B.2. Collecting and Graphing SmallWall Interface Statistics with ifgraph

ifgraph is a nice utility that you can run on a machine on your LAN to query SNMP on your SmallWall and graph its interfaces. Note that you may be able to hack SmallWall to run this locally, but if you have a connection with moderate bandwidth and are running on low end hardware like a Soekris 4501, this could limit the device's throughput.

Sample of the web page output of ifgraph on a m0n0wall.

FreeBSD is used in the demonstrated installation as the OS performing the monitoring and hosting the graphs. This will work on other BSD's, Linux or any other Unix OS, but the installation procedures and configuration file locations may vary.

Prerequisites:

1. Install ifgraph.

We'll install ifgraph from FreeBSD ports using binary packages, unless you want to wait for it to compile (doesn't take horribly long). It'll automatically install all the prerequisites either way you do it.

From binary packages

su-2.05b# pkg_add -r ifgraph

Compiling yourself

su-2.05b# cd /usr/ports/net-mgmt/ifgraph
su-2.05b# make install clean

2. Query for interfaces

After the successful ifgraph installation, we will use ifgraph's find-if.pl to find the interface numbers on your SmallWall. Replace 192.168.1.1 with the LAN IP of your SmallWall, and 'public' with the SNMP community of your firewall.

su-2.05b# /usr/local/bin/find-if.pl -mi 192.168.1.1 public
OK: session created, getting info from 192.168.1.1
Showing up interfaces of: 192.168.1.1
Interface total: 8
OK: Collecting info on each interface, wait...
Warn: Could NOT get ifPhysAddress table
OK: Data collected
System Description: FreeBSD m0n0wall.local 4.10-RELEASE FreeBSD 4.10-RELEASE #0: Fri Au i386
System Uptime: 3 days, 06:10:58.33
| If #    | Description | Stat | Octets In     | Errors  | Octets Out    | Errors  | IP Address       | MAC Address     |
| ------- | ----------- | ---- | ------------- | ------- | ------------- | ------- | ---------------- | --------------- |
| (1)     | wi0         | up   | 0             | 0       | 11538828      | 0       | not set          | not set         |
| (2)     | sis0        | up   | 3234568017    | 0       | 1783247523    | 0       | 62.22.130.150    | not set         |
| (3)     | sis1        | up   | 0             | 0       | 42            | 0       | 10.1.0.1         | not set         |
| (4)     | sis2        | up   | 1743313091    | 0       | 3020545424    | 0       | 192.168.1.1      | not set         |
| (5)     | lo0         | up   | 732           | 0       | 732           | 0       | 127.0.0.1        | not set         |

You'll see the names of your interfaces under the description column. Make note of the interface number (first column) for your interfaces.

3. Edit ifgraph.conf file.

Copy the sample ifgraph.conf file (ifgraph.conf.sample) to ifgraph.conf.

su-2.05b# cp /usr/local/etc/ifgraph.conf.sample /usr/local/etc/ifgraph.conf

Use the following ifgraph.conf as a template. You will need to replace 192.168.1.1 with the LAN IP address of your SmallWall, "public" with the SNMP community configured on your SmallWall, and the "interface=" line to the number of the interface to be graphed.

# [global] target
# This target is mandatory
# The directives of this target are:
# rrdtool = /path/to/rrdtool - full path to rrdtool
# rrddir = /path/to/rrddir - full path to a writeable dir, where
#                     rrd files and logs will be created
# graphdir = /path/to/public_html - full path to a writeable dir,
#                     where png and html will be created
# template = /path/to/template_dir - full path to a directory
#                     containing template files
# imgformat = the image format. You may choose:
#               PNG - Portable Network Graphics
#               GIF - Graphics Interchange Format
#               iGIF - Interlaced GIF
#               GD - Boutell GD
# Defaults: You can define default configurations in the global
# target, but, for this to work, it must be the first target always.
# If [global] is after another target, default configurations
# will not work as expected.
    
