[Nagiosplug-devel] Plugin to monitor abnormal traffic behavior

William Leibzon william at leibzon.org
Tue Feb 5 06:07:08 CET 2008


I don't think it's worth the effort (but cost-effectiveness is really up to the
client; if someone paid me to do it, I would, but I'd not on my own add such a
feature to check_snmp_netint, which I maintain). Your idea on how to do it is
wrong - you cannot just look at the traffic level 1 day ago because maybe
exactly at that moment one day ago it was higher or lower than normal. So
what it requires is calculating a 1 day (and most likely really 2 day, since
maybe it began bursting today) traffic average in addition to immediate
traffic. This requires a large historic data file - with 5 minute checks this
gets to be at least 300 entries for each interface for one day and most
likely 600 if you want either the average of traffic from yesterday as base or
the average for the last 2 days. You may think this can be done quickly and
easily by just looking up the octet data count 1 or 2 days ago, but not so
fast - you may have had router reboots or counter overflow, possibly more than
one. So you end up having to go through all those likely 600 entries to
calculate the average while also accounting for such events.

Now the above probably sounds a lot like a fixed-size average values db, which,
if you know, is exactly what RRD is all about. So instead of doing this in the
actual network check plugin, if you really really need such a feature I'd
recommend you put data from the network check into RRD (as you would to plot
performance data) and then have a separate check that specifically looks up the
one day ago average in RRD and compares it to the most recent data put in the
same RRD file. This can be done with either existing plugins or with just
minimum extra programming and is mostly a matter of configuration to make it
all work together.

On 2/4/08, chiel <chiel at gmx.net> wrote:
>
>  Hello,
>
> The bandwidth of some of our routers is pretty much the same every day at a
> specific time. Max in is about 1.2 Gb and min 40 Mb.
> I want to monitor any strange behavior in this traffic. But with normal
> interface plugins that monitor traffic you can only set one max (and
> sometimes min). With those scripts we can't monitor if bandwidth is higher
> for example 90Mb where it's normally 40Mb at a particular time.
> I don't know if there is a plugin already available for this (I have
> searched nagiosexchange)? And I'm not such a great coder myself, so maybe
> someone can help me?
> I think this can be done with using a table where it stores the traffic
> output of the last 24 hours. It can then check the current traffic with the
> one it monitored 24 hours ago.
>
> Maybe you can set warning and critical in % for example "-w 5 -c 10" to
> use 5% and 10% difference in traffic.
>
> What do you think of this?
>
> chiel
>
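The averaging described in the reply above, as an added example that is not part of the original thread or of check_snmp_netint: it walks every stored counter sample, skips intervals that span a reboot, corrects a counter wrap, and compares the newest rate with the baseline using percent thresholds like the proposed "-w 5 -c 10". The sample layout (time, sysUpTime in seconds, octet counter), the function names and the data are constructed for illustration, and at most one wrap per interval is assumed.

```python
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes

def usable_intervals(samples, counter_bits=32):
    """Yield (seconds, octets) for each trustworthy pair of consecutive samples.

    samples: list of (unix_time, uptime_seconds, octet_counter), oldest first
             (assumed layout, not a format used by any existing plugin).
    """
    for (t0, up0, c0), (t1, up1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            continue                     # duplicate or out-of-order sample
        if up1 < up0:
            continue                     # uptime went backwards: reboot, counter restarted
        delta = c1 - c0
        if delta < 0:
            delta += 2 ** counter_bits   # counter overflowed once, no reboot
        yield t1 - t0, delta

def average_rate(samples, counter_bits=32):
    """Octets per second over all usable intervals, or None if there are none."""
    secs = octets = 0
    for s, o in usable_intervals(samples, counter_bits):
        secs, octets = secs + s, octets + o
    return octets / secs if secs else None

def check(history, latest, warn_pct, crit_pct, counter_bits=32):
    """Return (status, deviation_pct) of the latest rate against the baseline."""
    base = average_rate(history, counter_bits)
    now = average_rate(latest, counter_bits)
    if not base or now is None:
        return UNKNOWN, None             # no baseline yet, or latest pair unusable
    dev = abs(now - base) * 100 / base
    if dev >= crit_pct:
        return CRITICAL, dev
    return (WARNING if dev >= warn_pct else OK), dev

# Constructed 5-minute samples of a 32-bit counter: one overflow, one reboot.
HISTORY = [
    (0,    1000, 4294960000),
    (300,  1300, 4704),     # wrapped past 2**32: real delta is 12000
    (600,  1600, 16704),
    (900,  100,  500),      # uptime dropped: interval is discarded
    (1200, 400,  12500),
]
LATEST = [(1200, 400, 12500), (1500, 700, 39500)]   # 90 octets/s vs. 40 baseline

if __name__ == "__main__":
    print(check(HISTORY, LATEST, warn_pct=5, crit_pct=10))
```

Treating the 600 to 900 second interval as an overflow instead of a reboot would add almost 2**32 octets to the baseline, which is why every stored entry has to be inspected rather than subtracting two counter values a day apart.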