instructors only

cr

Multi Router Traffic Grapher

MRTG

ASSIGNMENT : Report
INSTRUCTOR : Aiko Pras
DATE : August, 2000
COURSE : Internet Management Protocols
COURSE CODE : 265310
GROUP : 1
STUDENTS : Gunes Acar, 9816747
Tjaja H. Jonatan, 9816801
Table of contents
1. INTRODUCTION .......................................................................................................................1
1.1 HISTORY 1
1.2 CURRENT VERSION 1
1.3 ADVANTAGES 2
1.4 DISADVANTAGES 2
2. INSTALLATION AND CONFIGURATION .............................................................................4
2.1 DOWNLOADING 4
2.2 INSTALLATION AND CONFIGURATION 4
3. OPERATION SAMPLE..............................................................................................................5
3.1 DISPLAY OF DAILY GRAPH (5 MINUTES AVERAGE) 5
3.2 DISPLAY OF WEEKLY GRAPH (30 MINUTES AVERAGE) 6
3.3 DISPLAY OF MONTHLY GRAPH (2 HOURS AVERAGE) 7
3.4 DISPLAY OF YEARLY GRAPH (1 DAY AVERAGE) 7
4. NEW VERSION ..........................................................................................................................9
5. OTHER APPROACHES........................................................................................................... 10
6. REFERENCES .......................................................................................................................... 11

i
1. Introduction
Among many network management solutions, Web based monitoring tools have become popular in the
last few years with the benefit of remote and easy access. A successful example is the Multi Router
Traffic Grapher (MRTG). MRTG is a free, customizable and high-performance network monitoring
tool which generates HTML pages containing simple but detailed graphics representing the network
traffic. These images are updated every five minutes.

This paper aims to give an overview on MRTG; including the history, installation and configuration
details, evaluation, and operation samples. The targeted readership consists of technical managers and
consultants, network administrators, professors and graduate level computer engineers. It is assumed
that the readers are familiar with the subjects TCP/IP and SNMP.

1.1 History
MRTG dates back to 1994. Tobias Oetiker, the Unix System Manager trainee at De Montfort
University in Leicester, UK, observed that people on campus were curious about the current network
status. He developed MRTG-1.0 using Perl, totally unaware of the worldwide need for such a tool.

Tobias Oetiker has been employed by the Department of Electrical Engineering of the Swiss Federal
Institute of Technology, Zurich (ETHZ) as a toolsmith and system manager since 1995.

When MRTG was first published on the Internet in Spring 1995, it attracted much more attention than
expected. By the end of 1995, it was being used at many sites. Nevertheless, scalability and portability
problems limited this rapid span. At that time, MRTG was unable to monitor more than ten links and it
was using external SNMP packages, which were difficult to compile on various platforms.

In January 1996, Dave Rand sent him a C program, which did the log file rewriting process and the
graph generation. It also increased the speed of MRTG by a factor of 40. In the meantime the SNMP
portability problem was solved by Simon Leinen’s SNMP module written in Perl.

With these improvements, MRTG-2.0 was released in January 1997. MRTG-2.0 was not only faster
than the previous one, but it was also more user friendly. Even the users who did not know much about
SNMP were able to configure MRTG successfully.

Due to these features and its high performance, more and more sites started to use MRTG. According
to an analysis in August 1998, 17500 different hosts had been using MRTG. The most favorite
operation areas of MRTG are monitoring the system load, login sessions, and modem availability.

1.2 Current Version

The current version of MRTG is MRTG-2.9.0pre6 and it is a result of collaboration of people from all
around the world.

MRTG 2.9.0pre6 is written in Perl and C. It uses the Simple Network Management Protocol (SNMP)
to read the traffic counters (even the new SNMPv2c 64bit counters) of the routers or other SNMP
enabled devices.

A fast C program logs the traffic data. One might argue that there is a huge amount of data accumulated
during the monitoring. However, with the use of a unique data consolidation algorithm, the data files
do not grow. With this algorithm, the data are thrown away after recording the peak information and
averaging. This means the highest five minute sample is recorded, and the rest of the data are deleted.
In this way, it is possible to view the past two years’ data in the log files stored in plain ASCII.
 MULTI ROUTER TRAFFIC GRAPHER

MRTG does not require any external SNMP package, which makes it portable. With MRTG it is
possible to accumulate two or more data sources into a single graph. MRTG is also scalable up to 50 or
more network links.

