LinuxQuestions.org
Old 10-23-2015, 12:34 PM   #1
GioBonvi
Member
 
Registered: Feb 2015
Location: Trento, Italy
Distribution: Ubuntu 15.04, Linux Mint 17.2
Posts: 36

Rep: Reputation: Disabled
Server monitor Internet traffic


Hey there! I'm working again on my server at home and I came up with the idea of adding a network usage manager service to it.
I have the server (Ubuntu 14.04.3 LTS) running on a laptop which is connected via Ethernet to the router with a static IP.
I'd like the server to monitor all the packets in the network, displaying some information to the user.

I've done some research and found some software, but some refused to install properly (bandwidthd for example) and some others did not meet my requirements.

I'd like the service to:
  • exclude internal traffic (e.g: from my PC to my NAS)
  • output usage since a date
  • output the usage per day and the usage per client

Where the first and the second are really required, the third is somehow optional.

In the event such a program is hard to find or doesn't even exist: is there a program I can use simply to monitor all the packets, and then, using something like filters, count only the needed packets and serve the information through Apache to the LAN? This would let me build a fully personal network monitor...

Thank you in advance
 
Old 10-24-2015, 05:53 AM   #2
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002
Have a look at iptraf.
 
Old 10-25-2015, 09:44 AM   #3
wroom
Member
 
Registered: Dec 2009
Location: Sweden
Posts: 159

Rep: Reputation: 31
Yes, the applications 'iptraf' (or 'iptraf-ng') and wireshark are good applications for network monitoring. There are many more. But 'iptraf' is a simple to set up/use network monitor.

If you want to monitor all the traffic going to the internet through the router, you should do one of the following:

Either put the monitor node in between the router and modem or other connection to the internet.
Or (if the router supports it), set up a port on the router as a monitoring port, and connect the laptop (monitoring node) directly to that port with one dedicated NIC. Then you can select in the router what traffic to copy to the monitoring port, where you have connected your laptop as a "lan station monitor". (Easy setup with 'iptraf').

If you put the monitor node in between the router and modem or other connection to the internet, you should probably put all this behind a firewall somehow. One solution is to have the laptop running the firewall, and have all the monitoring in that. One NIC to the internet, and one NIC serving "first stage firewalled internet", aka DMZ, to the router, which in turn connects to your private network (maybe having a "second stage firewall" to further protect the private network).

So, either put the monitor "in the chain", or use a router that supports setting up a dedicated monitoring port, having the network monitor separated from everything else.

A more elaborate setup of a dedicated network monitor is to use something like 'tcpdump' or 'tshark' to record all traffic. And possibly put the traffic dumps on tape using a tape robot. It all depends on the level of paranoia.
 
Old 10-25-2015, 02:15 PM   #4
GioBonvi
Member
 
Registered: Feb 2015
Location: Trento, Italy
Distribution: Ubuntu 15.04, Linux Mint 17.2
Posts: 36

Original Poster
Rep: Reputation: Disabled
Thank you for your answers!
I checked and my monitor doesn't support anything like "monitor port"; furthermore, my laptop doesn't have two NICs.

My idea is: connect the server to the router, monitor all the packets, filter out unwanted packets and save results so that they can be used by an Apache site. If this can be accomplished then great, if not: no problem. It's not life or death

I will have a look at iptraf, wireshark and tcpdump.
 
Old 10-26-2015, 09:17 PM   #5
wroom
Member
 
Registered: Dec 2009
Location: Sweden
Posts: 159

Rep: Reputation: 31
Quote:
Originally Posted by GioBonvi
...I checked and my monitor doesn't support anything like "monitor port" furthermore my laptop doesn't have two NICs

My idea is: connect the server to the router, monitor all the packets, ...
If the laptop is the only equipment communicating to the internet through the router:

Then you are good with 'iptraf' or 'wireshark'. You can filter out the localnet packets in 'wireshark'.

-

If there is other equipment than your laptop communicating to the internet through the router (how can you be sure?):

Only one thing you can do then. Set everything to route to a gateway using a default route. The gateway being your monitoring laptop. Then set up the laptop to route all outgoing traffic out on the internet port, and set the internet port to route all incoming traffic to your laptop.
We don't know how your router is connected to the internet, so we really don't know how to isolate the internet (WAN) traffic to go only through the laptop.
And you will miss lots of traffic with such a monitor setup. It is simply not safe.
But maybe you only want to monitor certain TCP/HTTP traffic?

-

Port isolation:
A router or switch with traffic between port A and port B will not show the A/B traffic on port C.
If you have your monitoring laptop on port C, then A and B can talk all day without you seeing it, except for some broadcast packets.
Unless you can set up a monitoring port in the router, to snoop the WAN traffic. Or at least get some of the traffic by setting the laptop on C as default gateway for all traffic going through the router. Anyway, the router will then become a HUB, and its total bandwidth will be limited to the laptop's port speed.
Could be half decent for a very small home network. But maybe not so good for the NAS bandwidth?

-

Basically, you will need a dedicated computer with two NICs. One for the LAN (local network), and one for the WAN (internet connection), preferably with a good Linux firewall on it. Both to be safe, and to be able to monitor all the traffic towards the internet.


Historical: Once upon a time we all had 10 Mbit/s coaxial ethernet, and all computers hung on the same cable. Then it was easy to set up a 'lan station monitor', since anybody could go promiscuous (that is, the NICs), and listen in on all traffic on that cable. Nowadays, with routers and switches isolating traffic, it just isn't that simple anymore.

-

And here's an excellent link on the topic, that I have "sniffed up":
http://www.noah.org/wiki/Packet_sniffing
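
Editor's added example (not part of any post in this thread): one way to get the per-day, per-client, "since a date" totals asked for in post #1 from a capture made with the 'tshark' mentioned in post #3, dropping LAN-internal traffic. The LAN subnet 192.168.1.0/24, the interface name eth0, the function name `usage` and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import date, datetime, timezone

# Assumption: the home LAN is 192.168.1.0/24; change to match your network.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample, tab-separated, in the shape printed by:
#   tshark -i eth0 -T fields -e frame.time_epoch -e ip.src -e ip.dst -e frame.len
SAMPLE = """\
1445560000.0\t192.168.1.10\t198.51.100.7\t1500
1445650000.0\t192.168.1.10\t198.51.100.7\t1000
1445650001.0\t198.51.100.7\t192.168.1.10\t4000
1445650002.0\t192.168.1.10\t192.168.1.20\t9000
1445650003.0\t192.168.1.20\t203.0.113.9\t500
1445650004.0\t192.168.1.10\t224.0.0.251\t120
1445650005.0\t\t\t60
1445740000.0\t203.0.113.9\t192.168.1.20\t700
"""

def usage(lines, since, lan=LAN):
    """Return {day: {client_ip: bytes}} for LAN<->outside traffic from `since` on."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue
        try:
            ts, size = float(parts[0]), int(parts[3])
            src, dst = (ipaddress.ip_address(p) for p in parts[1:3])
        except ValueError:
            continue  # ARP/IPv6 frames leave ip.src/ip.dst empty; skip them
        src_in, dst_in = src in lan, dst in lan
        if src_in == dst_in:
            continue  # internal only (PC to NAS), or no LAN client involved
        client, remote = (src, dst) if src_in else (dst, src)
        if remote.is_multicast or remote.is_reserved:
            continue  # mDNS, limited broadcast: never leaves the LAN
        day = datetime.fromtimestamp(ts, tz=timezone.utc).date()  # UTC days
        if day >= since:
            totals[day][str(client)] += size
    return {day: dict(clients) for day, clients in totals.items()}

if __name__ == "__main__":
    for day, clients in sorted(usage(SAMPLE.splitlines(), date(2015, 10, 24)).items()):
        print(day, clients)
```

The totals only cover frames that actually reach the capturing NIC, so on a switched network they are subject to the port-isolation limits described in post #5.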
 
  


All times are GMT -5.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration