
I have an install of MRTG that I put together some years ago which graphs bandwidth use on our PAN firewalls' outside interfaces. It runs as a service on our Windows management box, and the results are displayed in an IIS site on that same box.

Recently, we've been told that in order to detect irregularities or possible exfiltration of data, it would be a good idea to do a similar thing based on the amount of data (bytecount) egressing and ingressing those same firewall interfaces, perhaps using ifHCInOctets & ifHCOutOctets? I've Googled and Googled and not really found much that would be of use to someone with limited MRTG skills like myself. The most promising post I've found is this one:

https://marc.info/?l=mrtg&m=126376490605781&w=2

Which talks about getting daily graphs of traffic. Since I'm already collecting data from these interfaces to display bandwidth, is there a way to leverage that existing data or infrastructure to make a graph of this type? Could it use the same installation of Perl & MRTG to do that? Can anyone suggest anything or any resources I might look at to get me started? Thanks for your time!

Edited to include a crap little paint pic to demonstrate what I envisioned: Traffic Graph

ianc
  • The new graph image shows a mirror graph, which native MRTG cannot do. However, you can get this by using RRDTool as the backend and Routers2 as a frontend. – Steve Shipway Aug 29 '23 at 10:30

1 Answer


Your existing MRTG is collecting and graphing the Incoming and Outgoing throughput, in bytes (or bits) per second, and your graphs are showing this averaged up over progressively larger time windows as you move from Daily through Weekly to Yearly.

What you're asking for is a way to identify the difference between the total inbound and outbound traffic; the example you link does this at a Daily level. So, you're really interested in seeing the total in 1-day increments of (inbound-outbound), or to put it another way,

86400 * ( avg[1day](inbound) - avg[1day](outbound) )

The MRTG Yearly graph already averages the per-second rates of Inbound and Outbound to a 1-day granularity, but you need to get the difference and multiply it up by the number of seconds in a day (86400) to get the daily total difference.

To do this in MRTG, you will need to

  • Define a new Target that is defined as (incomingcount-outgoingcount)
  • Suppress Daily and Weekly graphs for this
  • Set an 86400 multiplier
  • Update the labels and so on so that they make sense

Note that this will mean you don't have historical data (it's a new Target rather than a new way to display the existing Target data) but that may not be a big problem. If you're using the Routers2 frontend then there are other ways to achieve this using the existing Targets but we'll stick with plain MRTG for now.

In MRTG, you will need to define a new Target similar to this:

Target[xxxx]: ifHCInOctets.1&PseudoZero:community@router - ifHCOutOctets.1&PseudoZero:community@router
Factor[xxxx]: 86400
Title[xxxx]: Net traffic difference per day
Suppress[xxxx]: dwm
YLegend[xxxx]: bytes/day
ShortLegend[xxxx]: /d
Options[xxxx]: noo nopeak
Legend1[xxxx]: Traffic difference
LegendI[xxxx]: Net

In this case, the database will hold the average traffic difference per second for interface 1; the graph will show this for Yearly only, multiplied by 86400 to show the total for the Day (suppressing the second value and the peak lines, as they are meaningless).

There's another important point to remember here as well. Since outbound rate may be temporarily higher than inbound (unlikely, but possible) you might get negative values. These cannot be stored in vanilla MRTG and so you would have to have RRDTool as your backend, and be configured to allow negatives, otherwise you'll just see 'unknown's - and the totals graphed would be incorrect.

Steve Shipway
  • Thanks Steve for the great post! A little confused at paragraph 2. I'm interested in both egress and ingress totals per day, so I'm not following your formula there. Specifically, why you would be subtracting outbound from inbound? At any rate, there are times when outbound data flow does exceed inbound (eg. sending backups to Azure), so it appears MRTG will not be suitable, and I'll need to migrate to RRDTool. Trying to research that now, but finding a similar dearth of material on it; how to install on Windows, coexistence with MRTG, migrating MRTG to RRDTool, etc. Thanks for the help tho! – ianc Aug 24 '23 at 20:39
  • I'd (possibly incorrectly?) thought that you were trying to identify *difference* between inbound and outbound flows. Since MRTG works on Rates, you need to calculate the average difference in *rate* and then multiply it up for display to get the daily totals. If you want the daily totals separately then you can avoid having to set up a new Target. Note RRDtool works *with* MRTG as an alternative backend to the native MRTG .log files, so you can continue to use MRTG, just with RRDTool as the backend. You can then also use graph-on-demand frontends such as Routers and 14all over the top. – Steve Shipway Aug 25 '23 at 23:16
  • Hi Steve, edited my original post with a quick paint pic to show what I was envisioning for this. Could inbound and outbound be combined in a single target with something like: – ianc Aug 28 '23 at 23:09
  • ifHCInOctets&fHCInOctets.500010000:router_read@10.10.10.1:::::2? This would then just graph daily inbound and outbound traffic totals using the target values above as a template? – ianc Aug 28 '23 at 23:15
  • @ianc Looks like you want a mirror style graph of in vs. out. You can't do this with native MRTG, but if you switch to using RRDtool as the backend for mrtg, then you can use the Routers2 frontend and it will make this sort of graph for you. https://github.com/sshipway/routers2 – Steve Shipway Aug 29 '23 at 10:29
  • Am looking into Cacti now. Thanks for your help Steve! – ianc Aug 30 '23 at 15:27
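Added example (not code from the answer, from MRTG, or from any of the posters): a script that reads the MRTG .log the question already collects and integrates the stored per-second averages over each sample's interval into per-day inbound, outbound and net byte totals, which is the "86400 * average rate" idea from the answer applied to the existing data, with separate in/out totals and a day where egress exceeded ingress showing up as a negative net instead of an 'unknown'. The log lines are constructed, and the .log layout is assumed to be as described in the comments.

```python
"""Daily in/out/net byte totals from an MRTG .log file (constructed sample)."""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed MRTG .log layout: line 1 = "timestamp last_in_counter last_out_counter";
# following lines = "timestamp avg_in avg_out max_in max_out", rates in
# bytes/second, newest first, with coarser (30 min, 2 h, 1 day) intervals
# further back.  Constructed sample: the newest three rows are 5-minute
# samples on 2023-08-26 (UTC), the older two are 1-day consolidated rows.
SAMPLE_LOG = """\
1693090800 123456789 987654321
1693090800 1200 300 1500 400
1693090500 1000 250 1300 350
1693090200 900 2000 1100 2500
1693004400 800 200 900 300
1692918000 700 150 800 200
"""

def parse_mrtg_log(text):
    """Return [(timestamp, avg_in, avg_out), ...] sorted oldest first."""
    rows = []
    for line in text.splitlines()[1:]:        # skip the raw-counter header line
        ts, avg_in, avg_out, *_ = line.split()  # ignore the max columns
        rows.append((int(ts), float(avg_in), float(avg_out)))
    rows.sort()
    return rows

def daily_totals(rows):
    """Integrate each sample's rate over the interval it covers, per UTC day."""
    totals = defaultdict(lambda: {"in": 0.0, "out": 0.0})
    # A sample at t1 covers the interval (t0, t1] ending at its own timestamp.
    for (t0, _, _), (t1, rate_in, rate_out) in zip(rows, rows[1:]):
        secs = t1 - t0
        day = datetime.fromtimestamp(t1, timezone.utc).date().isoformat()
        totals[day]["in"] += rate_in * secs
        totals[day]["out"] += rate_out * secs
    for d in totals.values():
        d["net"] = d["in"] - d["out"]         # negative => more egress than ingress
    return dict(totals)

def egress_heavy_days(totals):
    """Days whose outbound bytes exceeded inbound, the ones worth a second look."""
    return sorted(day for day, d in totals.items() if d["net"] < 0)

if __name__ == "__main__":
    for day, d in sorted(daily_totals(parse_mrtg_log(SAMPLE_LOG)).items()):
        print(day, "in=%.0f out=%.0f net=%.0f" % (d["in"], d["out"], d["net"]))
```

Consolidated rows are weighted by their real width (a 1-day row contributes rate * 86400), so totals stay consistent across the detailed and summarised parts of the log.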