{"id":269,"date":"2005-02-23T21:05:50","date_gmt":"2005-02-23T20:05:50","guid":{"rendered":"http:\/\/wp.devco.net\/?p=269"},"modified":"2009-10-09T17:08:19","modified_gmt":"2009-10-09T16:08:19","slug":"ipfw_rule_counters_via_snmpd","status":"publish","type":"post","link":"https:\/\/www.devco.net\/archives\/2005\/02\/23\/ipfw_rule_counters_via_snmpd.php","title":{"rendered":"ipfw rule counters via snmpd"},"content":{"rendered":"<p>I have a number of <a href=\"http:\/\/www.freebsd.org\/\">FreeBSD<\/a> machines with jails on them that require me to keep stats and graphs of their bandwidth usage.<br \/>\nThe solution I came up with is to add counter rules in the kernel IPFW firewall table and then plug a simple perl script into <a href=\"http:\/\/www.net-snmp.org\/\">Net SNMP<\/a> which will put each ipfw counter rule&#8217;s current byte count on a unique OID that you can query and graph using something <a href=\"http:\/\/www.cacti.net\/\">Cacti<\/a>.<br \/>\nThis same technique can be used to graph things like only HTTP, SMTP, etc traffic, or infact anything that you can express as a IPFW counter rule.<br \/>\nRead the full entry for details on how I implemented this.<\/p>\n<p><!--more--><br \/>\nA number of components make up the final working solution:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.freebsd.org\/\">FreeBSD<\/a><\/li>\n<li><a href=\"http:\/\/www.freebsd.org\/doc\/en_US.ISO8859-1\/books\/handbook\/firewalls-ipfw.html\">IPFW counter rules<\/a><\/li>\n<li>A working installation of <a href=\"http:\/\/www.net-snmp.org\/\">Net SNMP<\/a><\/li>\n<li>A tool to collect and graph the data, I use <a href=\"http:\/\/people.ee.ethz.ch\/~oetiker\/webtools\/rrdtool\/\">RRDtool<\/a> and <a href=\"http:\/\/www.cacti.net\/\">Cacti<\/a> but you can also use <a href=\"http:\/\/people.ee.ethz.ch\/~oetiker\/webtools\/mrtg\/\">MRTG<\/a><\/li>\n<li>A script to integrate into Net SNMP, I will provide a sample below.<\/li>\n<\/ul>\n<p>I will not get into setting up the OS, Jails or base IPFW functionality, you can use the <a href=\"http:\/\/www.freebsd.org\/doc\/en_US.ISO8859-1\/books\/handbook\/\">Handbook<\/a> for that.<br \/>\nMy example will have two jails configured with IP addresses 192.168.1.10 and 192.168.1.11.  You will need counter rules that resemble these, my network interface is fxp0, replace with yours:<\/p>\n<blockquote><p>\n00100  67118324  49154926178 count ip from 192.168.1.10 to any out via fxp0<br \/>\n00110  59209784  11219191580 count ip from any to 192.168.1.10 in via fxp0<br \/>\n00120  59861887  21490069162 count ip from 192.168.1.11 to any out via fxp0<br \/>\n00130  60701763  10491223999 count ip from any to 192.168.1.11 in via fxp0\n<\/p><\/blockquote>\n<p>The format of these rules are pretty simple, the first numbers (100, 110 etc) are the unique rule number, followed by a accumulating packet count that this rule has counted and then a accumulated byte counter.  I will use the byte counter as source but you can also use the packet counter if you wanted to count packets.<br \/>\nOnce you have these setup and working we should explore some other required bits, again I am not going to show you how to setup and configure <a href=\"http:\/\/www.net-snmp.org\/\">Net SNMP<\/a>.  There are a number of ways to integrate into snmpd, you can use the supplied perl API&#8217;s to write an AgentX plugin or you can simply execute a script and send the output back via snmp, I opted for the much simpler second option.<br \/>\nThe <a href=\"http:\/\/www.net-snmp.org\/docs\/man\/snmpd.conf.html\">snmpd.conf man page<\/a> details all about the exec parameter and explains that calling a script with a line like <i>exec MIBNUM NAME PROG ARGS<\/i> will result in each line of STDOUT being returned in the MIBNUM.101 table with each line of STDOUT being one entry in this table.<br \/>\nThe MIBNUM above should look something like .1.3.6.1.4.1.xxxx where the xxxx can be a number assigned to you by <a href=\"http:\/\/www.iana.org\/\">IANA<\/a>, they assign them for free and you can apply <a href=\"http:\/\/www.iana.org\/cgi-bin\/enterprise.pl\">here<\/a>.  If this is only a internal small scale thing, just choose something like 9999, I will use 9999 in my example.<br \/>\nA good thing about the Net SNMP exec method is that output from the script gets cached for 30 seconds before the perl script will get called again, therefore the moment your Cacti or MRTG hits it for the first query the output will get cached and all further queries in the next 30 seconds will get answered from the cache, the hit on your CPU therefore is very low.<br \/>\nWe now know how to use ipfw to count the data, we will write a simple script to parse the output from <i>ipfw show<\/i> and we can plug it into snmpd using the exec call as above.<br \/>\nI have a <a href=\"http:\/\/www.devco.net\/code\/getMultiIPFWByteCount.pl\">simple script<\/a> that you can use or base your own on, I placed mine in <i>\/usr\/local\/bin\/getMultiIPFWByteCount.pl<\/i>.  The sample script can be plugged into snmpd.conf with the following line in the config:<\/p>\n<blockquote><p>\nexec .1.3.6.1.4.1.9999.1 ipfwCounters \/usr\/local\/bin\/getMultiIPFWByteCount.pl\n<\/p><\/blockquote>\n<p>A quick note about my script, it is hardcoded to only find <i>count<\/i> rules, if you want to match all rules simply change the parameters that gets called.<br \/>\nIf you did all of this correctly and restarted your snmpd you can now make graphing queries to .1.3.6.1.4.1.9999.1.101.100 and .1.3.6.1.4.1.9999.1.101.110 for the ip address 192.168.1.10&#8217;s traffic.  Similarly you can use .1.3.6.1.4.1.9999.1.101.120 and .1.3.6.1.4.1.9999.1.101.130 for 192.168.1.11.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have a number of FreeBSD machines with jails on them that require me to keep stats and graphs of their bandwidth usage. The solution I came up with is to add counter rules in the kernel IPFW firewall table and then plug a simple perl script into Net SNMP which will put each ipfw [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","footnotes":""},"categories":[7],"tags":[121,62,33],"_links":{"self":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/269"}],"collection":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/comments?post=269"}],"version-history":[{"count":1,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/269\/revisions"}],"predecessor-version":[{"id":707,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/posts\/269\/revisions\/707"}],"wp:attachment":[{"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/media?parent=269"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/categories?post=269"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devco.net\/wp-json\/wp\/v2\/tags?post=269"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}