* Monitoring problems...
From: Mark Webb @ 2003-10-29 22:52 UTC (permalink / raw)
  To: netfilter


I was asked by the powers that be to set up some monitoring of our workplace's internet traffic. Basically a breakdown of the volume used and what protocol is using it, i.e. 20% mail, 30% web, 10% ftp, etc.
I have installed an RH9 box and connected it to a hub that also has the internal interface of our router and the connection to our internal network. By my understanding this is the spot to "sniff" all traffic entering or leaving the internal network.

On the box I have iptables running using the following:

iptables -A INPUT -j LOG --log-level 7 --log-prefix '[MONITOR]'

I have also altered the syslog to send kern.* to a new log file.


Now all this seems to be working (sort of). If I compare the log to a tcpdump output, the log is only capturing about 5%. On looking closer, the log is only filing local and broadcast traffic. It is not recording any traffic from other hosts out. Perhaps I am using the wrong tool for the job or am just missing a step, something easy. Any help is greatly appreciated.

Oh, I also tried setting the interface on the RH box to promiscuous mode via: ifconfig eth0 promisc
This seemed to increase the amount of traffic logged, but it makes all traffic appear to be for the local machine.


Thanks in advance. 


* Re: Monitoring problems...
From: Vincent Haverlant @ 2003-10-31 10:19 UTC (permalink / raw)
  To: Mark Webb; +Cc: netfilter

"Mark Webb" <webb@mmspl.com.au> writes:

> I was asked by the powers that be to set up some monitoring of our
> workplace's internet traffic. Basically a breakdown of the volume used
> and what protocol is using it, i.e. 20% mail, 30% web, 10% ftp, etc.

Hi Mark,

You might want to have a look at ntop (http://www.ntop.org/) which looks
like it does exactly what you want.

Vincent.
-- 
   .~.     Vincent Haverlant  -- Galadril -- #ICQ: 35695155   
   /V\      http://www.haverlant.org/
  /( )\      Parinux (http://www.parinux.org/)
  ^^-^^       MUD -- FranDUMII (http://perso.enst.fr/~frandum/)



* Re: Monitoring problems...
From: Chris Brenton @ 2003-10-31 10:27 UTC (permalink / raw)
  To: Mark Webb; +Cc: netfilter

On Wed, 2003-10-29 at 17:52, Mark Webb wrote:
>
> I was asked by the powers that be to set up some monitoring of our
> workplaces internet traffic. Basically a breakdown of the volume used
> and what protocol is using it.  i.e. 20% mail, 30% web, 10% ftp,
> etc....

I would use ntop for this. It's specifically designed for this type of
activity and creates pretty pie charts with lots of colors. ;-)

http://www.ntop.org/

> On the box I have iptables running using the following:
> 
> iptables -A INPUT -j LOG --log-level 7 --log-prefix '[MONITOR]'
>
> Now all this seems to be working (sort of).   If I compare the log to
> a tcpdump output the log is only capturing about 5%.

Try:
iptables -A FORWARD -j LOG --log-level 7 --log-prefix '[MONITOR]'

but as I said, I would use ntop.

HTH,
C
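The breakdown Mark is after (share of bytes per service) can be pulled straight out of the lines the LOG target writes to syslog. This is an added example, not code from anyone in the thread; it assumes the standard key=value fields of the netfilter LOG target (IN=, SRC=, DST=, LEN=, PROTO=, SPT=, DPT=), the '[MONITOR]' prefix from the rule above, and a constructed port-to-service map and sample log lines.

```python
"""Summarise netfilter LOG lines into a per-service byte breakdown.
Added example; the service map and sample lines below are constructed."""
import re
from collections import defaultdict

# Constructed port-to-service map (assumption); extend as needed.
SERVICES = {25: "mail", 110: "mail", 143: "mail", 80: "web", 443: "web",
            20: "ftp", 21: "ftp", 53: "dns"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # one KEY=value token of a LOG line

def parse_log_line(line):
    """Return the key=value fields after the [MONITOR] prefix, or None."""
    if "[MONITOR]" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("[MONITOR]", 1)[1]))

def classify(fields):
    """Name the service by the lower of the two ports (usually the server side)."""
    proto = fields.get("PROTO", "")
    if proto not in ("TCP", "UDP"):
        return proto.lower() or "other"   # ICMP and friends carry no ports
    ports = [int(fields[k]) for k in ("SPT", "DPT") if fields.get(k, "").isdigit()]
    for port in sorted(ports):
        if port in SERVICES:
            return SERVICES[port]
    return "other"

def breakdown(lines):
    """Return {service: percent of logged bytes}; LEN= is the IP packet length."""
    totals = defaultdict(int)
    for line in lines:
        fields = parse_log_line(line)
        if fields and fields.get("LEN", "").isdigit():
            totals[classify(fields)] += int(fields["LEN"])
    grand = sum(totals.values())
    return {svc: 100.0 * n / grand for svc, n in totals.items()} if grand else {}

SAMPLE = [  # constructed sample lines in the LOG target's format
    "Oct 29 22:52:01 mon kernel: [MONITOR]IN=eth0 OUT= SRC=192.168.1.10 DST=10.0.0.5 LEN=600 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0",
    "Oct 29 22:52:02 mon kernel: [MONITOR]IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=300 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=25 DPT=40000 WINDOW=5840 RES=0x00 ACK URGP=0",
    "Oct 29 22:52:03 mon kernel: [MONITOR]IN=eth0 OUT= SRC=192.168.1.11 DST=10.0.0.9 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1",
    "Oct 29 22:52:04 mon kernel: unrelated syslog line without the prefix",
]

if __name__ == "__main__":
    for svc, pct in sorted(breakdown(SAMPLE).items()):
        print(f"{svc:6s} {pct:5.1f}%")
```

Note that a LOG rule only counts packets the chain actually processes, so on a passive box on a hub the totals cover only what reaches INPUT or FORWARD, which is the 5% gap Mark observed against tcpdump.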

* Re: Monitoring problems...
From: Alistair Tonner @ 2003-10-31 12:37 UTC (permalink / raw)
  To: Vincent Haverlant, Mark Webb; +Cc: netfilter

On October 31, 2003 05:19 am, Vincent Haverlant wrote:
> "Mark Webb" <webb@mmspl.com.au> writes:
> > I was asked by the powers that be to set up some monitoring of our
> > workplace's internet traffic. Basically a breakdown of the volume used
> > and what protocol is using it, i.e. 20% mail, 30% web, 10% ftp, etc.
>
> Hi Mark,
>
> You might want to have a look at ntop (http://www.ntop.org/) which looks
> like it does exactly what you want.
>
> Vincent.

Mark:
Essentially what is happening is that although you are on a hub and can
technically see all the traffic for the pipe you are attached to, the box
does not see all that traffic as being destined for your box, and thus is
ignoring packets NOT a) addressed to the box itself or b) addressed to
broadcast.

Don't know about ntop myself, but it seems to have a number of fans on this
list (Hey... look, there's one now... it's Vincent).

*shrugs* ... there are those that swear by other tools too... and difficult
as ethereal is... with careful configuration and a few good scripts...

-- 

Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS

Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!