[rtg] detecting exponential jumps in packets per interface between 5 minutes poll intervals.
Brandon Ewing
marlboro at warningg.com
Wed Dec 19 11:52:03 EST 2007
On Wed, Dec 19, 2007 at 11:20:21AM -0500, Drew Weaver wrote:
> Would RTG be the right tool to use to detect large jumps
> in packets between 5 minute polling intervals.
>
> Say on polling interval 1 - 99999999 the packet counts were < 9000 but on
> interval 100000000 the packet counts were > 9000.
>
> Basically I'm trying to find a way to detect and notify myself of things
> which I would like to know about as they are emerging as issues.
>
> Is anyone doing something like this?

This might not be exactly what you're looking for, but I have a script that
does something similar -- using statistics to locate anomalies in packet
counts on interfaces. The logic itself is mostly in SQL:

  SELECT router.rid, router.name AS routerName, interface.name AS port,
         interface.id AS iid, STD(rate) AS rateDeviation,
         AVG(rate) AS rateAverage
    FROM ifInUcastPkts_1, router, interface
   WHERE router.rid = 1
     AND interface.id = ifInUcastPkts_1.id
     AND dtime > FROM_UNIXTIME((UNIX_TIMESTAMP() - 60 * 30))
   GROUP BY ifInUcastPkts_1.id
  HAVING rateDeviation > X AND rateAverage > Y;

Where X is the standard deviation level you find anomalous, and Y a packet
rate high enough to filter out single or double orders of magnitude change
on interfaces that average 10-99 pps.

You'll need a recent version of MySQL to support some of the SQL syntax
above (namely, HAVING).

We have a script that walks through all our UcastPkts tables every five
minutes, looking for anomalies in the past 30 minutes. It's quite effective
for alerting us immediately to packet flooders and whatnot on the network.

--
Brandon Ewing (nicotine at warningg.com)
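
Added example, not part of the original post or of RTG: a sketch of the table-walking check described above, run against constructed data. Assumptions: an in-memory SQLite database stands in for MySQL, STD() is registered as a population standard deviation (which is what MySQL's STD() computes), dtime is stored as a Unix epoch integer, and the function names, interface ids and sample rates are made up for illustration.

```python
import math
import sqlite3

class Std:
    """Population standard deviation, matching MySQL's STD() aggregate."""
    def __init__(self):
        self.vals = []
    def step(self, v):
        if v is not None:
            self.vals.append(v)
    def finalize(self):
        if not self.vals:
            return None
        mean = sum(self.vals) / len(self.vals)
        return math.sqrt(sum((v - mean) ** 2 for v in self.vals) / len(self.vals))

def find_anomalies(db, rids, now, x, y, window=30 * 60):
    """Walk each router's ifInUcastPkts_<rid> table; return (rid, iid, std, avg) hits."""
    hits = []
    for rid in rids:
        table = f"ifInUcastPkts_{int(rid)}"  # int() keeps the table name safe
        rows = db.execute(
            f"SELECT id, STD(rate) AS dev, AVG(rate) AS mean FROM {table} "
            "WHERE dtime > ? GROUP BY id HAVING dev > ? AND mean > ?",
            (now - window, x, y))
        hits += [(rid, iid, dev, mean) for iid, dev, mean in rows]
    return hits

def build_sample_db(now):
    """Constructed data: six 5-minute samples per interface on router 1."""
    db = sqlite3.connect(":memory:")
    db.create_aggregate("STD", 1, Std)
    db.execute("CREATE TABLE ifInUcastPkts_1 (id INT, dtime INT, rate REAL)")
    samples = {
        10: [5000, 5100, 4900, 5050, 4950, 5000],   # busy but steady
        11: [800, 820, 790, 810, 805, 45000],       # sudden flood in last poll
        12: [10, 12, 9, 11, 10, 95],                # tiny port, roughly 10x jump
    }
    for iid, rates in samples.items():
        for i, rate in enumerate(rates):
            db.execute("INSERT INTO ifInUcastPkts_1 VALUES (?, ?, ?)",
                       (iid, now - 300 * (5 - i), rate))
    return db

if __name__ == "__main__":
    now = 1198083123  # constructed timestamp
    for hit in find_anomalies(build_sample_db(now), [1], now, x=1000, y=500):
        print("rid=%d iid=%d std=%.0f avg=%.0f" % hit)
```

With a low X and Y = 0 the quiet port (id 12) is also reported; raising Y drops it, and raising X drops the steady busy port (id 10), leaving only the flooded interface.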