How to: Monitor Bandwidth with Tomato Firmware

By Aaron Weiss

January 05, 2009

Looking to track your bandwidth to scope out malware, conform to metering policies from your ISP, better utilize limited resources–or just because you’re curious? Our Wi-Fi Guru walks you through Tomato’s sophisticated bandwidth monitoring tools.

Related Articles

Looking to track your bandwidth to scope out malware, conform to metering policies from your ISP, better utilize limited resources–or just because you’re curious? Our Wi-Fi Guru walks you through Tomato’s sophisticated bandwidth monitoring tools.

In the early days of the Internet, dial-up users were charged based on how many hours per month they spent online. Many of us have become spoiled in the broadband era, with “unlimited” access the norm—measured both in time and bandwidth usage. But with so many subscribers now using so much network capacity, the pendulum may be swinging back toward metered services. In the U.S., major providers Time Warner and Comcast have both introduced efforts to “cap” network use. In the UK, over a million subscribers experience broadband caps, and five out of nine ISP’s offering “unlimited” service impose caps.

Regardless of the merits or lack thereof of metered bandwidth, the reality is that more of us are likely to have to keep track of our online usage. A nifty way to do this is by using a supported wireless router loaded with a firmware, such as Tomato, which includes sophisticated bandwidth monitoring. Auditing bandwidth usage can be useful for any network with limited resources, or even to help spot and diagnose errant activity (such as malware) that may be unwittingly filling up the pipes.

Assuming you have already prepared a wireless router with Tomato, keep in mind that it can only count traffic that flows through it. In most scenarios, your wireless router connects to both your WAN (broadband) and LAN, and so this is the best configuration for accurately monitoring bandwidth. If your Tomato router serves only a subset of your network, though, remember that is the only portion of traffic it will see.

Initial configuration

When you log into the Tomato administration interface, click Administration/Bandwidth Monitoring.

First, you’ll want to be sure that “Enable” is checked. By default, the log used to calculate bandwidth usage is saved to the router’s RAM—but most routers have limited free memory, which means your log will not be saved for very long.

To archive statistics for the long term, you will want to save to a filesystem. The drop-down menu offers two kinds of filesystems—JFFS2 and CIFS. A JFFS2 filesystem can be created using Administration/JFFS2, but it also occupies flash memory, and most routers will not be able to hold very much.

Your best option is to create a CIFS connection through Administration/CIFS Client, which lets you mount a Windows (or Samba) share hosted on an external server. Set the CIFS client that you create in the “Save History Location” and you can store usage logs well beyond the limitations of the router’s internal memory.

Logs can be rotated from every hour to every week, with many intervals in between. “Save On Shutdown” will ensure that the current traffic log is saved in case the router resets in between save intervals. “Create New File/Reset Data” will force a new log to begin when you save this configuration.

“First Day Of The Month” is used by Tomato to calculate monthly usage statistics—the default, 1, seems like a good choice.

As we’ll see in a moment, the bandwidth monitor tracks several interfaces through the router—for example, wired and wireless connections. You can list the names of interfaces that you do not want tracked under “Excluded Interfaces.” But as you’ll see when we look at the monitor itself, this feature may be of limited usefulness in some situations.

Finally, you can backup or restore traffic log files to or from your local PC using the respective forms.

24 hours in the life of your bandwidth

Open the bandwidth monitor itself by clicking Bandwidth in Tomato’s left-hand column. This will actually default to the 24-hour bandwidth view (below).

Across the top of the bandwidth view are the interfaces that Tomato is monitoring. You can click each tab to view the graph for that interface. Of course, it isn’t exactly clear what these interfaces actually mean.

WAN (vlan1)—traffic coming into and going out of the WAN port to your broadband provider. This measures traffic between your router and the outside world, but not traffic flowing within your LAN. WL (eth1)—wireless traffic, which in most scenarios means wireless traffic inside your LAN. This would include wireless clients sending and receiving data to the Internet plus sharing with one another. br0—the bridge between WL(eth1) and the router’s hardwired LAN ports (vlan0). Consequently, br0 shows traffic combined from both your wireless and hardwired connections to the router, both to the Internet and within the LAN. eth0—all of the router’s hardwired ports, shows traffic flowing through both the LAN via Ethernet plus the Internet via the WAN port. vlan0—the router’s hardwired LAN ports, shows traffic to the Internet and within the LAN.

Because of the way the interfaces are designed inside the router, it is not possible to monitor traffic for a specific client—unless you can isolate that client to one of the above interfaces. For example, if you have only one wireless client associated with the router, you know that WL(eth1) traffic represents only this client.

Tomato renders the graph display using SVG (scalable vector graphics), an image format with built-in support using Firefox or Safari; Internet Explorer users can download a plug-in (or else you will see an empty space where the graph is).

The graph displays both incoming (RX) and outgoing (TX) data, rendered in color pairs, which are configurable by clicking the “Color” link in the options on the right. Moving your mouse pointer over the graph will display details for the specific data point you hover over in the upper right.

Other options along the lower right let you modify the timescale of the graph (from 4 to 24 hours), how broadly to average out the data, how to scale the maximum height of the graph, and how to render the visuals (shape and color).

For most of us, the “Total” bandwidth reading for the measured time period will be the most useful piece of information. But you may also find it helpful to look for spikes in usage, particularly those that may be occurring at unexpected times—for example, late at night. In some cases, these could represent malware or other unwanted network activity.

In our sample image, the heavy usage at the left edge of the graph represents BitTorrent traffic. You can see that outgoing traffic exceeds incoming traffic during this period, which is atypical for most types of network activity, but not unsurprising for P2P activity.

Bandwidth live

Click on the Bandwidth/Real-Time link and you’ll see a graph display just like the 24-hour version—but updated live. Technically, it is updated every two seconds, and the entire graph represents a window of the last ten minutes.

Using the real-time bandwidth monitor can be a helpful way to troubleshoot network problems. For example, if there is unexplained network activity and you are not sure which client is its origin, you could disable and enable clients in sequence while monitoring the real-time monitor.

The bottom line

Clicking on Daily, Weekly, or Monthly bandwidth views trades the graph for much simpler data. Here, you see just the total traffic count broken down by selected time period. You can display the totals in Kilobytes, Megabytes, or Gigabytes—most users will care about GB, especially if the goal is to avoid an ISP usage cap.

Hopefully, a future version of Tomato will be able to track usage by client IP or MAC address. Until then, though, the current monitor is a handy tool both for network diagnostics and avoiding wrist-slaps, nasty letters, or potential overage charges from the increasing number of broadband providers clamping down on bandwidth hogs—er, I mean, reasonable users.

Latest posts by Eric Sandler (see all)

Give a Comment