Ethical IT for International Development

pmGraph - Network monitoring tool

Nov 2006 to Dec 2006

pmGraph is an open source visualisation and graphing tool that helps network administrators monitor bandwidth.


Purpose

pmGraph is a visualisation and graphing tool that is designed to complement pmacct, a network monitoring and auditing tool. The two tools are supplied together as a Debian package, and the instructions for installing pmGraph cover the installation of both tools.

pmacct monitors traffic on a firewall, router or bridge, or collects information from multiple routers, and stores the network data in a database. The database permits powerful analysis; however, there is no user-friendly interface to access the data.

pmGraph addresses this issue by providing a graphical overview of the pmacct data with a user-friendly interface. It graphs the data transferred between remote and local machines and the ports used. It resolves host names using DNS and DHCP servers, and can show usage for a specific IP address or port, with a configurable number of results.


People

pmGraph was developed by Aptivate staff and volunteers to be a flexible and powerful tool for network and systems administrators, with advanced user-friendly graphing capabilities.

Main features

  • User friendly, simple interface
  • Shows info about the connections between remote and local machines, and ports used
  • Host name resolution using DNS and DHCP servers
  • Shows usage for a specific IP address or port
  • Configurable number of results

If you investigate pmGraph and decide not to use it, please let us know why in order to help us to improve it.


Process

pmGraph is platform independent software. It has been developed in Java and is designed to work in a servlet container such as Tomcat, which is available for all common platforms. pmGraph is quite lightweight, and requires only 8MB of disk space. However, it relies on other, bulkier programs. If you don’t already have Tomcat, Java, MySQL server and pmacct, you will have to install them as well, which may take around 300 MB of disk space. These components will be installed for you if you use the package installation and you can install pmGraph without learning much about them.

Known limitations of pmGraph at present:

  1. Proxy servers interfere with network monitoring
  2. Would be useful to classify hosts into groups (e.g. departments or customers)
  3. Pmacct database size grows without bounds unless pruned

Collaborators on the project are both welcome and important for further development. Please contact us if you’d like to get involved, or see our more detailed developers’ guide.


Code

pmGraph installation

These instructions are also under development. If you need help getting pmGraph working, please contact us.

In this section we’ll cover the steps needed to successfully install pmGraph and get it running. We’ll also list the third-party software that is needed to get started.

Planning your Installation

Before you install pmGraph, it is essential to understand how you are going to capture your network traffic. Otherwise you might waste a lot of time installing it on the wrong computer.

Unless you’re already familiar with network maps, monitoring and topology, please read Chapter 3 of the Bandwidth Management Book before continuing.

pmGraph relies on pmacct to capture network traffic. They can be installed on different computers, but the simplest installation process is to put them both on the same computer. Unless you already have pmacct installed and configured, you will need to do so before you can make pmGraph do anything useful. In that case, you will need to understand how pmacct will capture your network traffic in order to configure it correctly.

Where to capture network traffic

First you need to choose where to place your sensor, which will record traffic passing through it. Usually, it is not possible or desirable to monitor every packet on your network, as the volume of local traffic can be enormous (much more than your Internet traffic) and this would place a heavy burden on your monitoring system. The sensor will be most efficient if you place it so that it only sees the traffic that you want to record and graph, and as little as possible else.

Often you are most concerned with your Internet traffic, since your Internet bandwidth is much less than your local bandwidth. In this case, you might want to place the sensor at the interconnection point, exactly where your network connects to your Internet Service Provider (ISP), and record all traffic crossing this point, which is therefore entering or leaving your domain of control (your own network).

The interconnection point may be a router, modem, bridge, firewall, switch or access point. Chapter 3 of the Bandwidth Management Book explains network monitoring in more detail.

If the interconnection point is a router, firewall or switch, then it may already be capable of monitoring traffic. For example, some routers support Netflow or sFlow, some firewalls run Unix, and some switches have monitoring ports. If your interconnection point does not have any of these, you will need to insert a new device into the network as the sensor.

pmacct has two ways to receive network traffic information:

  • By sniffing traffic passing through the network ports of the computer on which it’s running. To do this, you will have to install pmacct on a router or transparent bridge on your network. If your network doesn’t have one of these, you will need to add it.
  • By receiving Netflow or sFlow data from a router on your network. If your network doesn’t have a router that supports Netflow or sFlow, you will need to add one, or replace an existing router.

Network device configuration

You will probably have to do one of the following to monitor your network:

  • Configure the existing router to enable Netflow or sFlow.
  • Replace the existing router with one that supports Netflow or sFlow.
  • Configure your existing switch to enable a monitoring port, and attach a sensor to that port.
  • Replace your existing switch with one that supports monitoring ports, and attach a sensor to that switch.
  • Build a Unix machine as a transparent bridge and sensor, and insert it next to your Internet router.
  • Build a Unix machine as a router, and use it to replace your Internet router.
  • Build a Unix machine as a router, insert it next to your Internet router, and renumber some networks.

Using Netflow or sFlow

You can use a Cisco or Juniper router to send Netflow or sFlow network accounting records to your Unix server. This removes the need to connect the Unix server directly to the point where the networks meet, as long as the router is already there, or you replace your existing router with one of these.

In this case, you will need to install and configure the nfacct component of pmacct. This usually means just running nfacctd instead of pmacctd. Since nfacct doesn’t support the pcap_filter directive, you will have to modify your pmacctd.conf file manually.

You will also need to enable Netflow or sFlow on your router, and configure it to export flows to the computer where you installed pmacct (nfacctd).

Running pmacct in Promiscuous Mode

You can use pmacct to monitor passing network traffic in promiscuous mode. Most Unix servers can do this. The sensor will only see packets which pass through it, so this will only work if you combine it with either the monitoring port or the transparent bridge configurations below. It is the default configuration of pmacct generated by installing the pmGraph package.

Using a Monitoring Port

Check the manual for your switch to see if it’s a managed switch. If not, you probably won’t be able to configure it. If it has a console port, you could try connecting it to a PC using a serial null modem cable.

The process to enable a monitoring port depends on the switch. Please check the switch manual for details. You may be able to guess by navigating the web interface, or textual menus on the serial console port.

Using a Transparent Bridge

For more information about configuring a Unix machine as a transparent bridge, please see Chapter 4 of the Bandwidth Management Book, from page 130 onwards.

Installation Methods

There are three options available for installing pmGraph:

  • Use a Debian package supplied by us which installs all the software needed. This is the recommended method, and the instructions are just below this section.
  • Use this install script. Note: This installer will need root privileges to run.

Package installation

Third-Party software included

Using this package the following software will be installed automatically:

  • mysql database
  • pmacct network traffic logger
  • tomcat web server
  • Java Sun Development Kit
  • pmGraph

Steps to install the software using the Debian package

Install pmGraph using an APT repository:

1. Add the pmGraph project repository. To do so, add the following lines to your /etc/apt/sources.list file:

# app repository for PMGRAPH
deb http://ppa.launchpad.net/pmgraph/ppa/ubuntu lucid main
deb-src http://ppa.launchpad.net/pmgraph/ppa/ubuntu lucid main

2. Import the PGP key of the repository

To import this key you will have to use the following command.

sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 72318B8DAC9C70E6

The code at the end of the command is the ID of the PGP key used by the repository.

3. Update the list of available packages:

sudo apt-get update

4. Search for “pmgraph”:

apt-cache search pmgraph

You should receive a line like this:

pmgraph -pmGraph is a software application for network monitoring to work with pmacct

5. Download and install pmGraph

sudo apt-get install pmgraph

6. Restart Tomcat server and pmacct

sudo /etc/init.d/tomcat6 restart

You may need to change the Tomcat version in this command, depending on what you have installed.

sudo /etc/init.d/pmacct restart

7. Now you should be able to access the pmGraph page at:

http://{yourbridgemachine}:{yourtomcatport}/pmgraph/

For example, if you are running tomcat on the same machine as your web browser and using the default port, try to open:

http://localhost:8180/pmgraph

8. To get pmGraph working for your network, you will need to change the parameter “LocalSubnet”. It lets pmGraph know which IPs belong to your local network.

Go to the link ‘Configure’ on your pmGraph page. Then modify the parameter LocalSubnet to make it match your local network. For example if your local network is 192.168.1.0/24 the value of the parameter has to be:

LocalSubnet = 192.168.1.

When you click ‘Save Configuration’, this parameter is updated both in the pmGraph configuration file database.properties and in the pmacct configuration file /etc/pmacct/pmacctd.conf.

In pmacctd.conf, the line

pcap_filter: not (src and dst net 10.0.156.0/24)

is updated to match your local subnet, which for the above example will be:

pcap_filter: not (src and dst net 192.168.1.0/24)
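
An added example, not part of pmGraph or of the original page: a shell check that the pcap_filter line in pmacctd.conf agrees with the LocalSubnet value, plus a function that mirrors which packets the filter lets pmacct record. The function names are hypothetical, and mapping one- and two-octet prefixes to /8 and /16 extends the page's single /24 case as an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not pmGraph code).

# "192.168.1." -> "192.168.1.0/24". Assumption: the LocalSubnet prefix ends
# on an octet boundary, as in the page's example; /8 and /16 are extrapolated.
subnet_to_cidr() {
    prefix=$1
    case $prefix in
        ""|.*|*..*|*[!0-9.]*) return 1 ;;   # digits and single dots only
        *.) ;;                               # trailing dot required
        *) return 1 ;;
    esac
    n=0
    for octet in $(printf '%s' "$prefix" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    case $n in
        1) printf '%s0.0.0/8\n' "$prefix" ;;
        2) printf '%s0.0/16\n' "$prefix" ;;
        3) printf '%s0/24\n' "$prefix" ;;
        *) return 1 ;;
    esac
}

# The pcap_filter line pmacctd.conf should carry for a given LocalSubnet.
expected_filter() {
    cidr=$(subnet_to_cidr "$1") || return 1
    printf 'pcap_filter: not (src and dst net %s)\n' "$cidr"
}

# conf_matches LOCALSUBNET CONF_FILE: 0 if the file has exactly that line.
conf_matches() {
    want=$(expected_filter "$1") || return 2
    grep -Fxq -- "$want" "$2"
}

# is_recorded LOCALSUBNET SRC DST: mirrors the filter's logic. A packet is
# dropped only when both addresses are local; everything else is recorded.
is_recorded() {
    case $2 in "$1"*) src_local=1 ;; *) src_local=0 ;; esac
    case $3 in "$1"*) dst_local=1 ;; *) dst_local=0 ;; esac
    [ "$src_local" -eq 0 ] || [ "$dst_local" -eq 0 ]
}

# Page's example value: prints the line expected in /etc/pmacct/pmacctd.conf.
expected_filter "192.168.1."
```

After saving the configuration, `conf_matches 192.168.1. /etc/pmacct/pmacctd.conf` returns a non-zero status if the two settings disagree, in which case local-to-local traffic may be counted or Internet traffic missed.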

For security reasons you need to change the default password by editing the configuration file. This also contains other parameters which you may wish to configure.

If you have any trouble installing pmGraph, please get in touch and let us know about it. We will try to help you out with it.
