LinuxQuestions.org


jpat1023 11-19-2010 01:49 PM

Linux box to Monitor Network Traffic only
 
Hello all,

I manage a small business network with about 35 users. We have a T1 line, going into a hardware firewall/router, and then into our main switch. I want to setup a box between the router and the switch to monitor all incoming and outgoing traffic.

We already have a spare server with two NICs and Ubuntu Server 10.10 installed. I just want to place this computer inline between the router and switch to monitor traffic only. I don't want to mess with iptables or anything else because all that is already handled elsewhere on the network. I just want an inline box to monitor traffic.

How can I go about doing this??

Thanks in advance for your time.

TB0ne 11-19-2010 02:17 PM

Quote:

Originally Posted by jpat1023 (Post 4164674)
Hello all,

I manage a small business network with about 35 users. We have a T1 line, going into a hardware firewall/router, and then into our main switch. I want to setup a box between the router and the switch to monitor all incoming and outgoing traffic.

We already have a spare server with two NICs and Ubuntu Server 10.10 installed. I just want to place this computer inline between the router and switch to monitor traffic only. I don't want to mess with iptables or anything else because all that is already handled elsewhere on the network. I just want an inline box to monitor traffic.

How can I go about doing this??

Thanks in advance for your time.

You've got several options. They depend on how far you want to go, and if you want other monitoring options as well.

First thing I'd check out if I was you, would be ntop (http://www.ntop.org/overview.html). Just does network monitoring. If you want to monitor other things (like disk, CPU, etc.), on other machines, check out Nagios, Munin, or Zenoss. They can not only monitor network traffic, but other machine stats too, and they can run in conjunction with ntop.

sys64738 11-19-2010 02:55 PM

Hi
I am not quite sure about your intention. Please take no offense, but I am not quite sure if it is a good idea to put a Linux system between the router and the LAN.
1. How fast is your Linux box? Fast enough for routing or switching and monitoring?
2. How calm are "your" 35 users when something goes wrong?

I don't know your switch, but if it is a managed switch it may be possible to monitor (mirror) the router port to the second NIC of your Ubuntu system. Then you can have one NIC for your LAN and one NIC for monitoring.
If something goes wrong you only lose your monitoring, not your net. In my eyes much safer.

You can use ntop, iptraf, tcpdump, wireshark whatever you want. It depends what you want to see.

jpat1023 11-19-2010 04:17 PM

Quote:

Originally Posted by TB0ne (Post 4164699)
You've got several options. They depend on how far you want to go, and if you want other monitoring options as well.

First thing I'd check out if I was you, would be ntop (http://www.ntop.org/overview.html). Just does network monitoring. If you want to monitor other things (like disk, CPU, etc.), on other machines, check out Nagios, Munin, or Zenoss. They can not only monitor network traffic, but other machine stats too, and they can run in conjunction with ntop.

Yeah, I know some about ntop, ethereal, etc......I guess my question is how will the machine pass all traffic from one NIC to the other?? I just want the traffic running through the machine; it doesn't need to do any sort of routing as that is already taken care of elsewhere on the network.

Quote:

Hi
I am not quite sure about your intention. Please take no offense, but I am not quite sure if it is a good idea to put a Linux system between the router and the LAN.
1. How fast is your Linux box? Fast enough for routing or switching and monitoring?
2. How calm are "your" 35 users when something goes wrong?
The intention is to monitor all network traffic, especially web traffic.
Linux systems often function as a router themselves, and routing takes little resources from the computer. Besides that fact, the computer being used is a dual processor rack server with plenty of resources. I figure setting it up to simply monitor and capture traffic is perfectly viable.
Quote:

I don't know your switch, but if it is a managed switch it may be possible to monitor (mirror) the router port to the second NIC of your Ubuntu system. Then you can have one NIC for your LAN and one NIC for monitoring.
If something goes wrong you only lose your monitoring, not your net. In my eyes much safer.
I like this idea, but our switch is not managed and has no mirror port....plus, the Linux box will add much more functionality than simply mirroring traffic; the Linux box will give me control over the traffic if I need it.

I basically want the Linux box to be an inline transparent traffic sniffer.

never say never 11-19-2010 05:29 PM

Best solution I can think of is to set up your Linux box as a router. If you have good NICs and a fair box you can run some router software such as pfSense (actually based on FreeBSD), Smoothwall, or several other Linux firewall routers that will allow you to do the monitoring you want . . .

If all you are wanting to do is monitor web traffic, you could set up a transparent proxy (Squid) and just force all internet traffic through that.

I use pfSense as routers at three locations, with a fiber 1GB connection, and I have no problems routing traffic at all. The trick is to use good gear. I run Squid set up with transparent proxy and lightsquid for reporting (you can also filter logs yourself).

I have been using them for about 3 years with zero problems at three locations routing Fiber internet, 1GB LAN, and 2 T1s.

user100 11-19-2010 07:12 PM

You could use a network sniffer, software like dsniff or ngrep, or the other very good software mentioned above.

If you manage to route or link the traffic to another computer "sideways" from your network like sys64738 mentioned, then that would be best. But I'm not sure how you would do that exactly.

The first example would be easiest to create. Then you would just create a forward machine while it logs. And using iptables for that would be best, not to make a firewall but just to send bulk traffic through (from eth card to eth card), without blocking or modifying it or whatever. And of course sniff or log/analyze it.
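As an added example (not posted by anyone in this thread and not part of any tool mentioned above): once the box is passing frames between its two NICs and tcpdump is writing a capture, the monitoring the original poster wants (who on the LAN is generating how much web traffic) comes down to reading that capture. The Python below parses a pcap file image and tallies per-host bytes, split into web (ports 80/443) and everything else. The sample frames, MAC/IP addresses, the `192.168.1.` LAN prefix and the trailing truncated record are all constructed for the example; nothing here is the poster's data. Two practical details it handles: a snaplen-truncated frame is counted by its original length (`orig_len`), and a capture file cut off mid-record (tcpdump killed) is read up to the last complete record instead of raising.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # pcap magic, microsecond timestamps, little-endian writer
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same file written by a big-endian host
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6
WEB_PORTS = {80, 443}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture (checksums left zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + ETHERTYPE_IPV4)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames, snaplen=65535):
    """Wrap frames into a pcap file image: 24-byte global header, 16-byte header per record."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]                      # tcpdump -s truncates like this
        out += struct.pack("<IIII", 1290000000 + i, 0, len(captured), len(frame)) + captured
    return out


def parse_pcap(data):
    """Yield (timestamp, captured_bytes, original_length); stop cleanly at a truncated tail."""
    if len(data) < 24:
        raise ValueError("not a pcap file: global header too short")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        e = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        e = ">"
    else:
        raise ValueError("unsupported capture format (magic %08x)" % magic)
    if struct.unpack(e + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break                                        # capture cut off mid-record: ignore tail
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len], orig_len
        off += incl_len


def decode_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/TCP frame, None for anything else."""
    if len(frame) < 14 + 20 + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return None                                      # ARP, IPv6, runt frames, ...
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, sport, dport


def summarize(pcap_bytes, lan_prefix):
    """Per-LAN-host byte totals, web vs. other, using orig_len so truncated frames count fully."""
    stats = defaultdict(lambda: {"web": 0, "other": 0, "packets": 0})
    for _, frame, orig_len in parse_pcap(pcap_bytes):
        hdr = decode_tcp(frame)
        if hdr is None:
            continue
        src, dst, sport, dport = hdr
        host = src if src.startswith(lan_prefix) else dst if dst.startswith(lan_prefix) else None
        if host is None:
            continue                                     # transit traffic not involving the LAN
        bucket = "web" if (sport in WEB_PORTS or dport in WEB_PORTS) else "other"
        stats[host][bucket] += orig_len
        stats[host]["packets"] += 1
    return dict(stats)


# Constructed sample capture: two web flows for one host, one SSH flow for another,
# an ARP frame (skipped), captured with snaplen 96, then a record cut off mid-write.
_FRAMES = [
    build_frame("00:11:22:33:44:10", "00:11:22:33:44:01", "192.168.1.10", "93.184.216.34", 40000, 443, b"G" * 100),
    build_frame("00:11:22:33:44:01", "00:11:22:33:44:10", "93.184.216.34", "192.168.1.10", 80, 40001, b"H" * 1400),
    build_frame("00:11:22:33:44:20", "00:11:22:33:44:01", "192.168.1.20", "10.0.0.5", 50000, 22, b"S" * 50),
    bytes.fromhex("ffffffffffff001122334455") + b"\x08\x06" + b"\x00" * 28,
]
SAMPLE_PCAP = build_pcap(_FRAMES, snaplen=96) + struct.pack("<IIII", 1290000099, 0, 60, 60) + b"\x00" * 10


def demo():
    return summarize(SAMPLE_PCAP, "192.168.1.")


if __name__ == "__main__":
    for host, s in sorted(demo().items()):
        print("%-15s web=%7d other=%7d packets=%d" % (host, s["web"], s["other"], s["packets"]))
```

To run it against a real capture, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` and the prefix with your LAN subnet. The parser deliberately stays at the packet-header level (no payload inspection), which is all a byte-count report needs; anything deeper is what ntop or Wireshark, mentioned earlier in the thread, are for.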
