Edward’s Notes

Technical topics and photos.

Monitoring Traffic With Munin and Shorewall

I have been using munin to monitor servers for some time. Recently I noticed a message in pages generated by network traffic plugin if_ which stated the plugin doesn’t work reliably on 32 bit systems were bursts may exceed 50Mbps. As I was monitoring a 100Mbit and 1Gbit interface this problem could effect my system. This article describes how I resolved the problem.

The message from the if plugin suggested I use the ip plugin which uses iptables to find the packet count and should work on a 32 bit system. The problem with this plugin is that it requires you to add INPUT and OUTPUT tables

$ iptables -A INPUT -d
$ iptables -A OUTPUT -s

to the firewall. I use shorewall to setup the firewall and don’t want to risk messing it up by manually adding rules. A google brought up someone who had the same problem and had written a plugin to use shorewall accounting to track network traffic. This had the added advantage of being able to track anything the shorewall could produce accounting data for.

Adding Shorewall accounting rules

My first step was to setup the accounting data. I started by just checking internet traffic by adding.

totalnet:COUNT - ppp0 - totalnet:COUNT - - ppp0

to /etc/shorewall/accounting file. I then added a rule to check http traffic with.

httpnet:COUNT - ppp0 - tcp 80 httpnet:COUNT - - ppp0 tcp - 80

I then checked the new rules with.

$ /etc/init.d/shorewall check

and then updated the configuration.

$ /etc/init.d/shorewall restart

I then ran some traffic through the network and checked the result with

$ shorewall show accounting

Shorewall 4.2.6 Chain accounting at leviathan - Mon Apr 6 00:21:27 JST 2009

Counters reset Sat Apr 4 22:57:50 JST 2009

Chain accounting (3 references) pkts bytes target prot opt in out source destination
124K 76M totalnet all – ppp0 *
109K 12M totalnet all – * ppp0 1255 131K httpnet tcp – ppp0 * tcp dpt:80 1323 1457K httpnet tcp – * ppp0 tcp spt:80 </typo:code>

Setup shorewall accounting plugin

I copied the code from the website and fixed up all quote characters and other html issues, saved it to /etc/munin/plugins/shorewall_accounting and made it executable. I then added

[shorewall_accounting] user root

to /etc/munin/plugin-conf.d/munin-node so that the plugin would be run as root which is required to get accounting information from shorewall. I then restarted munin-node


  • munin shorewall_accounting plugin
  • shorewall accounting rule reference