Currently, MRTG is the most widely used network management tool in the IP environment. In the next
sections, some major advantages and disadvantages of MRTG will be outlined.

1.3 Advantages
MRTG is totally free; there is no financial cost included in any stage of MRTG. It can be downloaded
at http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/pub/. For more information, the GNU General Public
License Web site at http://www.gnu.org/copyleft/gpl.html can be visited.

MRTG is customizable. Any desired SNMP variable can be monitored. Network manager has the
opportunity to choose which point(s) on the network will be monitored. Most options can be turned on
and off without affecting stored data. Moreover the appearance of HTML pages can be configured by
network manager.

One of the essential functions of network management is the data collection process, which can be
time-consuming without efficient tools. MRTG is a high performing tool which monitors the traffic at
selected routers, generates HTML pages every five minutes, and stores the monitored traffic data in a
file with the help of a fast C program.

Any external program can be used to collect data. MRTG can plot the results if provided with the
system name, and system uptime which can be suppressed.

The configuration is semi-automatic. Once the user has administrative privileges, or is a network
administrator, it is quite straightforward. The configuration is done through simple ASCII text files.
However current installation and configuration guides which can be found on the Web are not up to
date and may cause confusion. MRTG’s query engine checks for port reconfigurations on the router and
warns the user when they occur.

Network traffic can be monitored from everywhere at anytime. Since all the data are presented as Web
pages, people can view the graphs via their Web browsers. The graphics representing the network
traffic are simple, user friendly, and easy to interpret. It does not require a highly trained staff to
operate. There is no need for a routine maintenance. Web pages are automatically updated and useful
data is stored.

Log files do not grow due to a unique consolidation algorithm. They are automatically consolidated
while they continue to offer a valuable overview on the network traffic for the past two years. MRTG
does not consume too much system resources and does not require high performance systems to
operate. Any Pentium PC can be used to operate it. MRTG supports SNMP and there is no need for
external SNMP packages. Everything is included within MRTG. Data collection, storage, consolidation
and visualization in offered in a single package.

1.4 Disadvantages
MRTG compresses the data before logging by averaging the peaks and throwing the rest of the data
away. This causes a data loss. Moreover data files display the data only for the past two years.

Although online installation and configuration guides are available, they are not currently up to date
and quite confusing. The latest version cannot be found on the download list, and some of the steps of
installation and configuration cannot be applied to all users.

2
Graphs must display two variables. Two lines will be drawn even if only one variable is desired.
Multiple interfaces cannot be displayed on the same plot. Variables must have the same scale and
limits.

MRTG cannot monitor more than 600 router ports in a five minute period, which is due to the way the
log files are updated. Consolidation algorithm is run each time the data is updated, which means every
five minutes, thus make it difficult to monitor large number of ports.

Installation and configuration requires administrative privileges. Configurability of MRTG is limited

when it comes to monitoring time-series data. Furthermore, MRTG does not deal with router
unresponsiveness well.

3
 MULTI ROUTER TRAFFIC GRAPHER

2. Installation and Configuration

Although many MRTG installation guides are available on the Web, most of them are outdated and not
reliable. This section therefore discusses how to install and configure MRTG. While MRTG can run on
various kinds of platforms, the experiment described here is based on WinNT platform. However,
installing MRTG in WinNT workstation is not as easy as one can imagine, especially when the user of
the workstation does not have administrator privilege.

2.1 Downloading
Although it is not the latest version, experiments are done with MRTG-2.8.12. It is also the latest
version available on the Web site. To get MRTG work on WinNT, the following software packages are
necessary:

• The latest version of MRTG for WinNT can be obtained from http://ee-
staff.ethz.ch/~oetiker/webtools/mrtg/pub/. There is a long list of files and somewhat confusing
which one to choose, but look for a file named mrtg-X.Y.Z.zip. The numbers X, Y, Z in the file
name indicate the MRTG version, the higher the numbers the newer the version.

• The “Fiveminute” file (fiveminute.zip) is available in the same site as MRTG file. This is the batch
file that collects traffic data from the network every five minutes.

