
Re: how can I setup a network monitoring station



hi ya

something trivial/simple .... nothing fancy...

you can just use trafshow to see which machines are talking
to the other machines... and what kind of traffic..
( udp, tcp... ssh, dns, http, smtp.... )
	- only the highest usage users will show in the list

c ya
alvin


On Thu, 18 Apr 2002, Rory Campbell-Lange wrote:

> I wish to set up a network monitoring machine to track network traffic
> in an office of about 100 users. The main focus of attention is the
> traffic passing between our router and the network, as we recently and
> inexplicably had most of the bandwidth of our half meg leased line
> saturated by network traffic for over a day.
> 
> The router is a proprietary network appliance providing NAT/VPN and a
> firewall.
> 
> I have tested tcpdump at another smaller office where I was able to
> trace all the network traffic between the gateway and workstations all
> linked on the same small switch. However in the larger office the Bay
> 450-24T (now Nortel) managed switches we use appear to confound tcpdump
> so that only traffic between the localhost and the targeted system
> appear, even if I place a mini-hub between the tracing machine and the
> switch (which also provides the network connection to the router). 
> 
> I get a message from tcpdump saying that eth0 has entered promiscuous
> mode so I guess that the capabilities of the ethernet card aren't the
> problem.
> 
> Is the solution to use the Bay switch port mirroring feature? If this is
> the thing to do, would I need another ethernet interface to connect to
> the network normally? I would like to run arpwatch on the same machine
> (so only one machine in the office is in promiscuous mode) - is that
> feasible?
> 
> I hope to hold 3 days' tcpdump information on disk, and analyse this
> with Ethereal or some similar tool if necessary. I'm hoping not to lose
> too much of the information, so I wasn't thinking of filtering much. I'd
> be grateful for some expert advice on the suitability of this approach.
> The disk of the network monitoring machine has about 15G free.
> 
> I'm running Debian woody on i386.
> 
> [ps I posted this to the tcpdump workers list, but haven't had any
> replies, so I thought I'd try here!]
> 
> Thanks for any help
> Rory
> 
> -- 
> Rory Campbell-Lange 
> <rory@campbell-lange.net>
> <www.campbell-lange.net>
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 


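The setup Rory asks about and the "who is talking to whom" view alvin points at with trafshow, written out as an added example for this thread (it is not code from either poster). Assumptions: a second interface, eth1, is brought up without an IP address and plugged into the Bay switch's mirror port, so that management stays on eth0; captures go to /var/cap; and the tcpdump in use is new enough to support the -C/-W ring buffer (newer than the one woody shipped). The text lines fed to top_talkers are constructed to match tcpdump's -nn -q output format and stand in for a real `tcpdump -nn -q -r file`.

```shell
#!/bin/sh
# Added example for the debian-user thread; assumptions are noted in the
# lead-in. CAP_DIR and MIRROR_IF are hypothetical names chosen here.
CAP_DIR=${CAP_DIR:-/var/cap}
MIRROR_IF=${MIRROR_IF:-eth1}

# Number of rotated files of $2 MB that fit in $1 GB of free disk while
# keeping 20% headroom for the analysis tools and the rest of the system.
retention_files() {
    free_gb=$1; file_mb=$2
    echo $(( free_gb * 1024 * 80 / 100 / file_mb ))
}

# Capture command: full packets (-s 0), no address lookups (-nn), no BPF
# filter, written as a ring buffer of 100 MB files that wraps around once
# the file count is reached (-C with -W). With 15G free that is 122 files,
# about 12 GB of history; how many days that covers depends on the load.
capture_cmd() {
    n=$(retention_files 15 100)
    echo "tcpdump -i $MIRROR_IF -nn -s 0 -C 100 -W $n -w $CAP_DIR/ring.pcap"
}

# arpwatch can watch the same mirror interface, so only this host needs to
# be in promiscuous mode: arpwatch -i "$MIRROR_IF"

# Summarise tcpdump -nn -q text output (stdin) as payload bytes per
# transport and source/destination host pair, largest first. Only IPv4
# tcp and udp lines are counted; ARP, ICMP and others are skipped.
top_talkers() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        if (i > NF) next                       # not an IPv4 line
        src = $(i+1); dst = $(i+3); proto = $(i+4)
        sub(/:$/, "", dst)
        sub(/,$/, "", proto); proto = tolower(proto)
        if (proto != "tcp" && proto != "udp") next
        # -q prints "tcp N" but "UDP, length N": pick the right field
        len = (proto == "udp") ? $(i+6) : $(i+5)
        sub(/\.[^.]*$/, "", src)               # drop the port, keep the host
        sub(/\.[^.]*$/, "", dst)
        bytes[proto " " src " > " dst] += len
    }
    END { for (k in bytes) printf "%d %s\n", bytes[k], k }
    ' | sort -rn
}

# Constructed sample in tcpdump -nn -q format (not a real capture).
sample_lines() {
    cat <<'EOF'
IP 192.168.1.23.34567 > 192.168.1.1.53: UDP, length 60
IP 192.168.1.23.51234 > 10.0.0.5.80: tcp 1460
IP 192.168.1.23.51234 > 10.0.0.5.80: tcp 1460
IP 192.168.1.40.22 > 192.168.1.7.50000: tcp 200
IP 192.168.1.1.53 > 192.168.1.23.34567: UDP, length 120
ARP, Request who-has 192.168.1.9 tell 192.168.1.23, length 28
EOF
}

# Usage on a stored capture:  tcpdump -nn -q -r "$CAP_DIR/ring.pcap0" | top_talkers | head
# Offline demonstration on the constructed sample:
# sample_lines | top_talkers
```

The sort key is payload bytes rather than packet count, since a saturated leased line is found by volume; a run over a real hour-long file shows in one glance which internal host and which remote host were behind the traffic, and the tcp/udp column narrows down the kind of traffic.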