1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Seeking details on traffic monitoring

Discussion in 'Tomato Firmware' started by CyyberSpaceCowboy, May 9, 2007.

  1. I understand Tomato and similar firmware provide traffic monitoring utilities. I administer a small network of 150 workstations with a 2500kbps DSL connection to the ISP. Sometimes Internet and LAN connections get slow and I want to know where my bandwidth is going. I don't have any unswitched ports on which to place a workstation running monitoring software. I'd like to run traffic monitor routines on a less expensive router as an alternative to a Cisco or similar firewall.

    I'd like to monitor realtime bandwidth usage as well as be able to view statistical logs. Does anyone know of a link that will teach me how to analyze connection logs to determine if I have malware running on a workstation? I know this is a Tomato forum. but does any of the other firmware provide more advanced security features? Do some models of routers support more security features than other running the same firmware? Thanks
     
  2. u3gyxap

    u3gyxap Network Guru Member

    Maybe bwlog is what you are looking for.
     
  3. jlaase

    jlaase Network Guru Member

    Currently, the Tomato firmware does give you bandwidth usage in real time and for the last 5 hours. It even allows for you to save this data off of the router so it will survive reboots.

    As far as traffic analysis goes, the firmware will allow you to create syslog events for traffic. You have the choice of getting events for allowed outbound traffic, allowed in bound, denied outbound and denied inbound. If you were to collect allowed outbound traffic, you could use a third party tool to help with analysis of this traffic. If you are running a windows machine, you can use a free tool like Wall Watcher or you could buy a tool like LinkLogger. Both of these will allow for easy traffic analysis.

    I hope this helps,

    Josh
     
  4. shadow_empire

    shadow_empire LI Guru Member

    I have the following setup to monitor IP-based bandwith:

    Put the following to your firewall rules (Administration - Scripts - Firewall)
    depending on your clients.


    iptables -N traffic_in
    iptables -N traffic_out
    iptables -I FORWARD 1 -j traffic_in
    iptables -I FORWARD 2 -j traffic_out
    iptables -A traffic_in -d 192.168.1.104
    iptables -A traffic_out -s 192.168.1.104
    iptables -A traffic_in -d 192.168.1.131
    iptables -A traffic_out -s 192.168.1.131
    iptables -A traffic_in -d 192.168.1.101
    iptables -A traffic_out -s 192.168.1.101
    iptables -A traffic_in -d 192.168.1.102
    iptables -A traffic_out -s 192.168.1.102


    Then you can monitor the bandwith with the following commands on the router's shell:

    Check statistics by typing:
    iptables -L traffic_in -vn
    iptables -L traffic_out -vn



    Would be nice if Jon could add this feature to the next Tomato firmware release.
     
  5. lengo lad

    lengo lad LI Guru Member

    shadow_empire,

    I'm quite interested in what you've done here! Any chance you could help me understand what all the -* things mean? E.g., -N -A -I -L -j -d -s -vn. I've never written a script in my life, but this looks very valuable to me and worth understanding! Thanks.
     
  6. Hypernova

    Hypernova LI Guru Member

    I use that traffic counter too but it's not reliable. the values reset every time the you make changes to the QoS rules and what not and there is no way to preserve them. They are at best a quick check for who's whoring B/W by comparing values at different times.
     
  7. lengo lad

    lengo lad LI Guru Member

    Do you mean shadow_empire's traffic counter is not reliable? What if you leave your rules and settings alone--is it more reliable then? I'd be happy to be able to get a record of monthly 'throughput' / bandwidth usage per IP address. Would shadow_empire's rule set do it? Time to run a couple of experiments . . . :eek:
     
  8. affer

    affer LI Guru Member

    I'm sure that the poster must have been referring to Tomato per se. Jon (the author) has configured Tomato so that the statistics counters reset when you make some changes, instead of saving the current numbers. If you leave the settings alone, you should get accurate & cummaltive usage figures. The above script should work fine, (at a glance) I don't see any obvious syntax errors. Just remember that the stats are written to RAM by default.. so they will be lost if you have a power failure. So if the stat history is important to you, save your stats to a remote PC or some kind of NV memory. Or at least use a UPS.

    Also, it wouldn't be a lot more work to generate a dynamic html page for per ip stats, similar to the one Jon has built into Tomato. After you decide how you want to save & format the stats, use a shell script to run a cgi generator.
     
