LinuxQuestions.org


MarkMcQ 11-16-2004 09:21 AM

Remote NIC monitoring with Ethereal
 
I have four network monitoring boxes, each with a passive ethernet port monitoring a different network. These networks cannot be merged.

Presently, I run a main monitoring station with KDE. This station accesses a monitor port in the following manner:

1) ssh to the remote monitor box.
2) run ethereal installed on the monitor box.

This generates a lot of spurious X traffic on the local network, and requires me to upgrade ethereal 4 times.

I would like to create a "shared" ethernet port on each monitor box to do the following:

1) Run ethereal on the main station
2) monitor the "shared" port on the remote box.

In this way, I can keep the monitor boxes lean and mean (i.e. no X Windows required, no separate ethereal, etc.), and focus any display changes and upgrades on the main monitor box.

Can this be done?

Thanks in advance...

Mark.

bignerd 11-16-2004 03:04 PM

if you want to keep things lean and mean then you do NOT want to run ethereal as your capture. Run tcpdump -w and dump to a file, something like -r dumpfile.dump.

Tcpdump is low in overhead and text based. Then when you want to interpret the output just use Ethereal on your local box (X Windows or MS Windows) by importing the remote dump file. You can set a cron job to archive dumps on the remote boxes hourly, daily or whatever floats your boat.

That's how I'd do it anyway.

-b

edit: sorry I didn't answer your question about watching all boxes at once. A suggestion would be to append all the live dumps to the same file. >> should work. And then monitor that file with ethereal. Not sure if ethereal will continually reload the file though.
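The tcpdump -w / Ethereal workflow above leaves you with libpcap dump files on the monitor boxes. As an added example (not code from this thread or from tcpdump/Ethereal), here is a small Python reader for that format that walks the records, validates each capture's global header, and counts frames by EtherType for a quick triage before a file is pulled over and opened in Ethereal. It also copes with a file built by appending several dumps with >>, where each appended dump brings its own global header; the sample bytes are constructed inline and are hypothetical.

```python
import struct
from collections import Counter

# Constructed sample: two tiny libpcap captures appended as with `>>`, each
# carrying its own 24-byte global header. Hypothetical data, not from the thread.
def _pcap(records, little=True):
    e = "<" if little else ">"
    hdr = struct.pack(e + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b""
    for ts, frame in records:
        body += struct.pack(e + "IIII", ts, 0, len(frame), len(frame)) + frame
    return hdr + body

def _eth(ethertype):
    # 14-byte Ethernet header (dst, src, type) plus a few payload bytes
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack(">H", ethertype) + b"\x00" * 4

SAMPLE = _pcap([(1100600000, _eth(0x0800)), (1100600001, _eth(0x0806))]) + \
         _pcap([(1100600002, _eth(0x0800))], little=False)

def parse_pcap(data):
    """Yield (ts_sec, frame) for every record. A global header is re-read whenever
    a pcap magic number appears at a record boundary, so appended dumps parse too
    (a real ts_sec equal to the magic would be decades in the future)."""
    off, end, e = 0, len(data), None
    while off + 16 <= end:
        magic = data[off:off + 4]
        if magic in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
            if off + 24 > end:
                raise ValueError("truncated global header at offset %d" % off)
            e = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
            link = struct.unpack(e + "I", data[off + 20:off + 24])[0]
            if link != 1:
                raise ValueError("not an Ethernet capture: linktype %d" % link)
            off += 24
            continue
        if e is None:
            raise ValueError("missing pcap global header")
        ts, _usec, incl, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        if off + incl > end:
            raise ValueError("truncated record at offset %d" % off)
        yield ts, data[off:off + incl]
        off += incl

def ethertype_counts(data):
    """Count frames per EtherType; frames shorter than an Ethernet header are skipped."""
    counts = Counter()
    for _ts, frame in parse_pcap(data):
        if len(frame) >= 14:
            counts[struct.unpack(">H", frame[12:14])[0]] += 1
    return dict(counts)
```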

MarkMcQ 11-16-2004 04:09 PM

Thanks for the reply.

What I am looking for, though, is something that would allow me to capture from a port remotely, I think. In that way, I would not have to run either ethereal or tcpdump on the monitor boxes (PII 350s, so every CPU cycle is important).

I have thought of an approach similar to what you are suggesting, and it would add a historical functionality, but Ethereal does allow more interactive trace capabilities, and that is what my users require.

I found rpcap on Sourceforge, which purports to allow one host to capture from another host's port, but it seems to have been in alpha since October 2002. I don't really want to risk that...

I have investigated tunneling, but that seems to require an IP address on the passive port, and I want to keep the port truly passive (absolutely NO TX data).

Any ideas?

Thanks,

Mark.

