WHODO
This is Whodo 1.11.
Whodo is a set of Perl scripts to analyse IP accounting data from a cisco
router. The stats for each traffic source are fed into mrtg. Whodo also
generates pie graphs showing traffic split by source or destination.
HOW TO
1. Put the scripts in the appropriate directories. There are 3 sets of files in
whodo.
(i) Whodo/gifgraph contains a perl module written by Martien Verbruggen.
I've made some changes to it so it does what I need. However I haven't
been able to contact Martien & get them included in his distribution. GIFgraph
is used by “pie.pl”. You'll need to copy this to wherever you put
your Perl modules. Note that gifgraph uses another module GD.pm. GD is
available in/for the standard Perl distribution and ActivePerl. However if
you use Perl for Win32, you are on your own.
(ii) Whodo/wwwscripts contains 2 CGI scripts. Put them wherever your CGI
scripts live.
(iii) Whodo/* contains everything else. I keep this stuff under
mrtg/contrib/whodo.
You'll also need the module SNMP_Session. If you don't have it, get it from
ftp://ftp.switch.ch/software/sources/network/snmp/perl/
2. Start IP accounting on the router. If you don't know what you are doing
here, tread carefully – you can bring the router to its knees.
The community string that you will supply in the next step, in the $HOST
variable, must have READ-WRITE access to the router. collect.pl clears
the accounting list (with an SNMP set) once the data is collected, so that
traffic is not double counted and to reduce the memory requirements on the
router. To grant this access, at the (config) prompt type: snmp-server
community (your community name) RW. DO NOT do this for the community
"public"; a well-known read-write community leaves your router open to attack.
3. You'll need to customise some constants at the start of collect.pl. You'll
need to change $HOST & $SOURCEDIR. $LOGPATH isn't relevant until step 6
but you should set it up now. $BIGBYTES you'll probably need to keep
tweaking. Basically, any source that generates more than $BIGBYTES
between polls will get its own MRTG graph for ever more. Sources that
never generate this much traffic will be grouped together as
“Miscellaneous”.
$LOGPATH also occurs in pie.pl & makeanalyse.pl
4. You'll want to create a networks file – such as the standard "networks" file
found in C:\winnt\system32\drivers\etc or /etc/networks. collect.pl scans the
file, including any comment that follows a normal line of data. The file is used
to map destination addresses to network names, which makes the output (see step
6) much more user friendly.
The file has a second function. If a trailing comment includes a “/” followed
by a number, this is taken as the classless representation of the subnet mask
size. If not, the network/subnet is assumed to be Class C.
A sample networks file is included.
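The following is an added example, not part of Whodo or the sample file it ships with, showing how a networks file of the kind described in this step can be turned into a destination-to-name lookup. It assumes the /etc/networks layout (name, then network, then anything else, with an optional trailing "#" comment), that a network written with fewer than four octets is padded with zeros, that a "/N" anywhere in the comment gives the prefix length, and that a line without one is treated as Class C (/24). The networks file text is constructed for the example.

```python
import ipaddress
import re

# Constructed sample networks file (not the one shipped with Whodo).
# Layout assumed: <name> <network> ... [# comment]; "/N" in the comment
# gives the prefix length, otherwise the entry is taken as Class C (/24).
SAMPLE_NETWORKS = """\
# name        network        comment
loopback      127            # /8 loopback
localnet      192.168.1      # main office LAN
dmz           192.168.2.0    # servers, /26
branch        10.20          # WAN link, /16
"""

MASK_RE = re.compile(r"/(\d{1,2})")


def parse_networks(text):
    """Parse networks-file text into (IPv4Network, name) pairs.

    The list is sorted most specific first so that a /26 wins over an
    overlapping /24 when looking up an address.
    """
    entries = []
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if len(fields) < 2:
            continue  # blank line or comment-only line
        name, net = fields[0], fields[1]
        octets = net.split(".")
        if len(octets) > 4 or not all(o.isdigit() for o in octets):
            continue  # not a dotted network, skip quietly
        octets += ["0"] * (4 - len(octets))  # "192.168.1" -> "192.168.1.0"
        match = MASK_RE.search(comment)
        prefix = int(match.group(1)) if match else 24  # Class C default
        if not 0 <= prefix <= 32:
            continue
        # strict=False tolerates host bits set in the network field
        network = ipaddress.IPv4Network((".".join(octets), prefix), strict=False)
        entries.append((network, name))
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def network_name(addr, entries):
    """Map a destination address to its network name, or echo the address."""
    ip = ipaddress.IPv4Address(addr)
    for network, name in entries:
        if ip in network:
            return name
    return addr


if __name__ == "__main__":
    table = parse_networks(SAMPLE_NETWORKS)
    for dest in ("192.168.1.77", "192.168.2.10", "192.168.2.100", "10.20.5.6"):
        print(dest, "->", network_name(dest, table))
```

Note that 192.168.2.100 falls outside the /26 given for "dmz" and, with no broader entry covering it, comes back as the bare address; that is the visible symptom of a missing or too-narrow "/N" comment.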
5. Set collect.pl up to run periodically. I run it every 30 minutes with
something like:
collect.pl -a c:\perl\mrtg\contrib\whodo\sources.cfg -n \
c:\winnt\system32\drivers\etc\networks
mrtg c:\perl\mrtg\contrib\whodo\sources.cfg
I've included a vestigial “sources.cfg”. You can use it to get you started.
Collect.pl maintains the file automatically.
You should now be getting mrtg graphs showing traffic generated by your
traffic sources over time. Bask in it for a day.
6. collect.pl generates a new log/csv file every time it runs. By now you are
probably up to your armpits in these files. I've included a script
(summarise.pl) that I run every night to condense the day's log files into a
single file. It doesn't need any arguments to run. However it does include a
constant ($LOGPATH) that you'll need to change. Try running it.
7. So now you want to generate pie graphs breaking down traffic by source
or destination? OK. You'll need to run makeanalyse.pl. It generates an
HTML page that is used to generate the graphs. For example:
perl c:\perl\mrtg\contrib\whodo\makeanalyse.pl >d:\www\analyse.html
The page generated contains drop down lists containing the current sources
and destinations. Since these will change over time, I run makeanalyse
every night.
8. What's that? You want a more flexible way of mapping source addresses
to text? You'd like to group multiple addresses under the same name? You
want to use a name other than that in DNS?
OK. Create a file with two columns – the address and then the name you want.
In place of an address, you can use regular expressions. Thus the line
"203.167.223.13[456] Exchange" maps addresses 203.167.223.134,
203.167.223.135 and 203.167.223.136 to the name "Exchange". Note that the
character "." has its literal meaning – it is not a metacharacter.
If a source address does not appear in the sources file, it will be looked up
with a normal reverse lookup. If that fails, the address is used. A sample
sources file is included.
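As an added example (not Whodo's own code, and not its sample sources file), here is a source-address mapper that follows the rules in this step: patterns are regular expressions except that "." is literal, the first matching line wins, an unmatched address goes to a reverse lookup, and if that fails the address itself is used. Two things are assumptions of this example rather than statements from the README: patterns must match the whole address (so "203.167.223.1" does not match 203.167.223.134), and the resolver is injectable so the code can run without DNS. The sources file text is constructed.

```python
import re
import socket

# Constructed sample sources file: <pattern> <name>, "#" starts a comment.
# "." is literal; other regex syntax (character classes, \d, +) is live.
SAMPLE_SOURCES = """\
# pattern               name
203.167.223.13[456]     Exchange
203.167.223.1           Gateway
10.1.2.\\d+              Lab workstations
"""

# Escape only dots that are not already escaped, so "10.1.2.\d+" becomes
# "10\.1\.2\.\d+" and an author who wrote "\." by hand is not broken.
_UNESCAPED_DOT = re.compile(r"(?<!\\)\.")


def load_sources(text):
    """Return [(compiled_regex, name), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)  # name may itself contain spaces
        if len(fields) < 2:
            continue
        pattern, name = fields
        regex = re.compile(_UNESCAPED_DOT.sub(r"\\.", pattern))
        rules.append((regex, name.strip()))
    return rules


def reverse_lookup(addr):
    """Best-effort PTR lookup; None when DNS has nothing to say."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None


def source_name(addr, rules, resolver=None):
    """Map one source address to a display name.

    Order of precedence: first matching sources-file rule (whole-address
    match, an assumption of this example), then reverse DNS, then the
    address itself.
    """
    for regex, name in rules:
        if regex.fullmatch(addr):
            return name
    resolver = resolver or reverse_lookup
    host = resolver(addr)
    return host if host else addr


if __name__ == "__main__":
    rules = load_sources(SAMPLE_SOURCES)
    no_dns = lambda addr: None  # stand-in resolver for an offline run
    for src in ("203.167.223.135", "203.167.223.1", "10.1.2.9", "192.0.2.5"):
        print(src, "->", source_name(src, rules, no_dns))
```

Because the dot is escaped before compiling, a pattern such as "203.167.223.1" cannot match an address like "203x167x223x1"; conversely, anything you do want to be a wildcard has to be written with real regex syntax, as the "\d+" line shows.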
To make use of a sources file, change the command running collect.pl to
something like:
collect.pl -a c:\perl\mrtg\contrib\whodo\sources.cfg -n \
c:\winnt\system32\drivers\etc\networks -s c:\perl\mrtg\contrib\whodo\sources
Mind you, if you'd had any sense you would have done this before step 5.
VOODOO
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your option) any
later version.
This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.
YOU TOO
Tobi has agreed to include this set of scripts in the mrtg distribution. So, if
you make any improvements or bug fixes, please provide them to him. But
please be aware that he can't support the scripts himself.
Tony Farr
24/3/99