• The latest version of Perl can be downloaded from ActiveState

(http://www.ActiveState.com/Products/ActivePerl/Download.html). Choose the appropriate file for
WinNT (ActivePerl-5.6.0.615-MSWin32-x86-multi-thread.msi, 8,584 KB). For installing Perl
software from ActiveState, it is also required to download Windows Installer version 1.1 or later.
This file is available at this site as well and must be installed before installing the ActivePerl.
However, other version of Perl can also be used, see for example http://perl.com.

2.2 Installation and Configuration

The installation of MRTG in WinNT platform is not as straightforward as installing other windows
based applications. Several factors that complicate the installation of MRTG in WinNT are listed
below:

• MRTG requires Perl software to be installed on the workstation that will run MRTG. WinNT users
who do not have administrator privileges will need help from the administrator to install it.

• WinNT users usually have restricted access right to some of the services within WinNT depending
on the policy defined by network administrator. For instance, “Scheduler Service” that is required
by MRTG for executing the Fiveminute batch files for collecting traffic data every 5 minutes, may
be unavailable to the users due to security reason. In this case a workaround solution is needed to
run MRTG in a workstation that does not have administrator privilege.

• The installation guide on the MRTG Web site is based on the author’s directory. Therefore the
structure of the directory may be different from other users. This factor will also influence the
installation procedure of MRTG. Simply following the available installation guides will not work.

For a complete guide for installation and configuration, please refer to the MRTG Web site:
http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html

4
3. Operation Sample
Some results of traffic monitoring using MRTG will be described in this part. As already mentioned
before, in this experiment, a Fast Ethernet Switch in the ANTC laboratory at the University of Twente,
the Netherlands is used. There are two ports to be monitored in this device: Port 1 and Port 2. Detailed
information about devices being monitored is given in the head of each MRTG Web page. This
experiment only represents a very basic MRTG capability which is to monitor traffic going in and out
in both ports of the Fast Ethernet. However, by configuring some parameters, MRTG is also capable to
monitor CPU usage, disk space usage, number of users log on a Web server, average load of a server,
number of messages through a Web server, number of messages in buffer, etc. In principle, MRTG can
monitor any kind of SNMP object ID with the help of additional scripts. Many of these scripts are also
available on the Internet for free.

The graphical display of MRTG is very easy to understand as shown in the subsection below. It is also
quite flexible, it can be resized and the color of the graph can be changed according to user’s
preference. By analyzing the graphics generated by MRTG, network managers can obtain a better
understanding on the performance and behavior of their networks. For example, information on
common busy time, event-generated traffic, and long-term traffic overview can be interpreted from
MRTG graphical display. This information is important for network managers to define user and
network policies for short and long term network planning. Furthermore, this information can be used
as a base for defining the level of service that will be offered to the users. This is usually written
officially in SLA (Service Level Agreement) between users and network provider.

3.1 Daily Graph

In the below figures, the daily number of bytes going in and out of the ports is graphed. MRTG takes
the traffic sample every five minutes, logs the data, processes it and then plots the result in the GIF
format. The horizontal axis represents time, with the most left point is the most recent time (see the red
arrow sign). The vertical axis represents the amount of traffic going in and out.

The interpretation of the graph is quite straightforward. For port 1, at time 10:30 there is a sudden
increase of incoming traffic (green color) from almost zero to some 280 Kbytes/s. For outgoing traffic
(blue color) there is a sudden drop from around 1100 Kbytes/s to around 620 Kbytes/s at 10:00 o’clock.
The maximum recorded sample, the average traffic value and the current traffic value of both outgoing
and incoming bytes are indicated below the figure.

For port 2, the incoming traffic drops suddenly from around 1100 Kbytes/s to around 920 Kbytes/s at
10:00, while there is a sudden increase of outgoing traffic from almost 0 Kbytes/s to around 300
Kbytes/s. The maximum recorded traffic sample, the average sample value and the current sample
value are also indicated below the figure.

Because the device being monitored has only two active ports, the graphs of outgoing and incoming
traffic for both ports (more or less) correspond to each other oppositely. That means, if one port tends
to have more outgoing traffic, the second port will tend to receive incoming traffic with almost the
same value. That is why the graphic plot of outgoing traffic of port 1 has a similar curve with the
graphic plot of incoming traffic in port 2, and vice versa.

