Re: [squid-users] Monitor Bandwidth Usage.

From: Adam <adam-s@dont-contact.us>
Date: Thu, 15 May 2003 09:59:00 -0700

"Manjunath H N" wrote:
> MRTG cannot monitor on a per user basis, I have restricted bandwidth usage
> to all users using Delay Pools, but sometimes the bandwidth is very slow,
> when I ask my ISP they say full bandwidth usage from my side. So I want to
> identify the culprit which is using up the bandwidth. Sometimes it can be a
> virus or some other application which keeps sending the requests, is there
> any application which monitors the bandwidth usage on a per user basis on
> LAN.

I may have completely misunderstood your question (wouldn't be the first
time :) but the way we do this is two-fold:
You would still use MRTG as your first point of monitoring. We have MRTG
monitoring our two T-1's to the internet. That way we don't need to rely on
our ISP for such stats, we have up to the 5-minute snapshots. After you get
a feel for normal bandwidth usage (who knows maybe your line is
oversubscribed - ours was, hence we split half the traffic to the other
T-1), then once we notice a spike or rise (both lines usually hover between
800 and 900K) we can then do one of two things:

1.) use cachemgr.cgi's filedescriptor's menu and look under *nwrite/*nread
for high value processes. In our case these are usually streaming media
users.
2.) use the faq's tip of sorting the log file by value to get large
downloads or closed/completed streaming media:
http://www.squid-cache.org/Doc/FAQ/FAQ-7.html#ss7.2 (basically says to do
"sort -r -n +4 -5 access.log | awk '{print $5, $7}' | head -25" on the log
file).

One other thing that I have been doing lately is copying the log file onto a
separate server and then running the excellent Calamaris perl script on it -
it provides a nice total summary of your top talkers, hence likely
candidates to check out. The line I like to use is "cat access.log |
calamaris -a -O -c -U M | mailx -s proxy_report your.name" as it gives all
reports (-a), sorts by size (-O), is case insensitive (-c), and switches from
K to MB, making for cleaner tables.

Of course if you are using delay_pools and have properly tuned/tweaked it,
then it may be possible that something not going through your proxy is
causing the spike. Like you said, a virus, or yesterday, in our case, a user
was doing an ftp to our public ftp server which does not go through the
proxy. That was only traceable/troubleshootable because the network group
has mirrored the port to the internet and put a sniffer on it. Great
product but apparently a lot of money.

hth,

Adam
Received on Thu May 15 2003 - 10:59:55 MDT
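
Added example (not part of the message above or of the Squid FAQ): a per-client total of the byte field that the FAQ one-liner sorts on, plus a drill-down into one client's largest objects. It assumes Squid's native access.log layout (client address in field 3, bytes in field 5, URL in field 7); the function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Native access.log fields: 1=time 2=elapsed_ms 3=client 4=result/status
#                           5=bytes 6=method 7=URL ...

# top_talkers LOGFILE [N] [SINCE_EPOCH]
# Prints "bytes requests client" for the N clients that moved the most bytes,
# counting only entries logged at or after SINCE_EPOCH (0 = whole file).
top_talkers() {
    log=$1; n=${2:-10}; since=${3:-0}
    awk -v since="$since" '
        # Skip truncated or malformed lines: need a URL and a numeric size.
        NF < 7 || $5 !~ /^[0-9]+$/ { next }
        $1 + 0 < since + 0         { next }
        { bytes[$3] += $5; reqs[$3]++ }
        END { for (c in bytes) printf "%.0f %d %s\n", bytes[c], reqs[c], c }
    ' "$log" | sort -k1,1nr -k3,3 | head -n "$n"
}

# largest_objects LOGFILE CLIENT [N]
# Prints "bytes URL" for that client's N largest responses.
largest_objects() {
    awk -v c="$2" 'NF >= 7 && $3 == c && $5 ~ /^[0-9]+$/ { print $5, $7 }' "$1" |
        sort -k1,1nr | head -n "${3:-5}"
}

# Constructed sample log (documentation addresses); the last line is truncated.
make_sample_log() {
    cat <<'EOF'
1053017940.101 210 192.0.2.10 TCP_MISS/200 1500 GET http://example.com/index.html - DIRECT/198.51.100.5 text/html
1053017945.332 98211 192.0.2.23 TCP_MISS/200 48213004 GET http://media.example.net/stream.rm - DIRECT/198.51.100.9 audio/x-pn-realaudio
1053017951.007 45 192.0.2.10 TCP_HIT/200 8040 GET http://example.com/logo.gif - NONE/- image/gif
1053018300.500 120455 192.0.2.23 TCP_MISS/200 73400320 GET http://mirror.example.org/big.iso - DIRECT/198.51.100.20 application/octet-stream
1053018310.250 12 192.0.2.41 TCP_DENIED/403 1024 GET http://blocked.example/ - NONE/- text/html
1053018311.000 5 192.0.2.41 TCP_MISS/000
EOF
}

# Stand-alone use: sh script.sh /path/to/access.log [N] [SINCE_EPOCH]
if [ "$#" -gt 0 ]; then
    top_talkers "$@"
fi
```

Passing the epoch time at which the MRTG spike began as SINCE_EPOCH limits the totals to that window.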
