I decided to try bwm-ng. It's in the FreeBSD ports tree as bwm-ng. (Don't think I'm abandoning FreeBSD for Debian. Nothing can beat FreeBSD's package system in terms of number and variety of applications and up-to-date versions.)
Start bwm-ng by telling it the interface you want monitored.
# bwm-ng -I em2
The default screen looks like this.
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: rate
| iface Rx Tx Total
===========================================================================
em2: 8.27 KB/s 0.00 KB/s 8.27 KB/s
---------------------------------------------------------------------------
total: 8.27 KB/s 0.00 KB/s 8.27 KB/s
This screen shows the instantaneous traffic rate as measured by bwm-ng in KBps. Instantaneous rates aren't that helpful. To learn more options, I hit the 'h' key.
lqbwm-ng v0.5 - Keybindings:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x x
x 'h' show this help x
x 'q' exit x
x '+' increases timeout by 100ms x
x '-' decreases timeout by 100ms x
x 'd' switch KB and auto assign Byte/KB/MB/GB x
x 'a' cycle: show all interfaces, only those which are up, x
x only up and not hidden x
x 's' sum hidden ifaces to total aswell or not x
x 'n' cycle: input methods x
x 'u' cycle: bytes,bits,packets,errors x
x 't' cycle: current rate, max, sum since start, average for last 30s x
x x
mq press any key to continue... qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
On screen the qqqqq and such is a line, not letters.
The 't' option looks helpful. If I hit the 't' key three times, I end up with the following display.
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: avg (30s)
/ iface Rx Tx Total
===========================================================================
em2: 9.70 KB/s 0.00 KB/s 9.70 KB/s
---------------------------------------------------------------------------
total: 9.70 KB/s 0.00 KB/s 9.70 KB/s
Now I have a 30 second average. I prefer to see bits, not bytes, so I hit the 'u' key once.
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: avg (30s)
- iface Rx Tx Total
===========================================================================
em2: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s
---------------------------------------------------------------------------
total: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s
Now I have a 30 second average measured in Kbps.
For a sensor, the max traffic measured is very important. If I leave bwm-ng running for a while (perhaps in a screen(1) session), I can see surges. To have bwm-ng show me those maximum events, I can hit the 't' key to cycle through to the max report.
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: avg (30s)
- iface Rx Tx Total
===========================================================================
em2: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s
---------------------------------------------------------------------------
total: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s
If I hit the 'd' key, bwm-ng will switch from using Kilo units to something it considers more appropriate.
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: max
/ iface Rx Tx Total
===========================================================================
em2: 4.69 Mb/s 0.00 b/s 4.69 Mb/s
---------------------------------------------------------------------------
total: 4.69 Mb/s 0.00 b/s 4.69 Mb/s
Here we see this interface topped out at 4.69 Mbps.
This is the sort of data I need to determine if my sensor can handle this sort of load. The longer I leave bwm-ng running, the more I will know about this site's traffic characteristics.
If you read bwm-ng's man page you'll see you can also run the program as a daemon and output measurements to .csv and other formats.
Remember you can also use bpfstat on FreeBSD 6 and higher to get BPF performance data from the kernel. Here I measure every 10 seconds. Notice that the drop figures aren't changing.
# bpfstat -i 10 -I em2
pid netif flags recv drop match sblen hblen command
91593 em2 p--s- 156908 0 156908 1012 0 snort
18669 em2 p--s- 73065540 47 73065540 928 0 snort
33252 em2 p--s- 253633385 429 253633385 424 0 sancp
91593 em2 p--s- 157501 0 157501 750 0 snort
18669 em2 p--s- 73066133 47 73066133 662 0 snort
33252 em2 p--s- 253633978 429 253633978 326 0 sancp
91593 em2 p--s- 158625 0 158625 11355 0 snort
18669 em2 p--s- 73067257 47 73067257 10051 0 snort
33252 em2 p--s- 253635102 429 253635102 2927 0 sancp
91593 em2 p--s- 161417 0 161417 11838 0 snort
18669 em2 p--s- 73070049 47 73070049 11838 0 snort
33252 em2 p--s- 253637894 429 253637894 6530 0 sancp
91593 em2 p--s- 162303 0 162303 166 0 snort
18669 em2 p--s- 73070935 47 73070935 166 0 snort
33252 em2 p--s- 253638780 429 253638780 414 0 sancp
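The recv and drop columns above are cumulative counters, so what matters for a sensor is how much they change between samples. The following is an added example, not part of the original post: it parses captured bpfstat output and reports per-interval deltas for each listener. The function names are hypothetical, and treating a counter that goes backwards as a reopened descriptor is an assumption.

```python
from collections import defaultdict

# First three 10-second samples, copied from the bpfstat output above.
SAMPLE = """\
pid netif flags recv drop match sblen hblen command
91593 em2 p--s- 156908 0 156908 1012 0 snort
18669 em2 p--s- 73065540 47 73065540 928 0 snort
33252 em2 p--s- 253633385 429 253633385 424 0 sancp
91593 em2 p--s- 157501 0 157501 750 0 snort
18669 em2 p--s- 73066133 47 73066133 662 0 snort
33252 em2 p--s- 253633978 429 253633978 326 0 sancp
91593 em2 p--s- 158625 0 158625 11355 0 snort
18669 em2 p--s- 73067257 47 73067257 10051 0 snort
33252 em2 p--s- 253635102 429 253635102 2927 0 sancp
"""

def parse_rows(text):
    """Yield (pid, netif, command, recv, drop) for each data row, skipping headers."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0].isdigit():
            yield int(f[0]), f[1], " ".join(f[8:]), int(f[3]), int(f[4])

def interval_deltas(text):
    """Map (pid, netif, command) -> [(recv_delta, drop_delta), ...] per interval."""
    last, deltas = {}, defaultdict(list)
    for pid, netif, cmd, recv, drop in parse_rows(text):
        key = (pid, netif, cmd)
        if key in last and recv >= last[key][0] and drop >= last[key][1]:
            deltas[key].append((recv - last[key][0], drop - last[key][1]))
        # Assumption: a counter that went backwards means the descriptor was
        # reopened, so no delta is recorded and the new values become the baseline.
        last[key] = (recv, drop)
    return dict(deltas)

def dropping_listeners(text):
    """Listeners whose drop counter rose during at least one interval."""
    return sorted(k for k, d in interval_deltas(text).items()
                  if any(dd > 0 for _, dd in d))

if __name__ == "__main__":
    for (pid, netif, cmd), d in interval_deltas(SAMPLE).items():
        print(pid, netif, cmd, d)
    print("dropping:", dropping_listeners(SAMPLE))
```

An empty result from dropping_listeners means every listener kept up during the capture, even if its cumulative drop count is nonzero from earlier.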