Subject: Re: ipf counting and rrdtool
To: NetBSD User's Discussion List <netbsd-users@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 07/12/2001 01:01:27
[ On Wednesday, July 11, 2001 at 17:54:34 (+0200), Michael Kukat wrote: ]
> Subject: Re: ipf counting and rrdtool
>
> RRDtool uses a round-robin-database (as the name tells you), and you can
> create more of these being a kind of "interleaved". So you can create one DB
> keeping the values per hour of the last month, and another one to keep the
> averages or min/max values or so per day of the last year, and maybe even
> another one to keep the weekly values over the last 10 years.

Oh, yes, but it can't count bytes and keep a running tally when given
counter values as input.  RRDtool is *way* over-kill for that purpose,
while at the same time not really addressing many of the issues (for
example it leaves all the collection up to external programs)!

Even ipacct is way over-kill for basic byte-count accounting (and it's
written in perl, so might not be as good for a non-perl hacker...).

IPF includes two features that to make dumping counters relatively
fool-proof and accurate.  One feature is 'ipf -z', which doesn't seem to
work for me right now on -current for some reason.  The other features
is that the stats are kept in both the active and inactive rules, so by
reloading the inactive rules to match the current rules (which zeros the
counters associated with the new inactive rules, then swapping the
active and inactive rules, the counters on the newly inactive rules can
be sampled in a stable state without losing a byte (since the new active
rules will begin counting right away).  So all you really need is a cron
script called every 20 minutes or so (I think the counters are 64-bit,
but I'm not sure) that does something like this:

	/etc/rc.d/ipfilter reload; ipfstat -aio | ipaccumulate

where ipaccumulate is of course a program you'd write to sum the totals
using at least 64-bit arithmetic....  (Of course then you can't reload
without losing data, so /etc/rc.d/ipfilter really needs to have the
hook to call ipaccumulate edited right into it, and it needs to be made
a shutdown script too if you want to collect the final counter values
upon shutdown; and of course you have to train everyone to only ever use
that script to reload filters, etc.)

The only trick is to accumulate the totals frequently enough that either
a crash or counter overflow won't wipe out too much data.  You don't
even have to keep the samples to do accurate byte counting this way.
All you've got to be sure to do is use

> I like rrdtool, had it running under NetBSD/vax here a long time to keep
> statistics generated by iostat and some scripts around it. So i had the
> disk i/o and cpu-load values per second over an hour, per minute over a day,
> and per hour over a month or so.

I use RRDtool under Cricket -- it's quite a wonderful combination!

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>