LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-02-2017, 04:56 PM   #1
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,327

Rep: Reputation: 54
Network software to monitor network usage/packets, does something like this exist?


I was thinking it would be neat to have a device that sits at the gateway and basically sniffs all packets coming in/out. It would then group them in various ways, allow you to set up rules etc. so they show up as different colors, or what not. Maybe even generate graphs and such. Basically, a fancy packet sniffer/analyzer, if you will. It could either sit between internet and firewall, or sit behind the firewall so it can also be aware of all the VLANs. It would use a read-only approach where it's simply on the same bus as the trunk port and listens to all the traffic. Could probably use port mirroring or some kind of hub/splitter etc. Ideally it would require a box with two NICs, as the other NIC would be management (access web interface and such).

It would be used to get an idea of what traffic is going in/out of your network, while allowing you to easily filter out certain types of traffic like http so you can easily find anything that is odd/not right. Perhaps it could even do real time packet sniffing with a rolling log that just deletes older sniffs. Rules could be used so it only sniffs stuff that you did not set as an exception (ex: torrent traffic). Basically kinda like a firewall, but only for analyzing and categorizing traffic.

Does such software exist? If not I wonder how hard it would be to make something like that. I imagine there must be premade libraries that would do the hard work of capturing packets and deciphering the basic metadata.
 
Old 01-02-2017, 07:14 PM   #2
af7567
Member
 
Registered: Nov 2012
Posts: 281

Rep: Reputation: 97
It sounds like you were describing Wireshark; I'm not sure about the making graphs though.
https://www.wireshark.org/
 
Old 01-02-2017, 09:12 PM   #3
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,327

Original Poster
Rep: Reputation: 54
I know about wireshark, but I'm talking about something that runs more in the background 24/7 on a server. Something that will allow me to do analytics and such on traffic. Perhaps even alert for weird patterns. Ex: connectivity on a port that has never been connected to before.
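As an added illustration (not code from the thread or from any of the tools named in it), here is the core of what the OP sketches: a passive flow summariser that groups traffic by category, drops operator-defined exceptions (http, dns, ...) from a rolling log, and raises an alert the first time a destination port is seen that was not in the baseline. Packet decoding is assumed to be done by a capture library feeding pre-decoded records; constructed sample records stand in for a live capture so it runs offline.

```python
from collections import Counter, deque
from typing import NamedTuple

class Flow(NamedTuple):
    ts: float      # capture timestamp (epoch seconds)
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    size: int      # bytes on the wire

# Exception rules: vetted categories the operator does not want in the
# rolling log (the OP's "set as an exception" idea). Constructed values.
EXCEPTIONS = {("tcp", 80): "http", ("tcp", 443): "https", ("udp", 53): "dns"}

class Monitor:
    def __init__(self, known_ports=(), log_size: int = 1000):
        # Baseline of (proto, dport) pairs; seed it from a learning period
        self.seen_ports = set(known_ports)
        self.bytes_by_category = Counter()
        self.log = deque(maxlen=log_size)   # rolling log, oldest entries drop off
        self.alerts = []

    def categorise(self, f: Flow) -> str:
        return EXCEPTIONS.get((f.proto, f.dport), f"{f.proto}/{f.dport}")

    def ingest(self, f: Flow) -> None:
        self.bytes_by_category[self.categorise(f)] += f.size
        key = (f.proto, f.dport)
        if key not in EXCEPTIONS:
            self.log.append(f)            # only non-exception traffic is kept
            if key not in self.seen_ports:
                # Port never connected to before: the alert the OP asked about
                self.alerts.append(
                    f"new port {f.proto}/{f.dport} first used by {f.src} -> {f.dst}")
        self.seen_ports.add(key)

# Constructed sample records standing in for decoded captures
SAMPLE = [
    Flow(1.0, "10.0.0.5", "93.184.216.34", "tcp", 443, 1500),
    Flow(1.2, "10.0.0.5", "10.0.0.1", "udp", 53, 80),
    Flow(2.0, "10.0.0.7", "198.51.100.9", "tcp", 6881, 1200),
    Flow(2.5, "10.0.0.7", "198.51.100.9", "tcp", 6881, 1200),
]

def run(records=SAMPLE, known_ports=()) -> Monitor:
    m = Monitor(known_ports)
    for f in records:
        m.ingest(f)
    return m
```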
 
Old 01-03-2017, 12:21 PM   #4
Ellendhel
Member
 
Registered: Aug 2015
Location: Wilmington, NC
Distribution: Slackware
Posts: 64

Rep: Reputation: 51
What you are looking for could be SiLK; this set of tools can collect traffic information from a piece of network equipment (switch, router) that can be analyzed later on. It doesn't generate graphs, but you can probably build them from the gathered data.

I have no experience with this (I have learned about it from this book); it probably requires some time and resources to give you the results that you are looking for.

Generally speaking, you may want to look at similar tools able to manage NetFlow (for Cisco equipment) or sFlow (from other vendors). SiLK is one solution; there are probably other ones available.
 
Old 01-03-2017, 01:25 PM   #5
linux4evr5581
Member
 
Registered: Sep 2016
Location: USA
Posts: 275

Rep: Reputation: Disabled
Does this sound like what you want?

-- Bro is an analysis framework: "Bro is not trying to tell you what is bad, it tries to tell you what is happening." It also has a scripting language, "Bro-Script", for custom automation. The advantages of Bro are that it records all traffic, so if something happens you can look in detail at what it was, and the records don't lie.
-- Suricata is an enhancement to existing infrastructure (logging critical components, hardware acceleration, firewall integration, *NIX socket mode for automated PCAP file processing, etc.). It also has a scripting language, "Lua", that can be used with information obtained from packets for complex matching to detect complex threats.

Last edited by linux4evr5581; 01-03-2017 at 01:35 PM.
 
Old 01-03-2017, 03:28 PM   #6
Red Squirrel
Senior Member
 
Registered: Dec 2003
Distribution: Mint 20.1 on workstation, Debian 11 on servers
Posts: 1,327

Original Poster
Rep: Reputation: 54
Thanks, those two sound interesting, I may check them out. This is more just something I was thinking it would be nice to have; ideally I'd probably want to set up a dedicated box for that but might play with it in a VM too.
 
Old 01-03-2017, 04:46 PM   #7
linux4evr5581
Member
 
Registered: Sep 2016
Location: USA
Posts: 275

Rep: Reputation: Disabled
No problemo, glad to help.
 
All times are GMT -5. The time now is 03:45 PM.