Using Argus to generate daily stats in OpenWrt
Carter Bullard
carter at qosient.com
Sat Apr 13 13:43:21 EDT 2013
Hey Graeme,
Glad to see you got things going... Anything I need to do to the code
base to make it better?
So your box is doing NAT, and that is why all the local traffic is addressed
to/from the gateway address? Argus captures enough flow info so
you can track flows through NAT'ing.
You can have argus monitor both the interfaces on the box at once,
assigning different srcid's to each monitored interface. Your clients
can then pick which observation domain they want to use to calculate
the metrics you're interested in.
So for aggregate interface stats, use the ethernet addresses of your
lan0.2 interface to do the aggregates. Use the lan0.1 stats to do
IP address and port based stats, and compare them, on occasion,
to make sure that both interface numbers seem reasonable.
Carter
On Apr 12, 2013, at 9:13 PM, Graeme Russ <graeme.russ at gmail.com> wrote:
> Hi Carter,
>
> Thanks for the encouragement - I managed to get Argus compiled for OpenWrt Attitude Adjustment after a few false starts (the old rpl_malloc/rpl_realloc autoconf issue and the toolchain missing rpc/types.h)
>
> So now I can monitor lan0.2 which connects to the ADSL modem with:
>
> root@OpenWrt:/tmp# ./argus -i lan0.1 -B 10.1.1.1 -P 561
>
> and collect the data remotely (on a server connected to lan0.1) with:
>
> [graeme@fs1 argus-3.0.6]$ ra -S 10.1.1.1:561 - ip
>
> One issue that I have is that all the local traffic is addressed to/from the gateway address:
>
> 10:13:44.337312 * tcp 10.2.1.2.51206 -> 10.220.60.110.newacc 1 66 REQ
> 10:13:45.545508 * tcp 130.239.18.172.ircu-3 <?> 10.2.1.2.58990 6 538 CON
> 10:13:45.651617 * tcp 10.3.1.224.49474 <?> 10.1.1.21.ssh 10 1396 CON
> 10:13:45.943295 * tcp 10.1.1.21.54524 -> 10.1.1.1.monito 14 1476 CON
> 10:13:48.832722 * udp 10.2.1.2.37307 <-> 10.2.1.1.domain 4 726 CON
> 10:13:50.333756 * s tcp 10.2.1.2.51206 -> 10.220.60.110.newacc 1 66 REQ
> 10:13:50.576155 * tcp 10.2.1.2.51208 -> 125.56.205.35.http 26 21019 CON
> 10:13:50.577190 * udp 10.2.1.2.62523 <-> 10.2.1.1.domain 5 844 CON
> 10:13:50.577597 * udp 10.2.1.2.61546 <-> 10.2.1.1.domain 2 379 CON
> 10:13:50.578009 * udp 10.2.1.2.53972 <-> 10.2.1.1.domain 5 789 CON
> 10:13:50.578436 * udp 10.2.1.2.nacnl <-> 10.2.1.1.domain 2 555 CON
> 10:13:50.578860 * udp 10.2.1.2.33314 <-> 10.2.1.1.domain 2 291 CON
> 10:13:50.579301 * udp 10.2.1.2.63472 <-> 10.2.1.1.domain 5 835 CON
> 10:13:50.618052 * tcp 10.2.1.2.51209 -> 199.27.75.193.http 3 190 CON
> 10:13:50.618224 * tcp 10.2.1.2.51210 -> 199.27.75.193.http 3 190 CON
> 10:13:50.618487 * tcp 10.2.1.2.51211 -> 199.27.75.193.http 3 190 CON
> 10:13:50.619067 * udp 10.2.1.2.14520 <-> 10.2.1.1.domain 2 605 CON
>
>
> I can, of course, monitor the local side of the router (in this case the wireless interface) with:
> root@OpenWrt:/tmp# ./argus -i lan0.1 -B 10.1.1.1 -P 561
>
> 11:07:38.070886 e tcp 10.3.1.224.52688 -> 125.56.205.25.http 3 162 FIN
> 11:07:38.070979 e tcp 10.3.1.224.52689 -> 125.56.205.25.http 3 162 FIN
> 11:07:38.071069 e tcp 10.3.1.224.52693 -> 125.56.205.25.http 3 162 FIN
> 11:07:38.071199 e tcp 10.3.1.224.52690 -> 125.56.205.25.http 3 162 FIN
> 11:07:38.071362 e tcp 10.3.1.224.52738 -> 125.56.205.233.http 3 162 FIN
> 11:07:38.071434 e tcp 10.3.1.224.52739 -> 125.56.205.233.http 3 162 FIN
> 11:07:38.071490 e tcp 10.3.1.224.52740 -> 125.56.205.233.http 3 162 FIN
> 11:07:38.071546 e tcp 10.3.1.224.52737 -> 125.56.205.233.http 3 162 FIN
> 11:07:38.071602 e tcp 10.3.1.224.52742 -> 125.56.205.233.http 3 162 FIN
> 11:07:38.071657 e tcp 10.3.1.224.52741 -> 125.56.205.233.http 3 162 FIN
> 11:07:38.071740 e tcp 10.3.1.224.52734 -> 118.214.198.126.http 3 162 FIN
> 11:07:38.071831 e tcp 10.3.1.224.52736 -> 118.214.198.126.http 3 162 FIN
> 11:07:38.071931 e tcp 10.3.1.224.52779 -> 125.56.204.128.http 3 162 FIN
> 11:07:38.072024 e tcp 10.3.1.224.52780 -> 125.56.204.128.http 3 162 FIN
> 11:07:38.072114 e tcp 10.3.1.224.52781 -> 125.56.204.128.http 3 162 FIN
> 11:07:38.072207 e tcp 10.3.1.224.52762 -> 125.56.204.128.http 3 162 FIN
> 11:07:38.072298 e tcp 10.3.1.224.52701 -> 125.56.205.48.http 3 162 FIN
> 11:07:38.072391 e tcp 10.3.1.224.52669 -> 125.56.204.88.http 3 162 FIN
>
> But what I want is the total aggregated stats on the ADSL connection. So now I need to figure out a way to match each entry with the device on the local LAN - any ideas?
>
>
> Regards,
>
> Graeme
>
>
> On Fri, Apr 12, 2013 at 11:26 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Graeme,
> Argus compiled and ran great on OpenWRT years ago, but I haven't done anything OpenWRT related in a while, so not sure if it will be easy still. Should be able to monitor wan0, no problem, if memory serves, but it is hardware specific, ...., which interfaces OpenWRT can monitor.
>
> Collecting argus data from an argus on OpenWRT is easy and generating the type of metrics you're interested in is straightforward.
> If you want to store these values in rrd's, we have perl scripts ( ragraph ) that can be used to maintain rrd's for your values. No problem.
>
> So I say go for it. We'll help you get there !!!
> Carter
>
>
> On Apr 11, 2013, at 7:09 PM, Graeme Russ <graeme.russ at gmail.com> wrote:
>
> > Hi All,
> >
> > I've installed OpenWrt on my WiFi router and now I'm looking for a way to generate network statistics for the ADSL connection. The ADSL connection is through a separate router, so generating the statistics should be a simple matter of processing the packets passing through the WAN0 interface. Daily statistics I would like to generate include:
> >
> > - Total inbound and outbound data
> > - Inbound and outbound data per local IP address/port/protocol (TCP/UDP)
> > - Inbound and outbound data per remote IP address/port/protocol (TCP/UDP)
> > - Inbound and outbound data per unique local IP/Remote IP/port/protocol (TCP/UDP)
> > - Average inbound and outbound throughput per 5 minute interval (total bytes/second)
> >
> > Two questions
> > - Is Argus the right solution?
> > - How hard will it be to get Argus running in OpenWrt Attitude Adjustment?
> >
> > Thanks,
> >
> > Graeme
> >
> >
>
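
As an added example (not part of the original thread or the Argus distribution): a small Python parser for the ra text records quoted above that totals bytes per inside address, one of the daily statistics asked for. The INSIDE_NETS prefixes and all function names are assumptions made for this illustration; the sample records are copied from the thread.

```python
import ipaddress
from collections import defaultdict

# Assumption: prefixes on the inside of the ADSL link, inferred from the thread.
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "10.2.1.0/24", "10.3.1.0/24")]
DIRECTIONS = {"->", "<-", "<->", "<?>", "?>", "<?"}

# Records copied from the ra output quoted in the thread.
SAMPLE = """\
10:13:45.651617 * tcp 10.3.1.224.49474 <?> 10.1.1.21.ssh 10 1396 CON
10:13:48.832722 * udp 10.2.1.2.37307 <-> 10.2.1.1.domain 4 726 CON
10:13:50.333756 * s tcp 10.2.1.2.51206 -> 10.220.60.110.newacc 1 66 REQ
10:13:50.576155 * tcp 10.2.1.2.51208 -> 125.56.205.35.http 26 21019 CON
10:13:50.618052 * tcp 10.2.1.2.51209 -> 199.27.75.193.http 3 190 CON
11:07:38.070886 e tcp 10.3.1.224.52688 -> 125.56.205.25.http 3 162 FIN
"""

def split_endpoint(text):
    """Split 'a.b.c.d.port' into (address, port); the port may be a service name."""
    if text.count(".") >= 4:
        return tuple(text.rsplit(".", 1))
    return text, ""

def parse_record(line):
    """Parse one ra text record; return None for anything that is not a flow record."""
    tok = line.split()
    idx = next((i for i, t in enumerate(tok) if t in DIRECTIONS), None)
    if idx is None or idx < 3 or len(tok) < idx + 4:
        return None
    try:
        (src, sport), (dst, dport) = split_endpoint(tok[idx - 1]), split_endpoint(tok[idx + 1])
        return {"time": tok[0], "flags": tok[1:idx - 2], "proto": tok[idx - 2],
                "src": ipaddress.ip_address(src), "sport": sport,
                "dst": ipaddress.ip_address(dst), "dport": dport,
                "pkts": int(tok[idx + 2]), "bytes": int(tok[idx + 3])}
    except ValueError:
        return None

def is_inside(addr):
    return any(addr in net for net in INSIDE_NETS)

def bytes_per_local_host(text):
    """Sum the combined byte count of flows crossing the boundary, per inside address."""
    totals = defaultdict(int)
    for rec in filter(None, map(parse_record, text.splitlines())):
        s_in, d_in = is_inside(rec["src"]), is_inside(rec["dst"])
        if s_in != d_in:  # skip inside-to-inside and outside-to-outside flows
            totals[str(rec["src"] if s_in else rec["dst"])] += rec["bytes"]
    return dict(totals)
```

With these records every external flow seen on the modem side is attributed to 10.2.1.2, which is the NAT effect discussed in the thread, while the record from the local side keeps the client address 10.3.1.224. Each record carries one combined byte count, so this output alone does not give the inbound/outbound split.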