WHODO

This is Whodo 1.11.

Whodo is a set of Perl scripts to analyse IP accounting data from a cisco 
router. The stats for each traffic source are fed into mrtg. Whodo also 
generates pie graphs showing traffic split by source or destination.


HOW TO

1. Put the scripts in the appropriate directories. There are 3 sets of files in 
whodo.
(i) Whodo/gifgraph contains a Perl module written by Martien Verbruggen. 
I've made some changes to it so it does what I need. However I haven't 
been able to contact Martien and get them included in his distribution. GIFgraph
is used by pie.pl. You'll need to copy this to wherever you put 
your Perl modules. Note that GIFgraph uses another module, GD.pm. GD is 
available for the standard Perl distribution and ActivePerl. However if 
you use Perl for Win32, you are on your own.
(ii) Whodo/wwwscripts contains 2 CGI scripts. Put them wherever your CGI 
scripts live.
(iii) Whodo/* contains everything else. I keep this stuff under 
mrtg/contrib/whodo.

You'll also need the module SNMP_Session. If you don't have it, get it from
ftp://ftp.switch.ch/software/sources/network/snmp/perl/

2. Start IP accounting on the router. If you don't know what you are doing 
here, tread carefully: you can bring the router to its knees.

3. You'll need to customise some constants at the start of collect.pl. You'll
need to change $HOST and $SOURCEDIR. $LOGPATH isn't relevant until step 6, 
but you should set it up now. $BIGBYTES you'll probably need to keep 
tweaking. Basically, any source that generates more than $BIGBYTES 
between polls will get its own MRTG graph for ever more. Sources that 
never generate this much traffic will be grouped together as 
Miscellaneous.

$LOGPATH also occurs in pie.pl & makeanalyse.pl

4. You'll want to create a networks file, such as the standard networks file 
found in C:\winnt\system32\drivers\etc or /etc/networks. Collect.pl scans the 
file, including any comment that follows a normal line of data. The file is used
to map destination addresses to network names, which makes the output (see step 6)
much more user friendly.

The file has a second function. If a trailing comment includes a / followed 
by a number, this is taken as the classless (CIDR) prefix length of the subnet 
mask. If not, the network/subnet is assumed to be Class C (a /24).

A sample networks file is included.

5. Set collect.pl up to run periodically. I run it every 30 minutes with 
something like:

collect.pl -a c:\perl\mrtg\contrib\whodo\sources.cfg -n \
c:\winnt\system32\drivers\etc\networks
mrtg c:\perl\mrtg\contrib\whodo\sources.cfg

I've included a vestigial sources.cfg. You can use it to get you started.
Collect.pl maintains the file automatically.

You should now be getting mrtg graphs showing traffic generated by your 
traffic sources over time. Bask in it for a day.

6. collect.pl generates a new log/csv file every time it runs. By now you are 
probably up to your armpits in these files. I've included a script 
(summarise.pl) that I run every night to condense the day's log files into a 
single file. It doesn't need any arguments to run. However it does include a 
constant ($LOGPATH) that you'll need to change. Try running it.

7. So now you want to generate pie graphs breaking down traffic by source 
or destination? OK. You'll need to run makeanalyse.pl. It generates an 
HTML page that is used to request the graphs. For example:
perl c:\perl\mrtg\contrib\whodo\makeanalyse.pl >d:\www\analyse.html

The page generated contains drop down lists containing the current sources 
and destinations. Since these will change over time, I run makeanalyse 
every night.

8. What's that? You want a more flexible way of mapping source addresses 
to text? You'd like to group multiple addresses under the same name? You 
want to use a name other than the one in DNS?

OK. Create a file with two columns: the address, and then the name you want. 
In place of an address, you can use a regular expression. Thus the line 
203.167.223.13[456]  Exchange maps the addresses 203.167.223.134, 
203.167.223.135 and 203.167.223.136 to the name Exchange. Note that the 
character . has its literal meaning here; it is not a metacharacter.

If a source address does not appear in the sources file, it will be looked up 
with a normal reverse lookup. If that fails, the address is used. A sample 
sources file is included.

To make use of a sources file, change the command running collect.pl to 
something like:
collect.pl -a c:\perl\mrtg\contrib\whodo\sources.cfg -n \
c:\winnt\system32\drivers\etc\networks -s c:\perl\mrtg\contrib\whodo\sources

Mind you, if you'd had any sense you would have done this before step 5.
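To make the two lookup files concrete, here is an added example of how the networks file (step 4) and the sources file (step 8) can be read and applied. It is my own illustration, not code from Whodo and not how collect.pl is written. The sample files are constructed. Two details are assumptions rather than anything this README states: abbreviated network numbers such as "127" are padded to four octets, and a sources-file pattern is anchored so that it must match the whole address (without anchoring, 192.168.10.7 would also match 192.168.10.70). The reverse lookup is a parameter so the fallback can be exercised offline.

```python
import ipaddress
import re
import socket

# Constructed sample in /etc/networks layout: name, number, optional "#" comment.
# A "/N" in the comment gives the prefix length; otherwise Class C (/24) is assumed.
NETWORKS_TEXT = """\
# name        number           # comment
loopback      127              # loopback /8
corp-lan      192.168.10.0     # office LAN
dmz           203.167.223.128  # server DMZ /26
public        203.167.223.0    # whole public block /24
partner       10.1.0.0         # partner link /16
legacy        172.16.5.0       # no mask given, so treated as Class C
"""

# Constructed sample sources file: address-or-pattern, then the display name.
# "." is literal in this format, so it is escaped before the pattern is compiled.
SOURCES_TEXT = """\
203.167.223.13[456]   Exchange
192.168.10.7          Proxy
"""


def parse_networks(text):
    """Return [(ip_network, name)] sorted longest prefix first, so a /26 inside a /24 wins."""
    nets = []
    for line in text.splitlines():
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue  # blank line or comment-only line
        name, number = fields[0], fields[1]
        m = re.search(r"/(\d{1,2})\b", comment)
        prefix = int(m.group(1)) if m else 24
        octets = number.split(".")
        octets += ["0"] * (4 - len(octets))  # assumption: "127" means 127.0.0.0
        net = ipaddress.ip_network(".".join(octets) + "/" + str(prefix), strict=False)
        nets.append((net, name))
    nets.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return nets


def destination_name(nets, addr):
    """Map a destination address to its network name, or echo the address if none matches."""
    ip = ipaddress.ip_address(addr)
    for net, name in nets:
        if ip in net:
            return name
    return addr


def parse_sources(text):
    """Return [(compiled_regex, name)]; dots are literal and patterns are anchored (assumption)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        pattern, name = line.split(None, 1)
        regex = re.compile("^" + pattern.replace(".", r"\.") + "$")
        rules.append((regex, name.strip()))
    return rules


def no_resolver(addr):
    """Stand-in for reverse DNS that always fails, so the fallback path runs offline."""
    raise OSError("constructed: no reverse lookup available for " + addr)


def source_name(rules, addr, resolver=socket.gethostbyaddr):
    """Sources file first, then reverse DNS, then the bare address (the README's order)."""
    for regex, name in rules:
        if regex.match(addr):
            return name
    try:
        return resolver(addr)[0]
    except OSError:
        return addr


if __name__ == "__main__":
    nets = parse_networks(NETWORKS_TEXT)
    rules = parse_sources(SOURCES_TEXT)
    for dst in ("203.167.223.134", "203.167.223.5", "172.16.6.1", "127.0.0.1"):
        print(dst, "->", destination_name(nets, dst))
    for src in ("203.167.223.135", "192.168.10.70", "192.168.10.7"):
        print(src, "->", source_name(rules, src, no_resolver))
```

Two things worth checking in your own files: a destination that falls outside every entry (172.16.6.1 above, because legacy defaulted to /24) comes back as a bare address, which is the sign that a mask comment is missing; and an address that resolves to a name you did not expect usually means a pattern is matching more than you intended.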


VOODOO

This program is free software; you can redistribute it and/or modify it under 
the terms of the GNU General Public License as published by the Free 
Software Foundation; either version 2 of the License, or (at your option) any 
later version.

This program is distributed in the hope that it will be useful, but WITHOUT 
ANY WARRANTY; without even the implied warranty of 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  
See the GNU General Public License for more details.


YOU TOO

Tobi has agreed to include this set of scripts in the mrtg distribution. So, if 
you make any improvements or bug fixes, please provide them to him. But 
please be aware that he can't support the scripts himself.



Tony Farr
24/3/99