[SOLVED] Network software to monitor network usage/packets, does something like this exist?
Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I was thinking it would be neat to have a device that sits at the gateway and basically sniffs all packets coming in/out. It would then group them in various ways, allow you to set up rules etc. so they show up as different colors, or whatnot. Maybe even generate graphs and such. Basically, a fancy packet sniffer/analyzer, if you will. It could either sit between the internet and the firewall, or sit behind the firewall so it can also be aware of all the VLANs. It would use a read-only approach where it's simply on the same bus as the trunk port and listens to all the traffic. Could probably use port mirroring or some kind of hub/splitter etc. Ideally it would require a box with two NICs, as the other NIC would be management (access web interface and such).
It would be used to get an idea of what traffic is going in/out of your network, while allowing you to easily filter out certain types of traffic like HTTP so you can easily find anything that is odd/not right. Perhaps it could even do real-time packet sniffing with a rolling log that just deletes older sniffs. Rules could be used so it only sniffs stuff that you did not set as an exception (ex: torrent traffic). Basically kinda like a firewall, but only for analyzing and categorizing traffic.
Does such software exist? If not I wonder how hard it would be to make something like that. I imagine there must be premade libraries that would do the hard work of capturing packets and deciphering the basic metadata.
Original Poster
I know about Wireshark, but I'm talking about something that runs more in the background 24/7 on a server. Something that will allow me to do analytics and such on traffic. Perhaps even alert for weird patterns. Ex: connectivity on a port that has never been connected to before.
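As an added illustration (not code from this thread, nor from SiLK, Bro or Suricata) of what the "premade libraries" approach boils down to, and of the "port that has never been connected to before" alert described above: a small Python decoder that parses hand-built Ethernet/IPv4 frames, aggregates them into NetFlow-style 5-tuple records, learns a baseline of (destination, protocol, port) triples from a learning window, and reports flows to destinations outside that baseline while honouring an operator exception list (the "torrent traffic" rule). The sample frames and the 10.0.0.0/24 addresses are constructed inline and the function names are my own; in a real deployment the frames would be read from a mirror/SPAN port with libpcap instead.

```python
import struct
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_frame(frame: bytes):
    """Decode Ethernet/IPv4/TCP|UDP headers. Returns
    (src_ip, dst_ip, proto, src_port, dst_port, ip_total_length)
    or None for frames this decoder does not handle."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None                        # ARP, IPv6, VLAN-tagged: ignored here
    ip = frame[ETH_HDR_LEN:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4               # header length in bytes
    (total_len,) = struct.unpack("!H", ip[2:4])
    proto = ip[9]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport = dport = 0
    if proto in (PROTO_TCP, PROTO_UDP) and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (src, dst, proto, sport, dport, total_len)


def aggregate_flows(frames):
    """NetFlow-style aggregation: one record per 5-tuple with packet/byte counts."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        src, dst, proto, sport, dport, nbytes = rec
        entry = flows[(src, dst, proto, sport, dport)]
        entry["packets"] += 1
        entry["bytes"] += nbytes
    return dict(flows)


def learn_baseline(frames):
    """Set of (dst_ip, proto, dst_port) triples seen during a learning window."""
    return {(dst, proto, dport) for (_, dst, proto, _, dport) in aggregate_flows(frames)}


def find_new_services(frames, baseline, ignore_ports=frozenset()):
    """Flows whose (dst_ip, proto, dst_port) never appeared in the baseline,
    skipping destination ports the operator listed as exceptions."""
    alerts = []
    for key in aggregate_flows(frames):
        src, dst, proto, sport, dport = key
        if dport in ignore_ports:
            continue
        if (dst, proto, dport) not in baseline:
            alerts.append(key)
    return alerts


# --- constructed sample traffic (hand-assembled, not a real capture) ----------

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Assemble an Ethernet/IPv4/TCP|UDP frame for testing. The IP checksum is
    left as zero because parse_frame does not verify it."""
    l4_rest = b"\x00" * 16 if proto == PROTO_TCP else b"\x00" * 4   # 20-byte TCP / 8-byte UDP header
    l4 = struct.pack("!HH", sport, dport) + l4_rest + payload
    total_len = 20 + len(l4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + l4


ARP_FRAME = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", 0x0806) + b"\x00" * 28

LEARNING = [   # "normal" traffic used to build the baseline
    build_frame("10.0.0.5", "10.0.0.10", PROTO_TCP, 51000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("10.0.0.5", "10.0.0.10", PROTO_TCP, 51000, 80, b"Host: x\r\n"),
    build_frame("10.0.0.6", "10.0.0.53", PROTO_UDP, 40000, 53, b"\x00" * 12),
    ARP_FRAME,
]
MONITOR = [    # later traffic checked against the baseline
    build_frame("10.0.0.7", "10.0.0.10", PROTO_TCP, 52000, 80),      # known service
    build_frame("10.0.0.7", "10.0.0.10", PROTO_TCP, 52001, 2222),    # never seen before
    build_frame("10.0.0.8", "10.0.0.9", PROTO_TCP, 52002, 6881),     # excluded by operator rule
]

if __name__ == "__main__":
    for key, counters in aggregate_flows(LEARNING).items():
        print(key, counters)
    for key in find_new_services(MONITOR, learn_baseline(LEARNING), ignore_ports={6881}):
        print("new service:", key)
```

The baseline is keyed on the destination side only, so a new client talking to an already-known service does not alert, while a known client reaching a port nobody has used before does; that matches the alert described in the post. Anything the decoder does not understand (ARP here, but also IPv6 or 802.1Q-tagged frames on a trunk port) is silently dropped, which is exactly the kind of blind spot to count and report rather than ignore in a real deployment.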
What you are looking for could be SiLK; this set of tools can collect traffic information from a piece of network equipment (switch, router) that can be analyzed later on. It doesn't generate graphs, but you can probably build them from the gathered data.
I have no experience with this (I have learned about it from this book); it probably requires some time and resources to give you the results that you are looking for.
Generally speaking, you may want to look at similar tools able to manage NetFlow (for Cisco equipment) or sFlow (from other vendors). SiLK is one solution; there are probably other ones available.
-- Bro is an analysis framework: "Bro is not trying to tell you what is bad, it tries to tell you what is happening." It also has a scripting language, "Bro-Script", for custom automation. The advantages of Bro are that it records all traffic, so if something happens you can look in detail at what it was, and the records don't lie.
-- Suricata is an enhancement to existing infrastructure (logging critical components, hardware acceleration, firewall integration, *NIX socket mode for automated PCAP file processing, etc.). It also has a scripting language, Lua, that can be used with information obtained from packets for complex matching to detect complex threats.
Last edited by linux4evr5581; 01-03-2017 at 01:35 PM.
Original Poster
Thanks, those two sound interesting, I may check them out. This is more just something I was thinking it would be nice to have; ideally I'd probably want to set up a dedicated box for that but might play with it in a VM too.