I have a linux machine set up running network monitoring - I have tried ifstat, bmon and iftop all of which give similar figures.

I am trying to view the total amount of traffic flowing over the network ie how many kb/Mb are flowing over the network. I am able to generate packets on another device and send them onto the network - TCP and UDP and the monitoring machine sees this data. I have set the network card on the monitoring device to promiscuous mode. I found a noticeable difference if this is set on and off so I am assuming that I am then seeing all of the data when promiscuous mode is set to on.

My question is when I go to another computer and say download a very large file over the internet I do not appear to see the traffic associated with this download on the monitoring machine.

FYI - I have a router connected to the Internet and then a network switch connected to the router. All of the above mentioned computers connect to the network switch. I am trying to monitor all network traffic over the local network.

Can anyone suggest why I dont see this "internet traffic" on the monitoring computer?

What application(s) are you using to monitor the traffic?

This article looks as if might prove useful: https://www.binarytides.com/linux-co...nitor-network/

No expert here but when you turn on promiscuous mode your seeing the additional broadcast and multicast traffic but not "all" network traffic. The problem I believe is the switch can "route" traffic so that the linux computer does not see what is happening between the router and the other computer.

https://wiki.wireshark.org/CaptureSetup/Ethernet

Most network switches are not promiscuous (link about bridges (switches are a special kind of "bridge")). Occasionally, traffic will leave most ports, but most of the time they are "point-to-point", so a Linux box listening passively to all traffic on a port will typically receive:

* Broadcast frames that every node will get
* Frames destined for that Linux box

Some advanced network switches allow a "copy port" or "monitor" mode where frames from another port(s) on the switch can be sent to a particular place (such as the port that your Linux box is attached to).

If this doesn't work and you need monitoring, it may make sense to reconfigure your Linux box as the default gateway (and configure it as the router), then configure it to forward traffic to your real router on a modified network.

So if you started with a network of:
192.168.0.x with a default gateway of 192.168.0.1

You might change your Linux box to be 192.168.0.1 and then tell it to forward to 192.168.0.217 (the new IP address of the real router). This is definitely a "hack", but a cheap one that can work for some networks.

Pros:
You'll see almost all of the local net traffic
You don't have to change the networking on most of the hosts

Cons:
You have to setup a Linux router (this is usually easy, but there can occasionally be wrinkles in setting this up)
You have to make a change on the "real" router
It is not the same as a copy port (but it all depends on what you hope to capture and why you are doing it).

Hopefully this helps!

1 members found this post helpful.