Linux bandwidth monitoring

I'm looking a tool that can run on a linux router, graph network
bandwidth usage (or better yet, chart it in a way that can be graphed
later with GNUPlot), and send email alerts when bandwidth usage rises
higher than some set bound. Any suggestions?

I'd prefer something that can pull data directly, rather than relying on
SNMP, since the tool will run locally and I have no other need of SNMP.

Thanks,
Rennie deGraaf

Use the iptables packet counters (polling at regular intervals) to pull
the numbers, then output them however you want. Generally, you'll use a
perl script or something running off a cron job to get the latest
count, then append the results to a file. Later on, another script
pulls the numbers out of the file and creates a graph.

Since iptables keeps a counter for each rule, you can create a set of
no-op rules just for the purpose of counting different types of
packets.

It's all been done before, so I'm sure you can find someone else's work
to copy. Either way, it's terribly easy to do. See the documentation
for iptables to see what options you have when fetching the data. Perl
knowledge is helpful for string processing, and cron is indespensible
in such a time-sensitive operation.

Could you give a example how to do this.

I am new at this.


<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Use the iptables packet counters (polling at regular intervals) to pull
> the numbers, then output them however you want. Generally, you'll use a
> perl script or something running off a cron job to get the latest
> count, then append the results to a file. Later on, another script
> pulls the numbers out of the file and creates a graph.
>
> Since iptables keeps a counter for each rule, you can create a set of
> no-op rules just for the purpose of counting different types of
> packets.
>
> It's all been done before, so I'm sure you can find someone else's work
> to copy. Either way, it's terribly easy to do. See the documentation
> for iptables to see what options you have when fetching the data. Perl
> knowledge is helpful for string processing, and cron is indespensible
> in such a time-sensitive operation.
>

In comp.os.linux.networking Rennie deGraaf <ca.ucalgary.cpsc@degraaf>:
> I'm looking a tool that can run on a linux router, graph network
> bandwidth usage (or better yet, chart it in a way that can be graphed
> later with GNUPlot), and send email alerts when bandwidth usage rises
> higher than some set bound. Any suggestions?

> I'd prefer something that can pull data directly, rather than relying on
> SNMP, since the tool will run locally and I have no other need of SNMP.

Sounds like you want to check out 'ntop' running in web mode
should produce lots of nice graphs, dunno about thresholds.

Good luck

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 107: The keyboard isn't plugged in

Thank You for the reply.

I have spamassassin running on my mail server, but what happens is I have a
procmail rule that blocks out attachments for eg: zip files.

then what it does is sends out a autoreply to the sender stating he sent a
zip file and it is not allowed. But viruses come onto the server with forged
headers and the server sends the autoreply to somebody that did not send the
e-mail.

Any other suggestions ?




"Michael Heiming" <michael+(E-Mail Removed)> wrote in message
news:gpf6r2-(E-Mail Removed)...
> In comp.os.linux.networking Rennie deGraaf <ca.ucalgary.cpsc@degraaf>:
> > I'm looking a tool that can run on a linux router, graph network
> > bandwidth usage (or better yet, chart it in a way that can be graphed
> > later with GNUPlot), and send email alerts when bandwidth usage rises
> > higher than some set bound. Any suggestions?
>
> > I'd prefer something that can pull data directly, rather than relying on
> > SNMP, since the tool will run locally and I have no other need of SNMP.
>
> Sounds like you want to check out 'ntop' running in web mode
> should produce lots of nice graphs, dunno about thresholds.
>
> Good luck
>
> --
> Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
> mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
> #bofh excuse 107: The keyboard isn't plugged in

On Fri, 22 Jul 2005 08:20:00 +0200, Michael Heiming wrote:


> Sounds like you want to check out 'ntop' running in web mode
> should produce lots of nice graphs, dunno about thresholds.


ntop very impressive, documentation is appalling, can you point any decent
docs?

In comp.os.linux.networking walace <(E-Mail Removed)>:
> On Fri, 22 Jul 2005 08:20:00 +0200, Michael Heiming wrote:


>> Sounds like you want to check out 'ntop' running in web mode
>> should produce lots of nice graphs, dunno about thresholds.

> ntop very impressive, documentation is appalling, can you point any decent
> docs?

You could try using a search engine (google/etc)? Found the
package delivered docs totally sufficient. IIRC never used more
then 'man ntop'.

