You could contrive some netfilter rules with iptables, which would selectively log the traffic of interest. The results can be inspected using the '-L -v' commands of iptables. This can be done with a script that parses the resulting output of iptables to maintain history logs, etc.
iptables -t filter -N HOSTX
iptables -t filter -I HOSTX --source hostx.your.domain
iptables -t filter -I HOSTX --dest hostx.your.domain
iptables -t filter -I INPUT -j HOSTX
iptables -t filter -I OUTPUT -j HOSTX
This script creates a chain 'HOSTX', which does nothing, but is invoked every time a packet passes the INPUT or OUTPUT chain of the filter table. These rules would cause all traffic to or from the host named 'hostx.your.domain' to be seen by the chain 'HOSTX'. A side effect of this is that the packet and byte count of the chain 'HOSTX' is accumulated by the filter. Later, perhaps on a scheduled interval, we can inspect the packet and byte count:
iptables -t filter -L -v
The accumulated counts can be zeroed with the -Z switch.
For your application, you would want to create rules in the INPUT, OUTPUT, or FORWARD chains that are selective about hosts, domains and ports of interest to you.
This would run on an individual server, monitoring only traffic seen on the server. If you actually want to monitor your network at large, you will need to use some kind of sniffer, like tcpdump (or its GUI cousin, wireshark), but this also requires assistance from a smart switch on a switched ethernet network.
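As an added example (not part of the original answer), a small POSIX shell script that creates the accounting chain described above, parses the '-L -v' output into a history log on each scheduled run, and then zeroes the counters; the hostname, log path and the constructed sample output are assumptions.

```bash
#!/bin/sh
# Added example, not the original answer's code. Assumptions: the host name
# and log path are placeholders, and the parsed format is what
# 'iptables -t filter -L HOSTX -v -n -x' prints (exact counters, numeric addresses).
LOG="${LOG:-/var/log/hostx-traffic.log}"

# Constructed sample of that output, used for the stand-alone demo below.
SAMPLE='Chain HOSTX (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120      15360            all  --  *      *       0.0.0.0/0            192.0.2.10
      98      20480            all  --  *      *       192.0.2.10           0.0.0.0/0'

# Create the chain and its counting rules once (skipped if the chain exists).
setup_chain() {
    iptables -t filter -L HOSTX -n >/dev/null 2>&1 && return 0
    iptables -t filter -N HOSTX
    iptables -t filter -I HOSTX --source hostx.your.domain
    iptables -t filter -I HOSTX --destination hostx.your.domain
    iptables -t filter -I INPUT -j HOSTX
    iptables -t filter -I OUTPUT -j HOSTX
}

# Read listing output on stdin, emit "<src> <dst> <pkts> <bytes>" per rule.
# Rules without a target have one field fewer, so addresses come from the end.
parse_counts() {
    awk '/^Chain / || /^ *pkts +bytes/ || NF == 0 { next }
         { printf "%s %s %s %s\n", $(NF-1), $NF, $1, $2 }'
}

# Sum packets and bytes over all rules: "<pkts> <bytes>".
total_counts() {
    parse_counts | awk '{ p += $3; b += $4 } END { printf "%d %d\n", p, b }'
}

# Scheduled entry point (e.g. from cron): append counters to the log, then
# zero them with -Z so each log line covers one interval only.
snapshot() {
    setup_chain
    iptables -t filter -L HOSTX -v -n -x | parse_counts |
    while read -r src dst pkts bytes; do
        printf '%s %s %s %s %s\n' "$(date -u +%FT%TZ)" "$src" "$dst" "$pkts" "$bytes" >>"$LOG"
    done
    iptables -t filter -Z HOSTX
}

case "${1:-}" in
    snapshot) snapshot ;;
    demo)     printf '%s\n' "$SAMPLE" | total_counts ;;
esac
```

Run it as `script.sh snapshot` from cron; `script.sh demo` parses the embedded sample without touching iptables.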