[global]
rrdtool = /usr/local/bin/rrdtool
rrddir = /usr/local/var/ifgraph
graphdir = /usr/local/ifgraph/htdocs
template = /usr/local/ifgraph/templates/en
imgformat=PNG
# those are the default configurations, should be
# overriden in each target
    
host = your.main.router.com
community = public
port =161
max=100M
dimension=550x200
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
hbeat=600
retry=2
timeout=5
    
[m0n0wall-wan]
host=192.168.1.1
community=public
port=161
interface=2
max=100M
dimension=550x200
title=In/Out data for m0n0wall WAN interface
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
ylegend=kbits per second
legends=kbits entering our network,kbits leaving our network
shortlegend=kbits/sec
hbeat=600
retry=2
timeout=5
step = 300
periods = -1day, -1week, -1month, -1year
    
[m0n0wall-dmz]
host=192.168.1.1
community=public
port=161
interface=3
max=100M
dimension=550x200
title=In/Out data for m0n0wall DMZ interface
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
ylegend=kbits per second
legends=kbits entering DMZ network,kbits leaving DMZ network
shortlegend=kbits/sec
hbeat=600
retry=2
timeout=5
step = 300
periods = -1day, -1week, -1month, -1year
    
[m0n0wall-lan]
host=192.168.1.1
community=public
port=161
interface=4
max=100M
dimension=550x200
title=In/Out data for m0n0wall LAN interface
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
ylegend=kbits per second
legends=kbits entering our LAN network,kbits leaving our LAN network
shortlegend=kbits/sec
hbeat=600
retry=2
timeout=5
step = 300
periods = -1day, -1week, -1month, -1year

4. Run tests.

First we'll run ifgraph.pl to collect the data. Run this at least three times, and wait a few seconds in between runs.

su-2.05b# ifgraph.pl -c /usr/local/etc/ifgraph.conf 

Now we'll run makegraph.pl to make the html pages and graphs.

su-2.05b# makegraph.pl -c /usr/local/etc/ifgraph.conf

Check the ifgraph htdocs directory to make sure it contains the png and html files.

su-2.05b# ls /usr/local/ifgraph/htdocs
index.html m0n0wall-lan-1day.png m0n0wall-wan-1month.png
m0n0wall-dmz-1day.png m0n0wall-lan-1month.png m0n0wall-wan-1week.png
m0n0wall-dmz-1month.png m0n0wall-lan-1week.png m0n0wall-wan-1year.png
m0n0wall-dmz-1week.png m0n0wall-lan-1year.png m0n0wall-wan.html
m0n0wall-dmz-1year.png m0n0wall-lan.html
m0n0wall-dmz.html m0n0wall-wan-1day.png

5. Edit Apache config

In the mod_alias section of your httpd.conf file (/usr/local/etc/apache/httpd.conf in FreeBSD)

Alias /ifgraph/ "/usr/local/ifgraph/htdocs/"

Restart Apache for the changes to take effect.

su-2.05b# apachectl restart

6. Open web browser to view graphs.

Open up your web browser and go to http://server/ifgraph/. You should see graphs there, though they probably will not contain any data at this time. If you can't get any web page to appear, you likely have Apache issues. If you see broken images instead of graphs, check step 4 for problems.

7. Add to cron to update automatically.

Open up /etc/crontab in your text editor, and add the following two lines to the bottom of this file.

* * * * * root /usr/local/bin/ifgraph.pl -c /usr/local/etc/ifgraph.conf > /dev/null
*/5 * * * * root /usr/local/bin/makegraph.pl -c /usr/local/etc/ifgraph.conf > /dev/null

This will run the data collection every minute, and make the graphs every 5 minutes. You can change these if you like, but these values generally work out well.

Note that you likely don't have to run this as root. If you want to be cautious, you should create an account with the appropriately limited permissions to run this under.

Make cron re-read its configuration files:

su-2.05b# killall -HUP cron