From: Howard Jones
Date: Wed, 03 Sep 2008 01:12:14 +0100
To: freebsd-isp@freebsd.org
Subject: Re: [freebsd-isp] B/W Monitoring with IPFW

Tony Holmes wrote:
> I have simply gotten buried in the many options for monitoring and
> graphing b/w data and just need a pointer from experienced people
> at solutions.
>
> I have a dedicated FreeBSD 4.10 (yeah it's old) firewall with IPFW
> and the appropriate counter rules installed. Each counter rule has
> an in and out rule for the boxes (contained in a Class-C block) that
> I wish to monitor.
>
> I have a dedicated monitoring box for presenting of data. Collecting
> every 5 mins will be the standard.
>
> I wish to have a delve-down of the following:
>
> Level 1: Summary of all traffic in/out
> Level 2: Summary of host in/out - these will be grouped by IP/function
>          I use dedicated server/jails for functions (http on one, ftp on
>          another, etc)
> Level 3: Detail of each individual IP
>
> I've gotten lost in the options - mrtg, rrdtool, cacti... using custom script,
> snmpd... the list goes on. In all my years I've never done this part myself and
> now I find I need to.
>

Extending net-snmp to do this, and then using anything that can
read/graph/report SNMP (cacti, mrtg, cricket etc) is pretty
straightforward. If you can make a simple shell script to get the value
you want (e.g. ipfw show 400 | cut -f3 -d' ') then this works OK as a
starting point.

I have a similar example on my site:
http://wotsit.thingy.com/haj/cacti/cacti-dynfirewall.html
(and a few more on there).

You might also want to look at ng_netflow or ntop - can't remember if
netgraph/ng_* was in 4.10 though. To get down to per-IP without having a
huge number of ipfw count rules, these two might fit better.

Howie
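
The net-snmp approach described in the reply above, as an added example that is not part of the original post: a script snmpd can call to report the byte counter of one ipfw rule. It assumes `ipfw show` prints rule number, packets and bytes as the first three whitespace-separated columns; the install path, the extend name and the sample counters are constructed for illustration. Because snmpd normally runs this as root, the rule number is validated before use.

```shell
#!/bin/sh
# Added example: print the byte counter of one ipfw rule, for use from snmpd.
# Assumed `ipfw show` columns: rule number, packets, bytes, rule body.

# Constructed sample of `ipfw show` output (not from a real firewall).
SAMPLE_IPFW_SHOW='00400   1523    918234 count ip from any to 192.0.2.10 in
00410    987    401122 count ip from 192.0.2.10 to any out
65535      0         0 deny ip from any to any'

# rule_bytes RULE: read `ipfw show` text on stdin and print the bytes column
# for RULE. Counters are summed because ipfw allows several rules to share
# one number. Returns 2 on a bad argument, 1 if the rule is not present.
rule_bytes() {
    case "$1" in
        ''|*[!0-9]*) echo "rule number must be numeric" >&2; return 2 ;;
    esac
    # awk splits on runs of whitespace, so column padding does not matter.
    awk -v rule="$1" '
        $1 ~ /^[0-9]+$/ && $1 + 0 == rule + 0 { total += $3; found = 1 }
        END { if (!found) exit 1; printf "%.0f\n", total }
    '
}

# On the firewall (root is needed to read the counters):
#   /usr/local/sbin/ipfw-bytes 400
# Hypothetical snmpd.conf entry, assuming a net-snmp with the extend
# directive and the script saved under that path:
#   extend ipfw400 /usr/local/sbin/ipfw-bytes 400
if [ $# -eq 1 ] && command -v ipfw >/dev/null 2>&1; then
    ipfw show | rule_bytes "$1"
fi
```

One extend entry per counter rule gives the Level 2 view; the SNMP poller on the monitoring box then reads each value every 5 minutes and graphs the difference between samples.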