Open source network administration with MRTG

Author: James M. Kretchmar

MRTG is the Multi Router Traffic Grapher, a piece of free software released under the GNU General Public License. It was written primarily by Tobias Oetiker and Dave Rand. MRTG produces Web pages that display graphs of bandwidth use on network links on daily, weekly, monthly, and yearly scales. This can be an invaluable tool for diagnosing network problems because it not only indicates the current status of the network but also lets you visually compare this with the history of network utilization.

This article is excerpted from the newly published book Open Source Network Administration.

MRTG relies on SNMP version one, and optionally SNMP version two, to obtain data from routers or other network hardware. MRTG sends SNMP requests every five minutes and stores the responses in a specialized data format. This format allows MRTG to present the daily, weekly, monthly, and yearly graphs without the data files forever growing larger. It does this by summarizing the older data as necessary. The graphs themselves are created in Portable Network Graphics (PNG) format and can be included in Web pages or used in other applications.

In the middle of a crisis, or when you are debugging an immediate network problem, MRTG will allow you to view the traffic patterns of many networks at once and quickly determine if one or more is experiencing an abnormal traffic load. The fact that the graphs display the history of the network is key. In practice, it can be difficult to tell from immediate bandwidth and packet-per-second counts alone whether a network is operating normally. If a 100Mb/s link is carrying 85Mb/s of traffic, is this heavy but normal use or is the network straining under an attack? By having the history of the network available, you can look for sudden changes that might account for an operational problem. A denial-of-service attack that attempts to exhaust the available bandwidth on a network nearly always presents as a sudden, sustained increase in traffic levels; the attackers do not have much to gain by slowly ramping up the attack over a period of time.
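The idea in this paragraph can be expressed as detection logic. The following is an added example, not code from the book or from MRTG: it converts five-minute counter readings into bit rates and reports the first poll at which traffic jumps well above its recent history and stays there. The 32-bit wrapping octet counter, the threshold parameters (`history`, `factor`, `sustain`) and the sample readings are assumptions constructed for illustration.

```python
from statistics import median

POLL_SECONDS = 300        # MRTG polls every five minutes
COUNTER_MOD = 2 ** 32     # assumption: 32-bit SNMP octet counter that wraps to 0


def rates_bps(readings, interval=POLL_SECONDS):
    """Turn successive octet-counter readings into bits per second."""
    rates = []
    for prev, cur in zip(readings, readings[1:]):
        delta = (cur - prev) % COUNTER_MOD   # correct across one counter wrap
        rates.append(delta * 8 / interval)
    return rates


def first_sustained_jump(rates, history=12, factor=3.0, sustain=3):
    """Index of the first poll where traffic exceeds `factor` times the median
    of the previous `history` polls and stays there for `sustain` polls."""
    for i in range(history, len(rates) - sustain + 1):
        baseline = median(rates[i - history:i])
        if baseline > 0 and all(r > factor * baseline for r in rates[i:i + sustain]):
            return i
    return None


def demo():
    # Constructed sample: Mb/s per poll on a 100Mb/s link. One isolated spike
    # (70) is followed later by a sudden, sustained rise to about 85Mb/s.
    mbps = [20, 22, 19, 21, 20, 23, 21, 20, 22, 19, 21, 20,
            22, 70, 21, 20, 85, 86, 84, 85]
    counter = 4_000_000_000   # start near the 32-bit limit to force a wrap
    readings = [counter]
    for m in mbps:
        counter = (counter + m * 1_000_000 // 8 * POLL_SECONDS) % COUNTER_MOD
        readings.append(counter)
    rates = rates_bps(readings)
    return rates, first_sustained_jump(rates)


if __name__ == "__main__":
    rates, onset = demo()
    print("sustained jump begins at poll", onset, "at", rates[onset] / 1e6, "Mb/s")
```

The isolated one-poll spike does not trigger because the rate must stay above the threshold for three consecutive polls, and using the median keeps that spike from inflating the baseline.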

When you are not tending to an immediate problem, MRTG is useful for studying trends in traffic on your network. It will help you understand how traffic is distributed across your network, plan capacity needs for the future, and so on.

While MRTG is most often used to collect data from router interfaces, it can also collect traffic data from switches or servers. In this way, you can monitor the bandwidth use of a particular machine. In fact, MRTG can be configured to collect any statistical data that a device makes available via SNMP.

Installing MRTG

MRTG relies on a few pieces of software not included in the distribution. In particular, it requires:

  • Perl 5.005 or greater
  • The GD library
  • The PNG library
  • The zlib library

You will not need external SNMP software because MRTG comes with its own SNMP implementation. Begin by unpacking the source in a convenient location:

    % gunzip -c mrtg-2.9.25.tar.gz | tar xvf -
    % cd mrtg-2.9.25

Install documentation is available from the doc/ directory in the distribution, but on a modern Linux system, MRTG will build without any special instructions:

    % ./configure
    % make

Then, as root, you may execute the command make install if you would like to install MRTG in the default location, /usr/local/mrtg-2/. If you are building MRTG for other platforms, you may find that a couple of necessary components are not already installed on your system. On Solaris, for example, you will first have to build the PNG and GD libraries before you can successfully build MRTG.

The book from which this article is extracted has many more pages of information about configuring and using MRTG. A simple Web search will also turn up details on those topics.

Maintaining MRTG

MRTG requires more maintenance than many open source network administration tools. Each time you move a network or router interface, you have to make sure the change is reflected in the MRTG configuration. Moving networks and interfaces can wreak havoc with MRTG’s sense of which data files belong to which network.

In the event that you do make a change that causes MRTG to lose its sense of which data belongs to which network, you can attempt to remedy the situation by finding the appropriate .log file under /usr/local/apache/htdocs/mrtg/router* and renaming it to be the data file that MRTG expects for the new network.