Figure 6. ‘Daily’ Graph Port 1

5
 MULTI ROUTER TRAFFIC GRAPHER

Max In: 278.5 kB/s (2.2%) Average In: 76.4 kB/s (0.6%) Current In: 278.3 kB/s (2.2%)
Max Out: 1126.0 kB/s (9.0%) Average Out: 976.6 kB/s (7.8%) Current Out: 627.8 kB/s (5.0%)

Figure 7. ‘Daily’ Graph Port 2

Max In: 1125.5 kB/s (9.0%) Average In: 1059.7 kB/s (8.5%) Current In: 927.4 kB/s (7.4%)
Max Out: 278.3 kB/s (2.2%) Average Out: 76.0 kB/s (0.6%) Current Out: 278.3 kB/s (2.2%)

3.2 Weekly Graph

After 600 times collecting 5-minutes samples, MRTG takes 6 of the samples and writes one 30 minutes
average for the weekly graph. The weekly display of incoming traffic (green color) and outgoing traffic
(blue color) for both port 1 and port 2 are shown in the below figure. For other general explanation
about the graph (meaning of color, axes, how to interpret, etc.), please refer to subsection 3.1.

Figure 8. ‘Weekly’ Graph Port 1

Max In: 277.9 kB/s (2.2%) Average In: 29.4 kB/s (0.2%) Current In: 276.7 kB/s (2.2%)
Max Out: 1125.0 kB/s (9.0%) Average Out: 1046.3 kB/s (8.4%) Current Out: 628.8 kB/s (5.0%)

Figure 9. ‘Weekly’ Graph Port 2

Max In: 1124.5 kB/s (9.0%) Average In: 1072.9 kB/s (8.6%) Current In: 928.1 kB/s (7.4%)
Max Out: 277.6 kB/s (2.2%) Average Out: 28.9 kB/s (0.2%) Current Out: 276.6 kB/s (2.2%)

6
3.3 Monthly Graph
After 600 times 30-minutes samples, MRTG averages the 30-minutes samples into 2-hours sample for
the monthly graph. The following figures show weekly graph of incoming traffic (green color) and
outgoing traffic (blue color) for both port 1 and port 2. Please refer to subsection 3.1, for other general
explanation about the graph (meaning of colors, axes, how to interpret, etc.).

Figure 10. ‘Monthly’ Graph Port 1

Max In: 277.2 kB/s (2.2%) Average In: 21.5 kB/s (0.2%) Current In: 277.2 kB/s (2.2%)
Max Out: 1121.2 kB/s (9.0%) Average Out: 1059.6 kB/s (8.5%) Current Out: 629.1 kB/s (5.0%)

Figure 11. ‘Monthly’ Graph Port 2

Max In: 1120.7 kB/s (9.0%) Average In: 1077.5 kB/s (8.6%) Current In: 927.7 kB/s (7.4%)
Max Out: 276.9 kB/s (2.2%) Average Out: 21.0 kB/s (0.2%) Current Out: 276.9 kB/s (2.2%)

3.4 Yearly Graph

Finally, after 600 times 2-hours samples, MRTG averages these 2-hours samples into 1 day sample for
the yearly graph. As can be seen in both figures below, there is not too much traffic recorded for yearly
display as we run the MRTG for less than one week. Please refer to subsection 3.1 for general
explanation about the graph.

Figure 12. ‘Yearly’ Graph Port 1

Max In: 8757.0 B/s (0.1%)Average In: 4836.0 B/s (0.0%) Current In: 179.0 B/s (0.0%)
Max Out: 1114.1 kB/s (8.9%) Average Out: 904.7 kB/s (7.2%) Current Out: 1111.5 kB/s (8.9%)

Figure 13. ‘Yearly’ Graph Port 2

7
 MULTI ROUTER TRAFFIC GRAPHER

Max In: 1113.4 kB/s (8.9%) Average In: 904.3 kB/s (7.2%) Current In: 1111.0 kB/s (8.9%)
Max Out: 8305.0 B/s (0.1%) Average Out: 4409.0 B/s (0.0%) Current Out: 640.0 B/s (0.0%)

8
4. New Version
Upcoming version of MRTG is MRTG-3.0. The most important changes in this new version are
configurability and data logging speed.

