Bandwidth Monitoring with ipac-ng

This page details the installation and configuration of ipac-ng for monitoring the network traffic volume through a linux router.

Contents:   Background | Requirements | Obtaining | Installing | Defining Rules | Starting Data Collection | Viewing Data | Graphing Data | References

Background
I have a linux router at home, connecting four networks:

   eth0: my home ethernet network
   eth1: my Smoothwall internet firewall
   eth2: my WA Freenet interface
   eth3: my home wireless interface

and I wanted to be able to monitor the total traffic passing through each of these interfaces.
I have ipac-ng configured on my Smoothwall box to monitor traffic to and from the internet, but didn't have a way to monitor my WA Freenet traffic.

This page details how I've configured ipac-ng on my linux router, to monitor the network traffic volume through each interface.

Requirements
You'll need:
  • a Linux box being used as a router, running iptables
  • an ipac-ng tarball (version 1.30 or later)
  • an SCP client (such as WinSCP, or SSH Secure File Transfer Client, part of SSH Secure Shell) for copying files onto your linux box.
  • a way of getting a command-line prompt on your linux box (either by logging directly onto your linux box, or by using an SSH client such as PuTTY or SSH Secure Shell).
and optionally
  • a web server running on the Linux box
Note that you need a version of iptables that's older than 1.3.6, as there are compatibility issues with ipac-ng and iptables 1.3.6 and later. I believe there are some patches available, but haven't investigated them in any detail.

I'm using a custom installation of Red Hat 9.0 linux.
If your configuration is different, you may need to adjust some parts of this guide to suit your configuration.

Obtaining ipac-ng
Download the latest version of ipac-ng from the ipac-ng download page.

This tutorial was originally written for ipac-ng 1.25, but has been updated to incorporate a number of changes for ipac-ng 1.31.

Installing ipac-ng
SCP the tarball into the /usr/src directory on your linux box. From a command prompt, change into the /usr/src directory, and un-tar the tarball:

cd /usr/src
tar -xzvf ipac-ng-1.31.tar.gz

Change into the newly created directory:

cd ipac-ng-1.31

Compile and install ipac-ng:

./configure --enable-default-storage=gdbm
make
make install

Create a directory to hold the configuration files, and copy the sample configuration file into it:

mkdir /etc/ipac-ng
cp contrib/sample_configs/ipac.conf /etc/ipac-ng  

The master configuration file for ipac-ng is /etc/ipac-ng/ipac.conf.
Edit this file, and comment out the following two lines by inserting a "#" character at the beginning of each of these lines:

#classic mode = yes

#access agent = files

Defining Rules
We'll define the rules to specify what ipac-ng is monitoring in a new file we'll create, called /etc/ipac-ng/rules.conf.

Note that the sample rules.conf.iptables in /usr/src/ipac-ng-1.31/contrib/sample_configs/ has a fairly descriptive definition of the rules.

The syntax for each rule is:

Name of rule|direction|interface|protocol|source|destination|extension|

where

   Name of rule   any string to identify this rule
   direction      ipac~fi - forward in
                  ipac~fo - forward out
                  ipac~i  - outgoing from machine with ipac-ng to other host(/net)
                            (or incoming to otherhost)
                  ipac~o  - incoming to machine with ipac-ng
                            (or outgoing from otherhost)
   interface      interface name, '+' means all interfaces (don't try to use IP numbers here!)
   protocol       tcp | udp | icmp | all
   source         described in ipfwadm(8), or empty
   destination    described in ipfwadm(8), or empty

I wanted to monitor all incoming and outgoing traffic for each interface on my linux router, so I created a new file called /etc/ipac-ng/rules.conf, with the following contents:

# incoming / outgoing from internet to linux router
incoming from internet|ipac~o|eth1|all||||
outgoing to internet|ipac~i|eth1|all||||
# forwarded traffic from/to internet
incoming from internet|ipac~fi|eth1|all||||
outgoing to internet|ipac~fo|eth1|all||||

# incoming / outgoing from freenet to linux router
incoming from freenet|ipac~o|eth2|all||||
outgoing to freenet|ipac~i|eth2|all||||
# forwarded traffic from/to Freenet
incoming from freenet|ipac~fi|eth2|all||||
outgoing to freenet|ipac~fo|eth2|all||||

# incoming / outgoing from home ethernet to linux router
incoming from home ethernet|ipac~o|eth0|all||||
outgoing to home ethernet|ipac~i|eth0|all||||
# forwarded traffic from/to ethernet
incoming from home ethernet|ipac~fi|eth0|all||||
outgoing to home ethernet|ipac~fo|eth0|all||||

# incoming / outgoing from home wireless to linux router
incoming from home wireless|ipac~o|eth3|all||||
outgoing to home wireless|ipac~i|eth3|all||||
# forwarded traffic from/to home wireless
incoming from home wireless|ipac~fi|eth3|all||||
outgoing to home wireless|ipac~fo|eth3|all||||

These rules configure ipac-ng to monitor, for each interface, all traffic between the linux router itself and the networks connected to that interface, as well as all traffic forwarded by the linux router to or from PCs on that interface.

You can create rules to monitor traffic to or from a specific PC on your network, or you can monitor traffic on a specific port, so feel free to implement additional rules if desired.

For example, to monitor all internet traffic to/from a specific PC (say, Frodo, with IP 10.60.11.133) on my home network (where eth1 is the internet interface on my router), I would add these rules:

# forwarded internet traffic to and from Frodo
internet to Frodo|ipac~fi|eth1|all||10.60.11.133||
Frodo to internet|ipac~fo|eth1|all|10.60.11.133|||

The first rule will monitor all traffic through eth1 (my internet interface) which is destined for 10.60.11.133. The second rule will monitor all traffic through eth1 which originates from 10.60.11.133.
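A small validator for the rules file layout described above, added here as an example (it is not part of ipac-ng and not the author's script): it checks each non-comment line of a rules.conf for the seven pipe-separated fields plus the trailing |, a direction of ipac~fi, ipac~fo, ipac~i or ipac~o, a non-empty interface, and a protocol of tcp, udp, icmp or all, and reports the file and line number of anything that fails. The two sample rule sets are constructed inline (the good one reuses rules from this page); the function names check_rules, write_good_rules and write_bad_rules and the error messages are my own.

```shell
#!/bin/sh
# Added example, not part of ipac-ng: sanity-check an ipac-ng rules.conf
# before handing it to "fetchipac -S". The field rules are the ones in the
# syntax line above: Name|direction|interface|protocol|source|destination|extension|

check_rules() {   # usage: check_rules /etc/ipac-ng/rules.conf ; exit 0 = every rule ok
    awk -F'|' '
        /^[ \t]*(#|$)/ { next }                   # comments and blank lines
        {
            err = ""
            if (NF != 8)
                err = "expected 7 | separators (trailing | included), found " (NF - 1)
            else if ($1 == "")
                err = "empty rule name"
            else if ($2 !~ /^ipac~(fi|fo|i|o)$/)
                err = "unknown direction \"" $2 "\""
            else if ($3 == "")
                err = "empty interface (use + for all interfaces)"
            else if ($4 !~ /^(tcp|udp|icmp|all)$/)
                err = "unknown protocol \"" $4 "\""
            if (err != "") { printf "%s:%d: %s\n", FILENAME, FNR, err; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}

write_good_rules() {   # constructed sample: rules taken from this page
    cat >"$1" <<'EOF'
# incoming / outgoing from internet to linux router
incoming from internet|ipac~o|eth1|all||||
outgoing to internet|ipac~i|eth1|all||||
# forwarded internet traffic to and from Frodo
internet to Frodo|ipac~fi|eth1|all||10.60.11.133||
Frodo to internet|ipac~fo|eth1|all|10.60.11.133|||
EOF
}

write_bad_rules() {    # constructed sample: three typical typos plus one valid rule
    cat >"$1" <<'EOF'
missing trailing pipe|ipac~o|eth1|all|||
wrong direction|ipac-o|eth1|all||||
wrong protocol|ipac~fi|eth2|tcpudp||||
still fine|ipac~fo|eth2|all||||
EOF
}

# Stand-alone demo on the constructed samples
# (real use: check_rules /etc/ipac-ng/rules.conf && fetchipac -Sv)
good=$(mktemp) ; bad=$(mktemp)
write_good_rules "$good" ; write_bad_rules "$bad"
check_rules "$good" && echo "good sample: all rules ok"
check_rules "$bad"  || echo "bad sample: rejected"
rm -f "$good" "$bad"
```

The check is deliberately stricter than fetchipac itself, which is the point: a rule that never gets an iptables chain built for it leaves a gap in the accounting that you only notice when the totals look wrong later.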

Starting Data Collection
To start ipac-ng (i.e. build the iptables rules and chains used for monitoring), run:

fetchipac -Sv

If everything is correct, you should see a list of the accounting rules as fetchipac builds them.

Note that ipac-ng needs to be (re-)initialised each time your linux box is rebooted, or each time you restart iptables.
To achieve this, I added the following lines into the start section of my iptables script:

# initialise ip accounting
/usr/local/sbin/fetchipac -Sv

To collect data, fetchipac needs to be run periodically. Rather than storing all the raw data, we'll also summarise the data periodically. To do so, add these lines to the end of /etc/crontab:

# get data for ipacsum
*/5 * * * * root /usr/local/sbin/fetchipac

# summarise ip accounting info:
2 0 * * * root /usr/local/sbin/ipacsum -r -H `/bin/hostname` -t "the day 7 days ago" >/dev/null
3 0 * * 0 root /usr/local/sbin/ipacsum -r -H `/bin/hostname` -t "the week 11 weeks ago" >/dev/null
4 0 1 1 * root /usr/local/sbin/ipacsum -r -H `/bin/hostname` -t "the year 2 years ago" >/dev/null

The above configuration will cause fetchipac to fetch and store data every 5 minutes, and will summarise the data for the day 7 days ago at 00:02 daily, the data for the week 11 weeks ago at 00:03 each Sunday, and the data for the year 2 years ago at 00:04 on 1 January each year.

For more information on crontab configuration, run man 5 crontab from a command prompt on your linux box.

Viewing ipac-ng Data
Summarised data as recorded by ipac-ng can be viewed by running ipacsum from the command line.

Running ipacsum without any command-line parameters will display the total traffic for each of the rules you've defined, from the time when you first started running ipac-ng up to the current time.

To view traffic for a specific period of time, you can use the --starttime and --endtime command-line parameters.

Alternatively, if you're interested in viewing data for the last day, or week, or month, you can use the --timeframe or -t command-line parameters.

For example, to view data for today, use

ipacsum -t today

for the current month, use

ipacsum -t "this month"

For example, on my linux router, to view ipacsum totals for the previous day, I run

ipacsum -t yesterday

which results in the following output:

Host: elrond.mpot.mm.wafreenet / Time created: 2003/05/15 16:21:01 WST
Data from 2003/05/14 00:00:00 WST to 2003/05/14 23:59:59 WST
  incoming from home ethernet                     :            336M
  incoming from freenet                           :            658M
  incoming from home wireless                     :              2M
  incoming from internet                          :            958M
  incoming from smoothwall                        :              9M
  outgoing to home ethernet                       :              2G
  outgoing to freenet                             :             20M
  outgoing to home wireless                       :             11M
  outgoing to internet                            :            316M

However, the results are displayed in varying units, so to display the same results with common units (we'll use megabytes), use

ipacsum -t yesterday --fixed-quantity M

which results in

IP accounting summary
Host: elrond.mpot.mm.wafreenet / Time created: 2003/05/15 16:21:07 WST
Data from 2003/05/14 00:00:00 WST to 2003/05/14 23:59:59 WST
  incoming from home ethernet                     :            336M
  incoming from freenet                           :            658M
  incoming from home wireless                     :              2M
  incoming from internet                          :            958M
  incoming from smoothwall                        :              9M
  outgoing to home ethernet                       :           1623M
  outgoing to freenet                             :             20M
  outgoing to home wireless                       :             11M
  outgoing to internet                            :            316M

Run ipacsum --help for usage information, or man ipacsum for more details.
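As an added example (not from this page and not part of ipac-ng), a shell function that reads ipacsum output such as the listing above, normalises the K/M/G quantities to megabytes and prints every rule whose volume exceeds a threshold. A sudden jump on one interface is often the first visible sign of a compromised host on that segment or of an upstream link being abused, so this is a cheap daily check to run from cron next to the summary jobs. The sample listing is a constructed copy of the "yesterday" output above; the function name ipacsum_over_mb, the 1024-based unit conversion and the treatment of a bare number as bytes are my assumptions.

```shell
#!/bin/sh
# Added example, not part of ipac-ng: flag rules in ipacsum output whose
# volume exceeds a threshold in megabytes. Assumes ipacsum's K/M/G suffixes
# are 1024-based and that a bare number is bytes.

ipacsum_over_mb() {   # usage: ipacsum_over_mb LIMIT_MB < ipacsum-output
    awk -v limit="$1" -F':' '
        # rule lines look like "  <name>   :   <quantity>"; the Host and Data
        # header lines contain timestamps and so have more than one colon
        NF == 2 && $2 ~ /^[ \t]*[0-9]+[KMG]?[ \t]*$/ {
            name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
            q = $2;    gsub(/[ \t]/, "", q)
            unit = substr(q, length(q))   # last character: K, M, G or a digit
            n = q + 0                     # awk keeps only the numeric prefix
            if      (unit == "G") mb = n * 1024
            else if (unit == "M") mb = n
            else if (unit == "K") mb = n / 1024
            else                  mb = n / 1048576
            if (mb > limit) printf "%s %d\n", name, mb
        }'
}

# Constructed sample: the "ipacsum -t yesterday" listing shown above
SAMPLE_IPACSUM='Host: elrond.mpot.mm.wafreenet / Time created: 2003/05/15 16:21:01 WST
Data from 2003/05/14 00:00:00 WST to 2003/05/14 23:59:59 WST
  incoming from home ethernet                     :            336M
  incoming from freenet                           :            658M
  incoming from home wireless                     :              2M
  incoming from internet                          :            958M
  incoming from smoothwall                        :              9M
  outgoing to home ethernet                       :              2G
  outgoing to freenet                             :             20M
  outgoing to home wireless                       :             11M
  outgoing to internet                            :            316M'

# Stand-alone demo: report anything over 500 MB in the day
# (real use: ipacsum -t yesterday --fixed-quantity M | ipacsum_over_mb 500)
printf '%s\n' "$SAMPLE_IPACSUM" | ipacsum_over_mb 500
```

With a 500 MB threshold the sample yields "incoming from freenet 658", "incoming from internet 958" and "outgoing to home ethernet 2048". That last figure shows why the page recommends --fixed-quantity M: the rounded "2G" in the default output becomes 2048 MB here, whereas the fixed-unit listing reports the true 1623M, so feed the fixed-unit output to the check when you care about the exact number.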

Graphing ipac-ng Data
ipac-ng also includes support for creating graphs of the traffic being monitored. This allows you to monitor the traffic via a web browser.

First of all, create a directory for the ipac-ng images and web pages:

mkdir /var/www/html/ipac

Create a shell script called /usr/local/bin/makegraphs to do the image creation, with the following contents:

#!/bin/sh
/usr/local/sbin/ipacsum --png /var/www/html/ipac/ --png-average-curve 15 \
        --png-index index.html --png-caption-in-index --png-width 695 -s 24h

Make the script executable:

chmod 755 /usr/local/bin/makegraphs

This script will create png images for each rule, showing the traffic over the last 24 hours, and includes a curve showing the average traffic.

Test the image creation by manually running the script from the command line:

/usr/local/bin/makegraphs

Totals for the last 24 hours will be displayed, and the /var/www/html/ipac/ directory should now contain an image for each rule, as well as index.html.

Assuming you've got your web server software configured appropriately, you should be able to view the ipac-ng graphs by pointing your browser at http://your_ip/ipac/.

Automate the image creation every half hour by adding these lines into /etc/crontab:

# generate some ipac graphs
*/30 * * * * root /usr/local/bin/makegraphs >/dev/null

References
ipac-ng - Linux IP accounting package
crontab man page


last updated 21 Oct 2007