From f4efd9725f17f97d01be5be43fdf6dd7da8819a5 Mon Sep 17 00:00:00 2001
From: Jon Schipp
Date: Fri, 24 Jul 2015 14:38:41 -0500
Subject: [PATCH] add check_traffic plugin
---
 README.md | 2 +
 check_traffic.sh | 134 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 136 insertions(+)
 create mode 100755 check_traffic.sh
diff --git a/README.md b/README.md
index c3155e2..e8ce608 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,8 @@ one cannot simply update the scripts with malicious code.
 **check_filesystem_stat.sh** - Recursively checks for filesystem input/output errors by directory using stat.
+**check_traffic.sh** - Check rate of traffic type by bpf using tcpdump for interface
+
 **negate.sh** - Checks exit code of another program and returns a custom Nagios status code based on the result.
 #### OSX only:
diff --git a/check_traffic.sh b/check_traffic.sh
new file mode 100755
index 0000000..2ee5f8c
--- /dev/null
+++ b/check_traffic.sh
@@ -0,0 +1,134 @@
+#!/usr/bin/env bash
+
+# Author: Jon Schipp
+
+########
+# Examples:
+
+# 1.) Return critical if there's more than 10k PPS
+# $ ./check_pps.sh -i eth0 -w 8000 -c 10000 -p
+#
+# 2.) Return critical if there's more than 1m BPS
+# $ ./check_pps.sh -i eth0 -w 500000 -c 1000000 -b
+#
+# 2.) Return critical if we've reach 70% of the NIC's line-rate capacity
+# $ ./check_pps.sh -i eth0 -w 50 -c 70 -r
+#
+
+# Nagios Exit Codes
+OK=0
+WARNING=1
+CRITICAL=2
+UNKNOWN=3
+
+usage()
+{
+cat < Filter in libpcap syntax
+ -t Time interval in seconds (def: 1)
+ -w Warning threshold
+ -c Critical threshold
+
+EOF
+}
+
+argcheck() {
+if [ $ARGC -lt $1 ]; then
+ echo "Please specify an argument!, try $0 -h for more information"
+ exit 1
+fi
+}
+
+depend_check(){
+ bin=$(which tcpdump)
+ [[ -f $bin ]] || { echo "UNKNOWN: $bin not found in ${PATH}" && exit $UNKNOWN; }
+ [[ -d /tmp ]] && DIR=/tmp && return
+ [[ -d /var/tmp ]] && DIR=/var/tmp && return
+ DIR=.
+}
+
+check_bpf () {
+ [ "$1" ] || { echo "No BPF specified, use \`\`-f''" && exit $UNKNOWN; }
+ exp='\0324\0303\0262\0241\02\0\04\0\0\0\0\0\0\0\0\0\0377\0377\0\0\01\0\0\0'
+ echo -en "$exp" | tcpdump -r - "$*" >/dev/null 2>&1 || { echo "UNKNOWN: Invalid BPF" && exit $UNKNOWN; }
+}
+
+get_packets() {
+ timeout -s SIGINT $TIME tcpdump -nni $INT "$FILTER" 2>/dev/null > $BEFORE
+ timeout -s SIGINT $TIME tcpdump -nni $INT "$FILTER" 2>/dev/null > $AFTER
+ ! [ -f $BEFORE ] && echo "UNKNOWN: $BEFORE doesn't exist!" && exit $UNKNOWN
+ ! [ -f $AFTER ] && echo "UNKNOWN: $AFTER doesn't exist!" && exit $UNKNOWN
+}
+
+get_counts() {
+ START=$(cat $BEFORE | wc -l)
+ STOP=$(cat $AFTER | wc -l)
+ [[ $START -gt $STOP ]] && RESULT=$((START-STOP))
+ [[ $STOP -gt $START ]] && RESULT=$((STOP-START))
+}
+
+traffic_calculation() {
+if [ $1 -gt $CRIT ]; then
+ exit $CRITICAL
+elif [ $1 -gt $WARN ]; then
+ exit $WARNING
+else
+ exit $OK
+fi
+}
+
+
+PPS=0
+BPS=0
+LINERATE=0
+TIME=1
+WARN=0
+CRIT=0
+ARGC=$#
+BEFORE=$DIR/check_traffic1.txt
+AFTER=$DIR/check_traffic2.txt
+# Print warning and exit if less than n arguments specified
+argcheck 1
+depend_check
+
+# option and argument handling
+while getopts "hi:c:f:t:w:" OPTION
+do
+ case $OPTION in
+ h)
+ usage
+ exit
+ ;;
+ i)
+ INT=$OPTARG
+ ;;
+ f)
+ FILTER="$OPTARG"
+ ;;
+ t)
+ TIME=$OPTARG
+ ;;
+ c)
+ CRIT=$OPTARG
+ ;;
+ w)
+ WARN=$OPTARG
+ ;;
+ *)
+ exit $UNKNOWN
+ ;;
+ esac
+done
+
+[ -d /sys/class/net/$INT ] || { "UNKNOWN: $INT does not exist" && exit $UNKNOWN; }
+[ -d /proc ] && check_bpf "$FILTER"
+get_packets
+get_counts
+echo "Traffic rate is ~${RESULT}/${TIME}"
+traffic_calculation $RESULT
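Review bot: The interface check near the end of the hunk never exits on a bad interface, because `{ "UNKNOWN: $INT does not exist" && exit $UNKNOWN; }` runs the message string as a command instead of echoing it, so the command-not-found failure short-circuits the `&&` and the script carries on into tcpdump; it should read `[ -d "/sys/class/net/$INT" ] || { echo "UNKNOWN: $INT does not exist"; exit $UNKNOWN; }`. `BEFORE` and `AFTER` are also built from `$DIR` before `depend_check` is the one that assigns it, so both paths resolve to `/check_traffic1.txt` and `/check_traffic2.txt` at the filesystem root, and even once reordered the fixed names under a shared `/tmp` can be pre-created or replaced by any local user — creating them with `mktemp` after `depend_check` and removing them from an `EXIT` trap avoids both problems (rewrite below). `get_counts` leaves `RESULT` unset when the two captures have the same line count, so `traffic_calculation` is then called with no argument and `[ -gt $CRIT ]` errors out to the `else` branch; initialise `RESULT=0` before the two `[[ ... ]]` lines. Quoting `"$INT"` in the two `tcpdump -nni $INT` lines keeps a single interface value from being word-split into additional tcpdump arguments. Finally, the header examples still refer to `check_pps.sh` with `-p`/`-b`/`-r` options that the `getopts "hi:c:f:t:w:"` string does not accept, and `PPS`, `BPS` and `LINERATE` are assigned but never read, so the comment block should be brought in line with the real `-i/-f/-t/-w/-c` interface.
```shell
# … unchanged: functions, option defaults and argcheck …
depend_check
# choose $DIR first, then create unpredictable temp files that are removed on any exit
BEFORE=$(mktemp "$DIR/check_traffic.XXXXXX") || { echo "UNKNOWN: cannot create temp file in $DIR"; exit $UNKNOWN; }
AFTER=$(mktemp "$DIR/check_traffic.XXXXXX") || { echo "UNKNOWN: cannot create temp file in $DIR"; exit $UNKNOWN; }
trap 'rm -f -- "$BEFORE" "$AFTER"' EXIT
# … unchanged: option parsing …
[ -d "/sys/class/net/$INT" ] || { echo "UNKNOWN: $INT does not exist"; exit $UNKNOWN; }
```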