LinuxQuestions.org


danimalz 10-05-2005 01:49 AM

Basic traffic logging
 
I've been interested in logging internet traffic continually at my gateway server. I've come across a program called 'ifstat' that shows traffic in kb/sec for each network interface at 1sec (default) intervals.

This displays a running table of (for me) eth0 and eth1 interface traffic both in and out (pretty cool, and looks very accurate).

So I've started this program to run in the background, with output to a log file:

ifstat -tq > /var/log/ifstat.log &

I logged out of the server and checked back later, and sure enough it was still running and the logfile was exactly as I expected. This would allow me to monitor my own usage, as well as to check for any unusual stuff. Granted, I'd not know anything about the nature of the traffic, but it would help to identify weird stuff occurring when I'm not actually using the internet.

My questions are:

1) Might there be a better way, a better tool to do this? I'm running an old PC for the gateway and it is headless without any GUI.

2) Is there a better way to run 'ifstat' - i.e. the command that I use to start it is pretty simple. How would one normally run something like this in the best way...?

Thanks!
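
One way to review the log file described in the post above, shown as an added example that is not part of the original thread: it scans `ifstat -t` output for samples above a KB/s threshold. The function names `flag_busy` and `sample_log`, the 100 KB/s threshold and the sample data are assumptions made for illustration, as is the two-line header layout shown in the constructed sample.

```shell
#!/bin/sh
# Added example: flag intervals in an `ifstat -t` log that exceed a KB/s limit.
# Assumed layout: a "Time <if> <if> ..." header line, a "HH:MM:SS KB/s in ..."
# unit header line, then one data row per interval (headers may repeat).

# flag_busy LOGFILE LIMIT_KBS  (hypothetical helper name)
# Prints "time interface direction rate" for every sample above the limit.
flag_busy() {
    awk -v limit="$2" '
        # Interface header: remember which interface owns each column pair.
        $1 == "Time" { n = 0; for (i = 2; i <= NF; i++) ifname[++n] = $i; next }
        # Data rows start with a numeric timestamp; the literal "HH:MM:SS"
        # unit header does not match and is skipped.
        $1 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
            for (i = 1; i <= n; i++) {
                rin = $(2 * i); rout = $(2 * i + 1)
                # Non-numeric fields such as "n/a" evaluate to 0 and never trigger.
                if (rin + 0 > limit + 0)  printf "%s %s in %s\n", $1, ifname[i], rin
                if (rout + 0 > limit + 0) printf "%s %s out %s\n", $1, ifname[i], rout
            }
        }
    ' "$1"
}

# Constructed sample log (not real traffic) so the function can be tried offline.
sample_log() {
    cat <<'EOF'
  Time           eth0                eth1
HH:MM:SS   KB/s in  KB/s out   KB/s in  KB/s out
03:10:01      0.12      0.08      0.00      0.00
03:10:02    412.50     16.31    410.77     15.90
03:10:03      0.10    250.25      0.00    249.80
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
flag_busy "$tmp" 100
rm -f "$tmp"
```

Run against the real file, the call would be `flag_busy /var/log/ifstat.log 100`, with the limit set to whatever counts as unusual for the link when nobody is using it.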

moutaye 10-05-2005 07:48 AM

Don't know of ifstat, but you might use the built-in command "tcpdump". This one really "dumps" the traffic as stated, so it's not very accurate.

Ever heard of Ethereal? This one is great, for it truly captures every single frame and details it. The only thing is that the captured file is dynamic, that means that you need the Ethereal viewer to use it, plus since they detail every frame the captures are quite heavy in terms of size.

Hope this helps,

Cheers

Krugger 10-05-2005 06:54 PM

You could be thinking about SNORT. A nice IDS, which will keep an eye on who is trying to hack your box. The only problem is that you are going to get a lot of warnings, so you need to edit the config files or it will fill your disk pretty quickly.

danimalz 10-06-2005 06:58 PM

Thanks for the replies ... :)

