* Re: [LARTC] Trafic monitor
2004-06-16 7:51 [LARTC] Trafic monitor Ionut Gogu
@ 2004-06-16 11:06 ` Thilo Schulz
2004-06-17 7:59 ` Morten Nilsen
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Thilo Schulz @ 2004-06-16 11:06 UTC (permalink / raw)
To: lartc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 16 June 2004 09:51, Ionut Gogu wrote:
> I search for a tool show-me on real time the trafic made by all/one IPon
> the interface eth1, somethings simple ; EX: 192.168.1.10 ........... x
> kbit/s
> 192.168.1.11 ........... y kbit/s
> 192.168.1.12 ........... z kbit/s
> 192.168.1.13 ........... x kbit/s
> 192.168.1.14 ........... x kbit/s
> 192.168.1.15 ........... x kbit/s
> 192.168.1.16 ........... x kbit/s
> 192.168.1.17 ........... x kbit/s
> 192.168.1.18 ........... x kbit/s
> 192.168.1.19 ........... x kbit/s
I'm working on one _RIGHT_NOW_ and expect it to be usable today.
It will be configurable over a webinterface, and will manipulate the iptables
using a small setuid C-Program I wrote. (I know, setuid root sucks, but
you'll have to make sure noone else on this server can access or run the
executable file using the webserver .. that's your job.)
It uses ulogd and stores the traffic in a webinterface, it also does update
the statistics database once a given limit of traffic has been reached, or a
certain timeout has been hit. I might give out a usable version tomorrow, but
I cannot guarantee for its bugfreeness. Though, most of the parts are done
and they also seem to work the way I want them to.
Plus, it won't destroy any already-present firewall setups.
- --
Thilo Schulz
My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA0CmeZx4hBtWQhl4RAtm6AJ9ZnZGEaqqEVen4bhj2dp3zHQuBXwCg0mLh
xUIkFG3likAGC9G4lk4rlxg=LxT8
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [LARTC] Trafic monitor
2004-06-16 7:51 [LARTC] Trafic monitor Ionut Gogu
2004-06-16 11:06 ` Thilo Schulz
@ 2004-06-17 7:59 ` Morten Nilsen
2004-06-17 10:18 ` Ed Wildgoose
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Morten Nilsen @ 2004-06-17 7:59 UTC (permalink / raw)
To: lartc
[-- Attachment #1: Type: text/plain, Size: 1263 bytes --]
Thilo Schulz wrote:
> On Wednesday 16 June 2004 09:51, Ionut Gogu wrote:
>> I search for a tool show-me on real time the trafic made by all/one IPon
>> the interface eth1
>
> I'm working on one _RIGHT_NOW_ and expect it to be usable today.
> It will be configurable over a webinterface, and will manipulate the iptables
> using a small setuid C-Program I wrote. (I know, setuid root sucks, but
> you'll have to make sure noone else on this server can access or run the
> executable file using the webserver .. that's your job.)
> It uses ulogd and stores the traffic in a webinterface, it also does update
> the statistics database once a given limit of traffic has been reached, or a
> certain timeout has been hit. I might give out a usable version tomorrow, but
> I cannot guarantee for its bugfreeness. Though, most of the parts are done
> and they also seem to work the way I want them to.
> Plus, it won't destroy any already-present firewall setups.
I find that thing intriguing, but I have a couple questions;
- How will your solution scale? can it handle 200Mb traffic full duplex
on a Xeon 2.8GHz without choking? what about 100Mb on an AMD 800MHz?
- Could it affect latency?
- why not use sudo instead of setuid root?
