ip6tables.
So without needing to add any iptables rules at all, I can feed this output to mrtg with a script as follows, which outputs IPv4 traffic (for all three categories) as the first (input) variable, and IPv6 as the second(output) variable.
#!/bin/bash A=0 IP4=$(/sbin/iptables -L -x -v | grep -e ^Chain | sed 's/.* \([0-9]*\) bytes)$/\1/' | ( while read n ; do A=$(( $A + $n )) ; done ; echo $A)) A=0 IP6=$(/sbin/ip6tables -L -x -v | grep -e ^Chain | sed 's/.* \([0-9]*\) bytes)$/\1/' | ( while read n ; do A=$(( $A + $n )) ; done ; echo $A)) echo $IP4 echo $IP6 echo 0 echo unknown
On one host, there really is hardly any ipv6 traffic (2 bytes/sec!) so I turned on the log scale plot option in MRTG to show the ipv6 a bit more (though to be honest its still pretty invisible).
Here's the config I used in MRTG to call the above script:
Target[ip46]: `/home/benc/bin/iptables-to-mrtg` Target[ip46]: `curl http://dildano.hawaga.org.uk/mrtg-iptables.txt` options[ip46]: growright,logscale MaxBytes[ip46]: 1000000000000 Title[ip46]: IPv4 vs IPv6 YLegend[ip46]: bytes/sec LegendI[ip46]: IPv4 LegendO[ip46]: IPv6
and here's an example graph (live, click for historical data):
I'm summing the all three iptables chains: input, output, and forwarded, for all interfaces. So some traffic here can be counted unexpectedly: A forwarded packet traverses all three chains (I think) so this is not a good way to count traffic if your linux box is a router; The lo interface will also be counted, so traffic to localhost (127.0.0.1 or ::1) will be counted in this graph. This might be useful to remove.
When there's a tunnel endpoint on the machine, then traffic to that tunnel will be counted twice: one as it passes the tunnel interface, and once as the encapsulated form passes the physical ethernet interface.
These are not insurmountable, I think: by setting specific iptables rules that address these concerns and counting traffic from those instead of the main chain counters.