* [LARTC] Trafic monitor
@ 2004-06-16  7:51 Ionut Gogu
  2004-06-16 11:06 ` Thilo Schulz
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: Ionut Gogu @ 2004-06-16  7:51 UTC (permalink / raw)
  To: lartc


Hello!

I use Slackware Linux on a box for routing and SNAT for a small network:
|eth0: 80.97.108.1|
           |
           |
|eth1: 192.168.1.1| ..........|  my network (192.168.1.0/24)|



I am searching for a tool to show me in real time the traffic made by all/one IP on the interface eth1, something simple; EX:
192.168.1.10 ........... x kbit/s
192.168.1.11 ........... y kbit/s
192.168.1.12 ........... z kbit/s
192.168.1.13 ........... x kbit/s
192.168.1.14 ........... x kbit/s
192.168.1.15 ........... x kbit/s
192.168.1.16 ........... x kbit/s
192.168.1.17 ........... x kbit/s
192.168.1.18 ........... x kbit/s
192.168.1.19 ........... x kbit/s
     
...any idea  ..Thanks!!


* Re: [LARTC] Trafic monitor
  2004-06-16  7:51 [LARTC] Trafic monitor Ionut Gogu
@ 2004-06-16 11:06 ` Thilo Schulz
  2004-06-17  7:59 ` Morten Nilsen
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Thilo Schulz @ 2004-06-16 11:06 UTC (permalink / raw)
  To: lartc

On Wednesday 16 June 2004 09:51, Ionut Gogu wrote:
> I am searching for a tool to show me in real time the traffic made by all/one IP on
> the interface eth1, something simple; EX:
> 192.168.1.10 ........... x kbit/s
> 192.168.1.11 ........... y kbit/s
> 192.168.1.12 ........... z kbit/s
> 192.168.1.13 ........... x kbit/s
> 192.168.1.14 ........... x kbit/s
> 192.168.1.15 ........... x kbit/s
> 192.168.1.16 ........... x kbit/s
> 192.168.1.17 ........... x kbit/s
> 192.168.1.18 ........... x kbit/s
> 192.168.1.19 ........... x kbit/s

I'm working on one _RIGHT_NOW_ and expect it to be usable today.
It will be configurable over a web interface, and will manipulate the iptables 
using a small setuid C-Program I wrote. (I know, setuid root sucks, but 
you'll have to make sure no one else on this server can access or run the 
executable file using the webserver .. that's your job.)
It uses ulogd and stores the traffic in a web interface, it also does update 
the statistics database once a given limit of traffic has been reached, or a 
certain timeout has been hit. I might give out a usable version tomorrow, but 
I cannot guarantee for its bugfreeness. Though, most of the parts are done 
and they also seem to work the way I want them to.
Plus, it won't destroy any already-present firewall setups.

-- 
Thilo Schulz

My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Trafic monitor
  2004-06-16  7:51 [LARTC] Trafic monitor Ionut Gogu
  2004-06-16 11:06 ` Thilo Schulz
@ 2004-06-17  7:59 ` Morten Nilsen
  2004-06-17 10:18 ` Ed Wildgoose
                   ` (4 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Morten Nilsen @ 2004-06-17  7:59 UTC (permalink / raw)
  To: lartc


Thilo Schulz wrote:
> On Wednesday 16 June 2004 09:51, Ionut Gogu wrote:
>> I am searching for a tool to show me in real time the traffic made by all/one IP on
>> the interface eth1
>
> I'm working on one _RIGHT_NOW_ and expect it to be usable today.
> It will be configurable over a web interface, and will manipulate the iptables 
> using a small setuid C-Program I wrote. (I know, setuid root sucks, but 
> you'll have to make sure no one else on this server can access or run the 
> executable file using the webserver .. that's your job.)
> It uses ulogd and stores the traffic in a web interface, it also does update 
> the statistics database once a given limit of traffic has been reached, or a 
> certain timeout has been hit. I might give out a usable version tomorrow, but 
> I cannot guarantee for its bugfreeness. Though, most of the parts are done 
> and they also seem to work the way I want them to.
> Plus, it won't destroy any already-present firewall setups.

I find that thing intriguing, but I have a couple questions;

- How will your solution scale? can it handle 200Mb traffic full duplex
  on a Xeon 2.8GHz without choking? what about 100Mb on an AMD 800MHz?

- Could it affect latency?

- why not use sudo instead of setuid root?

Cheers,
-- 
Morten


* Re: [LARTC] Trafic monitor
  2004-06-16  7:51 [LARTC] Trafic monitor Ionut Gogu
  2004-06-16 11:06 ` Thilo Schulz
  2004-06-17  7:59 ` Morten Nilsen
@ 2004-06-17 10:18 ` Ed Wildgoose
  2004-06-17 10:42 ` Ronny Aasen
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Ed Wildgoose @ 2004-06-17 10:18 UTC (permalink / raw)
  To: lartc


> I am searching for a tool to show me in real time the traffic made by all/one 
> IP on the interface eth1, something simple; EX:
> 192.168.1.10 ........... x kbit/s
> 192.168.1.11 ........... y kbit/s
> 192.168.1.12 ........... z kbit/s
> 192.168.1.13 ........... x kbit/s
> 192.168.1.14 ........... x kbit/s
> 192.168.1.15 ........... x kbit/s
> 192.168.1.16 ........... x kbit/s
> 192.168.1.17 ........... x kbit/s
> 192.168.1.18 ........... x kbit/s
> 192.168.1.19 ........... x kbit/s
>     
> ...any idea  ..Thanks!!


Perhaps something like iptraf, ntop, nettop, iftop would be sufficient?

I think ntop looks the most full featured, but perhaps the others will 
do enough for you?  (eg iptraf without port numbers should work?)

Ed W

* Re: [LARTC] Trafic monitor
  2004-06-16  7:51 [LARTC] Trafic monitor Ionut Gogu
                   ` (2 preceding siblings ...)
  2004-06-17 10:18 ` Ed Wildgoose
@ 2004-06-17 10:42 ` Ronny Aasen
  2004-06-17 11:51 ` Thilo Schulz
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 8+ messages in thread
From: Ronny Aasen @ 2004-06-17 10:42 UTC (permalink / raw)
  To: lartc

On Thu, 2004-06-17 at 12:18, Ed Wildgoose wrote:
> > I am searching for a tool to show me in real time the traffic made by all/one 
> > IP on the interface eth1, something simple; EX:
> > 192.168.1.10 ........... x kbit/s
> > 192.168.1.11 ........... y kbit/s
> > 192.168.1.12 ........... z kbit/s
> > 192.168.1.13 ........... x kbit/s
> > 192.168.1.14 ........... x kbit/s
> > 192.168.1.15 ........... x kbit/s
> > 192.168.1.16 ........... x kbit/s
> > 192.168.1.17 ........... x kbit/s
> > 192.168.1.18 ........... x kbit/s
> > 192.168.1.19 ........... x kbit/s
> >     
> > ...any idea  ..Thanks!!
> 
> 
> Perhaps something like iptraf, ntop, nettop, iftop would be sufficient?
> 
> I think ntop looks the most full featured, but perhaps the others will 
> do enough for you?  (eg iptraf without port numbers should work?)

ipfm does exactly this. 
1 interface that sees all traffic makes logs of what it can see
I have put it on a monitor port on the switch

or you can use a hardware ethernet tap 

-- 
Ronny Aasen <list@datapart-as.no>


* Re: [LARTC] Trafic monitor
  2004-06-16  7:51 [LARTC] Trafic monitor Ionut Gogu
                   ` (3 preceding siblings ...)
  2004-06-17 10:42 ` Ronny Aasen
@ 2004-06-17 11:51 ` Thilo Schulz
  2004-06-17 14:10 ` Thilo Schulz
  2004-06-20 16:10 ` Thilo Schulz
  6 siblings, 0 replies; 8+ messages in thread
From: Thilo Schulz @ 2004-06-17 11:51 UTC (permalink / raw)
  To: lartc

On Thursday 17 June 2004 09:59, Morten Nilsen wrote:
>
> - How will your solution scale? can it handle 200Mb traffic full duplex
>   on a Xeon 2.8GHz without choking? what about 100Mb on an AMD 800MHz?

This is a very good question. I think the kernel should guide the 
traffic through iptables pretty efficiently and fast. I rather suspect the 
accounting daemon to be the bottleneck.
At the moment, I have my traffic accounter daemon, say: the one logging the 
traffic, linked against electricfence, which should have very negative 
effects on performance. I will run a transfer from my server that has a 
100Mbit connection later today, and monitor CPU usage. If the 
electricfence-version does well, you can be sure the productive version will 
do definitely.
My C program is actually written in a way to store produced traffic at first 
internally, and not use the database functions every time a packet comes in.
It should be clear, that the more traffic categories you have though, the more 
CPU usage is going to be required.
I'll keep you updated on my findings :)

> - Could it affect latency?

I doubt it would have much of an impact on latency, as the accounting is being 
done in userspace, not on kernel level.

> - why not use sudo instead of setuid root?

Because I must say to my own embarrassment, I haven't used sudo yet.
But: you should only have to modify a line in the php script, I think, to make 
this work using sudo.

-- 
Thilo Schulz

My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
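An added example, not part of the thread and not Thilo's code: the input handling a privileged iptables helper called from a web script needs, whether it is installed setuid root or run through sudo. The helper name `acct-helper`, the chain name `TACCT` and the iptables path are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumptions: hypothetical helper "acct-helper add|del <ipv4>". */
#define IPTABLES "/sbin/iptables"  /* assumed path; absolute, so PATH is never consulted */
#define CHAIN    "TACCT"           /* hypothetical accounting chain */

/* Map the untrusted action word to a fixed iptables flag; reject anything else. */
const char *action_flag(const char *action)
{
    if (action && strcmp(action, "add") == 0) return "-A";
    if (action && strcmp(action, "del") == 0) return "-D";
    return NULL;
}

/* Accept only a dotted-quad IPv4 address and re-emit it in canonical form. */
int canonical_ipv4(const char *in, char out[INET_ADDRSTRLEN])
{
    struct in_addr a;
    if (!in || strlen(in) >= INET_ADDRSTRLEN) return -1;
    if (inet_pton(AF_INET, in, &a) != 1) return -1;
    return inet_ntop(AF_INET, &a, out, INET_ADDRSTRLEN) ? 0 : -1;
}

/* Build the fixed argv; returns 0 on success, -1 if any input is rejected. */
int build_argv(const char *action, const char *ip, char ipbuf[INET_ADDRSTRLEN], const char *argv[6])
{
    const char *flag = action_flag(action);
    if (!flag || canonical_ipv4(ip, ipbuf) != 0) return -1;
    argv[0] = "iptables"; argv[1] = flag; argv[2] = CHAIN;
    argv[3] = "-s"; argv[4] = ipbuf; argv[5] = NULL;  /* no -j: the rule only counts */
    return 0;
}

int main(int argc, char **argv)
{
    char ipbuf[INET_ADDRSTRLEN];
    const char *av[6];
    char *const envp[] = { NULL };              /* child gets an empty environment */
    if (argc != 3 || build_argv(argv[1], argv[2], ipbuf, av) != 0) {
        fprintf(stderr, "usage: acct-helper add|del <ipv4>\n");
        return 2;
    }
    execve(IPTABLES, (char *const *)av, envp);  /* no shell, no PATH lookup */
    perror("execve");
    return 1;
}
```

The caller never supplies a rule fragment: it picks one of two actions and one address, and everything else in the iptables command line is fixed by the helper.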


* Re: [LARTC] Trafic monitor
  2004-06-16  7:51 [LARTC] Trafic monitor Ionut Gogu
                   ` (4 preceding siblings ...)
  2004-06-17 11:51 ` Thilo Schulz
@ 2004-06-17 14:10 ` Thilo Schulz
  2004-06-20 16:10 ` Thilo Schulz
  6 siblings, 0 replies; 8+ messages in thread
From: Thilo Schulz @ 2004-06-17 14:10 UTC (permalink / raw)
  To: lartc

On Thursday 17 June 2004 13:51, Thilo Schulz wrote:
> At the moment, I have my traffic accounter daemon, say: the one logging the
> traffic, linked against electricfence, which should have very negative
> effects on performance. I will run a transfer from my server that has a
> 100Mbit connection later today, and monitor CPU usage. If the
> electricfence-version does well, you can be sure the productive version
> will do definitely.

Okay, this seems to work really well.

226 33.268 seconds (measured here), 5.03 Mbytes per second
175560916 bytes received in 33.27 secs (5153.0 kB/s)

The daemon used for logging never came above a top CPU usage of 1.8% at this 
throughput, and this value only got that high when my program was updating 
the mysql databases. Really the thing eating most of the CPU was the reading 
from disk and the ftp program. Here is the CPU in use for this little 
experiment:

model name      : Intel(R) Pentium(R) 4 CPU 2.66GHz

Anyways, I'll be working on doing a small release package, for those who are 
interested in this thing. Don't expect too much from it, I hardly sat a week 
at this system. It was my goal to just have a convenient way of getting 
traffic statistics for my root server and be warned if I go over the traffic 
limit I have, not add as many nifty features as possible. You can do that 
yourself if you find my package worthy of your precious attention and really 
want to ;)

-- 
Thilo Schulz

My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
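An added example, not part of the thread and not taken from the taccounter package: the buffering scheme described in the messages above, where per-packet accounting touches only memory and the statistics store is updated when a byte limit or a timeout is reached. The thresholds, the per-host table for 192.168.1.0/24 and the `printf` standing in for the database update are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define MAX_HOSTS   256          /* one slot per last octet in 192.168.1.0/24 */
#define FLUSH_BYTES (1u << 20)   /* assumed limit: flush after 1 MiB buffered */
#define FLUSH_SECS  60           /* assumed timeout in seconds */

struct acct {
    uint64_t pending[MAX_HOSTS]; /* bytes seen since the last flush, per host */
    uint64_t total_pending;      /* sum over all hosts */
    time_t   last_flush;
    unsigned flushes;            /* how often the slow path ran */
};

/* Slow path, stand-in for the database update: one line per active host. */
static void flush(struct acct *a, time_t now)
{
    double secs = now > a->last_flush ? (double)(now - a->last_flush) : 1.0;
    for (int h = 0; h < MAX_HOSTS; h++) {
        if (!a->pending[h]) continue;
        printf("192.168.1.%d ........... %.1f kbit/s\n",
               h, a->pending[h] * 8 / 1000.0 / secs);
        a->pending[h] = 0;
    }
    a->total_pending = 0;
    a->last_flush = now;
    a->flushes++;
}

/* Fast path, called once per logged packet.
 * Returns 1 if this packet tripped a threshold and caused a flush, else 0. */
int account_packet(struct acct *a, uint8_t host, uint32_t len, time_t now)
{
    a->pending[host] += len;
    a->total_pending += len;
    if (a->total_pending >= FLUSH_BYTES || now - a->last_flush >= FLUSH_SECS) {
        flush(a, now);
        return 1;
    }
    return 0;
}
```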


* Re: [LARTC] Trafic monitor
  2004-06-16  7:51 [LARTC] Trafic monitor Ionut Gogu
                   ` (5 preceding siblings ...)
  2004-06-17 14:10 ` Thilo Schulz
@ 2004-06-20 16:10 ` Thilo Schulz
  6 siblings, 0 replies; 8+ messages in thread
From: Thilo Schulz @ 2004-06-20 16:10 UTC (permalink / raw)
  To: lartc

On Thursday 17 June 2004 16:10, Thilo Schulz wrote:
> Anyways, I'll be working on doing a small release package, for those who
> are interested in this thing. Don't expect too much from it, I hardly sat a
> week at this system. It was my goal to just have a convenient way of
> getting traffic statistics for my root server and be warned if I go over
> the traffic limit I have, not add as many nifty features as possible. You
> can do that yourself if you find my package worthy of your precious
> attention and really want to ;)

My package is available for download from:
http://thilo.kickchat.com/taccounter-0.99.tar.bz2

-- 
Thilo Schulz

My public PGP key is available at http://home.bawue.de/~arny/public_key.asc