DD-WRT & rflow collector

Hi All,

My friend has a bunch of students living with her, and the students are using all her bandwidth in a week; they are then throttled by the ISP back to dialup - ouch.

Anyway she has a router with DD-WRT on it, and I was looking at putting some traffic monitoring software in place to see who the offender is.

I have googled it and seen some info on rflow collector, but am still trying to get my head around how it all fits together.

If I understand what I have read so far correctly then:

  1. Mysql stores the data in a table
  2. rflow collector writes the data to the database

But does rflow collector also display the data or is another program required?

This is on a Windows XP Machine.

I have tried Open Xtra MRTG and NTOP on my PC, but it only seems to monitor what's happening on my NIC, not the router?

Please any help or suggestions appreciated.

Ta

-Al

Reply to
BigAl.NZ

Did you check the DD-WRT Tutorial?

Reply to
LR

Yes, and it says you can use a query browser to view the network... sounds like I almost need to be a DB programmer to do this... I just want to view traffic amounts back to clients!!!!!

Isn't there an easier way?

Reply to
BigAl.NZ

Good, fast, cheap... pick two. That's the rule. What you're after is doable and the software for it is all free. The expense is your time to set it all up. C'est la vie.

Reply to
Bill Kearney

Easier? Sure, just pound the students into submission. Violence always works. It might also be easier to use QoS and apply quotas. Another easier way is to apply time slicing. Give each student 1 hour of internet time in rotation and bill them by the connect time. The easiest way (for me, in my limited experience) is to publicly post their individual traffic statistics. That will generate all manner of embarrassing questions and tends to discourage overuse and abuse.

Now, if you wanted a "better" way, instead of an "easier" way, there's always SNMP, which is part of the DD-WRT distribution. Like RFLOW, the problem is that you'll need a dedicated PC, running continuously, to do the logging. There's not enough horsepower or flash space in the WRT54G to store all the collected data.

For SNMP monitoring, I suggest RRDTool running on your favorite Linux distribution:

with a Cacti front end:

If that's too much, you can get a start with PRTG:

which does both SNMP and Netflow. You can sorta monitor by MAC address, so that you don't have to deal with separating out the traffic by user. However, the free version of PRTG only does 3 OIDs, so you'll need to spend the $100 for the commercial version. Send the bill to the students, which may in itself solve the problem. If not, there are plenty of other tools.

RFlow uses a version of Cisco IOS Netflow. There are apparently plenty of monitoring and logging tools available. For example: (nice image)

You might also take a look at Wallwatcher:

It can't separate out the traffic by client IP, so it won't do what you want, but it's a useful tool for collecting overall traffic data and sniffing, without the complexities of SNMP and Netflow.

Reply to
Jeff Liebermann

I use Rflow, and though it's minimal, it does help me get an idea of what's going on and I haven't found anything else so direct and simple excepting NTOP, which is even less supported and trickier. There is almost no documentation on Rflow and very little adjustment, but it works. I certainly wish somebody would give it some attention, I'd pay for it.

But it works and YOU DON'T NEED MySQL to use it. It will show each user currently connected to the router and how much they are downloading and uploading. If you keep it running all the time, you can see running totals for all users. It's a bit hard to sort out the obscure labeling, but you can figure out which data column serves you.

So, if you don't want to get into the SNMP programs, which I personally couldn't sort out in a week of study, then try Rflow. It's very easy to install and you can make up a text list of MAC addys linked to user names that it will load when it starts.

The tricky part is that you need to have it running on some pc all the time. Also, the numbers are tied to each MAC-IP assignment, so if somebody goes offline and then comes on with a new IP, then you lose their old data. Best to assign IPs for longer term tracking. Certainly using it with MySQL is the way to go, but again, I don't want to spend a week learning it either.

Two other comments:

1) I also put DU meter on the individual problem machines so that the users know what they are doing too. It's specific to the local machine and helps them self-police. DU meter costs money but there are free local bandwidth meters too.

2) V24 of DD-WRT has bandwidth monitoring of its own. I kinda doubt it will serve you much, but you may want to upgrade dd-wrt (carefully - get the right file) if you don't have v24 and check that out too.

So, try out Rflow. If you run into trouble, ask here. The DD-WRT forum won't help much on this for some reason, but do a search for it there; many questions (with a few answers) about it are mine!

Steve

Reply to
seaweedsl
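The per-user download and upload totals Steve describes are what a NetFlow collector computes from the router's exports. The following is an added example for this thread, written by the editor; it is not rflow's code and not anything the posters shared. It decodes NetFlow v5 datagrams (the format rflow exports, normally to UDP 2055) and keeps running per-host byte counts, classifying each flow as download (WAN to LAN) or upload (LAN to WAN) by which side of an assumed 192.168.1.0/24 LAN the addresses fall on. The sample export datagram is constructed inline so the script runs offline; the UDP listener is optional.

```python
import ipaddress
import socket
import struct
from collections import defaultdict

# Assumed LAN; every other address is treated as the WAN side.
LAN = ipaddress.ip_network("192.168.1.0/24")

# NetFlow v5 wire layout (big-endian): 24-byte header, then `count` 48-byte records.
HEADER_FMT = "!HHIIIIBBH"                # version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport, pad, flags, proto, tos, src_as, dst_as, smask, dmask, pad
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


def parse_netflow_v5(datagram):
    """Decode one export datagram into flow dicts; reject anything that is not a well-formed v5 packet."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack_from("!HH", datagram)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    # v5 exporters send 1..30 records; a length mismatch means a truncated or padded packet.
    if not 1 <= count <= 30 or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "pkts": f[5], "octets": f[6], "proto": f[13]})
    return flows


def new_totals():
    return defaultdict(lambda: {"down": 0, "up": 0})


def add_flows(totals, flows, lan=LAN):
    """Accumulate bytes per LAN host: WAN->LAN is download, LAN->WAN is upload, LAN-to-LAN is ignored (no ISP quota)."""
    for f in flows:
        src_in = ipaddress.ip_address(f["src"]) in lan
        dst_in = ipaddress.ip_address(f["dst"]) in lan
        if dst_in and not src_in:
            totals[f["dst"]]["down"] += f["octets"]
        elif src_in and not dst_in:
            totals[f["src"]]["up"] += f["octets"]
    return totals


# --- constructed sample export so the script runs offline ---
def build_record(src, dst, octets, pkts=1, proto=6):
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, pkts, octets, 0, 0, 80, 51000, 0, 0x18, proto, 0, 0, 0, 24, 0, 0)


def build_export(records):
    header = struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0)
    return header + b"".join(records)


SAMPLE_EXPORT = build_export([
    build_record("63.249.85.1", "192.168.1.11", 1500000),   # download to .11
    build_record("192.168.1.11", "63.249.85.1", 20000),     # upload from .11
    build_record("63.249.85.1", "192.168.1.12", 300000),    # download to .12
    build_record("192.168.1.11", "192.168.1.12", 999999),   # LAN-to-LAN, not counted
])


def sample_totals():
    return dict(add_flows(new_totals(), parse_netflow_v5(SAMPLE_EXPORT)))


def listen(port=2055):
    """Act as a real collector: bind the export port and print running totals after every datagram."""
    totals = new_totals()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (router, _) = sock.recvfrom(65535)
        try:
            add_flows(totals, parse_netflow_v5(data))
        except ValueError as e:
            print("ignoring bad packet from %s: %s" % (router, e))
            continue
        for host, t in sorted(totals.items()):
            print("%-15s down %10d  up %10d" % (host, t["down"], t["up"]))


if __name__ == "__main__":
    for host, t in sorted(sample_totals().items()):
        print("%-15s down %10d  up %10d" % (host, t["down"], t["up"]))
```

Replace the `__main__` block with `listen()` and point the router's rflow export at the collector to get live counts. Totals here are keyed by IP, which is exactly the weakness Steve notes: a host that returns with a new DHCP lease starts a new row, so fixed address assignments (or a MAC-to-name roster) are needed for longer-term tracking.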

Cheers Jeff,

yes the PRTG was easy.

There is also MRTG which is completely free - tried that one?

I have four clients that I need to monitor, so damn, one more than PRTG will give me.

-Al

Reply to
BigAl.NZ

I would love to try it but as you say there is very little documentation.

Could you post some instructions here? I have a spare PC it could run on....

Cheers

-Al

seaweedsl wrote:

Reply to
BigAl.NZ

Yes. I wrote the unofficial instructions for using it under Windoze 95, 98, and ME:

Tobias hates Win95, 98, and ME, so I got stuck with the task.

MRTG is easy to setup simple things, but it has some limitations.

  1. It uses Perl scripts, which tend to be slow on slow machines.
  2. It only graphs 2 OIDs per graph, which is rather limiting when you're trying to graph traffic for more than two users, or two services.
  3. Monitoring a large number of devices rapidly becomes an administrative nightmare.
  4. One mistake in mrtg.cfg and things really screw up. Diagnostic output is rather marginal.

More than 4. You'll also need total traffic in and out to make sure you haven't missed anyone, such as visiting laptops.

Reply to
Jeff Liebermann

What's an OID?

Reply to
BigAl.NZ

Object Identifier. In SNMP, it looks like 1.3.6.1.2.etc:

It identifies the various counters, and their possible values, that SNMP transmits.

Reply to
Jeff Liebermann

Also, see:

for a free, but rather limited, MIB browser.

Reply to
Jeff Liebermann

Ok, I have been playing around with PRTG, and let me check I got this right:

It seems that by default PRTG lets you monitor all the wired ports, and all the wireless ports, but it doesn't actually break that traffic down into what's come from various client IPs?

To do that it appears you need to set up a netflow sensor with a packet filter rule?

And I can't work out why, when I set up a netflow sensor with a packet filter rule, it says at the top of the graph "netflow data delayed by 5 min"?

-Al

Reply to
BigAl.NZ

Yep. By default, total traffic only.

Nope. You only need to find the proper OID (object identifier). You can do it two ways. By IP address or by MAC address. Get yourself a MIB browser and dump the entire MIB tree from your router. I like to use an old one called GetIF:

Some usage detail:

The free one from IReasoning is better, but you can't load enough MIB files to make it really useful.

More MIB browsers:

If all else fails, use the DOS version SNMPUTIL.EXE from:

Run: SNMPUTIL walk 192.168.1.1 public .1.3.6.1 which should dump everything but with only numeric OIDs, not text versions. Sift through the mess until you find the OIDs for your favorite IP or MAC address. Well, you can make it easier with: SNMPUTIL walk 192.168.1.1 public .1.3.6.1 | find "192.168.1.11" where 192.168.1.11 is replaced by the IP or MAC address of a computah. The extra numbers at the end of the OID are pointers to a table, where the data is located. When you find an OID worth monitoring, type it into the PRTG config file. Repeat for all computers on the LAN. Also graph the total traffic so that you can tell if anyone has snuck in a new device. The SNMP table will update dynamically, but not the PRTG/MRTG config files.

  C:\> snmputil walk 192.168.1.1 public .1.3.6.1 | find /I "netaddress"

  Variable = at.atTable.atEntry.atNetAddress.268906152.1.63.249.85.1
  Variable = at.atTable.atEntry.atNetAddress.2147443560.1.192.168.1.11
  Variable = ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress.268752072.63.249.85.1
  Variable = ip.ipNetToMediaTable.ipNetToMediaEntry.ipNetToMediaNetAddress.2147443560.192.168.1.11

192.168.1.11 is the IP of my desktop. 63.249.85.1 is the ISP gateway IP. The rubbish preceding the IPs are the pointers.

I'll bet you thought that SNMP was simple?

Dunno. I'm too lazy to try it today. Not enough sleep.

Reply to
Jeff Liebermann
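Jeff's point that the numbers at the tail of an OID are pointers into a table is easiest to see by decoding them. The following is an added example by the editor, not output of snmputil and not code from anyone in the thread. It parses a walk of ipNetToMediaTable (the router's ARP cache, OID 1.3.6.1.2.1.4.22), splits each row's index into the interface index plus the four IP octets, maps IP to MAC, and flags any LAN MAC that is not on a known roster, which is the "has anyone snuck in a new device" check from the post above. The sample walk lines are constructed and follow net-snmp's `snmpwalk -On` output style, which is an assumption; snmputil's `Variable = / Value =` layout would need a different regex.

```python
import ipaddress
import re

# ipNetToMediaTable is 1.3.6.1.2.1.4.22, its entry is .1, and column 2 is ipNetToMediaPhysAddress.
# Each row's index is <ifIndex>.<a>.<b>.<c>.<d>: the "pointers" hanging off the end of the OID.
ARP_TABLE_OID = ".1.3.6.1.2.1.4.22.1"
PHYS_ROW = re.compile(
    r"^\.?1\.3\.6\.1\.2\.1\.4\.22\.1\.2\.(\d+)\.(\d+\.\d+\.\d+\.\d+)\s*=\s*Hex-STRING:\s*([0-9A-Fa-f ]+)$"
)

# Constructed sample walk (net-snmp "snmpwalk -On" style, assumed; not real router output).
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.22.1.2.2.63.249.85.1 = Hex-STRING: 00 AA BB CC DD 01
.1.3.6.1.2.1.4.22.1.2.1.192.168.1.11 = Hex-STRING: 00 11 22 33 44 55
.1.3.6.1.2.1.4.22.1.2.1.192.168.1.12 = Hex-STRING: 00 11 22 33 44 66
.1.3.6.1.2.1.4.22.1.2.1.192.168.1.57 = Hex-STRING: 00 DE AD BE EF 99
.1.3.6.1.2.1.4.22.1.3.1.192.168.1.11 = IpAddress: 192.168.1.11
.1.3.6.1.2.1.4.22.1.4.1.192.168.1.11 = INTEGER: 3
"""

# Constructed roster of MACs expected on the LAN (the kind of text list Steve keeps for rflow).
KNOWN_MACS = {
    "00:11:22:33:44:55": "al-desktop",
    "00:11:22:33:44:66": "student-1",
}

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN


def parse_arp_table(walk_text):
    """Return {ip: (ifIndex, mac)} from the PhysAddress column; other columns and unrelated OIDs are skipped."""
    table = {}
    for line in walk_text.splitlines():
        m = PHYS_ROW.match(line.strip())
        if not m:
            continue
        ifindex, ip, hexbytes = m.groups()
        mac = ":".join(b.lower().zfill(2) for b in hexbytes.split())
        table[ip] = (int(ifindex), mac)
    return table


def oid_for_row(column, ifindex, ip):
    """Rebuild the full OID of one cell: table.entry.<column>.<ifIndex>.<ip octets>."""
    return "%s.%d.%d.%s" % (ARP_TABLE_OID, column, ifindex, ip)


def find_unknown_devices(table, known_macs, lan=LAN):
    """LAN entries whose MAC is not on the roster: a visiting laptop, or a device worth a closer look."""
    return {ip: mac for ip, (_, mac) in table.items()
            if ipaddress.ip_address(ip) in lan and mac not in known_macs}


if __name__ == "__main__":
    arp = parse_arp_table(SAMPLE_WALK)
    for ip, (idx, mac) in sorted(arp.items()):
        print("%-15s if=%d  %s  (%s)" % (ip, idx, mac, KNOWN_MACS.get(mac, "UNKNOWN")))
    print("unknown on LAN:", find_unknown_devices(arp, KNOWN_MACS))
```

Feed it the output of a real walk (`snmpwalk -v2c -c public -On 192.168.1.1 .1.3.6.1.2.1.4.22.1.2`) on a schedule and diff the result against the roster; since the SNMP table updates itself while the PRTG or MRTG config does not, this is the part that tells you a new graph is needed.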

If you ever get SNMP sorted out, let us know. Obviously Jeff understands it and some other people as well whom I've never encountered.

Personally, as a non-programmer, it looks every bit as easy as learning Chinese.

I'm grateful for Rflow and DD-WRT. It does the job for free with minimal installation and no additional software, research or programming.

Steve

Reply to
seaweedsl

Wrong. I've used SNMP, dabbled with various SNMP based devices, done battle with monitoring software, and even got paid for the exercise. However, that doesn't mean I really understand it. There are plenty of mysteries that I still don't understand, despite explanations and reading. For example, when does one use a leading decimal point in front of the OID?

Actually, using it is fairly easy, especially with a suitable front end program to insulate you from the complexities. A MIB browser is a good start.

Netflow (also known as Rflow) is probably the right answer for monitoring traffic by IP or MAC address.

Got $1800 handy?

Might be fun to try it. It says it's for Cisco but I think it will work with DD-WRT Rflow.

Looks like they also have a wireless monitor for only $2500:

This one looks interesting:

Only $5,000.

Probably a bit much for students. So, there are free Netflow tools:

Like anything good, they're mostly Unix or Linux based. However, there are a few with Windoze versions.

So much free software.... so little time.

Reply to
Jeff Liebermann

I knew I should have kept my mouth shut. Now Jeff's got me exploring Netflow alternatives again. Still, I think that Rflow has an advantage over the others in that it uses MACupd (I think it's called) which seems to allow one to monitor... uh... actually, I'm not clear what does what.

But it's a feature that must be doing something! And the others don't seem to have it. So there!

I think that my/our problem with monitoring software that uses Netflow, SNMP and/or whatever is that until now, administrators with serious budgets and serious tech skills were the target user. Now, as networking has become ubiquitous, every Tom, Dick and seaweedsl wants / needs monitoring software that we can learn in one hour, not 30.

I wonder when somebody will put out a cleaned-up, fleshed-out, well-explained data-managing version of Rflow. Make it shareware without data logging and $20-25 with and you will have an income. So what if it needs DD-WRT to run, that's common enough now and supports many routers.

Thanks for the links though, Jeff. At the least, Ntop appears to have been updated and I might try it again. I never could get it working before. Or maybe I'll learn MySQL .... when I have time and brain cells to spend on it.

Reply to
seaweedsl

Obviously Rflow uses Rflow/Netflow primarily. MACupd is an additional feature. I think it's what matches the MAC address to user names.

Steve

Reply to
seaweedsl

Sorry. When I don't have an instant answer handy, I usually try to get the person asking to do all the work.

DD-WRT v24 final release arrived last week. I've installed it on several non-critical machines. It's working just fine, and even fixed a mysterious wireless key renewal and disconnect problem I was having with WPA2-TKIP (not really officially supported as WPA2 is supposed to use AES encryption).

While you're at it, here's another mystery. Go to the "Services" tab and scroll down to the very bottom of the list. There's something called "WAN Traffic Counter - ttraff daemon". I enabled it and tried to decode its purpose, but failed. The source code is interesting:

and says "used for collecting and storing WAN traffic info to nvram". Ok, so where do I find it and how do I use the collected data?

Go to the source:

macupd v2 | send all known Clients (and WDS) from this machine by UDP

Well, I hate to admit a small failure, but I was sympathetic (and bored) yesterday. So, I downloaded the latest MRTG and decided to scribble a web page detailing what it takes to monitor a DD-WRT based router.

The first thing I discovered is that the MRTG Windoze install and setup instructions have a few major errors. The next thing I discovered is that I had no easy way to generate a dynamic list of MAC addresses so that new graphs could be created on the fly. I think I can do that with MACupd or more crudely with arp -a or a simple Perl script. Within about an hour, I discovered that I had a major project on my hands and gave up for now. I hate programming...

I tried the Windoze (demo) version of NTOP recently. It was even more complicated to set up than before. I did manage to configure Netflow (2055) but couldn't get NTOP to display any data. It was also irritating to find that I had to configure an ethernet interface for data sniffing, even though I wasn't using it.

More, when I have time. Today is Memorial Day in the USA. I'm celebrating the holiday by dragging myself to the office and working on two nightmares. I think I blew up a customer's laptop and may have to buy her a replacement. I also have a really ancient Xenix server with a blown IBM monochrome display. When I plug in a VGA, it overlaps the memory mapped for the Digiboard serial card and panics. So, I have to fix the monitor. I hate computers...

Reply to
Jeff Liebermann

I also have a really ancient Xenix server

Is it running on AT-class hardware or Microchannel? Can you cpio the entire system (sans user data where necessary) to preserve it? Is it MS-Xenix or the IBM variant?

Michael

Reply to
msg