MRTG-3.0 is developed to be more than just a traffic monitoring tool and this requires high
configurability. A tool called Round Robin Database (RRD) is implemented in MRTG-3.0 for this
purpose. RRD can be configured to monitor a number of data sources in parallel and store the data in a
more flexible way. Data is stored in Round Robin Archives (RRA). An RRD can contain many RRAs,
each with different time resolution, size and consolidation methods. For example, one RRA can be
configured to store data at the base resolution of the RRD for a few days, while another stores the daily
averages for 5 years.

Moreover RRD stores the data faster than MRTG-2 did. Higher logging performance is achieved since
RRD reduces the amount of data that has to be transferred between memory and disk. With this new
design, it is possible to store one thousand data values per second in an RRD.

In fact, RRD is so successful itself that it is also offered out of MRTG package. It has proved to be a
high performance tool for large data gathering and complex monitoring operations.

Another advantage of MRTG-3.0 is the improved SNMP data gathering performance. It is planned to
issue several SNMP requests in parallel. This is expected to solve the network latency and router
unresponsiveness problems.

Finally, MRTG-3.0 is easier to customize. Graphs are generated whenever the user wants. The design
of the HTML pages can be configured in a simpler way since MRTG-3.0 offers template files.

9
 MULTI ROUTER TRAFFIC GRAPHER

5. Other Approaches
There are many network management solutions in the market. Among them, Web based monitoring
tools have become popular in the last few years with the benefit of remote and easy access. A
successful example is the Multi Router Traffic Grapher (MRTG). MRTG is a free, customizable and
high-performance network monitoring tool which generates HTML pages containing simple but
detailed graphics representing the network traffic.

There are some free tools such as NeTraMet (a network traffic accounting meter for PC and UNIX),
Scotty (a Tcl Extensions for Network Management), CMU SNMP, with the common function of data
gathering on the current network status. However, they lack the long term analysis and user-friendly
presentation features of MRTG.

Today, Scion by NetSCARF, appears as a tool to query SNMP-aware network equipment for
performance information, and make that information available on the Web. It provides a similar
solution to MRTG. BigBrother (a tool for proactive network monitoring) and Cflowd (an experimental
software to collect data from Cisco’s flow-export feature) are also applied in the same area.

10
6. References
[Ref 1] Stallings, William. SNMP, SNMPv2, SNMPv3, and RMON 1 and 2. Addison-Wesley, USA,
1999.

[Ref 2] Hughes, Gary Veum, NASA Goddard Space Flight Center,

http://corn.eos.nasa.gov/talks/mrtg_esdis/sld001.htm

[Ref 3] Oetiker, Tobias, MRTG, 12th Systems Administration Conference (LISA ’98), 1998
http://www.usenix.org/publications/library/proceedings/lisa98/full_papers/oetiker/oetiker_html/oetiker.
html

[Ref 4] Oetiker, Tobias and Rand, David, MRTG Homepage,

http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/mrtg.html

[Ref 5] Zawada, Paul J., MRTG Overview,

http://www.ncne.org/news/workshop/vbns-techs2/Talks/zawada/tsld001.htm

[Ref 6] Oetiker, Tobias, Tobi’s Projects Page, http://ee-staff.ethz.ch/~oetiker/

[Ref 7] Divins, David S., The Windows NT Guide to MRTG, 1999

http://ee-staff.ethz.ch/~oetiker/webtools/mrtg/nt-guide.html

[Ref 8] Brownlee, Nevil, NeTraMet,

http://www.auckland.ac.nz/net/Accounting/

[Ref 9] Schönwälder, Jürgen, Scotty,

http://www.ibr.cs.tu-bs.de/projects/scotty/

[Ref 10] Adams, W. Nortongand A.. Scion,

http://www.merit.edu/net-research/netscarf/

[Ref 11] McRobb, Daniel W., Hawkinson, John. Cflowd,

http://engr.ans.net/cflowd/

[Ref 12] MacGuire, Sean. Big Brother,

http://www.iti.qc.ca/users/sean/bb-dnld/

11