rpm -qd ntop
/usr/share/doc/ntop-3.1/1STRUN.txt
/usr/share/doc/ntop-3.1/AUTHORS
/usr/share/doc/ntop-3.1/BUG_REPORT
/usr/share/doc/ntop-3.1/BUILD-MinGW.txt
/usr/share/doc/ntop-3.1/BUILD-NTOP.txt
/usr/share/doc/ntop-3.1/CONTENTS
/usr/share/doc/ntop-3.1/COPYING
/usr/share/doc/ntop-3.1/CVS/Entries
/usr/share/doc/ntop-3.1/CVS/Repository
/usr/share/doc/ntop-3.1/CVS/Root
/usr/share/doc/ntop-3.1/CVS/Template
/usr/share/doc/ntop-3.1/ChangeLog
/usr/share/doc/ntop-3.1/DAG
/usr/share/doc/ntop-3.1/FAQ
/usr/share/doc/ntop-3.1/FILES
/usr/share/doc/ntop-3.1/HACKING
/usr/share/doc/ntop-3.1/INSTALL
/usr/share/doc/ntop-3.1/KNOWN_BUGS
/usr/share/doc/ntop-3.1/MANIFESTO
/usr/share/doc/ntop-3.1/NEWS
/usr/share/doc/ntop-3.1/PORTING
/usr/share/doc/ntop-3.1/README
/usr/share/doc/ntop-3.1/README.SSL
/usr/share/doc/ntop-3.1/README.Suse
/usr/share/doc/ntop-3.1/RMON/CVS/Entries
/usr/share/doc/ntop-3.1/RMON/CVS/Repository
/usr/share/doc/ntop-3.1/RMON/CVS/Root
/usr/share/doc/ntop-3.1/RMON/CVS/Template
/usr/share/doc/ntop-3.1/RMON/README.RMON
/usr/share/doc/ntop-3.1/RedHat-rpmbuild-HOWTO.txt
/usr/share/doc/ntop-3.1/SUPPORT_NTOP.txt
/usr/share/doc/ntop-3.1/THANKS
/usr/share/doc/ntop-3.1/TODO
/usr/share/doc/ntop-3.1/database/CVS/Entries
/usr/share/doc/ntop-3.1/database/CVS/Repository
/usr/share/doc/ntop-3.1/database/CVS/Root
/usr/share/doc/ntop-3.1/database/CVS/Template
/usr/share/doc/ntop-3.1/database/README
/usr/share/doc/ntop-3.1/database/README.mySQL
/usr/share/doc/ntop-3.1/ntop-autotools.pdf
/usr/share/doc/ntop-3.1/ntop-autotools.vsd
/usr/share/doc/ntop-3.1/ntop.conf.sample
/usr/share/doc/ntop-3.1/ntop.txt
/usr/share/man/man8/ntop.8.gz

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 74: You're out of memory

The muse whacked Jenda Mudron over the head on 22 Jul 2005 and caused
hir to enscribe <dbq47b$kkc$(E-Mail Removed)>:
> Thank You for the reply.
>
> I have spamassassin running on my mail server, but what happens is I
> have a procmail rule that blocks out attachments for eg: zip files.
>
> then what it does is sends out a autoreply to the sender stating he
> sent a zip file and it is not allowed. But viruses come onto the
> server with forged headers and the server sends the autoreply to
> somebody that did not send the e-mail.
>
> Any other suggestions ?
>
>
For this very reason, sending auto-replies is a Bad Thing. Virus and
spam checkers should just reject the Email with an error message that
indicates to the sender why it was rejected. If you have users who
routinely need to get .zip attachments, their corespondents should be
whitelisted.

If you are not running spamassassin until after the SMTP transaction
has completed, you should just drop the message into a spam folder and
notify the recipient so s/he can (a) manually check the attachment
and/or (b) notify the sender if it is legit.

Every time a new virus that fakes From: headers comes out, I get
hundreds of bogus "we rejected your message" autoreplies from clueless
mail servers. It is really irritating.


--
Henry Stilmack, CISSP
Email to hps (at) shangri-la (dot) cx
Registered Linux User #324965

> Could you give a example how to do this.

The following perl script prints out the time, bytes received, sent,
and total for eth0 since last reboot as a single line that can be
appended to a CSV file. It's not the most elegant solution, but it's
takes very little space to post :-)
-------------------
open(FILE,'</proc/net/dev');
while (<FILE>)
{
/eth0/ or next;
@parts = split /[ :\t]+/;
print time.",$parts[2],$parts[10],".($parts[2]+$parts[10])."\n";
}
------------------

If it's not immediately obvious to you what to do with it, then perhaps
you'd best try using someone else's work instead. If someone else is
reading this who wants to try putting something together on their own,
bear in mind that you can get your numbers through multiple different
methods, including device packet counts (as I'm doing here) iptables
counters, and packet capturing. Each offers its own degree of
flexibility and difficulty, so consider all your options before
starting.

For monitoring purposes, sending email is easy to automate. Look at
"sendmail -t", for example, or perl's Net::SMTP provide easy methods of
doing so.

Bear in mind that this all requires a certain degree of background
knowledge and programming ability. The tools are there so that you'd
have to do very little work, but you still have to know how to use the
tools.

> I am new at this.

Yeah, then maybe using someone else's solution is your best bet.
Something like ntop (which has already been suggested) will produce
very aesthetically pleasing results. When you're looking for something,
Google is your friend. Search for "linux bandwidth monitor", "linux
bandwidth monitoring" and any other variation thereon you can think of.
Freshmeat.net and sourceforge.net often host projects like this, so try
looking there.

(E-Mail Removed) wrote:
>>Could you give a example how to do this.
>
>
> The following perl script prints out the time, bytes received, sent,
> and total for eth0 since last reboot as a single line that can be
> appended to a CSV file. It's not the most elegant solution, but it's
> takes very little space to post :-)
> -------------------
> open(FILE,'</proc/net/dev');
> while (<FILE>)
> {
> /eth0/ or next;
> @parts = split /[ :\t]+/;
> print time.",$parts[2],$parts[10],".($parts[2]+$parts[10])."\n";
> }
> ------------------

Just for kicks, here's the same thing in awk:

awk 'BEGIN {FS="[ \t:]*"} {if ($2 == "eth0") {printf("%s %s %s %s\n",
systime(), $3, $11, ($3+$11))}}' /proc/net/dev

This could be run repeatedly using cron, and the data recorded could be
graphed using GNUPlot. However, you will need something a little more
complicated if you want to record differences from previous
measurements, send alerts when a value exceeds a bound, or draw data
from multiple sources.

Rennie