Saturday, April 08, 2006

Simple Bandwidth Measurement

If you read my first book you know I prefer small applications that run in Unix terminals to more complicated programs. I decided to get a sense of the bandwidth being monitored at several sensors deployed at client sites. I did not want to install MRTG or Ntop to answer simple questions like "What is the maximum bandwidth seen by the sensor?" or "What is an average amount of traffic seen?"

I decided to try bwm-ng. It's in the FreeBSD ports tree as bwm-ng. (Don't think I'm abandoning FreeBSD for Debian. Nothing can beat FreeBSD's package system in terms of number and variety of applications and up-to-date versions.)

Start bwm-ng by telling it the interface you want monitored.

# bwm-ng -I em2

The default screen looks like this.

bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: rate
| iface Rx Tx Total
===========================================================================
em2: 8.27 KB/s 0.00 KB/s 8.27 KB/s
---------------------------------------------------------------------------
total: 8.27 KB/s 0.00 KB/s 8.27 KB/s

This screen shows the instantaneous traffic rate as measured by bwm-ng in KBps. Instantaneous rates aren't that helpful. To learn more options, I hit the 'h' key.

lqbwm-ng v0.5 - Keybindings:qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
x x
x 'h' show this help x
x 'q' exit x
x '+' increases timeout by 100ms x
x '-' decreases timeout by 100ms x
x 'd' switch KB and auto assign Byte/KB/MB/GB x
x 'a' cycle: show all interfaces, only those which are up, x
x only up and not hidden x
x 's' sum hidden ifaces to total aswell or not x
x 'n' cycle: input methods x
x 'u' cycle: bytes,bits,packets,errors x
x 't' cycle: current rate, max, sum since start, average for last 30s x
x x
mq press any key to continue... qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

On screen, the qqqqq and similar runs are line-drawing characters, not letters.

The 't' option looks helpful. If I hit the 't' key three times, I end up with the following display.

bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: avg (30s)
/ iface Rx Tx Total
===========================================================================
em2: 9.70 KB/s 0.00 KB/s 9.70 KB/s
---------------------------------------------------------------------------
total: 9.70 KB/s 0.00 KB/s 9.70 KB/s

Now I have a 30 second average. I prefer to see bits, not bytes, so I hit the 'u' key once.

bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: avg (30s)
- iface Rx Tx Total
===========================================================================
em2: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s
---------------------------------------------------------------------------
total: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s

Now I have a 30 second average measured in Kbps.

For a sensor, the maximum traffic measured is very important. If I leave bwm-ng running for a while (perhaps in a screen(1) session), I can see surges. To have bwm-ng show me those maximum events, I can hit the 't' key to cycle through to the max report.

bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: avg (30s)
- iface Rx Tx Total
===========================================================================
em2: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s
---------------------------------------------------------------------------
total: 91.68 Kb/s 0.00 Kb/s 91.68 Kb/s

If I hit the 'd' key, bwm-ng will switch from kilo units to whatever unit it considers more appropriate.
 
bwm-ng v0.5 (probing every 0.500s), press 'h' for help
input: getifaddrs type: max
/ iface Rx Tx Total
===========================================================================
em2: 4.69 Mb/s 0.00 b/s 4.69 Mb/s
---------------------------------------------------------------------------
total: 4.69 Mb/s 0.00 b/s 4.69 Mb/s

Here we see this interface topped out at 4.69 Mbps.

This is the data I need to determine whether my sensor can handle this load. The longer I leave bwm-ng running, the more I will know about this site's traffic characteristics.

If you read bwm-ng's man page you'll see you can also run the program as a daemon and output measurements to .csv and other formats.

Remember you can also use bpfstat on FreeBSD 6 and higher to get BPF performance data from the kernel. Here I measure every 10 seconds. Notice that the drop figures aren't changing.

# bpfstat -i 10 -I em2
pid netif flags recv drop match sblen hblen command
91593 em2 p--s- 156908 0 156908 1012 0 snort
18669 em2 p--s- 73065540 47 73065540 928 0 snort
33252 em2 p--s- 253633385 429 253633385 424 0 sancp
91593 em2 p--s- 157501 0 157501 750 0 snort
18669 em2 p--s- 73066133 47 73066133 662 0 snort
33252 em2 p--s- 253633978 429 253633978 326 0 sancp
91593 em2 p--s- 158625 0 158625 11355 0 snort
18669 em2 p--s- 73067257 47 73067257 10051 0 snort
33252 em2 p--s- 253635102 429 253635102 2927 0 sancp
91593 em2 p--s- 161417 0 161417 11838 0 snort
18669 em2 p--s- 73070049 47 73070049 11838 0 snort
33252 em2 p--s- 253637894 429 253637894 6530 0 sancp
91593 em2 p--s- 162303 0 162303 166 0 snort
18669 em2 p--s- 73070935 47 73070935 166 0 snort
33252 em2 p--s- 253638780 429 253638780 414 0 sancp
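As an added example (not from the original post), the following Python script does what the post reads off the bwm-ng and bpfstat screens by eye: it parses the bpfstat output above, computes per-process packet rates (maximum and average over the run, like bwm-ng's 't' modes), and reports whether any process's BPF drop counter grew, which would mean the sensor missed packets. The embedded input is the post's own bpfstat output, and the 10-second interval comes from the -i 10 shown.

```python
from collections import defaultdict

# bpfstat -i 10 -I em2 output copied from the post (one sample every 10 s)
BPFSTAT_OUTPUT = """\
pid netif flags recv drop match sblen hblen command
91593 em2 p--s- 156908 0 156908 1012 0 snort
18669 em2 p--s- 73065540 47 73065540 928 0 snort
33252 em2 p--s- 253633385 429 253633385 424 0 sancp
91593 em2 p--s- 157501 0 157501 750 0 snort
18669 em2 p--s- 73066133 47 73066133 662 0 snort
33252 em2 p--s- 253633978 429 253633978 326 0 sancp
91593 em2 p--s- 158625 0 158625 11355 0 snort
18669 em2 p--s- 73067257 47 73067257 10051 0 snort
33252 em2 p--s- 253635102 429 253635102 2927 0 sancp
91593 em2 p--s- 161417 0 161417 11838 0 snort
18669 em2 p--s- 73070049 47 73070049 11838 0 snort
33252 em2 p--s- 253637894 429 253637894 6530 0 sancp
91593 em2 p--s- 162303 0 162303 166 0 snort
18669 em2 p--s- 73070935 47 73070935 166 0 snort
33252 em2 p--s- 253638780 429 253638780 414 0 sancp
"""
INTERVAL = 10  # seconds between samples (from bpfstat -i 10)

def parse_bpfstat(text):
    """Return {(pid, command): [(recv, drop), ...]} in sample order."""
    samples = defaultdict(list)
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] == "pid":  # skip blank lines and the header row
            continue
        samples[(int(f[0]), f[8])].append((int(f[3]), int(f[4])))
    return samples

def summarize(samples, interval=INTERVAL):
    """Per process: max and average packets/s over the run, plus new drops."""
    report = {}
    for key, rows in samples.items():
        if len(rows) < 2:  # a rate needs two samples
            continue
        deltas = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        report[key] = {"max_pps": max(deltas) / interval,
                       "avg_pps": sum(deltas) / (len(deltas) * interval),
                       "new_drops": rows[-1][1] - rows[0][1]}
    return report

def processes_dropping(report):
    """Processes whose drop counter grew: the sensor lost packets on that BPF device."""
    return sorted(k for k, v in report.items() if v["new_drops"] > 0)
```

On the post's data every process shows zero new drops, so processes_dropping() returns an empty list; a growing counter is the signal to investigate buffer sizes or sensor load.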

6 comments:

Anonymous said...

>> Nothing can beat FreeBSD's package system in terms of number and variety of applications and up-to-date versions.)

http://www.gentoo.org/

Richard Bejtlich said...

Not like Portage is just like the FreeBSD ports tree or anything...

I will check it out though. :)

ryanstuartjordan [at] gmail.com said...

I've used both for a while.
In my experience, tracking CURRENT introduces fewer show-stoppers than running 'unstable' in Gentoo.
The only thing I don't like about Gentoo in general is its lack of binary package repositories.
On the other hand, it would be nice to see more ports include the selectable build options that some of them have.

Also, I use pfTop and pfstat and they work very well.

Richard Bejtlich said...

So Gentoo does not offer pre-built binary packages? Forget it then. :) FreeBSD does. pkg-add -r blah

Ryan Jordan ryanstuartjordan@gmail.com said...

To be fair, Portage does have the concept of binary packages built into it.
It just doesn't make much sense for Gentoo though; everyone has a more or less unique system.
Hosting packages for everyone with every different --configure option would be a daunting task indeed.

Gentoo does however have the GRP, a 'reference platform' which is essentially a frozen set of prebuilt packages that is available in iso form on the mirrors. That helps to get up and running.

One can always recompile later :)

Joe said...

Hmmm. I like Gentoo also, but I'll refrain from commenting...heh heh.


I just installed bwm-ng (openbsd). It's nice so far. Thanks for the tip.

MRTG and NTOP are way too big for my likings...