(long) MRTG :: SELECT suggestions,recommendations,configurations FROM%expert_users

Mark Johnston mjohnston at skyweb.ca
Thu Apr 10 07:16:31 PDT 2003

Sêrêciya Kurdistanî wrote:
>  1) On my FreeBSD router, do I need to install any snmp tools,
>     ie ucd-snmp-4.2.6, net-snmp-5.0.6 etc in order to use
>     mrtg and/or cricket? 
>  Suggestions/Recommendations:
>  Look outs, pitfalls etc... please let me know ;)

Well, maybe.  MRTG, in its regular configuration, uses SNMP to pull data
from routers, so to use it in the standard way you'll need an SNMP
daemon on your router.

However.  If you want to get away without SNMP, it's also possible to
run MRTG with arbitrary data.  (q.v. RRDTool, a program from the MRTG
author that's much more flexible for this kind of situation.)  You can
use a periodic script to take data from ipfw show/netstat/whatever and
put it into your MRTG/RRD database on the same host, then generate your
graphs from that.  As a bonus, you can graph other useful things like
load averages, mbufs, or vmstat.

To add a bit of complication, you probably don't want to install a bunch
of graphing software and store your data right on your routers.  Here's
what I'd do:

Add a user account to each router.  Set the password so the user can't
log in, but make a .ssh/authorized_keys file in the home directory, and
in that file specify 'command="stats_collect.pl"' before the key (see
sshd(8) for more info.)  That way, the user can log in only with the
key, and can only execute the stats_collect.pl command.  You may also
want to use 'no-port-forwarding', 'no-X11-forwarding', and the like for
better security.

Then, from your centralized host, use a periodic process to ssh into
your routers with your key and collect the output from stats_collect.pl.
You can then insert it into MRTG or RRDTool.

Keep in mind that if you want to use ipfw in your data collection
script, you'll need to do some suid tricks (perhaps mode 4750 and a
special ipfw group.)  You can probably get all the data you're looking
for from netstat if you don't want to do that.

I like this setup because you can collect data more flexibly than you
can with SNMP, you get all the security of ssh, and you don't have to
run another daemon on your routers.  Bear in mind, though, that it's a
significantly heavier load on your network (a full TCP connection
instead of a couple of UDP packets) and CPU (SSH negotiation isn't
cheap) than using SNMP.
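
The authorized_keys restriction described in the message above, as an added example that is not part of the original post: a shell sketch that builds the restricted entry and audits a file for keys that are not pinned to the collector script. The install path /usr/local/bin/stats_collect.pl, the choice of no-agent-forwarding and no-pty as the "and the like" options, and the key material are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: build and audit forced-command authorized_keys entries.
# FORCED_CMD is an assumed install path; the key in demo() is a constructed placeholder.
FORCED_CMD='/usr/local/bin/stats_collect.pl'
REQUIRED_OPTS='no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty'

# restricted_entry "PUBKEY LINE": print the line to place in authorized_keys.
restricted_entry() {
    opts="command=\"$FORCED_CMD\""
    for o in $REQUIRED_OPTS; do opts="$opts,$o"; done
    printf '%s %s\n' "$opts" "$1"
}

# audit_keys FILE: report every key that is not pinned to FORCED_CMD or lacks a
# required option; return 1 if any was found. Simplification: only "ssh-*" key
# types are recognised and option names are matched case-sensitively.
audit_keys() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        case $line in
            ssh-*) field='' ;;                 # key with no options at all
            *)     field=${line%% ssh-*} ;;    # options precede the key type
        esac
        missing=''
        case ",$field," in
            *",command=\"$FORCED_CMD\","*) ;;
            *) missing=' command' ;;
        esac
        for o in $REQUIRED_OPTS; do
            case ",$field," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
        done
        if [ -n "$missing" ]; then
            echo "line $n: missing$missing"
            bad=1
        fi
    done < "$1"
    return $bad
}

demo() {
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEONLYNOTAREALKEY stats@collector'
    f=$(mktemp) || return 1
    restricted_entry "$key" > "$f"   # line 1: locked to the collector script
    printf '%s\n' "$key" >> "$f"     # line 2: plain key, full shell access
    audit_keys "$f"; rc=$?
    rm -f "$f"
    return $rc
}
demo || echo "unrestricted key(s) found"
```

The audit fails closed: a key type or option layout it does not recognise is reported as missing everything rather than passed.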

