As far as I can tell, there's no Linux tool that can report how much bandwidth a user has used. If you run a co-located machine and pay for bandwidth usage, you really want to know which users have been shipping files around. Granted, most daemons can log network usage (bytes xfer'd), but most clients do not.

To allow an admin to log network usage, it seemed necessary to patch the kernel to log whenever a user reads from or writes to the network. Basically, sys_read() and sys_write() just need to have a hook to printk() the uid, direction, and bytecount on the reads/writes if the file descriptor is an AF_INET socket. And that's what this patch does.

Once the patched kernel is running, use syslog-ng to send kernel log lines matching "USER PACKET LOG" to a script that just stores the passed uid and bytecount information for bandwidth charges at the end of the billing cycle.
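
A sketch of the accounting script described above, as an added example rather than the script used with this patch. The line layout (`uid=`, `dir=`, `bytes=` fields after the "USER PACKET LOG" marker) is an assumption, since the patch's exact printk format is not shown here; the script reads lines on stdin, as it would when run from a syslog-ng `program()` destination.

```python
import re
import sys
from collections import defaultdict

# Assumed record layout (hypothetical; adjust to the patch's real printk format):
#   USER PACKET LOG: uid=1000 dir=out bytes=1460
LINE_RE = re.compile(
    r"USER PACKET LOG:\s+uid=(?P<uid>\d+)\s+dir=(?P<dir>in|out)"
    r"\s+bytes=(?P<bytes>\d+)\s*$"
)

def parse_line(line):
    """Return (uid, direction, nbytes), or None for anything not well formed."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return int(m["uid"]), m["dir"], int(m["bytes"])

def account(lines):
    """Sum bytes per uid and direction; count the lines that were rejected."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # never bill from a line that failed strict parsing
            continue
        uid, direction, nbytes = rec
        totals[uid][direction] += nbytes
    return dict(totals), skipped

# Constructed sample lines, not output captured from the patched kernel.
SAMPLE = [
    "<6>[ 1042.118] USER PACKET LOG: uid=1000 dir=out bytes=1460\n",
    "<6>[ 1042.119] USER PACKET LOG: uid=1000 dir=in bytes=512\n",
    "<6>[ 1042.300] USER PACKET LOG: uid=33 dir=out bytes=20480\n",
    "<6>[ 1042.301] USER PACKET LOG: uid=1000 dir=out bytes=540\n",
    "<6>[ 1042.400] USER PACKET LOG: uid=33 dir=out bytes=-1\n",  # malformed
    "<6>[ 1042.500] eth0: link up\n",                             # unrelated
]

if __name__ == "__main__":
    # Fall back to the sample when run by hand with no piped input.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    totals, skipped = account(source)
    for uid in sorted(totals):
        print(f"uid={uid} in={totals[uid]['in']} out={totals[uid]['out']}")
    print(f"skipped={skipped}", file=sys.stderr)
```

The skipped count is worth keeping alongside the totals: a sudden rise means the log format changed or lines are being truncated, and the billing figures are then undercounting.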

Do you plan to contribute this back to the kernel hackers? I realize it would probably need more polish, but it seems like something others would like. I know I'd like something like this in a kernel module.
Maybe. It covers most traffic, but not all. I'll try to capture all and then see if anyone will sponsor the patch.
I just expanded the patch to include sys_socketcall() and print the calling program's name; all that's left (I think) is raw socket handling, which is only root-accessible.