If you read my first book you know I prefer small applications that run in Unix terminals to more complicated programs. I decided to get a sense of the bandwidth being monitored at several sensors deployed at client sites. I did not want to install MRTG or Ntop to answer simple questions like "What is the maximum bandwidth seen by the sensor?" or "What is an average amount of traffic seen?"
I decided to try bwm-ng. It's in the FreeBSD ports tree as bwm-ng. (Don't think I'm abandoning FreeBSD for Debian. Nothing can beat FreeBSD's package system in terms of number and variety of applications and up-to-date versions.)
Start bwm-ng by telling it the interface you want monitored.
# bwm-ng -I em2
The default screen looks like this.
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: rate
| iface Rx Tx Total
===========================================================================
em2: 8.27 KB/s 0.00 KB/s 8.27 KB/s
---------------------------------------------------------------------------
total: 8.27 KB/s 0.00 KB/s 8.27 KB/s
This screen shows the instantaneous traffic rate as measured by bwm-ng in KBps. Instantaneous rates aren't that helpful. To learn more options, I hit the 'h' key.
lqbwm-ng v0.5 - Keybindings:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x x
x 'h' show this help x
x 'q' exit x
x '+' increases timeout by 100ms x
x '-' decreases timeout by 100ms x
x 'd' switch KB and auto assign Byte/KB/MB/GB x
x 'a' cycle: show all interfaces, only those which are up, x
x only up and not hidden x
x 's' sum hidden ifaces to total aswell or not x
x 'n' cycle: input methods x
x 'u' cycle: bytes,bits,packets,errors x
x 't' cycle: current rate, max, sum since start, average for last 30s x
x x
mq press any key to continue... qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
On screen the qqqqq and such is a line, not letters.
The 't' option looks helpful. If I hit the 't' key three times, I end up with the following display.
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: avg (30s)
/ iface Rx Tx Total
===========================================================================
em2: 9.70 KB/s 0.00 KB/s 9.70 KB/s
---------------------------------------------------------------------------
total: 9.70 KB/s 0.00 KB/s 9.70 KB/s
Now I have a 30-second average. I prefer to see bits, not bytes, so I hit the 'u' key once.
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: avg (30s)
- iface Rx Tx Total
===========================================================================
em2: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s
---------------------------------------------------------------------------
total: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s
Now I have a 30-second average measured in Kbps.
For a sensor, the max traffic measured is very important. If I leave bwm-ng running for a while (perhaps in a screen(1) session), I can see surges. To have bwm-ng show me those maximum events, I can hit the 't' key to cycle through to the max report.
If I hit the 'd' key bwm-ng will switch from using Kilo units to something it considers more appropriate.
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: max
/ iface Rx Tx Total
===========================================================================
em2: 4.69 Mb/s 0.00 b/s 4.69 Mb/s
---------------------------------------------------------------------------
total: 4.69 Mb/s 0.00 b/s 4.69 Mb/s
Here we see this interface topped out at 4.69 Mbps.
This is the sort of data I need to determine if my sensor can handle this load. The longer I leave bwm-ng running, the more I will know about this site's traffic characteristics.
If you read bwm-ng's man page you'll see you can also run the program as a daemon and output measurements to .csv and other formats.
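The max and average figures above come from watching the curses screen. If you run bwm-ng with CSV output instead (bwm-ng -o csv -c 0 -I em2), you can keep the samples and compute the same numbers offline, over as long a period as you like, and find when the peak happened. The script below is an added example, not part of the original post or of bwm-ng itself. It assumes the CSV column order shown in the comment (unix timestamp, interface, then bytes_out/s, bytes_in/s, bytes_total/s, ...); check it against your version's man page before relying on it. The sample lines are constructed, and the Kb conversion uses 1000 bits per Kb, which is also an assumption about how your bwm-ng build labels its units.

```python
"""Summarise bwm-ng CSV samples into max and average rates in Kbps.

Added example (not bwm-ng's own code). The column order below is the
assumed layout of `bwm-ng -o csv`; verify it against your man page.
"""
from dataclasses import dataclass

# Assumed csv layout:
# unix_ts;iface;bytes_out/s;bytes_in/s;bytes_total/s;bytes_in;bytes_out;
# packets_out/s;packets_in/s;packets_total/s;packets_in;packets_out;
# errors_out/s;errors_in/s;errors_in;errors_out
COL_TS, COL_IFACE, COL_TX_BPS, COL_RX_BPS, COL_TOTAL_BPS = 0, 1, 2, 3, 4

# Constructed sample, as if captured with: bwm-ng -o csv -t 1000 -c 0 -I em2
# (one-second probes; the third line is a traffic surge on em2).
SAMPLE_CSV = """\
1135000000;em2;0;8468;8468;8468;0;0;12;12;12;0;0;0;0;0
1135000001;em2;0;9933;9933;18401;0;0;14;14;26;0;0;0;0;0
1135000002;em2;512;600064;600576;618465;512;1;410;411;437;1;0;0;0;0
1135000003;em2;0;7168;7168;625633;512;0;10;10;447;1;0;0;0;0
1135000002;total;512;600064;600576;618465;512;1;410;411;437;1;0;0;0;0
not a csv line; should be ignored
"""


@dataclass
class Sample:
    ts: int
    rx_bps: float      # bytes per second received
    tx_bps: float      # bytes per second sent
    total_bps: float   # bytes per second, both directions


def bytes_per_sec_to_kbps(bps):
    """Convert bytes/s to kilobits/s (assumes 1000 bits per Kb)."""
    return bps * 8 / 1000.0


def parse_bwm_csv(text, iface):
    """Return the Sample rows for one interface, skipping malformed lines."""
    samples = []
    for line in text.splitlines():
        fields = line.strip().split(";")
        if len(fields) <= COL_TOTAL_BPS or fields[COL_IFACE] != iface:
            continue
        try:
            samples.append(Sample(int(fields[COL_TS]),
                                  float(fields[COL_RX_BPS]),
                                  float(fields[COL_TX_BPS]),
                                  float(fields[COL_TOTAL_BPS])))
        except ValueError:
            continue  # garbage in the capture; do not abort the whole run
    return samples


def summarise(samples):
    """Max (with its timestamp) and average total rate in Kbps, like 't'."""
    if not samples:
        return None
    totals = [bytes_per_sec_to_kbps(s.total_bps) for s in samples]
    peak = max(range(len(totals)), key=lambda i: totals[i])
    return {
        "samples": len(samples),
        "max_kbps": totals[peak],
        "max_ts": samples[peak].ts,
        "avg_kbps": sum(totals) / len(totals),
    }


def window_avg_kbps(samples, window_s):
    """Average total rate over the last window_s seconds of the capture,
    the offline counterpart of bwm-ng's 'avg (30s)' display."""
    if not samples:
        return None
    last_ts = samples[-1].ts
    recent = [s for s in samples if s.ts >= last_ts - window_s]
    return sum(bytes_per_sec_to_kbps(s.total_bps) for s in recent) / len(recent)


if __name__ == "__main__":
    em2 = parse_bwm_csv(SAMPLE_CSV, "em2")
    print(summarise(em2))
    print("last 30s avg Kbps:", window_avg_kbps(em2, 30))
```

To use it on a real capture, redirect bwm-ng's CSV output to a file for a day or more and feed the file to parse_bwm_csv; the max_ts field tells you when the surge occurred, which is the first thing to correlate with the sensor's drop counters.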
Remember you can also use bpfstat on FreeBSD 6 and higher to get BPF performance data from the kernel. Here I measure every 10 seconds. Notice that the drop figures aren't changing.
# bpfstat -i 10 -I em2
pid netif flags recv drop match sblen hblen command
91593 em2 p--s- 156908 0 156908 1012 0 snort
18669 em2 p--s- 73065540 47 73065540 928 0 snort
33252 em2 p--s- 253633385 429 253633385 424 0 sancp
91593 em2 p--s- 157501 0 157501 750 0 snort
18669 em2 p--s- 73066133 47 73066133 662 0 snort
33252 em2 p--s- 253633978 429 253633978 326 0 sancp
91593 em2 p--s- 158625 0 158625 11355 0 snort
18669 em2 p--s- 73067257 47 73067257 10051 0 snort
33252 em2 p--s- 253635102 429 253635102 2927 0 sancp
91593 em2 p--s- 161417 0 161417 11838 0 snort
18669 em2 p--s- 73070049 47 73070049 11838 0 snort
33252 em2 p--s- 253637894 429 253637894 6530 0 sancp
91593 em2 p--s- 162303 0 162303 166 0 snort
18669 em2 p--s- 73070935 47 73070935 166 0 snort
33252 em2 p--s- 253638780 429 253638780 414 0 sancp
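Eyeballing the drop column works for a few samples, but for a long bpfstat run you want to know only when a process's drop count grows between two consecutive samples, since that is the moment the sensor started losing packets. The script below is an added example, not part of the original post or of FreeBSD's bpfstat. It assumes the column layout shown in the bpfstat output above (pid, netif, flags, recv, drop, match, sblen, hblen, command) and uses constructed sample lines in which snort's drop count rises from 0 to 12 on the third sample.

```python
"""Flag BPF drop-count increases per process from bpfstat -i output.

Added example (not bpfstat's own code). Assumes the column layout
pid netif flags recv drop match sblen hblen command.
"""

# Constructed sample in the shape of `bpfstat -i 10 -I em2` output.
SAMPLE_BPFSTAT = """\
  pid  netif  flags      recv      drop     match sblen hblen command
91593    em2  p--s-    156908         0    156908  1012     0 snort
33252    em2  p--s- 253633385       429 253633385   424     0 sancp
91593    em2  p--s-    157501         0    157501   750     0 snort
33252    em2  p--s- 253633978       429 253633978   326     0 sancp
91593    em2  p--s-    158625        12    158625 11355     0 snort
33252    em2  p--s- 253635102       429 253635102  2927     0 sancp
"""

COL_PID, COL_NETIF, COL_RECV, COL_DROP, COL_CMD = 0, 1, 3, 4, 8


def parse_bpfstat(text):
    """Yield (pid, netif, recv, drop, command) for each data row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) <= COL_CMD or fields[COL_PID] == "pid":
            continue  # header line or blank
        try:
            rows.append((int(fields[COL_PID]), fields[COL_NETIF],
                         int(fields[COL_RECV]), int(fields[COL_DROP]),
                         fields[COL_CMD]))
        except ValueError:
            continue
    return rows


def loss_ratio(recv, drop):
    """Fraction of packets the kernel dropped for this BPF consumer."""
    seen = recv + drop
    return drop / seen if seen else 0.0


def drop_increments(text):
    """Compare each row with the previous row for the same pid and report
    every sample where the drop counter went up."""
    last = {}      # pid -> previous drop count
    events = []
    for pid, netif, recv, drop, cmd in parse_bpfstat(text):
        prev = last.get(pid)
        if prev is not None and drop > prev:
            events.append({
                "pid": pid, "netif": netif, "command": cmd,
                "prev_drop": prev, "drop": drop, "delta": drop - prev,
                "loss_ratio": loss_ratio(recv, drop),
            })
        last[pid] = drop
    return events


if __name__ == "__main__":
    for ev in drop_increments(SAMPLE_BPFSTAT):
        print("%(command)s pid %(pid)d on %(netif)s dropped %(delta)d more "
              "packets (%(prev_drop)d -> %(drop)d), loss %(loss_ratio).2e" % ev)
```

Run bpfstat -i 10 -I em2 through this over the same period as the bwm-ng capture: a drop increment that lines up with a bwm-ng max event tells you the surge exceeded what the sensor's BPF buffers could absorb.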