TCP Services Graph with Iptraf and RRDTool

Dieses Dokument zeigt wie man den TCP Traffic nach Ports aufteilt und daraus eine Grafik generiert.
Folgende Programme werden dazu benötigt: iptraf und rrdtool

IPtraf installieren

Installation von iptraf
Die ausführbaren Dateien sollten anschliessend in /usr/local/bin liegen!

tar -xzf iptraf-x.y.z.tar.gz
./setup

Iptraf konfigurieren

RRDTool installieren

tar -xzf rrdtool-1.0.40.tar.gz
./configure --prefix=/usr/local/rrdtool
make
make install

RoundRobinDatabase vorbereiten

rrdtool create /var/log/tcp_services.rrd \
DS:20_in:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:20_out:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:22_in:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:22_out:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:25_in:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:25_out:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:53_in:COUNTER:300:0:1250000 RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:53_out:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:80_in:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:80_out:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:110_in:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:110_out:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:119_in:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \
DS:119_out:COUNTER:600:U:U RRA:AVERAGE:0.5:1:600 RRA:AVERAGE:0.5:6:700 RRA:AVERAGE:0.5:24:775 RRA:AVERAGE:0.5:288:797 \

Datumsformat

Alle werte werden in einem speziellen Unix Format gespeichert. (Sekunden set 1. Jan. 1970 UTC)

IPTraf starten

Am besten gerade ein Script in /etc/init.d/ anlegen und unter /etc/rc.d/rc3.d verlinken, damit beim Systemstart das logging gleich beginnt

#!/bin/sh

IPTRAF_BIN=/usr/bin/iptraf
IPTRAF_PIDFILE=/var/locks/iptraf.pid

if [ ! -x $IPTRAF_BIN ]; then
echo "$0: IPTRAF_BIN: cannot execute"
exit 1
fi

case "$1" in
start)
echo -n "Starting iptraf... "
$IPTRAF_BIN -s eth1 -B &
echo "done!"
;;
stop)
if [ -n "$smbd_pid" ]; then
echo -n "Stopping iptraf... "
kill -TERM $iptraf_pid
echo "done!"
else
echo "$0: IPTRAF not running"
exit 1
fi
;;
restart)
if [ -n "$pid" ]; then
echo -n "Restarting iptraf... "
kill -HUP $smbd_pid
echo "done!"
fi
;;

*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;

esac
exit 0

Database updaten

Mit einem einfachen Perl Script kann man die Daten aus dem Iptraf Logfile (/var/log/iptraf/tcp_udp_services-eth1.log) auslesen und in die RoundRobinDatabase (RRD) abspeichern.

[/etc/crontab]
00-59/5 * * * * root /usr/local/scripts/iptraf.pl >/dev/null 2>&1
00-59/5 * * * * root /usr/local/scripts/rrdgraph.sh >/dev/null 2>&1

RRDTool Datenbank prüfen

Mit untenstehendem Befehl wird die DB abgefragt und die Werte werden and der Konsole ausgegeben.

# Dezember 2002 Andres Bohren
rrdtool fetch /var/log/rrd/tcp_services.rrd AVERAGE --start -86400

RRDTool Grafik erzeugen

# Dezember 2002 Andres Bohren
# http://home.icewolf.ch/linux
# Erzeugt eine Grafik mittels RRDTool aus einer RoundRobinDatabase
#
CDATE=`date +%Y%m%d%H%M`

# FTP
echo 'FTP: '
rrdtool graph /web/rrd/ftp.png --imgformat=PNG --start -86400 DEF:in=/var/log/rrd/tcp_services.rrd:20_in:AVERAGE DEF:out=/var/log/rrd/tcp_services.rrd:20_out:AVERAGE AREA:in#0000ff:"FTP in" LINE1:out#00ff00:"FTP out" -v 'Bytes per second' COMMENT:'Created at '$CDATE
#
# SSH
echo 'SSH: '
rrdtool graph /web/rrd/ssh.png --imgformat=PNG --start -86400 DEF:in=/var/log/rrd/tcp_services.rrd:22_in:AVERAGE DEF:out=/var/log/rrd/tcp_services.rrd:22_out:AVERAGE AREA:in#0000ff:"SSH in" LINE1:out#00ff00:"SSH out" -v 'Bytes per second' COMMENT:'Created at '$CDATE
#
# SMTP
echo 'SMTP: '
rrdtool graph /web/rrd/smtp.png --imgformat=PNG --start -86400 DEF:in=/var/log/rrd/tcp_services.rrd:25_in:AVERAGE DEF:out=/var/log/rrd/tcp_services.rrd:25_out:AVERAGE AREA:in#0000ff:"SMTP in" LINE1:out#00ff00:"SMTP out" -v 'Bytes per second' COMMENT:'Created at '$CDATE
#
# DNS
echo 'DNS: '
rrdtool graph /web/rrd/dns.png --imgformat=PNG --start -86400 DEF:in=/var/log/rrd/tcp_services.rrd:53_in:AVERAGE DEF:out=/var/log/rrd/tcp_services.rrd:53_out:AVERAGE AREA:in#0000ff:"DNS in" LINE1:out#00ff00:"DNS out" -v 'Bytes per second' COMMENT:'Created at '$CDATE
#
# HTTP
echo 'HTTP: '
rrdtool graph /web/rrd/http.png --imgformat=PNG --start -86400 DEF:in=/var/log/rrd/tcp_services.rrd:80_in:AVERAGE DEF:out=/var/log/rrd/tcp_services.rrd:80_out:AVERAGE AREA:in#0000ff:"HTTP in" LINE1:out#00ff00:"HTTP out" -v 'Bytes per second' COMMENT:'Created at '$CDATE
#
# POP
echo 'POP: '
rrdtool graph /web/rrd/pop.png --imgformat=PNG --start -86400 DEF:in=/var/log/rrd/tcp_services.rrd:110_in:AVERAGE DEF:out=/var/log/rrd/tcp_services.rrd:110_out:AVERAGE AREA:in#0000ff:"POP in" LINE1:out#00ff00:"POP out" -v 'Bytes per second' COMMENT:'Created at '$CDATE
#
# NEWS
echo 'NEWS: '
rrdtool graph /web/rrd/news.png --imgformat=PNG --start -86400 DEF:in=/var/log/rrd/tcp_services.rrd:119_in:AVERAGE DEF:out=/var/log/rrd/tcp_services.rrd:119_out:AVERAGE AREA:in#0000ff:"NEWS in" LINE1:out#00ff00:"NEWS out" -v 'Bytes per second' COMMENT:'Created at '$CDATE