I don't quite know where to put this as it definitely is not a patch. :-)
So here goes! I have been working on a specialized agent which interfaces directly with LibPcap. The agent will allow you to monitor two types of packets on the wire: TCP/UDP traffic occurring on a particular port, or traffic bound to an Ethernet MAC address.
Before using the agent you will need to download and install the Ruby LibPcap libraries from http://www.goto.info.waseda.ac.jp/~fukusima/ruby/pcap-e.html
Inside the tarball will be instructions for compiling and installing the libraries. Before running the agent you will need to edit line 293, "PacketAgent.new". The first argument is the IP address you want the agent to bind to, the second is the port, and the third is the arguments you wish to pass to the LibPcap libraries, which include the Ethernet adapter you want the agent to listen on. Also, the agent will need to run as root. It may run as another privileged user, but I have not tested this.
How it works:
All information regarding what packets are to be captured is stored on the Zabbix server in the item's key. If the agent detects a new filter it will be added dynamically.
*KEY POINT*
In every key there is a name field; this must be unique for each host you wish to monitor! This is how the agent knows which filter you are looking for. This will likely change in the future, but it made for a faster path to testing. Each filter stores byte and packet information.
There are three key types:
monitor.tcpudp[name,ip,port,p/b]
name: This is a unique name for this filter
ip: The IP address you wish to monitor
port: The port you wish to monitor
p/b: Do you want to store packets or bytes? Only p or b is allowed.
Edit: The filter does not distinguish between TCP or UDP. It matches IP and Port number only, not protocol.
monitor.macaddr[name,macaddr,p/b]
name: The unique name for this filter
macaddr: The mac address for this host
p/b: packets or bytes to be returned
zabbix.agent
This returns some version information about the agent; this will likely change to conform to the standard agent string if it does not already. (I was too lazy to check.)
Some examples:
Name: SomeHost Web bytes
Key: monitor.tcpudp[SH_HTTP,1.2.3.4,80,b]
Name: SomeHost Web packets
Key: monitor.tcpudp[SH_HTTP,1.2.3.4,80,p]
Name: SomeHost SSH bytes
Key: monitor.tcpudp[SH_SSH,1.2.3.4,22,b]
Name: SomeHost SSH packets
Key: monitor.tcpudp[SH_SSH,1.2.3.4,22,p]
*Name: AnotherHost Web bytes
*Key: monitor.tcpudp[SH_HTTP,5.6.7.8,88,b]
Key: Router Mac bytes
Key: monitor.macaddr[RTR_MAC,00:01:02:03:04:05:06,b]
One of the entries is marked with a * to show a side effect of the name requirement. In the above example, "AnotherHost Web bytes" would actually be storing the byte information for "SomeHost." The IP and port information are different, but right now the agent keys on the name field.
You will likely want to import the data as a delta over time.
If you have any questions/comments please feel free to ask/say. I will be updating my blog on here as I make progress. Some day I'll probably port this to C for performance reasons.
Attached is a screenshot of some of the graphs, along with some of the items and the ruby agent gzipped.
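As an added example (not the attached agent's code), the following Ruby models how the item keys described above map to pcap filter expressions and why the name-only lookup makes "AnotherHost Web bytes" inherit SomeHost's filter. The key validation and the BPF strings ("host X and port Y", "ether host M") are my assumptions about how such an agent would build its filters.

```ruby
# Added example, not the agent's own code: parse the item keys from the post
# into pcap filter expressions and model the name-collision side effect.
KEY_RE = /\A(monitor\.(?:tcpudp|macaddr))\[([^\]]*)\]\z/
MAC_RE = /\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/i   # six colon-separated octets
IP_RE  = /\A\d{1,3}(\.\d{1,3}){3}\z/

# Turn one Zabbix item key into {name:, unit:, bpf:}, or nil if malformed.
def parse_key(key)
  m = KEY_RE.match(key) or return nil
  type = m[1]
  args = m[2].split(',', -1).map(&:strip)
  case type
  when 'monitor.tcpudp'
    name, ip, port, unit = args
    return nil unless args.size == 4 && %w[p b].include?(unit)
    return nil unless ip =~ IP_RE && port =~ /\A\d{1,5}\z/
    # As the post notes, this matches IP and port only, not protocol.
    { name: name, unit: unit, bpf: "host #{ip} and port #{port}" }
  when 'monitor.macaddr'
    name, mac, unit = args
    return nil unless args.size == 3 && %w[p b].include?(unit) && mac =~ MAC_RE
    { name: name, unit: unit, bpf: "ether host #{mac}" }
  end
end

# Model the agent's filter table: filters are registered by name only, so a
# later key that reuses a name keeps the first filter's BPF expression.
class FilterTable
  attr_reader :filters

  def initialize
    @filters = {}
  end

  # Returns the BPF expression actually in effect for this key (nil if invalid).
  def register(key)
    f = parse_key(key) or return nil
    @filters[f[:name]] ||= f[:bpf]   # first registration of a name wins
    @filters[f[:name]]
  end
end

if $PROGRAM_NAME == __FILE__
  t = FilterTable.new
  t.register('monitor.tcpudp[SH_HTTP,1.2.3.4,80,b]')
  # Same name, different host/port: silently counts SomeHost's traffic.
  puts t.register('monitor.tcpudp[SH_HTTP,5.6.7.8,88,b]')
end
```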