From: "Kurt D. Zeilenga"
To: freebsd-net@FreeBSD.ORG
Date: Tue, 04 Aug 1998 09:53:30 -0700
Subject: monitoring aggregate traffic

I was wondering what others are using to monitor aggregate bandwidth. That is, by proto, by port, by dst, by src, etc. Whether the tool supports tracking of min/max/averages, control over aging of inactive entries, recording of top entries (regardless of their current activity), and integration with graphing tools (such as MRTG)?

I am currently hacking the hell out of trafshow to allow aggregation of entries. (trafshow is curses-based and runs well when logged in over small pipes.)

My first hack was simple: I added an option, -i, which takes a string describing what to ignore when recording entries.

  -i "sd"   causes both source and dest ports to be ignored, aggregates hostA->hostB traffic.
  -i "Dsd"  ignores dest address and ports and hence aggregates talkers.

I also changed the sort function to compare current bytes instead of total bytes.
To sort out my particular problem (occasional bcast spikes), I've been running:

  mytrafshow -p -i "Dsd" ether broadcast    (bcast by dst)
  mytrafshow -p -i "SDs" ether broadcast    (bcast by dport)

This has allowed me to easily monitor the bandwidth utilization in realtime. Of course, I really don't want to be sitting in front of my terminal all week waiting for the next unexplained spike.

I've started my second round of hacking to record min/max/avg for each entry and to make some display improvements (my first hack didn't make any display changes, see below), to allow control over aging of entries, and to have a history page of top/most spikers. The third round, I guess, would be to export the stats so they can be integrated with MRTG or the like.

Of course, I'd rather not have to reinvent this wheel... (this is a distraction from real work). I'd like to hear about what tools you use to monitor your networks.

Here is an example of my current hack showing aggregation by port.

From Address       To Address         Proto     Bytes   CPS
================================================================
0.0.0.0..netbios-  0.0.0.0..netbios-  udp     1735074   226
0.0.0.0..router    0.0.0.0..router    udp      985428   191
0.0.0.0..netbios-  0.0.0.0..netbios-  udp     1345037   163
0.0.0.0..bootpc    0.0.0.0..bootps    udp      335872    32
0.0.0.0..bootps    0.0.0.0..bootpc    udp      155800    32
0.0.0.0..who       0.0.0.0..who       udp        5480     3
0.0.0.0..2396      0.0.0.0..sunrpc    udp         336     3
0.0.0.0..timed     0.0.0.0..timed     udp         104     3
0.0.0.0            0.0.0.0            unkn         46     1
0.0.0.0            0.0.0.0            icmp         36     1

(fxp0) TCP pkts: 0  UDP pkts: 34341  KBytes: 4698            Page 1 of 1
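The aggregation scheme described in the message (an ignore string of S/D/s/d letters that blanks out source address, destination address, source port or destination port so that many flows collapse into one entry; sorting by bytes in the current interval rather than total bytes; per-entry min/max/avg rates; and aging of idle entries) is modelled below as an added example. It is not trafshow code and not the poster's patch: the Flow/Entry/Aggregator names, the interval and max_idle parameters, and the sample broadcast flows are all constructed here for illustration. Real trafshow reads packets from a pcap interface; this model takes pre-decoded flow records so it runs offline.

```python
"""Model of trafshow-style entry aggregation with an ignore spec.

Added example (not trafshow code). Letters in the ignore string map to
flow fields exactly as the message describes: "sd" drops both ports so
hostA->hostB traffic becomes one entry; "Dsd" drops dst address and both
ports so each source host ("talker") becomes one entry.
"""
from dataclasses import dataclass
from typing import Optional

# Letters accepted by the ignore spec and the flow field each one blanks out.
IGNORE_FIELDS = {"S": "src", "D": "dst", "s": "sport", "d": "dport"}


@dataclass(frozen=True)
class Flow:
    """One decoded packet or flow record (constructed input, not pcap)."""
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    nbytes: int


@dataclass
class Entry:
    total: int = 0            # bytes since the entry was created
    current: int = 0          # bytes in the interval being counted now
    last_seen: float = 0.0    # time of the last packet, used for aging
    cps_min: Optional[float] = None
    cps_max: float = 0.0
    cps_sum: float = 0.0
    intervals: int = 0

    @property
    def cps_avg(self) -> float:
        return self.cps_sum / self.intervals if self.intervals else 0.0


def aggregate_key(flow: Flow, ignore: str) -> tuple:
    """Build the entry key: every flow field, with ignored ones set to None."""
    fields = {"src": flow.src, "dst": flow.dst, "proto": flow.proto,
              "sport": flow.sport, "dport": flow.dport}
    for letter in ignore:
        if letter not in IGNORE_FIELDS:
            raise ValueError(f"unknown ignore letter {letter!r}")
        fields[IGNORE_FIELDS[letter]] = None
    return tuple(fields.values())


class Aggregator:
    def __init__(self, ignore: str, max_idle: float) -> None:
        self.ignore = ignore
        self.max_idle = max_idle          # seconds an entry may sit idle
        self.entries: dict[tuple, Entry] = {}

    def add(self, flow: Flow, now: float) -> None:
        e = self.entries.setdefault(aggregate_key(flow, self.ignore), Entry())
        e.total += flow.nbytes
        e.current += flow.nbytes
        e.last_seen = now

    def tick(self, now: float, interval: float) -> list[tuple]:
        """Close one sampling interval: fold each entry's current bytes into
        its min/max/avg rate (bytes per second), reset the counter and drop
        entries idle longer than max_idle. Returns the keys aged out."""
        expired = []
        for key, e in list(self.entries.items()):
            cps = e.current / interval
            e.cps_min = cps if e.cps_min is None else min(e.cps_min, cps)
            e.cps_max = max(e.cps_max, cps)
            e.cps_sum += cps
            e.intervals += 1
            e.current = 0
            if now - e.last_seen > self.max_idle:
                expired.append(key)
                del self.entries[key]
        return expired

    def top(self, n: int) -> list[tuple]:
        # Rank by bytes in the current interval, not total bytes, so a
        # burst that started a moment ago rises to the top immediately.
        return sorted(self.entries.items(),
                      key=lambda kv: kv[1].current, reverse=True)[:n]


# Constructed sample: one interval of broadcast traffic on a small LAN.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "255.255.255.255", "udp", 137, 137, 1200),
    Flow("10.0.0.5", "255.255.255.255", "udp", 138, 138, 800),
    Flow("10.0.0.9", "255.255.255.255", "udp", 520, 520, 300),
    Flow("10.0.0.7", "255.255.255.255", "udp", 68, 67, 400),
    Flow("10.0.0.5", "255.255.255.255", "udp", 137, 137, 600),
]


def demo(ignore: str = "Dsd"):
    """Feed the sample through one 5-second interval; return the aggregator
    and the top-3 ranking taken just before the interval was closed."""
    agg = Aggregator(ignore, max_idle=30.0)
    for f in SAMPLE_FLOWS:
        agg.add(f, now=1.0)
    ranked = agg.top(3)
    agg.tick(now=5.0, interval=5.0)
    return agg, ranked


if __name__ == "__main__":
    for key, e in demo("Dsd")[1]:
        print(key, e.total, "bytes, max", e.cps_max, "B/s")
```

With "Dsd" the three broadcast sources become three entries and 10.0.0.5 ranks first; with "SDs" the same flows regroup by destination port (137, 67, 138, 520), which is the view the second mytrafshow command line above produces. Entries that see no packets for longer than max_idle disappear on the next tick, which is the aging control the message asks for.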