Cheers,
--
Morten
[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 3170 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [LARTC] Trafic monitor
2004-06-16 7:51 [LARTC] Trafic monitor Ionut Gogu
2004-06-16 11:06 ` Thilo Schulz
2004-06-17 7:59 ` Morten Nilsen
@ 2004-06-17 10:18 ` Ed Wildgoose
2004-06-17 10:42 ` Ronny Aasen
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Ed Wildgoose @ 2004-06-17 10:18 UTC (permalink / raw)
To: lartc
> I search for a tool show-me on real time the trafic made by all/one
> IPon the interface eth1, somethings simple ; EX:
> 192.168.1.10 ........... x kbit/s
> 192.168.1.11 ........... y kbit/s
> 192.168.1.12 ........... z kbit/s
> 192.168.1.13 ........... x kbit/s
> 192.168.1.14 ........... x kbit/s
> 192.168.1.15 ........... x kbit/s
> 192.168.1.16 ........... x kbit/s
> 192.168.1.17 ........... x kbit/s
> 192.168.1.18 ........... x kbit/s
> 192.168.1.19 ........... x kbit/s
>
> ...any ideea ..Thanks!!
Perhaps something like iptraf, ntop, nettop, iftop would be sufficient?
I think ntop looks the most full featured, but perhaps the others will
do enough for you? (eg iptraf without port numbers should work?)
Ed W
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [LARTC] Trafic monitor
2004-06-16 7:51 [LARTC] Trafic monitor Ionut Gogu
` (2 preceding siblings ...)
2004-06-17 10:18 ` Ed Wildgoose
@ 2004-06-17 10:42 ` Ronny Aasen
2004-06-17 11:51 ` Thilo Schulz
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Ronny Aasen @ 2004-06-17 10:42 UTC (permalink / raw)
To: lartc
On Thu, 2004-06-17 at 12:18, Ed Wildgoose wrote:
> > I search for a tool show-me on real time the trafic made by all/one
> > IPon the interface eth1, somethings simple ; EX:
> > 192.168.1.10 ........... x kbit/s
> > 192.168.1.11 ........... y kbit/s
> > 192.168.1.12 ........... z kbit/s
> > 192.168.1.13 ........... x kbit/s
> > 192.168.1.14 ........... x kbit/s
> > 192.168.1.15 ........... x kbit/s
> > 192.168.1.16 ........... x kbit/s
> > 192.168.1.17 ........... x kbit/s
> > 192.168.1.18 ........... x kbit/s
> > 192.168.1.19 ........... x kbit/s
> >
> > ...any ideea ..Thanks!!
>
>
> Perhaps something like iptraf, ntop, nettop, iftop would be sufficient?
>
> I think ntop looks the most full featured, but perhaps the others will
> do enough for you? (eg iptraf without port numbers should work?)
ipfm do exactly this.
1 interface that see all trafic makes logs of what it can see
i have put it on a monitor port on the switch
or you can use a hardware ethernet tap
--
Ronny Aasen <list@datapart-as.no>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [LARTC] Trafic monitor
2004-06-16 7:51 [LARTC] Trafic monitor Ionut Gogu
` (3 preceding siblings ...)
2004-06-17 10:42 ` Ronny Aasen
@ 2004-06-17 11:51 ` Thilo Schulz
2004-06-17 14:10 ` Thilo Schulz
2004-06-20 16:10 ` Thilo Schulz
6 siblings, 0 replies; 8+ messages in thread
From: Thilo Schulz @ 2004-06-17 11:51 UTC (permalink / raw)
To: lartc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 17 June 2004 09:59, Morten Nilsen wrote:
>
> - How will your solution scale? can it handle 200Mb traffic full duplex
> on a Xeon 2.8GHz without choking? what about 100Mb on an AMD 800MHz?
This is a very good question. I think, the kernel should do guiding the
traffic through iptables pretty efficiently and fast. I rather suspect the
accounting daemon to be the bottleneck.
At the moment, I have my traffic accounter daemon, say: the one logging the
traffic, linked against electricfence, which should have very negative
effects on performance. I will run a transfer from my server that has a
100Mbit connection later today, and monitor CPU usage. If the
electricfence-version does well, you can be sure the productive version will
do definitely.
My C program is actually written in a way to store produced traffic at first
internally, and not use the database functions every time a packet comes in.
It should be clear, that the more traffic categories you have though, the more
CPU usage is going to be required.
