This may be a fairly long-winded post just to avoid any confusion, which I did seem to run into with many people who were helping out on another forum, so please bear with me.
Just to get this on the road, I will summarize what this is about. We have a single Linux machine on our network (sad, isn't it?) here at work which is pretty much just a monitoring machine. What it has run in the past is Nagios, MRTG, and a few other less significant applications. For the most part, though, you can see it pretty much just takes up monitoring activities. We want to extend this now to include ntop and Request Tracker 3 (<--- RT3 not really significant to this post, but I figured I would mention it). We decided on ntop after some checking around and a bit of testing with it to act as our Internet bandwidth monitor so we can see who on our network is doing what with our Internet bandwidth and so on. Mostly we're just wanting to see when someone is abusing it and to be able to track what is happening when it does, because it does happen from time to time--sometimes a user, and sometimes a rogue program, etc.
Now, I would like to mention what the stance is towards Linux / open source / pretty much anything non-MS from the upper management of my company just to avoid useless suggestions. I think bearing this in mind will help get the answers I need. At a prior forum I was getting suggestions that could have been avoided with this information. Upper management, to my misfortune, pretty much takes the stance that we're an MS-only shop. Discussion of Linux / open source matters goes nowhere, it seems. As a result we are pretty much MS everything. However, the network admin cleared me over a year ago to drop a Linux box on our network that would run the applications I already mentioned (Nagios and MRTG) just for our benefit to monitor some things. Essentially it just helps us out tremendously in the IT department with some things--what upper management doesn't know won't hurt us. It is just a monitoring machine, though, so it could spontaneously explode and our network and all activities on the network could continue as if it never knew this happened. I say this all only to mention that I don't want suggestions that would put said Linux machine INTO the network hierarchy in such a way that if it for ANY reason failed it would stop functionality or our day-to-day operations. I know that the network admin won't allow it (because of upper management) and I know my head could be on the upper management chopping block if the issue was traced back to a Linux machine--not a risk I'm willing to take.
That is out of the way, and onto the real issue (thanks for staying this long). So far we have just run Nagios and MRTG with the Linux machine just plugged into a switch port on the local network. This machine has had only a single NIC in it because that is all it has needed. The next big addition to it is ntop. With that I think we really need another NIC to best utilize it with accuracy. Because of the way ntop works with monitoring an ethernet interface, we only want the interface it is monitoring to reflect what we plan to monitor--the traffic that passes through our firewall to our external router on to the Internet. What we have done to start facilitating this is to set up a port on one of our switches that will monitor a port. The port it monitors is the one that the firewall private line comes into. The next step is to properly set up an additional interface on this said Linux machine that ntop can use to monitor the traffic going through the firewall. I'm figuring ntop needs its own dedicated interface to the firewall monitor port on the switch so it's not also monitoring and logging all the hits made to the machine for Nagios, MRTG, and soon Request Tracker 3 (all of which are, of course, web based).
My question (finally!!!)--how do I properly set up this new interface that is plugged into this switch monitoring port? I have been told, and it sounds about right, that I need to set up this interface without an IP and to run it in promiscuous mode. In regards to the latter, I believe ntop itself will set up the interface to run in promiscuous mode, so I think this matter is settled. As far as how to actually set up the interface (in /etc/network/interfaces), I have no idea how to do this. I have never set up an interface in Linux for anything but an IP-based (static / dhcp) network connection.
I should also ask--is this how I should be setting all of this up? I do want ntop to only monitor the firewall--not general access to the Linux machine for the other stuff it runs. I also don't want all the firewall private traffic replicated across the network in a loop (via this new interface--will it pass information back to the network again?). I need it to ONLY monitor, not pass any traffic. Someone had mentioned that I would need to set up rules on this machine to make sure it doesn't try to pass any of the information back to the network that our firewall sends to it for monitoring. If it helps, the switch it is plugged into is a Cisco Catalyst 3524XL.
Hopefully this is enough information and I can find out what I need to.
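The capture-only interface the post is asking about, as an added example that is not part of the original post or of ntop itself. It assumes a Debian-style host using ifupdown (`/etc/network/interfaces`) and the iproute2 `ip` command, and that the second NIC is `eth1`; both names are assumptions. The comment at the top carries the `interfaces` stanza, `monitor_up` does the same thing by hand, and `check_monitor_flags` inspects `ip` output to confirm the NIC is promiscuous, ARP-less and address-less, which is what keeps it from ever answering the mirrored traffic back onto the switch.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Assumption: the dedicated capture NIC is eth1 (override with MON_IF=...).
MON_IF="${MON_IF:-eth1}"

# Equivalent /etc/network/interfaces stanza (ifupdown):
#
#   auto eth1
#   iface eth1 inet manual
#       up   ip link set dev eth1 up promisc on arp off
#       down ip link set dev eth1 down
#
# "inet manual" means ifupdown assigns no address and starts no DHCP
# client, so the kernel has nothing to transmit from this NIC. ntop
# (via libpcap) reads from it only; promisc on is set here anyway so the
# NIC already sees every mirrored frame before ntop starts.

# Bring the capture NIC up with no address, promiscuous, and with ARP
# disabled so it never replies to ARP requests seen on the mirror port.
# Needs root.
monitor_up() {
    ip link set dev "$1" up promisc on arp off
    # Also stop IPv6 autoconfiguration, which would otherwise give the NIC
    # a link-local address and send neighbour/router solicitations.
    sysctl -q -w "net.ipv6.conf.$1.disable_ipv6=1" 2>/dev/null || true
}

monitor_down() {
    ip link set dev "$1" down
}

# Pure check on text: $1 is one line of "ip -o link show dev X",
# $2 is the output of "ip -o addr show dev X" (possibly empty).
# Returns 0 only if PROMISC and NOARP are set and no inet/inet6
# address is configured.
check_monitor_flags() {
    link_line="$1"
    addr_lines="$2"
    case "$link_line" in *PROMISC*) ;; *) return 1 ;; esac
    case "$link_line" in *NOARP*)   ;; *) return 1 ;; esac
    case "$addr_lines" in *" inet "*|*" inet6 "*) return 1 ;; esac
    return 0
}

# Live check against the real interface.
check_monitor_iface() {
    check_monitor_flags "$(ip -o link show dev "$1")" \
                        "$(ip -o addr show dev "$1")"
}

# Stand-alone usage: ./monitor-nic.sh up | down | check
case "${1:-}" in
    up)    monitor_up "$MON_IF" ;;
    down)  monitor_down "$MON_IF" ;;
    check) if check_monitor_iface "$MON_IF"; then
               echo "$MON_IF: capture-only (promisc, no ARP, no address)"
           else
               echo "$MON_IF: NOT capture-only, fix flags/addresses" >&2
               exit 1
           fi ;;
esac
```

On an older net-tools-only system the same "up" line is `ifconfig eth1 0.0.0.0 promisc -arp up`. Because the NIC carries no address and no ARP, there is nothing for the stack to send back through the mirror port, so no extra firewall rules are needed for that; the management services (Nagios, MRTG, RT3) stay on the first NIC, which keeps their HTTP hits out of ntop's capture.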