[mrtg] Re: Plot computers online/each computers traffic

Richard Johnson rdump at river.com
Sat Sep 18 21:42:34 MEST 1999


At 23:53 -0600 on 9/17/99, paul.rosberg at esrange.ssc.se wrote:
> I want to use mrtg on my network to plot the number of computers that are
> using the network at the moment.
> I also would like to be able to see how much traffic each computer on the
> network is using.
> I know this can be done by installing snmp on each computer, but since most
> ppl are using win95/98 I would rather just use the router (a linux router)
> to get this traffic information. I am pretty new to MRTG and would
> appreciate some help to accomplish these two things.


I've set up something similar to what you seem to need (accounting of router
transit/WAN link usage on a per-machine or per-subnet basis), but SNMP wasn't
the answer I found.

I used OpenBSD for the router (I like secure platforms for critical functions
:-), and employed the built-in IP filter for the traffic stats (IPfilter is
available at <http://cheops.anu.edu.au/~avalon/ip-filter.html>, with a HOWTO
at <http://www.swcp.com/~synk/ipf-howto.txt>).

You may be able to install IPfilter on your Linux box (it's been tested with
2.0 kernels, but perhaps not 2.2 yet).  Or you may be able to translate the
ipf stuff to another more common Linux kernel packet filter with
accounting (but I don't know which of ipfw, ipfwadm, or ipchains will do the
accounting in a useful form).

My /etc/ipf.rules file had lines like the following:

| # audit web server traffic
| count in on fxp0 from any to 192.168.23.1/32
| count out on fxp0 from 192.168.23.1/32 to any
| # audit engineering workstation network
| count in on fxp0 from any to 192.168.24.0/24
| count out on fxp0 from 192.168.24.0/24 to any
| # audit engineering project lead workstation
| count in on fxp0 from any to 192.168.24.104/32
| count out on fxp0 from 192.168.24.104/32 to any
| ...
| # audit marketing workstation network
| count in on fxp0 from any to 192.168.120.0/24
| count out on ...

The output of '/sbin/ipfstat -ahio' will give us something like:

| {packets} {bytes} {corresponding rule}
| 1388166 68991567 count in on fxp0 from any to 192.168.23.1/32
| 1807312 938387367 count out on fxp0 from 192.168.23.1/32 to any
| 651605 188087239 count in on fxp0 from any to 192.168.24.0/24
| 533663 83957718 count out on fxp0 from 192.168.24.0/24 to any
| 53 3770 count in on fxp0 from any to 192.168.24.104/32
| 48 4828 count out on fxp0 from 192.168.24.104/32 to any
| ...
| 8752748 2244136610 count in on fxp0 from any to 192.168.120.0/24
| ...

I then set up targets for mrtg like this:

| Target[engnetbytes]: `/usr/local/bin/ipfacct2mrtg 192.168.24.0/24 bytes`
| Target[engnetpackets]: `/usr/local/bin/ipfacct2mrtg 192.168.24.0/24 packets`

ipfacct2mrtg is just a Perl script that does something like:

| #!/usr/bin/perl -w
| # Usage: ipfacct2mrtg <network/prefix> <bytes|packets>
| $net = shift @ARGV;
| $ctype = shift @ARGV;
| $incoming = $outgoing = 0;
| open FOO, "/sbin/ipfstat -ahio |" or die "cannot run ipfstat: $!";
| while (<FOO>) {
|     # \Q...\E matches the network literally ('.' is not a wildcard here)
|     if ( m/\Q$net\E/ ) {
|         if ( m/count in/ ) {
|             # each line is: packets, bytes, then the rule text
|             ( $packets, $bytes, @rest ) = split;
|             if ( $ctype eq 'bytes' ) { $incoming += $bytes; }
|             if ( $ctype eq 'packets' ) { $incoming += $packets; }
|         }
|         if ( m/count out/ ) {
|             ( $packets, $bytes, @rest ) = split;
|             if ( $ctype eq 'bytes' ) { $outgoing += $bytes; }
|             if ( $ctype eq 'packets' ) { $outgoing += $packets; }
|         }
|     }
| }
| close FOO;
| # mrtg expects four lines: in, out, uptime, target name
| print $incoming, "\n";
| print $outgoing, "\n";
| print "NA\n";
| print "NA\n";

(Warning: before using any of that in a production environment, add error
checking and other such fine stuff. :-)

Switching to rrdtool would probably allow you to combine packet and byte
counts on a single set of graphs, show different workstations all on one
graph, and so forth.


Richard

PS - The above technique also works wonderfully for tracking traffic to and
from IP-based virtual web servers on the box running IPfilter, so web
co-locate customers can see a pretty picture of how popular (or unpopular :-)
their virtual host is at different times of the day.  This way, the picture
includes all traffic, not just what can be gleaned after the fact from web,
smtp, ftp, ping flood, and other logs.


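An added example, not part of the original message: a Python version of the counter parser that goes beyond the script above by matching the network as an exact parsed address field (so a target of 10.0.0.1/32 does not also pick up a rule for 110.0.0.1/32), keying inbound rules on the destination and outbound rules on the source, and skipping malformed lines. The names `parse_counters`, `SAMPLE` and `ipfacct2mrtg.py` are hypothetical, and the `ipfstat -ahio` line format is assumed to be the one shown in the message.

```python
#!/usr/bin/env python3
"""Sum IPFilter accounting counters for one network; print MRTG's four lines."""
import ipaddress
import subprocess
import sys

IPFSTAT = ["/sbin/ipfstat", "-ahio"]  # command from the message above
# Sample lines: the first four are from the message, the last is constructed.
SAMPLE = """\
651605 188087239 count in on fxp0 from any to 192.168.24.0/24
533663 83957718 count out on fxp0 from 192.168.24.0/24 to any
53 3770 count in on fxp0 from any to 192.168.24.104/32
48 4828 count out on fxp0 from 192.168.24.104/32 to any
7 700 count in on fxp0 from any to 110.0.0.1/32
""".splitlines()


def parse_counters(lines, net, ctype):
    """Return (incoming, outgoing) for rules that name `net` exactly."""
    want = ipaddress.ip_network(net, strict=False)
    col = {"packets": 0, "bytes": 1}[ctype]
    totals = {"in": 0, "out": 0}
    for line in lines:
        f = line.split()
        # Shape: <packets> <bytes> count in|out on <if> from <src> to <dst>
        if len(f) < 10 or f[2] != "count" or f[3] not in totals:
            continue
        if not (f[0].isdecimal() and f[1].isdecimal()):
            continue
        try:
            src, dst = f[f.index("from") + 1], f[f.index("to") + 1]
            # Inbound rules are keyed on the destination, outbound on the source.
            field = ipaddress.ip_network(dst if f[3] == "in" else src, strict=False)
        except (ValueError, IndexError):  # missing keyword, "any", garbage
            continue
        if field == want:
            totals[f[3]] += int(f[col])
    return totals["in"], totals["out"]


def main(argv):
    if len(argv) != 3 or argv[2] not in ("bytes", "packets"):
        sys.exit("usage: ipfacct2mrtg.py <network/prefix> bytes|packets")
    out = subprocess.run(IPFSTAT, capture_output=True, text=True, check=True, timeout=10)
    incoming, outgoing = parse_counters(out.stdout.splitlines(), argv[1], argv[2])
    print(incoming, outgoing, "NA", "NA", sep="\n")


if __name__ == "__main__":
    main(sys.argv)
```
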
