I wrote the netlogger package in order to have an extremely lightweight toolset for basic network monitoring of my home network. Several of my computers are rated at 3-5 bogoMips, and any intrusive logging is fatal to their usability. The package relies on features of the Linux kernel and I'm using it on i386, Sparc, Sparc64, m68k, Alpha, PowerPC, ARM, MIPS, IA64.
The latest version of this package can be downloaded from:
ftp://arcana.linux.it/pub/netlogger/
The scripts that are included in the package rely on ettclsh to be installed. Ettcl is Tcl-7.6 extended with a few low-level commands, including UDP support. It is extensively used in the Etlinux embedded system, which I designed in its 1.0 and 1.1 versions, when I was working in Prosa. The ettcl package can be downloaded from ftp://ar.linux.it/pub/ettcl .
The programs have been run on the PC using libc version 5 and 6 (glibc). On the other platforms I used whatever I found there (usually glibc).
The Netlogger is a simple tool based on UDP. It is made up of the following components:
- messages read from /proc/kmsg. klogd must not be running.
- memory and swap usage every N seconds. It uses /proc/loadavg and /proc/meminfo.
- script. Doesn't depend on ettclsh.
- workstation.
- refined.
- stdin. It is written in Tcl, as such it has problems with '\0' bytes and can't send to broadcast addresses (I'll fix the broadcast issue in the next release of ettcl).
- default.
- to stdout. It is the natural mate of netlog-rawsend, as it removes the leading/trailing markers added by that tool.
- udp-send (no hairy markers to remove here).
``make'' builds the C programs, and ``make install'' copies the tools to /usr/local/bin. ``make uninstall'' removes everything that was (or would have been) installed.
The network packets sent/received by the scripts are very simple: they are ASCII UDP packets with no trailing newline; each packet is a Tcl list made up of two items: a symbolic identifier for the sender and the actual data. Packets sent/received by the C programs are binary.
More details on individual tools:
NETLOG-KSEND
Invoke the command with two arguments: the symbolic identifier
and the destination UDP address (in the form IP:PORT).
Example:
netlog-ksend pico-kernel 192.168.16.1:3210
If your ettcl is recent enough (newer than release 12), you
can use host names instead of IP numbers and omit the hostname
altogether to use the broadcast address 255.255.255.255.
There is currently no support for broadcast using the local
broadcast address.
Examples:
netlog-ksend pico-kernel server:3210
netlog-ksend pico-kernel 3210
NETLOG-STAT
Invoke the command with two or three arguments: the symbolic
identifier, the destination UDP address (in the form IP:PORT)
and optionally the number of seconds (default is 5) between
packet transmission. The data field of each packet includes:
- the loadavg (1-minute average)
- the number of running processes
- the total number of processes
- used memory (kB)
- free memory (kB)
- used swap (kB)
- free swap (kB)
Example:
netlog-stat pico-stat 192.168.16.1:3210 1
Example data packet:
pico-stat {0.70 2 16 15424 3520 1324 13672}
Note that the number of running processes is always at least 1,
as netlog-stat is running while reading /proc.
If your ettcl is recent enough (newer than release 12), you
can use host names instead of IP numbers and omit the hostname
altogether to use the broadcast address 255.255.255.255.
There is currently no support for broadcast using the local
broadcast address.
Examples:
netlog-stat pico-stat server:3210
netlog-stat pico-stat 3210
NETLOG-STATC
Same as above, but implemented in C (no need to have ettclsh).
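As an added example (not the package's own netlog-statc source) of how the seven fields described above are obtained and laid out, the C program below parses the text of /proc/loadavg and /proc/meminfo and formats a packet in the "<identifier> {data}" shape. The /proc samples embedded in it are constructed; computing "used" as total minus free (in kB) is this example's assumption about how the original tool derives those figures, and the identifier check (no whitespace or braces) is added here because such characters would break the two-item list layout on the receiving side.

```c
/* Added example, not netlogger's code: build a netlog-stat style packet
 * from /proc/loadavg and /proc/meminfo text. "used = total - free" is an
 * assumption of this example, not a statement about the original tool. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct netlog_stat {
    double load1;            /* 1-minute load average */
    long running, total;     /* running / total processes */
    long mem_used, mem_free; /* kB */
    long swap_used, swap_free;
};

/* Return the value of "Key:   12345 kB" from meminfo-style text, -1 if absent. */
static long meminfo_field(const char *meminfo, const char *key)
{
    const char *p = meminfo;
    size_t klen = strlen(key);
    while ((p = strstr(p, key)) != NULL) {
        /* the key must start a line and be followed by ':' */
        if ((p == meminfo || p[-1] == '\n') && p[klen] == ':')
            return strtol(p + klen + 1, NULL, 10);
        p += klen;
    }
    return -1;
}

/* Parse both /proc texts; returns 0 on success, -1 on malformed input. */
int netlog_stat_parse(const char *loadavg, const char *meminfo, struct netlog_stat *st)
{
    double l5, l15;
    /* /proc/loadavg: "0.70 0.45 0.30 2/16 1234" -> 1/5/15 min, running/total, last pid */
    if (sscanf(loadavg, "%lf %lf %lf %ld/%ld", &st->load1, &l5, &l15,
               &st->running, &st->total) != 5)
        return -1;
    long mt = meminfo_field(meminfo, "MemTotal"), mf = meminfo_field(meminfo, "MemFree");
    long stt = meminfo_field(meminfo, "SwapTotal"), sf = meminfo_field(meminfo, "SwapFree");
    if (mt < 0 || mf < 0 || stt < 0 || sf < 0 || mf > mt || sf > stt)
        return -1;
    st->mem_used = mt - mf;   st->mem_free = mf;
    st->swap_used = stt - sf; st->swap_free = sf;
    return 0;
}

/* Format "<ident> {<7 fields>}" with no trailing newline, as the README describes.
 * Returns the length written, or -1 if the identifier is unusable or out is too small. */
int netlog_stat_format(const char *ident, const struct netlog_stat *st, char *out, size_t outlen)
{
    /* an identifier with whitespace or braces would no longer be a single Tcl list item */
    if (*ident == '\0' || strpbrk(ident, " \t\n{}") != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s {%.2f %ld %ld %ld %ld %ld %ld}", ident, st->load1,
                     st->running, st->total, st->mem_used, st->mem_free,
                     st->swap_used, st->swap_free);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Constructed sample /proc contents (not captured from a real host). */
static const char SAMPLE_LOADAVG[] = "0.70 0.45 0.30 2/16 1234\n";
static const char SAMPLE_MEMINFO[] =
    "MemTotal:        18944 kB\n"
    "MemFree:          3520 kB\n"
    "SwapTotal:       14996 kB\n"
    "SwapFree:        13672 kB\n";

int main(void)
{
    struct netlog_stat st;
    char pkt[128];
    if (netlog_stat_parse(SAMPLE_LOADAVG, SAMPLE_MEMINFO, &st) != 0 ||
        netlog_stat_format("pico-stat", &st, pkt, sizeof pkt) < 0) {
        fputs("malformed /proc input\n", stderr);
        return 1;
    }
    puts(pkt);   /* pico-stat {0.70 2 16 15424 3520 1324 13672} */
    return 0;
}
```

To turn this into a sender, read the two files from /proc every N seconds and hand the buffer to a UDP socket; the README's example packet above is reproduced exactly by the constructed sample.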
NETLOG-GET
Invoke the command with one argument, the UDP port to listen
to. The program will print to stdout any packet it receives
as a Tcl list of four items: the current time (HH:MM:SS), the
sender host:port, the sender's symbolic name, the sender's
data.
Example invocation:
netlog-get 3210
Example data line (shown as two lines to fit in 70 columns):
18:30:20 192.168.16.12:60003 pico-stat
{0.70 2 16 15424 3520 1324 13672}
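Because these packets arrive as unauthenticated UDP datagrams from anyone on the LAN, a receiver should check their shape before acting on the contents. The following C code is an added example, not part of netlog-get: it splits a Tcl-style list at top level (handling only the brace quoting these tools use, not full Tcl syntax) and validates a netlog-stat payload as two items whose data part holds exactly seven non-negative numbers. The same splitter applies to the four-item lines netlog-get prints. The sample payloads, the 512-byte size limit and the function names are this example's own.

```c
/* Added example, not netlogger's code: defensive parsing of a received
 * netlog packet ("<ident> {<data>}") and of netlog-get output lines. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <math.h>

#define NETLOG_MAX_ITEMS 8
#define NETLOG_MAX_PAYLOAD 512   /* constructed upper bound for this example */

/* Split a Tcl-style list at top level: whitespace separates items and a
 * {...} group (nesting allowed) is one item with the outer braces removed.
 * Returns the item count, or -1 on unbalanced braces, a brace inside a bare
 * word, too many items, or an item longer than the 128-byte slot. */
int tcl_list_split(const char *s, char out[][128], int max_items)
{
    int n = 0;
    while (*s) {
        while (isspace((unsigned char)*s)) s++;
        if (!*s) break;
        if (n == max_items) return -1;
        const char *start; size_t len;
        if (*s == '{') {
            int depth = 0; const char *p = s;
            do { if (*p == '{') depth++; else if (*p == '}') depth--; p++; }
            while (*p && depth > 0);
            if (depth != 0) return -1;                 /* unbalanced */
            start = s + 1; len = (size_t)(p - s) - 2;  /* strip outer braces */
            s = p;
            if (*s && !isspace((unsigned char)*s)) return -1; /* "{a}b" is not a list */
        } else {
            start = s;
            while (*s && !isspace((unsigned char)*s)) s++;
            len = (size_t)(s - start);
            if (memchr(start, '{', len) || memchr(start, '}', len)) return -1;
        }
        if (len >= 128) return -1;
        memcpy(out[n], start, len); out[n][len] = '\0'; n++;
    }
    return n;
}

/* Validate a netlog-stat payload: "<ident> {<7 numeric fields>}".
 * On success copies the identifier, fills fields[0..6] and returns 0; else -1.
 * Note the identifier is only a label chosen by the sender, not proof of origin. */
int netlog_stat_check(const char *payload, char ident[128], double fields[7])
{
    char items[NETLOG_MAX_ITEMS][128], f[NETLOG_MAX_ITEMS][128];
    if (strlen(payload) > NETLOG_MAX_PAYLOAD) return -1;
    if (tcl_list_split(payload, items, NETLOG_MAX_ITEMS) != 2) return -1;
    if (items[0][0] == '\0') return -1;
    if (tcl_list_split(items[1], f, NETLOG_MAX_ITEMS) != 7) return -1;
    for (int i = 0; i < 7; i++) {
        char *end;
        errno = 0;
        fields[i] = strtod(f[i], &end);
        if (end == f[i] || *end != '\0' || errno != 0 || !isfinite(fields[i]) || fields[i] < 0)
            return -1;
    }
    strcpy(ident, items[0]);
    return 0;
}

int main(void)
{
    /* Constructed samples: a well-formed stat packet and a truncated one. */
    const char *good = "pico-stat {0.70 2 16 15424 3520 1324 13672}";
    const char *bad  = "pico-stat {0.70 2 16 15424 3520 1324";
    char ident[128]; double v[7];
    printf("%s -> %s\n", good, netlog_stat_check(good, ident, v) == 0 ? "accepted" : "rejected");
    printf("%s -> %s\n", bad,  netlog_stat_check(bad,  ident, v) == 0 ? "accepted" : "rejected");
    return 0;
}
```

A receiver that feeds a display or a log should drop anything this check rejects and treat the identifier as a display label only; two hosts can legitimately or maliciously claim the same name, which is exactly the ambiguity the netlog-if section below mentions.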
NETLOG-IF
The program offers a simple frontend to show collected data.
It is implemented in Tcl/Tk and uses netlog-get internally to
collect information (so you still need ettclsh to run
netlog-if).
Sources of information are told apart using their name, not
their IP:port address, so several sources may be considered
one (this will be either a bug or a feature, I'm uncertain).
Each source of information is allocated a line of information
in the main application window. The line is composed of a
checker (green for active sources of information and red for
those that have been silent for a while), a label with the
name of that source of information, another label that shows
the loadavg and the number of processes for netlog-stat
sources (it currently doesn't show anything for other sources)
and a checkbutton that can be used to open the text window
associated to that source. The second label gets red when the
loadavg goes bigger than a predefined threshold and gets red
when it goes lower. When the color is changed, the window gets
raised to catch the user's attention. Clicking on the label
turns it back to the default color (black).
The text window is currently only a text widget that shows the
last lines of information printed by that source. The number
of lines is currently limited to 5000 (set g(nlines) to change
it).
The main window has two extra buttons: ``Reset'' is used to
forget about all connections (currently the only means to
dispose of dead connections) and ``Quit'' terminates the
application.
Future features (plans):
- ``save-to-file'' feature for each source of information
- different number of active lines for each source
- a way to draw a diagram on selectable fields of the data
UDP-SEND
Invoke the command with a single argument: the destination UDP
address. The program accepts <hostname>:<port>, where hostname
can be either a name (looked up using DNS) or an IP address.
It also accepts <port> alone; in that case it transmits to
broadcast (255.255.255.255).
It may be useful, for example, to replicate a tty session.
Example:
telnet localhost | tee /dev/tty | udp-send 12345
broadcasts the session to port 12345. You can
also use the tool to broadcast kernel messages.
Example:
cat /proc/kmsg | udp-send 6666
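The destination rules just described (host:port with a DNS name or an IP address, or a bare port meaning the 255.255.255.255 broadcast) are shown below in an added C example that is not the package's udp-send. It parses the argument, resolves the host, enables SO_BROADCAST only when the limited broadcast address is the target, and then copies stdin to the socket one datagram per read(); that chunking and the function names are this example's choices, and IPv4 is assumed throughout.

```c
/* Added example, not the package's udp-send: argument parsing plus a
 * broadcast-capable UDP sender for stdin. IPv4 only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

#define BROADCAST_ADDR "255.255.255.255"

/* Split "host:port" or "port" into host (defaulting to the limited broadcast
 * address) and port. Returns 0 on success, -1 if the port is missing or out of range. */
int udp_parse_dest(const char *arg, char *host, size_t hostlen, int *port)
{
    const char *colon = strrchr(arg, ':');
    const char *portstr = colon ? colon + 1 : arg;
    char *end;
    long p = strtol(portstr, &end, 10);
    if (*portstr == '\0' || *end != '\0' || p < 1 || p > 65535) return -1;
    if (colon) {
        size_t n = (size_t)(colon - arg);
        if (n == 0 || n >= hostlen) return -1;
        memcpy(host, arg, n); host[n] = '\0';
    } else {
        snprintf(host, hostlen, "%s", BROADCAST_ADDR);
    }
    *port = (int)p;
    return 0;
}

/* True if the destination is the limited broadcast address. */
int udp_dest_is_broadcast(const char *host)
{
    return strcmp(host, BROADCAST_ADDR) == 0;
}

/* Resolve host (name or dotted quad), create a UDP socket connected to it and
 * enable SO_BROADCAST only when broadcasting. Returns the fd, or -1 on failure. */
int udp_open_dest(const char *host, int port)
{
    struct addrinfo hints, *res;
    char portstr[8];
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_DGRAM;
    snprintf(portstr, sizeof portstr, "%d", port);
    if (getaddrinfo(host, portstr, &hints, &res) != 0) return -1;
    int fd = socket(res->ai_family, res->ai_socktype, 0);
    if (fd >= 0 && udp_dest_is_broadcast(host)) {
        int one = 1;
        if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof one) < 0) { close(fd); fd = -1; }
    }
    if (fd >= 0 && connect(fd, res->ai_addr, res->ai_addrlen) < 0) { close(fd); fd = -1; }
    freeaddrinfo(res);
    return fd;
}

/* Copy stdin to the destination, one datagram per read(). */
int main(int argc, char **argv)
{
    char host[256]; int port;
    if (argc != 2 || udp_parse_dest(argv[1], host, sizeof host, &port) != 0) {
        fprintf(stderr, "usage: %s <host:port>|<port>\n", argv[0]);
        return 1;
    }
    int fd = udp_open_dest(host, port);
    if (fd < 0) { perror("udp_open_dest"); return 1; }
    char buf[1024]; ssize_t n;
    while ((n = read(0, buf, sizeof buf)) > 0)
        if (send(fd, buf, (size_t)n, 0) < 0) { perror("send"); break; }
    close(fd);
    return 0;
}
```

Keeping SO_BROADCAST off for unicast destinations is deliberate: a tty session replicated this way is plaintext on the wire, and limiting it to the intended host is the one control the sender has.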
UDP-GET
Invoke the program with a single argument: the UDP port it
should listen to. For example, to replicate the tty session
broadcast by the example above (about udp-send) you can issue:
udp-get 12345
NETLOG-RAWSEND
Invoke the command with a single argument: the destination UDP
address (in the form IP:PORT). This is similar to ``udp-send''
but is written in ettcl. Since ettcl support for UDP is
text-only, the tool can't work with null bytes, and adds
delimiters to the packet in order to preserve newlines.
There is no support for broadcast, as udp-send already performs
the task much better than this tool.
NETLOG-RAWGET
Invoke the command with a single argument: the UDP port it
should listen to. This is similar to ``udp-get'' but is
written in ettcl. Since ettcl support for UDP is text-only,
the tool can't work with null bytes. It removes the
delimiters added by ``netlog-rawsend''.
WHOSUP
The program draws a Tk window showing which hosts are up. It
collects information by sending ping packets to the broadcast
address. The destination of the ping is by default
255.255.255.255, but you can specify an address on the command
line (the 255.255.255.255 address is sent according to your
default route, and you might want to use a LAN broadcast like
192.168.16.255 if your default gateway is behind a ppp
interface or otherwise).
The program sends a ping every 5 seconds, and uses the
difference in the response to successive pings in order to
show which hosts get shut down or brought up.
Enjoy
/alessandro (alessandro.rubini@linux.it)