  9. mikester

    mikester Network Guru Member

    try google WALLWATCHER
     
  10. lengo lad

    lengo lad LI Guru Member

    shadow_empire & affer,

    any chance one of you could walk me through this? I've altered (for the static DHCP clients that I have) and entered the information in Admin > Scripts > Firewall, but for the life of me I don't know what to do with the instructions, "Then you can monitor the bandwith with the following commands on the router's shell". Where do I enter those commands? Where is the "router's shell"? And where will I find the output? I'm a network noob (but I'm trying:wink: ) Any help you could provide would be great!

    mikester,

    I've spent a couple hours with wallwatcher, but I can't get it to communicate with my router . . . When I 'Test snmp' (on the Bandwidth tab) I am told that "My router did not respond to the test" with a host of reasons given. I've checked the ones I know what to do with (router address, etc.) but some of them are brand new to me (e.g., SNMP OIDs). Are you running WW? Any chance you could help?

    Thanks all,

    paul
     
  11. lengo lad

    lengo lad LI Guru Member

    I just uninstalled and reinstalled WW. After setup I was told my firewall was correctly configured and I was able to ping the router and do a successful "Test snmp". And then . . . nothing . . . No logging, "test snmp" does not return any results, although I am still able to ping the router from WW. In Tomato I have logging enabled (Log to remote system> IP Address / Port: 192.168.1.4 : 514); in WW I have Router: Linksys WRT54G/S (Sveasoft/Hyperwrt) selected with LAN Addr: 192.168.1.1, Port: 514. I'm not sure what else to do . . . Help? :confused:
     
  12. affer

    affer LI Guru Member

    It sounds like you only have logging enabled. So you can use wallwatcher to save your logs, but that doesn't have anything to do with bandwidth stats which you would enable /access seperately.

    To get you started in the right direction; you need to add the traffic script to admin/scripts/firewall. And you probably want to send the cummulative bandwidth reports to wallwatcher as well, so enable that in admin/bandwidth monitoring. Reboot the router to ensure that the traffic script is running. Then use a SSH or telnet utility (e.g. putty) to access the router command line prompt & view the "per ip" stats. If you can't log into the router, check that you have SSH/telnet access enabled in the admin/admin access menu. More details can be found in the faq, misc info, wiki or via google.
     
  13. lengo lad

    lengo lad LI Guru Member

    Thank you!
     
  14. affer

    affer LI Guru Member

    I tried the script out today & it appears to work properly.
    It gives cummulative bandwidth stats for each IP as seen below.

    [​IMG]
     
  15. lengo lad

    lengo lad LI Guru Member

    OK, I've done that.

    Not sure how to do this . . . Do I need to point Tomato to a folder on my computer? I suspect so, but there are a number of options with names I can't even guess at . . .

     
  16. affer

    affer LI Guru Member

    Unfortunately, I don't have enough spare time to walk you through this step by step. But I think that I can answer most of your questions, which should get you up & running. The problem that you had with SSH is that you should set up a public key for SSH, which is more secure than a user/password login. For now go to the tomato admin/admin access menu and uncheck SSH/enable at startup. Then check telnet/enable at startup instead. Don't forget to click on save at the bottom of the page. Now open the putty program, check the telnet button, enter your router ip (by default this would be 192.168.1.1) & click open. Your login will be root & the password is your router password. Then you can list the per ip stats. E.g. to see your upstream stats, you would type -
    iptables -L traffic_out -vn <enter>

    If you want to zero the figures, you would do so by typing -
    iptables -Z traffic_out <enter>

    For help with syntax, type -
    iptables --help <enter>

    To send the bandwidth reports to another computer, go to the tomato admin/bandwidth monitoring menu and click enable. Then you need to choose the location that the reports will be available from. I use a CIFS share, which means that the information is available from the router. Then you have to go to wallwatcher and tell it the location of that share. Alternately, there is a custom path option. I haven't used that, but it should let you specify whatever path you want for the bandwidth reports.

    I hope that gets you going. I'd love to see the per ip breakdown added to the tomato cummulative stats pages too. But it's a bit presumptious of us to imagine that Jon will do so. He's already written some great firmware here. If the per ip stats seem valuable or in demand to him, he may add this feature in due course. And if not, then we can still use scripts to collate the bandwidth breakdown.
     
  17. ericren23

    ericren23 LI Guru Member

    Is this data daily or monthly? or does it keep adding up till it gets reseted via the -Z switch?

    Has anyone tested the accuracy of this script? does it catch all traffic from that ip address?
    When I use it, it only seem to record a very small percentage of my total traffic :(
    Maybe this is local traffic instead of internet? is there a way to separate the two types?

