Monitoring and reporting network usage

Peter Van Epp vanepp at sfu.ca
Mon Jun 25 12:50:21 EDT 2001


> 
> Hi there,
> 
> 	Argus has been suggested to me by the people on the NeTraMet mailing
> list as a suitable application:  I have a need to monitor and then report on
> per IP bandwidth usage, and am looking to replace my current application
> with a more powerful (read: more features) one.
> 
> 	I am currently using a program called 'Snuffle' on a FreeBSD box
> (600Mhz, 64Mb RAM) with an RTL8139-based network card.  The following two
> observations have been made to me:
> 
> - FreeBSD offers better packet capture ability than Linux

	Actually, my experience is the other way around. Solaris and Redhat
(suitably configured) are better than FreeBSD at 100 megs. That said, I still
use FreeBSD because my volume is low enough it hasn't been a problem. Note
that you need to patch the kernel bpf routines on FreeBSD for argus to work
correctly (the patch should be on qosient.com somewhere; if not, it is in the
PR at FreeBSD.org; it isn't in 4.3 RELEASE).

> 
> - the RTL8139-based cards are poor for packet capture
> 

	Yep. They hang at high packet volumes. The 3c905B is the preferred
card but Intel Etherexpress is almost as good. For Linux you need the
alternate driver (not the 3com one; it also hangs at high data volumes). I
believe it may be the default now; if needed I can dig up the reference from
our Beowulf maintainer.
	A package called tcpreplay (from www.anzen.com) will allow you to 
test a configuration by replaying a tcpdump file of your traffic at variable
speeds (up to full 100 HDX, and around 160 megs or so, disk limited on FDX).
I have a set of patches that let it run on FreeBSD (and with FDX with two
NICs).

> 	First off, does anyone have any comments they would care to share on
> the above points?
> 
> 	Secondly, is Argus a suitable choice for my needs?

	Yep. Since version 2 keeps the length of ICMP packets (which 1.x didn't),
a Perl script or one of the new clients (depending on your needs) can produce
traffic flows to the granularity of an IP/port pair without problem.

> 
> 	Thanks in advance,
> 
> --
> Sean Kelly <sean.kelly at the-web-works.co.uk>


