1

I'd like to monitor bandwidth usage of my Linux servers, but there's a catch: traffic between my two servers is not counted against me, only traffic to the internet at large. However, my servers have only a single network interface, and pretty much everything I've tried measures on a per-interface basis. Does anyone know of a tool that can generate bandwidth graphs, while not counting traffic to/from certain IP ranges?

Bonus points if it generates RRD files (I can already graph them easily) and double bonus points if it works with collectd (either configuration of the standard collectd, or a plugin to it).

John Gardeniers
davr

5 Answers

4

Assuming you have no access to an upstream router or switch that provides the same view of this data that your ISP sees, you can use iptables accounting on each host to count bytes/packets destined for anything other than your other IP address (or IP range), and then poke this into an RRD yourself.

EDIT

As an example, you could use some rules like these ones in iptables to create the accounting:

iptables -N ACCOUNT_IN
iptables -N ACCOUNT_OUT
iptables -I INPUT -j ACCOUNT_IN
iptables -I OUTPUT -j ACCOUNT_OUT

# Negation goes before the option on current iptables ("! -s"); the older
# "-s !" spelling is rejected by modern versions.
iptables -I ACCOUNT_IN ! -s 10.66.1.0/24
iptables -I ACCOUNT_OUT ! -d 10.66.1.0/24

This creates two new chains, ACCOUNT_IN and ACCOUNT_OUT. I then insert jumps to these at the top of the INPUT and OUTPUT chains. Inside each chain, I add a rule with no jump target to match on remote addresses - for input, anything that doesn't have an address on my local /24 as source; for output, anything that doesn't have an address on my local /24 as destination. Packets then return from this chain back into your normal INPUT/OUTPUT chains, as there is no jump rule.

To check the accounting data:

# iptables -L ACCOUNT_IN -n -v
Chain ACCOUNT_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    5  2138            all  --  *      *      !10.66.1.0/24         0.0.0.0/0 

# iptables -L ACCOUNT_OUT -n -v 
Chain ACCOUNT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   15  2846            all  --  *      *       0.0.0.0/0           !10.66.1.0/24    

From there you can pull out those pkt/byte counts and pass to rrdupdate (I assume that you're OK with passing data into an rrd, as you've said you're ok with pulling data out of an rrd. If not, that question has probably already been asked here).

If you want to zero the counters each time you read them, pass the -Z command (zero counter) to zero the byte counters.

If any of your hosts are routers, you'll need to do accounting on the FORWARD chain as well - you can probably just insert a jump to both ACCOUNT_IN and ACCOUNT_OUT from the top of the FORWARD chain and it'll do the right thing, but I haven't thought about that enough to be 100% sure it'll work.

Daniel Lawson
  • Can you give me some more info on using iptables accounting? Maybe an example or pointer to a tutorial or something? thanks. – davr Feb 16 '11 at 04:02
  • How can I use this for more than one subnet, so I don't want to count traffic to 192.168.1.0/24 and 172.16.1.0/24? Do I need an ACCOUNT_IN and ACCOUNT_OUT table per source/destination subnet? – jwbensley Apr 10 '12 at 15:01
  • If your subnets are on different physical interfaces, you can match on that as well. EG, if eth0 is 192.168.1.0, eth1 is 172.16.1.0, and eth2 is your external interface: iptables -I ACCOUNT_IN -s ! 192.168.1.0/24 -i eth0 ; iptables -I ACCOUNT_OUT -d ! 192.168.1.0/24 -i eth0 – Daniel Lawson Apr 11 '12 at 01:34
  • `-d ! 192.168.1.0/24` didn't work for me, but `! -d 192.168.1.0/24` did. Likewise for `-s`. Version difference, typo, something else? – Izkata Nov 29 '16 at 00:04
  • Possible bug? I've been toying with this, and I think these numbers include the loopback interface for anything connecting to `localhost`. I tried adding another rule for `127.0.0.1/8`, but rules aren't filters, are they? The bytes count is just the match for that one rule, independent of the others in that chain. – Izkata Dec 01 '16 at 08:34
  • Not sure what I was seeing in the prior comment, but adding `-i wlan0` and `-o wlan0` to what's in the answer results in numbers extremely close to what I see in `ifconfig` without making any connections between computers; there's a discrepancy I can't figure out (usually ifconfig is larger, I assume from communication directly with the router, but today upload was larger on iptables - roughly around a 1% difference either way). – Izkata Dec 08 '16 at 06:14
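A small POSIX shell script, added here as an example and not part of the answer above, that pulls the byte counters out of the ACCOUNT_IN/ACCOUNT_OUT chain listings and builds the rrdupdate call the answer describes. The RRD file name ext_traffic.rrd and its data-source layout (in, out) are assumptions; the embedded chain listing is constructed sample text, not captured output.

```shell
#!/bin/sh
# Feed iptables accounting counters into an RRD (example, not from the answer).
# Use "-x" when listing so byte counts are exact instead of "2138K"-style
# abbreviations, which would break the parsing below.

# Sum the bytes column of every rule in a chain listing read from stdin.
# Line 1 is "Chain NAME (...)", line 2 is the column header; skip both.
sum_chain_bytes() {
  awk 'NR > 2 && $2 ~ /^[0-9]+$/ { total += $2 } END { printf "%d\n", total + 0 }'
}

# Constructed sample of "iptables -L ACCOUNT_OUT -n -v -x" output (not live data).
SAMPLE_OUT='Chain ACCOUNT_OUT (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      15       2846            all  --  *      *       0.0.0.0/0           !10.66.1.0/24
       3        300            all  --  *      *       0.0.0.0/0           !172.16.1.0/24'

# Read the live counters for a chain (needs root); fall back to the sample
# so the script can be exercised on a box without iptables.
chain_bytes() {
  if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    iptables -L "$1" -n -v -x | sum_chain_bytes
  else
    printf '%s\n' "$SAMPLE_OUT" | sum_chain_bytes
  fi
}

# rrdupdate value string: "N" = now, then one value per DS in creation order.
# Assumed RRD created with DS:in:COUNTER and DS:out:COUNTER, e.g.
#   rrdtool create ext_traffic.rrd --step 60 \
#     DS:in:COUNTER:120:0:U DS:out:COUNTER:120:0:U RRA:AVERAGE:0.5:1:1440
# COUNTER expects monotonically increasing counters: do NOT use "-Z" with it
# (if you zero on every read, define the DS as ABSOLUTE instead).
rrd_update_arg() {
  printf 'N:%s:%s\n' "$1" "$2"
}

main() {
  in_bytes=$(chain_bytes ACCOUNT_IN)
  out_bytes=$(chain_bytes ACCOUNT_OUT)
  arg=$(rrd_update_arg "$in_bytes" "$out_bytes")
  if command -v rrdtool >/dev/null 2>&1; then
    rrdtool update ext_traffic.rrd "$arg"
  else
    echo "rrdtool update ext_traffic.rrd $arg"   # dry run when rrdtool is absent
  fi
}

# Run from cron every minute as: sh account2rrd.sh --run
if [ "${1-}" = "--run" ]; then main; fi
```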
2

You should be able to do this through IPTables. However, I really doubt you are going to find any prewritten software that can do this. http://wiki.openvz.org/Traffic_accounting_with_iptables would be a good start for doing this via IPTables.

I'm guessing you don't have access to the switch you are hosted on, which makes most of the other suggestions so far useless.

devicenull
2

You can use bandwidthd. It allows you to pass a pcap filter, so you can exclude traffic between your servers.

Steven
0

I would pull this off using a switch that supports Netflow. Netflow tools aren't always free, but this should do what you're looking for.

SpacemanSpiff
0

Sounds like you want something like ntop. There are lots of other tools out there, but this is probably the quickest way to get what you want. It can collect off the wire and report on that, or use other inputs like Netflow and sFlow.

Jed Daniels