    Im also using the WRT54G script generator to generate a bandwidth control script, could this affect the monitoring?? the following is my script


    #--------------------------------------------
    #WRT54 Script Generator v1.01
    #(C) 2006-2007 Robert "Robson" Mytkowski
    #--------------------------------------------
    TCA="tc class add dev br0"
    TFA="tc filter add dev br0"
    TQA="tc qdisc add dev br0"
    SFQ="sfq perturb 10"
    tc qdisc del dev br0 root
    tc qdisc add dev br0 root handle 1: htb
    tc class add dev br0 parent 1: classid 1:1 htb rate 9000kbit
    $TCA parent 1:1 classid 1:10 htb rate 4000kbit ceil 8000kbit prio 1
    $TCA parent 1:1 classid 1:11 htb rate 4000kbit ceil 8000kbit prio 0
    $TCA parent 1:1 classid 1:12 htb rate 900kbit ceil 900kbit prio 4
    $TQA parent 1:10 handle 10: $SFQ
    $TQA parent 1:11 handle 11: $SFQ
    $TQA parent 1:12 handle 12: $SFQ
    $TFA parent 1:0 prio 1 protocol ip handle 10 fw flowid 1:10
    $TFA parent 1:0 prio 0 protocol ip handle 11 fw flowid 1:11
    iptables -t mangle -A POSTROUTING -d 192.168.1.101 -j MARK --set-mark 10
    iptables -t mangle -A POSTROUTING -d 192.168.1.102 -j MARK --set-mark 11
    $TFA parent 1:0 protocol ip prio 4 u32 match u16 0x0800 0xFFFF at -2 match u32 0x46E9C833 0xFFFFFFFF at -12 match u16 0x0013 0xFFFF at -14 flowid 1:12
    tc qdisc add dev br0 ingress
    $TFA parent ffff: protocol ip handle 52 fw police rate 80kbit mtu 12k burst 10k drop
    iptables -t mangle -A PREROUTING -m mac --mac-source 00:13:46:E9:C8:33 -j MARK --set-mark 52
    iptables -I FORWARD -m mac --mac-source 00:13:46:E9:C8:33 -p tcp -m connlimit --connlimit-above 50 -j DROP
    iptables -N traffic_in
    iptables -N traffic_out
    iptables -I FORWARD 1 -j traffic_in
    iptables -I FORWARD 2 -j traffic_out
    iptables -A traffic_in -d 192.168.1.101
    iptables -A traffic_out -s 192.168.1.101
    iptables -A traffic_in -d 192.168.1.102
    iptables -A traffic_out -s 192.168.1.102
    iptables -A traffic_in -d 192.168.1.103
    iptables -A traffic_out -s 192.168.1.103
    iptables -A traffic_in -d 192.168.1.104
    iptables -A traffic_out -s 192.168.1.104

    thanks!
     
  18. Hypernova

    Hypernova LI Guru Member

    IT resets every time the WAN ip changes or settings change. (which cause the iptable programme to restart wiping the values)

    I looked around there seems to be this iptables-save/restore function (http://www.faqs.org/docs/iptables/iptables-save.html) that can save them to file but when I tried it it appears that such function was removed from tomato's version of iptables. I get a command not found when I type it in.
     
  19. mikester

    mikester Network Guru Member

    Hi Lengo Lad,

    Wallwatcher is extremely easy to use and minimally invasive IMHO. You can install SNMP but it'll take a little more effort on your part. I find wallwatcher gives me about 95% of what I need over installing SNMP and running an SNMP logger on a host PC.

    To have Tomato send data to Wallwatcher:

    Go to Administration/Logging (http:/(tomato.ip)/admin-log.asp)

    Check "Log to Remote System"
    Add your logging PC IP address and port 514
    Log BOTH inbound and outbound connections

    Install and run WallWatcher on your logging PC listening to port 514

    Watch and enjoy!

    BTW if you are running Zonealarm or equivalent it may be blocking traffic sent to Wallwatcher.
     
  20. ericren23

    ericren23 LI Guru Member

    Hi mikester, im trying out Wallwatcher too. Ive it to receive in/out connection details, but to get bandwidth, do i still need to install SNMP?
     
  21. mikester

    mikester Network Guru Member

    If you want bandwidth by IP you will need to use either SNMP or the IPTABLES solution posted earlier.

    Tomato will give you overall bandwidth.

    Even without SNMP you can see who is eating up connections/bandwidth via Wallwatcher and take appropriate action afterwords.
     