I'll keep you updated on my findings :)
> - Could it affect latency?
I doubt it would have much of an impact on latency, as the accounting is being
done in userspace, not on kernel level.
> - why not use sudo instead of setuid root?
Because I must say to my own embarassement, I haven't used sudo yet.
But: you should only have to modify a line in the php script, I think, to make
this work using sudo.
- --
Thilo Schulz
My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA0YXEZx4hBtWQhl4RAnGJAJ4v+lc2XxZTwRDbAynGHXSzqYKTLQCgjiKM
34ytH/wFsTRQUXz5nGf4Qdg=1ldg
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [LARTC] Trafic monitor
2004-06-16 7:51 [LARTC] Trafic monitor Ionut Gogu
` (4 preceding siblings ...)
2004-06-17 11:51 ` Thilo Schulz
@ 2004-06-17 14:10 ` Thilo Schulz
2004-06-20 16:10 ` Thilo Schulz
6 siblings, 0 replies; 8+ messages in thread
From: Thilo Schulz @ 2004-06-17 14:10 UTC (permalink / raw)
To: lartc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 17 June 2004 13:51, Thilo Schulz wrote:
> At the moment, I have my traffic accounter daemon, say: the one logging the
> traffic, linked against electricfence, which should have very negative
> effects on performance. I will run a transfer from my server that has a
> 100Mbit connection later today, and monitor CPU usage. If the
> electricfence-version does well, you can be sure the productive version
> will do definitely.
Okay, This seems to work really well.
226 33.268 seconds (measured here), 5.03 Mbytes per second
175560916 bytes received in 33.27 secs (5153.0 kB/s)
The daemon used for logging never came above a top CPU usage of 1.8% at this
throughput, and this value only got that high when my program was updating
the mysql databases. Really the thing eating most of the CPU was the reading
from disk and the ftp program. Here is the CPU in use for this little
experiment:
model name : Intel(R) Pentium(R) 4 CPU 2.66GHz
Anyways, I'll be working on doing a small release package, for those who are
interested in this thing. Don't expect too much from it, I hardly sat a week
at this system. It was my goal to just have a convenient way of getting
traffic statistics for my root server and be warned if I go over the traffic
limit I have, not add as many nifty features as possible. You can do that
yourself if you find my package worth of your precious attention and really
want to ;)
- --
Thilo Schulz
My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA0aZFZx4hBtWQhl4RAkLVAJ4upDEUOpj267v0kLnTkg+nZpmEeACgnHkb
3LESGamMy4jjogJOIrbkBOw=6PCt
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 8+ messages in thread* Re: [LARTC] Trafic monitor
2004-06-16 7:51 [LARTC] Trafic monitor Ionut Gogu
` (5 preceding siblings ...)
2004-06-17 14:10 ` Thilo Schulz
@ 2004-06-20 16:10 ` Thilo Schulz
6 siblings, 0 replies; 8+ messages in thread
From: Thilo Schulz @ 2004-06-20 16:10 UTC (permalink / raw)
To: lartc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 17 June 2004 16:10, Thilo Schulz wrote:
> Anyways, I'll be working on doing a small release package, for those who
> are interested in this thing. Don't expect too much from it, I hardly sat a
> week at this system. It was my goal to just have a convenient way of
> getting traffic statistics for my root server and be warned if I go over
> the traffic limit I have, not add as many nifty features as possible. You
> can do that yourself if you find my package worth of your precious
> attention and really want to ;)
My package is available for download from:
http://thilo.kickchat.com/taccounter-0.99.tar.bz2
- --
Thilo Schulz
My public PGP key is available at http://home.bawue.de/~arny/public_key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFA1bbkZx4hBtWQhl4RAh9aAJ9KcctKv+LxhDc1VmZTVS3TMNZE5wCg29/k
6Q10pVJTQ2yTdtVFY/Z5cT4=7x3+
-----END PGP SIGNATURE-----
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 8+ messages in thread