Linux - Networking
Distribution: Red Hat 9, Ubuntu 10; Windows Server 2003 and XP
Linux box to Monitor Network Traffic only
Hello all,
I manage a small business network with about 35 users. We have a T1 line going into a hardware firewall/router, and then into our main switch. I want to set up a box between the router and the switch to monitor all incoming and outgoing traffic.
We already have a spare server with two NICs and Ubuntu Server 10.10 installed. I just want to place this computer inline between the router and switch to monitor traffic only. I don't want to mess with iptables or anything else because all that is already handled elsewhere on the network. I just want an inline box to monitor traffic.
How can I go about doing this?
Thanks in advance for your time.
You've got several options. They depend on how far you want to go, and if you want other monitoring options as well.
The first thing I'd check out if I were you would be ntop (http://www.ntop.org/overview.html). It just does network monitoring. If you want to monitor other things (like disk, CPU, etc.) on other machines, check out Nagios, Munin, or Zenoss. They can monitor not only network traffic but other machine stats too, and they can run in conjunction with ntop.
Hi
I am not quite sure about your intention. Please take no offense but I am not quite sure if it is a good idea to put a Linux system between Router and LAN.
1. How fast is your Linux box? Fast enough for routing or switching and monitoring?
2. How calm are "your" 35 users when something goes wrong?
I don't know your switch, but if it is a managed switch it may be possible to monitor (mirror) the router port to the second NIC of your Ubuntu system. Then you can have one NIC for your LAN and one NIC for monitoring.
If something goes wrong you only lose your monitoring, not your net. In my eyes much safer.
You can use ntop, iptraf, tcpdump, wireshark whatever you want. It depends what you want to see.
Distribution: Red Hat 9, Ubuntu 10; Windows Server 2003 and XP
Original Poster
Quote:
Originally Posted by TB0ne
You've got several options. They depend on how far you want to go, and if you want other monitoring options as well.
The first thing I'd check out if I were you would be ntop (http://www.ntop.org/overview.html). It just does network monitoring. If you want to monitor other things (like disk, CPU, etc.) on other machines, check out Nagios, Munin, or Zenoss. They can monitor not only network traffic but other machine stats too, and they can run in conjunction with ntop.
Yeah, I know some about ntop, Ethereal, etc. I guess my question is how will the machine pass all traffic from one NIC to the other? I just want the traffic running through the machine; it doesn't need to do any sort of routing, as that is already taken care of elsewhere on the network.
Quote:
Hi
I am not quite sure about your intention. Please take no offense but I am not quite sure if it is a good idea to put a Linux system between Router and LAN.
1. How fast is your Linux box? Fast enough for routing or switching and monitoring?
2. How calm are "your" 35 users when something goes wrong?
The intention is to monitor all network traffic, especially web traffic.
Linux systems often function as a router themselves, and routing takes little resources from the computer. Besides that fact, the computer being used is a dual-processor rack server with plenty of resources. I figure setting it up to simply monitor and capture traffic is perfectly viable.
Quote:
I don't know your switch, but if it is a managed switch it may be possible to monitor (mirror) the router port to the second NIC of your Ubuntu system. Then you can have one NIC for your LAN and one NIC for monitoring.
If something goes wrong you only lose your monitoring, not your net. In my eyes much safer.
I like this idea, but our switch is not managed and has no mirror port. Plus, the Linux box will add much more functionality than simply mirroring traffic; the Linux box will give me control over the traffic if I need it.
I basically want the Linux box to be an inline transparent traffic sniffer.
The best solution I can think of is to set up your Linux box as a router. If you have good NICs and a fair box you can run some router software such as pfSense (actually based on FreeBSD), Smoothwall, or several other Linux firewall routers that will allow you to do the monitoring you want...
If all you are wanting to do is monitor web traffic, you could set up a transparent proxy (Squid) and just force all internet traffic through that.
I use PFSense as routers at three locations, with a fiber 1GB connection and I have no problems routing traffic at all. The trick is to use good gear. I run Squid set up with transparent proxy and lightsquid for reporting. (you can also filter logs yourself).
I have been using them for about 3 years with zero problems at three locations routing Fiber internet, 1GB LAN, and 2 T1s.
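The transparent Squid setup described in the reply above, as an added example that is not from the thread or from the pfSense/Squid projects: a squid.conf fragment with an intercepting listener, plus the iptables NAT rule that steers the LAN's port-80 traffic into it. It assumes a Linux box that is itself the LAN's router, a LAN-facing interface eth1, Squid listening on 3128, and Squid 3.1 or later (where the keyword is `intercept`; older releases used `transparent`). The interface name, network and paths are my assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Transparent (intercepting) Squid on
# a Linux box that routes for the LAN. Assumptions (mine, not the poster's):
# the LAN faces eth1, Squid 3.1+ listens on 3128, Ubuntu's squid3 package paths.
# Only plain HTTP on port 80 is intercepted; HTTPS is not seen by this setup.
set -e

# squid.conf fragment: an intercept listener plus an access log in the built-in
# "squid" format, which is what lightsquid parses for its reports.
squid_conf() {
    lan_net=$1; port=$2
    cat <<EOF
http_port $port intercept
acl localnet src $lan_net
http_access allow localnet
http_access deny all
access_log /var/log/squid3/access.log squid
EOF
}

# NAT rule that redirects the LAN's outbound port-80 connections into Squid.
# Traffic generated by the router itself is not affected: it never traverses
# the PREROUTING chain.
redirect_rule() {
    lan_if=$1; port=$2
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-port $port"
}

# Only write config and touch the firewall when explicitly asked, e.g.
#   SQUID_APPLY=1 sh squid-intercept.sh
if [ "${SQUID_APPLY:-0}" = 1 ]; then
    squid_conf 192.168.1.0/24 3128 > /etc/squid3/squid.conf
    $(redirect_rule eth1 3128)
    service squid3 restart
fi
```

Without `SQUID_APPLY=1` the script only defines the two generator functions, so the plan can be reviewed first. One limit worth knowing before choosing this route: interception on port 80 gives a per-user view of plain HTTP only; HTTPS sessions never reach Squid, so a report built from this log undercounts web use on sites that are HTTPS-only.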
You could use a network sniffer, software like dSniff or ngrep, or the other very good software mentioned above.
If you manage to route or link the traffic to another computer "sideways" from your network like sys64738 mentioned, then that would be best. But I'm not sure how you would do that exactly.
The first example would be easiest to create. Then you would just create a forwarding machine that logs while it forwards. Using iptables for that would be best, not to make a firewall but just to send bulk traffic through (from one Ethernet card to the other), without blocking or modifying it or whatever. And of course sniff or log/analyze it.
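The original poster's remaining question is how the box passes frames from one NIC to the other without routing or iptables. The usual answer on Linux is a Layer-2 bridge: both NICs are enslaved to a bridge device that carries no IP address, the kernel forwards frames between them, and any sniffer listens on the bridge and sees both directions. Below is an added example of that setup; it is not code from the thread. It assumes (my choices, not the poster's) that the NICs are eth0 and eth1, the bridge is br0, and the bridge-utils package is installed (`apt-get install bridge-utils`); applying it needs root.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns a two-NIC Ubuntu box into a
# transparent Layer-2 bridge between router and switch and captures on it.
# Assumptions (mine, not the poster's): NICs eth0 (router side) and eth1
# (switch side), bridge name br0, bridge-utils installed. Applying needs root.
set -e

# Emit the commands that build the bridge, one per line. The bridge gets no IP
# address, so the box is invisible at Layer 3: nothing to route, no iptables.
# STP is turned off because this box is the only path; with STP on, the ports
# would sit in "listening" for about 30 s before forwarding.
bridge_cmds() {
    in_if=$1; out_if=$2; br=$3
    cat <<EOF
brctl addbr $br
brctl addif $br $in_if
brctl addif $br $out_if
brctl stp $br off
ip addr flush dev $in_if
ip addr flush dev $out_if
ip link set $in_if up
ip link set $out_if up
ip link set $br up
EOF
}

# Run the plan, echoing each command first so a failure is visible in the log.
setup_bridge() {
    bridge_cmds "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Capture command for the bridge: both directions are visible on br0. -s 0
# keeps whole frames; -C/-W rotate through 20 files of 100 MB so the capture
# cannot fill the disk.
capture_cmd() {
    br=$1; dir=$2
    echo "tcpdump -i $br -n -s 0 -C 100 -W 20 -w $dir/inline.pcap"
}

# Only touch live interfaces when explicitly asked, e.g.
#   INLINE_BRIDGE_APPLY=1 sh inline-bridge.sh
if [ "${INLINE_BRIDGE_APPLY:-0}" = 1 ]; then
    setup_bridge eth0 eth1 br0
    mkdir -p /var/log/pcap
    $(capture_cmd br0 /var/log/pcap) &
fi
```

Without `INLINE_BRIDGE_APPLY=1` the script only defines the functions, so `bridge_cmds eth0 eth1 br0` prints the plan for review. To make the bridge survive a reboot on Ubuntu 10.10, the same thing goes into /etc/network/interfaces as an `auto br0` / `iface br0 inet manual` stanza with `bridge_ports eth0 eth1` and `bridge_stp off`; ntop can then be pointed at the bridge with `ntop -i br0` instead of, or alongside, tcpdump. The caveat sys64738 raised still applies to this design: the bridge is in the data path, so a kernel panic, a NIC driver hang or a reboot takes the office offline until the box is back, which a mirror port on a managed switch would not do. If the box stays inline, the mitigation is a bypass NIC (one that shorts its two ports together when the host loses power) or at least a documented plan for patching the two cables straight through.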