  22. lengo lad

    lengo lad LI Guru Member

    I finally got WW working (thanks, mikester!) One hitch: it only records 'sent' traffic; 'received' is greyed out (in WW -> File -> Analyze Bandwidth -> Summarize by). I have logging enabled for both inbound and outbound connections in Tomato (Admin -> Logging); I used the setting "If allowed by firewall". But when I download a 2MB file, there's no indication of that in WW (which is exactly what I want to see . . . ) Any more hints?
     
  23. mikester

    mikester Network Guru Member

    Sounds like you need to tweak your WW settings on your PC, not on your Tomato - I suggest reading through the help files and playing around with settings. Mike
     
  24. dadaniel

    dadaniel Network Guru Member

    Does anyone have sent this suggestion to Jon's mail adress?
     
  25. lengo lad

    lengo lad LI Guru Member

    Yes.
     
  26. affer

    affer LI Guru Member

    As you note, the save command was not compiled in Tomato. But the counter output can probably be pipelined to a log & then reloaded into the counters with the --set-counters option. You'd save the counter status to NV memory with a Tomato shutdown script. And then restore (set) the counters by reading the stored value & using the set command when the router reboots. I haven't had time to actually try this, but it should work. At the very least, we should be able to log the counter values frequently, so that values lost on a reboot or WAN IP change are not likely to be significant.

    To answer a previous poster, the script counters appear to be very accurate, byte accurate for half a dozen large downloads that I tried and also appear to be spot on for the four or five days that I let the traffic script run on my router.
     
  27. lengo lad

    lengo lad LI Guru Member

    I envy you . . . I'm still trying to get download stats :frown:
     
  28. affer

    affer LI Guru Member

    Try this?

    I'm assuming that you have Tomato running on your router
    Log into Tomato with your web browser
    First, we need to know the IP range of your network
    Go to the Status menu, then Device list, note the IP's
    Now click on the Administration menu | Scripts | Firewall
    Cut and paste the script from the window below into the Firewall page

    Code:
    iptables -N traffic_in
    iptables -N traffic_out
    iptables -I FORWARD 1 -j traffic_in
    iptables -I FORWARD 2 -j traffic_out
    iptables -A traffic_in -d 192.168.1.100
    iptables -A traffic_out -s 192.168.1.100
    iptables -A traffic_in -d 192.168.1.101
    iptables -A traffic_out -s 192.168.1.101
    iptables -A traffic_in -d 192.168.1.102
    iptables -A traffic_out -s 192.168.1.102
    iptables -A traffic_in -d 192.168.1.103
    iptables -A traffic_out -s 192.168.1.103
    iptables -A traffic_in -d 192.168.1.104
    iptables -A traffic_out -s 192.168.1.104
    iptables -A traffic_in -d 192.168.1.105
    iptables -A traffic_out -s 192.168.1.105
    
    Now, the traffic script, as written here assumes that your network is 192.168.1.100 to 192.168.1.105. If your IP range is different, then edit the script or add entries. You can see the pattern above. Just add two entries for each additional IP. Then click save on the bottom of the Firewall page. Reboot your router.

    Log into your router again & go to the Administration menu
    Now go to the Admin access link
    Under Telnet Daemon, check enable at startup
    Click save on the bottom of the page


    Now you need a telnet utility program e.g. putty
    Download putty.exe from the Putty site
    Run putty, click on telnet, then enter your routers IP address, usually 192.168.1.0 or 192.168.1.1
    Click on the Open button
    A login window will open, type root as your login, then the <enter> key
    Then type your router password & <enter> again
    Now you should be logged into your router command line

    Lastly type
    iptables -L traffic_in -v -n <enter>, then
    iptables -L traffic_out -v -n <enter>

    And you should have detailed traffic stats now, sorted by IP. My apologies if this seems a bit basic - but as you are having difficulties, maybe you were missing a step or doing something differently. If you're still having problems, post a detailed explanation of exactly what you're seeing.

    HTH
     
  29. Hypernova

    Hypernova LI Guru Member

    Personally I put both in and out in that same set. If you make sure the orders are the same it's easy to read both in and out at the same time. I also use the -v flag only since that gives you the name of the computers if you set them correctly.

    I'll try that in a few weeks after exam finishes...
     
  30. affer

    affer LI Guru Member

    The mystery deepens a bit. I noticed today that the iptables-restore command is available in Tomato. So it makes no sense that iptables-save is not. Bug? Or maybe I missing something obvious? I don't know. I did a search of this forum and found three or four other posters asking the same question.. and no one offering any solutions.

