
Re: Traffic monitoring



On Fri, Mar 14, 2003 at 08:03:17PM +0100, Nils wrote:

>We have two computer labs, with its respective ISP-connections, both with
>volume based rates. These two sites are also connected to each other
>through a VPN. The volume between the two sites should really be marginal.
>Due to what we get charged by the ISP, we suspect a lot of non-sanctioned
>material (mp3..) being transported over smb. I would like to at least be
>able to monitor the volume from respective computer going through the
>firewall (and the VPN).

Here is a quick and dirty method.  I wanted to see what ICMP types were
being used so I created a rule on my firewall for each type. The rule just
returns, but the statistics (iptables -vnL) reveal the frequency of
each type:

# Not sure about these, start logging them...
# find them in stats...
iptables -N icmpwach
for n in `seq 0 255`; do echo -n "."
    iptables -I icmpwach -p icmp --icmp-type $n -j RETURN
done ; echo
iptables -I INPUT -j icmpwach
iptables -I FORWARD -j icmpwach
i="iptables -I INPUT -p icmp"

You might modify the loop to generate a return rule for each IP:
    iptables -I bandwatch -s $n -p all -j RETURN
    iptables -I bandwatch -d $n -p all -j RETURN

Then you could look at the iptable stats and see which ip is using the
gateway.  This might be more politically desirable than knowing the IP
and the port ;)

On the other hand you could come up with some ports and port ranges to
monitor too.

There are tons of software to calculate and make presentations of this
kind of info.

http://ipaudit.sourceforge.net/ipaudit-web/
Would you like to summarize and/or log network activity down to the ip
address and port level of detail, but not record every packet?

http://freshmeat.net/projects/traffacct/
www.hughes.com.au/products/traffacct/ 
TraffAcct is a network traffic accounting package designed
to simplify the process of tracking and billing network usage.

http://bubba.sourceforge.net/
Bandwidth Utilization Billing and Basic Accounting

http://netacct-mysql.sourceforge.net/
bandwidth utilization, accounting
Netacct-mySQL is a monitor which can log traffic generated by a specific network
(incoming/outgoing). In fact it works like a sniffer, puts the network
interface in PROMISC mode and collects traffic.

http://torus.lnet.lut.fi/vnstat/
vnStat is a network traffic monitor for Linux that keeps a log of daily
network traffic for the selected interface.

http://ifmonitor.preteritoimperfeito.com/
ifmonitor is a simple network interface traffic logger and grapher for linux.

gkrellm
mrtg

The list goes on, let us know what you come up with.

// George


-- 
GEORGE GEORGALIS, System Admin/Architect    cell: 347-451-8229 
Security Services, Web, Mail,            mailto:george@galis.org 
Multimedia, DB, DNS and Metrics.       http://www.galis.org/george 
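
The per-IP variant suggested in the message above, as an added example that is not part of the original post: it prints the rules for a "bandwatch" chain and totals bytes per host from the output of `iptables -vnxL bandwatch`. The function names, host addresses and counter values are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-host byte accounting with the "bandwatch" chain.
# Function names, addresses and counters are constructed, not from the post.

# Print (do not run) the commands that build the chain; pipe to sh as root.
# RETURN ends traversal of the chain, so a packet between two watched hosts
# is counted only by the first rule it matches.
bandwatch_rules() {
    echo "iptables -N bandwatch"
    for ip in "$@"; do
        echo "iptables -I bandwatch -s $ip -p all -j RETURN"
        echo "iptables -I bandwatch -d $ip -p all -j RETURN"
    done
    echo "iptables -I FORWARD -j bandwatch"
}

# Constructed sample of "iptables -vnxL bandwatch" (-x prints exact bytes).
sample_stats() {
cat <<'EOF'
Chain bandwatch (1 references)
    pkts      bytes target     prot opt in     out     source               destination
    5200  734003200 RETURN     all  --  *      *       192.168.1.10         0.0.0.0/0
    4100   52428800 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.10
      90      12000 RETURN     all  --  *      *       192.168.1.11         0.0.0.0/0
     120     480000 RETURN     all  --  *      *       0.0.0.0/0            192.168.1.11
EOF
}

# Read the listing on stdin and print "ip sent recv total", largest first.
# Source and destination are the last two columns of each rule line.
bandwatch_report() {
    awk '
        BEGIN { any = "0.0.0.0/0" }
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            src = $(NF-1); dst = $NF
            if (dst == any && src != any) { sent[src] += $2; seen[src] = 1 }
            else if (src == any && dst != any) { recv[dst] += $2; seen[dst] = 1 }
        }
        END {
            # %.0f because byte counters can exceed 32 bits
            for (ip in seen)
                printf "%s %.0f %.0f %.0f\n", ip, sent[ip], recv[ip], sent[ip] + recv[ip]
        }' | sort -k4,4nr
}

# On a live firewall: iptables -vnxL bandwatch | bandwatch_report
sample_stats | bandwatch_report
```
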


