traffic monitoring

Brent Bice bbice at sgi.com
Thu Aug 7 13:33:47 CDT 2008


ammad shah wrote:
> How do I find the workstation on the LAN uploading/downloading from the 
> Internet in real time using "iptraf" or some other software? All traffic is 
> passing through Linux (squid and iptables masquerade).

    There's a tool called etherape that is similar to the old 
Solaris-only etherman/interman tools. It shows you a graphical map of 
the traffic it sees and can give you an idea of what different systems 
are transmitting/receiving.  You'd run this on the linux firewall 
through which all your traffic is passing.

    If your linux gateway is headless or if you don't have all the 
requisite graphics libraries to run it remotely via ssh/X11 tunneling, 
then you can run tcpdump -w /tmp/something.pcap -s 0 -i eth0   (or 
whatever interface you want it to monitor), let it run for a few 
minutes, then kill it with Ctrl-C and copy the /tmp/something.pcap file 
over to a machine where you do have etherape installed. Then you can 
tell etherape to read that file and replay it and get a graphical view 
of that traffic.

    This is ok in the short-term.  In the long-term, what you probably 
ought to do is set up a monitoring system (perhaps this is a good 
opportunity to set up a network intrusion detection system like snort) 
and then set up a SPAN port in your switch. That way you can have your 
monitoring system see all the traffic to/from your firewall's inside 
interface or perhaps all the traffic to/from a specific VLAN.  Even 
better, have your monitoring system have several different interfaces 
jacked into different SPAN ports and then your monitoring system can 
watch multiple things.

    For instance, at my last job, I used to monitor all traffic hitting 
the outside of the firewall interface (so I could see trends and watch 
what ports were being hit the most this week), all the traffic on the 
inside interface of the firewall (I ran a snort NIDS sensor here to look 
at what got inside the firewall and what was going out), and another 
interface watching ALL traffic to any port in the DMZ lan segment (so I 
could watch both for people trying to compromise a machine or for 
possible malicious traffic between machines in the DMZ segment). The 
nice thing about this was that at a moment's notice I could also run 
etherape or tcpdump on any of these SPANned interfaces and see just what 
was going on in my networks.

    'Hope this helps...

Brent
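The short-term procedure above (capture with `tcpdump -w ... -s 0` on the gateway, then look at the file elsewhere) can also be reduced to a per-workstation byte count without etherape. The following is an added example, not code from the original post or from either tool; it parses a classic libpcap file with nothing but the Python standard library and reports, per LAN host, how many bytes crossed the gateway in each direction. The LAN prefix `192.168.1.0/24`, the interface names and the sample capture are assumptions: the sample pcap is constructed in `build_sample_pcap()`, it is not a real trace. One caveat that matters for a squid/masquerade box: take the capture on the *inside* interface. On the outside interface every proxied or NATed flow carries the gateway's own address, so nothing can be attributed to a workstation there.

```python
"""Per-workstation upload/download bytes from a tcpdump pcap (added example).

Reads a classic libpcap file as written by e.g.
    tcpdump -w /tmp/inside.pcap -s 0 -i eth1      # eth1 = assumed inside interface
and attributes bytes to LAN hosts. Standard library only; no tcpdump needed to parse.
"""
import ipaddress
import struct
import sys

ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1


def iter_packets(data):
    """Yield (orig_len, captured_frame) for each record in a pcap byte string."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):   # usec / nsec, little-endian writer
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # same, big-endian writer
        endian = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    if struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # last record cut short, e.g. tcpdump killed mid-write
        off += incl_len
        yield orig_len, frame


def ipv4_endpoints(frame):
    """Return (src, dst) of an IPv4-over-Ethernet frame, or None for anything else (ARP, IPv6...)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    return ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20])


def summarize(data, lan_cidr):
    """Bytes each LAN host sent to ("up") and received from ("down") outside lan_cidr.

    Flows with both ends inside the LAN are skipped; only traffic crossing the gateway
    counts. orig_len (wire length) is used, so a capture taken with a small snaplen
    still reports real sizes rather than the truncated bytes on disk.
    """
    lan = ipaddress.IPv4Network(lan_cidr)
    totals = {}
    for orig_len, frame in iter_packets(data):
        ends = ipv4_endpoints(frame)
        if ends is None:
            continue
        src, dst = ends
        if (src in lan) == (dst in lan):
            continue
        host, key = (src, "up") if src in lan else (dst, "down")
        totals.setdefault(str(host), {"up": 0, "down": 0})[key] += orig_len
    return totals


def top_talkers(totals, n=5):
    """LAN hosts ordered by total bytes crossing the gateway, busiest first."""
    return sorted(totals.items(), key=lambda kv: kv[1]["up"] + kv[1]["down"], reverse=True)[:n]


# ---- constructed sample capture (not a real trace) -------------------------------
def _ipv4_frame(src, dst, payload_len, proto=6):
    """Ethernet + IPv4 header + zero payload; IP checksum left 0, sample data only."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + b"\x00" * payload_len


def _record(frame, snaplen=None):
    captured = frame if snaplen is None else frame[:snaplen]
    return struct.pack("<IIII", 1218137627, 0, len(captured), len(frame)) + captured


def build_sample_pcap():
    """Little-endian pcap: three LAN hosts, one LAN-internal flow, one ARP frame, one short record."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    arp = b"\xff" * 6 + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0806) + b"\x00" * 28
    return header + b"".join([
        _record(_ipv4_frame("192.168.1.10", "93.184.216.34", 1400)),            # upload, 1434 B
        _record(_ipv4_frame("93.184.216.34", "192.168.1.10", 100)),             # download, 134 B
        _record(_ipv4_frame("192.168.1.20", "8.8.8.8", 40, proto=17)),          # upload, 74 B
        _record(_ipv4_frame("192.168.1.10", "192.168.1.20", 500)),              # LAN-internal, ignored
        _record(arp),                                                            # non-IP, ignored
        _record(_ipv4_frame("8.8.8.8", "192.168.1.20", 300, proto=17)),         # download, 334 B
        _record(_ipv4_frame("192.168.1.30", "93.184.216.34", 1480), snaplen=96),  # 1514 B on wire, 96 captured
    ])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for host, t in top_talkers(summarize(data, "192.168.1.0/24")):
        print(f"{host:<16} up {t['up']:>10} B   down {t['down']:>10} B")
```

Run it as `python3 talkers.py /tmp/inside.pcap` on the copied capture, or with no argument to see the constructed sample. Because it keys on the IP header only, it works for any protocol and ignores the snaplen; if the capture was taken with the default snaplen instead of `-s 0`, the byte totals are still correct, but anything that inspects payload (etherape's protocol breakdown, snort) would not be.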



More information about the Linux-PowerEdge mailing list