    Anyway, it should still be possible to save & restore the ruleset counters with a pair of scripts. In fact, much of the work has already been done for us in this thread. Just change the targets. If I remember correctly, the ruleset is stored on the router at /ipt/iptables.txt, so refer to the other thread to save this file (ruleset) upon shutdown. And use a WANup script to restore the traffic counters on startup.
    e.g. cat /path/iptables.txt | iptables-restore -c

     
  31. AF35

    AF35 LI Guru Member

    Hi,
    Sorry to dig up this old thread.

    But I have a related question regarding to Wall Watcher.

    All I'm trying to do is to get WW to record how much data has each local IP address downloaded per month.

    I'm abit confused as which traffic type is recorded from WAN (or internet) to local IP? is it called inbound traffic? (from Internet to WAN) or outbound traffic? (from WAN to LAN IPs)
    if you look at it from router point of view, inbound traffic can both mean from internet to router and also from workstations (LAN) to router.

    the same question applies to tomato logging page too. i'm confused about the term inbound connection and outbound connection in tomato too.

    can someone clarify this for me? or simply teach me how to record internet traffic to each local IP address?
    (ie i like to log the result of iptables -L traffic_in -vn in daily or monthly basis)
    Cheers
     
  32. palmdoc

    palmdoc Addicted to LI Member

    Hi. Many thanmks for this interesting lead. I's a tomato noob here.
    Here's what I got so far

    Code:
    # iptables -L traffic_in -v -n
    iptables: No chain/target/match by that name
    # iptables -L traffic_out -v -n
    iptables: No chain/target/match by that name
    
    What does this mean?
     
  33. palmdoc

    palmdoc Addicted to LI Member

    Oops. I guess I was a little impatient :redface:. Tried it a little later on and the data was there. Thanks for the useful script!
     
  34. phykris

    phykris Addicted to LI Member

    Does anyone have an idea what the performance impact and memory requirements are to monitor one IP address? Are the statistics updated on the fly, or with a certain interval? This feature would be an interesting thing to add to the graphical interface of Victek's Qos IP bandwidth limiter mod (both real time bandwidth usage and total volume overview).
     
  35. yourbull1

    yourbull1 Guest

    Ruby script for finding IP bandwidth hogs

    Hey folks,

    If you know ruby I wrote up a little script to setup your tomato router and parse/reset bandwidth info from iptables. It's more of a stop-gap until they add per-ip bandwidth monitoring in the tomato UI, but until then I use this all the time to yell at people in our office :).

    http://github.com/steviec/blamewidth/tree/master

    stevie
     
  36. AF35

    AF35 LI Guru Member

    great job you've done there yourbull1 :)

    currently I'm using similar script (even less user-friendly :p) to generate the quota /IP

    you can also use cron to reset the iptable every month

    I don't know if Tomato will support ssmtp package. but you can put them in cifs

    DD-WRT has the ability to install ipkg which has ssmtp and thus you can add a cron job to send you a mail of the stats everyday :)

    So now i get an email about all the usages per IP in my mailbox everyday and it resets every month :)

    [​IMG]

    Cheers!
     
  37. mikester

    mikester Network Guru Member

    For a network of 250 PC's I'd recommend using a PC based firewall running IPCOP or Endian and adding NTOP. You can also add better content, spam, email and AV filters as well as complete logging and graphing of traffic patterns.

    Tomato works great for SOHO but is limited for the stuff you are looking for.

    Cheers,
    Mike
     
  38. esaym

    esaym LI Guru Member

    Honestly if you have more than a couple of computers I would get an old computer and a smoothwall cd http://www.smoothwall.org/

    I spent about 60 hours hacking on a WRT54GL a few weeks ago to just end up being disappointed and I went back to smoothwall lol
     
  39. Gewehr98

    Gewehr98 LI Guru Member

    Can the logs sit for a while?

    None of the 5 workstations on my network are on 24/7. I do have 5 each Adaptec Snap Server NAS devices that are running constantly and could be used to stash log data remotely, but I'm curious if Tomato can buffer that data if the WallWatcher monitoring workstation is not running all the time.

    Also, I noticed that the Tomato status logs got very busy when I first started running WallWatcher and capturing traffic data. I run a WRT-54G v1.0, which is somewhat dated in the general scheme of all things WRT-54G both in memory and CPU speed. Am I at risk to overflow something in memory?
     

Share This Page