Using Argus to generate daily stats in OpenWrt

Mon Apr 15 20:14:55 EDT 2013

Hi Carter,

On Apr 16, 2013 6:29 AM, "Carter Bullard" <carter at qosient.com> wrote:
>
> Hey Graeme,
> Scripts that do NAT tracking?   Not currently in the free distribution,
but
> I have programs that do multi-probe correlation on the fly, that deal with
> the address mappings.  What are you doing this for?  Yourself?

Yes, this is for a home network so no big loads and no commercial
interests. I just want to make sure I know what is happening on my own
network so I can make some educated decisions later on.

> How you collect and archive the data will drive which programs you will
> need for metrics.   Be sure and read how rasplit() and rastream() work
> to build data files to make your metric generation straight forward.
> We recommend using rasplit() to generate data files that cover 5 minute
> ranges, organized by year/month/day.  Makes generating daily, hourly
> metrics pretty easy.

Thanks for the pointers - I'll look at them in more detail.

> You will want to use data aggregation, like that type provided by
racluster()
>  to generate the metrics you want.  Sounds like you want to realize
> something like daily matrix data:
>
>    racluster -r daily.file -m matrix -s stime dur saddr daddr pkts bytes
rate load ........
>
> matrix data will report on IP address <-> IP address metrics, removing the
> protocol or port values.

That will be a great start - Of course the NAT adds a layer of complexity
as the best I'll have is a set of three logs

 - Remote IP <-> Gateway IP
 - Gateway IP <-> Local LAN IP
 - Gateway IP <-> Local WLAN IP

So I will need to do NAT resolution. I imagine that the timestamps for the
packets on either side of the NAT will be pretty close and if I had a
complete set of three files (WAN, LAN, WLAN) for any given interval I could
successfully reconstruct the Remote IP <-> Local IP map.

Right now, I don't care about traffic between the local LAN and WLAN - Only
traffic going through the WAN (ADSL Modem) needs to be measured.

For WAN performance metrics (5 minute bandwidth measurement) I only care
about the WAN packets. I'm thinking:

 - 1 hour WAN/LAN/WLAN logs, processed every 24 hours and archived
 - 5 minute WAN logs, processed every 5 minutes and discarded (only
calculated stats saved)

For the WAN stats, I'm thinking, for each 5 minute interval:
 - Total Tx and Rx bytes
 - Per Remote-IP Tx and Rx bytes

> read the racluster.1 man page.  Depending on whether you want daily
metrics
> from daily data, or hourly stats from weekly data, or whatever, there are
different
> programs to generate the time bins, and report on aggregate metrics per
period.
> Programs like rabins() are going to be important if you want to do
something
> clever.
>
> Argus will capture URL's if you set the ARGUS_CAPTURE_DATA_LEN
> to something like 256 bytes.

Good to know - I think initially I'll keep this up my sleeve as I'm not
sure the router can handle it :)

Regards,

Graeme
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20130416/2424873e/attachment.html>