* Re: [LARTC] Monitoring....
From: Stef Coene @ 2003-02-13 18:44 UTC
To: lartc
On Thursday 13 February 2003 18:49, Nelson Guedes Paulo Junior wrote:
> Hi all,
>
> Just shaping my connection isn't enough. I need to monitor what's
> happening, for example, I need to know if my users are downloading too
> much, if they are using too much ftp or if they are using too much
> SSH. Other things that are relevant are Media Streaming, MP3 Downloading
> and Web Traffic.
>
> BUT, some of these services negotiate a high port and use these ports for
> the traffic. How do I prevent that from consuming bandwidth and how do I log that
> and make graphs to justify an upgrade of my link infrastructure?
> How do I monitor these things???
What if you monitor well-known ports (web, game ports, ...) and have another
monitor for all the rest? And block all other ports so they have to use the
ports you monitor :)
> Sorry about my English... :-)
It's not better than mine. And they understand me (at least I think).
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Monitoring....
From: Nelson Guedes Paulo Junior @ 2003-02-13 19:35 UTC
To: lartc
On Thu, 13 Feb 2003, Stef Coene wrote:
> On Thursday 13 February 2003 18:49, Nelson Guedes Paulo Junior wrote:
> > Hi all,
> >
> > Just shaping my connection isn't enough. I need to monitor what's
> > happening, for example, I need to know if my users are downloading too
> > much, if they are using too much ftp or if they are using too much
> > SSH. Other things that are relevant are Media Streaming, MP3 Downloading
> > and Web Traffic.
> >
> > BUT, some of these services negotiate a high port and use these ports for
> > the traffic. How do I prevent that from consuming bandwidth and how do I log that
> > and make graphs to justify an upgrade of my link infrastructure?
> > How do I monitor these things???
> What if you monitor well-known ports (web, game ports, ...) and have another
> monitor for all the rest? And block all other ports so they have to use the
> ports you monitor :)
This is ok, but HOW can I do that??? (monitor, not block ok??)
>
> > Sorry about my English... :-)
> It's not better than mine. And they understand me (at least I think).
It happens... :-)
Thanks....
[]'s
> Stef
>
> --
>
> stef.coene@docum.org
> "Using Linux as bandwidth manager"
> http://www.docum.org/
> #lartc @ irc.oftc.net
>
>
-----
Nelson Guedes Paulo Junior
E-mail: <npaulo@linux.ime.usp.br> UIN: 2489382 (Tender [:alpha:]*)
-----------------------------------------------------------------------
I dig, you dig, he digs, we dig, you (all) dig,
they dig... It's not pretty, but it's deep.
-----------------------------------------------------------------------
* Re: [LARTC] Monitoring....
From: Stef Coene @ 2003-02-13 20:03 UTC
To: lartc
On Thursday 13 February 2003 20:35, Nelson Guedes Paulo Junior wrote:
> On Thu, 13 Feb 2003, Stef Coene wrote:
> > On Thursday 13 February 2003 18:49, Nelson Guedes Paulo Junior wrote:
> > > Hi all,
> > >
> > > Just shaping my connection isn't enough. I need to monitor what's
> > > happening, for example, I need to know if my users are downloading too
> > > much, if they are using too much ftp or if they are using too much
> > > SSH. Other things that are relevant are Media Streaming, MP3
> > > Downloading and Web Traffic.
> > >
> > > BUT, some of these services negotiate a high port and use these ports
> > > for the traffic. How do I prevent that from consuming bandwidth and how do I log
> > > that and make graphs to justify an upgrade of my link
> > > infrastructure? How do I monitor these things???
> >
> > What if you monitor well-known ports (web, game ports, ...) and have
> > another monitor for all the rest? And block all other ports so they have
> > to use the ports you monitor :)
> This is ok, but HOW can I do that??? (monitor, not block ok??)
You can use iptables. You can create a filter rule (or more) that matches the
packets you want to monitor. Schedule an iptables -L -v -n every 5 minutes and
use the byte counters to update a log file. I recommend rrdtool for it. I
have some scripts on www.docum.org. The monitor script uses the byte
counters of iptables to get some data. In the GUI section, you can find some
perl scripts that I use to update the rrd files and to create the graph.
If you need more help, you can contact me. For the rrdtool, I recommend using
an existing script and adapting it to your needs so you don't have to bother
about the needed options.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
* Re: [LARTC] Monitoring....
From: Nelson Guedes Paulo Junior @ 2003-02-13 21:37 UTC
To: lartc
On Thu, 13 Feb 2003, Stef Coene wrote:
> On Thursday 13 February 2003 20:35, Nelson Guedes Paulo Junior wrote:
> > On Thu, 13 Feb 2003, Stef Coene wrote:
> > > On Thursday 13 February 2003 18:49, Nelson Guedes Paulo Junior wrote:
> > > > Hi all,
> > > >
> > > > Just shaping my connection isn't enough. I need to monitor what's
> > > > happening, for example, I need to know if my users are downloading too
> > > > much, if they are using too much ftp or if they are using too much
> > > > SSH. Other things that are relevant are Media Streaming, MP3
> > > > Downloading and Web Traffic.
> > > >
> > > > BUT, some of these services negotiate a high port and use these ports
> > > > for the traffic. How do I prevent that from consuming bandwidth and how do I log
> > > > that and make graphs to justify an upgrade of my link
> > > > infrastructure? How do I monitor these things???
> > >
> > > What if you monitor well-known ports (web, game ports, ...) and have
> > > another monitor for all the rest? And block all other ports so they have
> > > to use the ports you monitor :)
>
> > This is ok, but HOW can I do that??? (monitor, not block ok??)
> You can use iptables. You can create a filter rule (or more) that matches the
> packets you want to monitor. Schedule an iptables -L -v -n every 5 minutes and
> use the byte counters to update a log file. I recommend rrdtool for it. I
> have some scripts on www.docum.org. The monitor script uses the byte
> counters of iptables to get some data. In the GUI section, you can find some
> perl scripts that I use to update the rrd files and to create the graph.
Thanks Stef.
But I've tried to see your examples and all graphs are broken. There are
no images at all. Can you fix that???
If you could send me an example attached (don't send it to the list because
someone may be angry about that) I'll be very happy... :-)
> If you need more help, you can contact me. For the rrdtool, I recommend using
> an existing script and adapting it to your needs so you don't have to bother
> about the needed options.
I have, at least for the moment, one question about iptables:
Do I need to create another chain to see the bytes, like:
iptables -N mychain
iptables -I INPUT -j mychain
iptables -I OUTPUT -j mychain
iptables -I FORWARD -j mychain
iptables -A mychain -p tcp --dport 22 -j ACCEPT
Do I need to do that???
And, if I do, is there some security implication in doing that? I mean,
this way, how do the other rules I need to block SSH for unwelcome IPs work???
Thanks for all...
[]'s
-----
Nelson Guedes Paulo Junior
E-mail: <npaulo@linux.ime.usp.br> UIN: 2489382 (Tender [:alpha:]*)
-----------------------------------------------------------------------
I dig, you dig, he digs, we dig, you (all) dig,
they dig... It's not pretty, but it's deep.
-----------------------------------------------------------------------
* Re: [LARTC] Monitoring....
From: Stef Coene @ 2003-02-13 22:38 UTC
To: lartc
> Thanks Stef.
> But I've tried to see your examples and all graphs are broken. There are
> no images at all. Can you fix that???
http://home.docum.org/qos/snmp.html
or do you mean another page?
(http://home.docum.org/stef.coene/qos/gui/rrd.html is an old page that does
indeed have broken images).
> If you could send me an example attached (don't send it to the list because
> someone may be angry about that) I'll be very happy... :-)
Most of my scripts are downloadable.
> > If you need more help, you can contact me. For the rrdtool, I recommend
> > using an existing script and adapting it to your needs so you don't have to
> > bother about the needed options.
>
> I have, at least for the moment, one question about iptables:
>
> Do I need to create another chain to see the bytes, like:
>
> iptables -N mychain
> iptables -I INPUT -j mychain
> iptables -I OUTPUT -j mychain
> iptables -I FORWARD -j mychain
> iptables -A mychain -p tcp --dport 22 -j ACCEPT
>
> Do I need to do that???
No. Each rule has a byte counter. But if you redirect all traffic you want
to count to the same self-created chain, you can use the byte counter of that
chain so you don't have to calculate the sum of the separate chains.
> And, if I do, is there some security implication in doing that? I mean,
> this way, how do the other rules I need to block SSH for unwelcome IPs work???
Put the counter rules at the end of the firewall script. And if you create a
new chain, you can use -j new_chain. So you don't accept/deny the packets
but still have the counters.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
* Re: [LARTC] Monitoring....
From: Ming-Ching Tiew @ 2003-02-13 23:25 UTC
To: lartc
My suggestion is for you to do this: insert
the 'filtering' rules into the INPUT/OUTPUT/FORWARD
chains, e.g.
iptables -I FORWARD -p tcp --dport 22 -j mychain
iptables -I INPUT -p tcp --.... -j mychain
iptables -I OUTPUT -p udp -- .... -j mychain
.....
and so on,
and for mychain,
iptables -A mychain -j RETURN
You can safely put this. It will not disrupt anything.
If originally you already have some other accept/deny,
they continue to work.
--- Nelson Guedes Paulo Junior
<npaulo@linux.ime.usp.br> wrote:
> I have, at least for the moment, one question about
> iptables:
>
> Do I need to create another chain to see the bytes,
> like:
>
> iptables -N mychain
> iptables -I INPUT -j mychain
> iptables -I OUTPUT -j mychain
> iptables -I FORWARD -j mychain
> iptables -A mychain -p tcp --dport 22 -j ACCEPT
>
> Do I need to do that???
>
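Stef's advice (a self-created chain whose byte counters are polled with iptables -L -v -n every 5 minutes and fed into rrdtool) and Ming-Ching's RETURN-only chain, combined into one working script as an added example; this is not code from any poster or from docum.org. Assumptions: the chain name acct, the RRD path /var/lib/acct.rrd, and the sample iptables output, which is constructed; the jump is inserted at the top of the built-in chains as Ming-Ching suggests, so traffic is counted before any later ACCEPT/DROP decides its fate.

```shell
#!/bin/sh
# Added example, not from the thread. Accounting chain "acct" (assumed name)
# whose rules all RETURN: the counters grow but nothing is accepted or denied,
# so the existing firewall rules keep deciding. Jumps are inserted at the top
# of the built-in chains so traffic is counted before any later ACCEPT/DROP.
install_acct_chain() {
    iptables -N acct
    iptables -A acct -p tcp --dport 22 -j RETURN   # ssh
    iptables -A acct -p tcp --dport 21 -j RETURN   # ftp control
    iptables -A acct -p tcp --dport 80 -j RETURN   # web
    iptables -A acct -j RETURN                     # all the rest
    for chain in INPUT OUTPUT FORWARD; do
        iptables -I "$chain" -j acct
    done
}

# One-time RRD creation. COUNTER data sources turn the ever-growing byte
# counters into bytes/second and cope with counter wrap. Path is assumed.
RRD=/var/lib/acct.rrd
create_rrd() {
    rrdtool create "$RRD" --step 300 \
        DS:ssh:COUNTER:600:0:U DS:ftp:COUNTER:600:0:U \
        DS:web:COUNTER:600:0:U DS:rest:COUNTER:600:0:U \
        RRA:AVERAGE:0.5:1:288 RRA:AVERAGE:0.5:12:744
}

# Extract the byte column (-x gives exact numbers) of each rule in the chain,
# in rule order, joined with ":" ready for "rrdtool update".
# $1 is the text of "iptables -L acct -v -n -x".
counter_values() {
    printf '%s\n' "$1" |
        awk 'NR > 2 && $2 ~ /^[0-9]+$/ { v = v sep $2; sep = ":" }
             END { print v }'
}

# Build the update command for one poll (run from cron every 5 minutes).
rrd_update_line() {
    printf 'rrdtool update %s N:%s\n' "$RRD" "$(counter_values "$1")"
}

# Constructed sample of "iptables -L acct -v -n -x" output, used for a dry run.
SAMPLE='Chain acct (3 references)
    pkts      bytes target     prot opt in     out     source               destination
    1200    1560000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
     300     450000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    9000   12000000 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    5000    7000000 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'
rrd_update_line "$SAMPLE"   # live use: rrd_update_line "$(iptables -L acct -v -n -x)"
```

Because every acct rule ends in RETURN, a packet that the chain counts still falls through to whatever accept/deny rule follows the jump, which is why the SSH block rules Nelson asked about keep working unchanged.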