
Re: Traffic monitoring



Nils (debian@fnen.eu.org):

> How do you monitor what network traffic you have and how much? I want to
> be able to see the origin and destination, type and volume.

If you are using kernel 2.4, you can use ulogd.
If not, there is net-acct. net-acct might appear broken in debian stable,
you may need the patch from http://exorsus.net/projects/net-acct/lockpatch.txt
http://www.nadev.net/thomas/projects/nacctstats/ has a script for
generating "nice" output.
I am using net-acct, perl and PostgreSQL for monitoring about 200 hosts
and about 50 gigabytes of traffic per day. The router is a Pentium-133
(32 MB RAM), the database runs on a PentiumIII-833 (512MB RAM, but there
is a squid cache sitting on the same box). Every morning, the collected
data gets copied to the database machine, where it is processed by a small
(about 4kb, including report generation) perl script. The results are
some tables showing network usage per host and per port (incoming and
outgoing traffic separated).
My scripting is somewhat ugly, but perhaps it could be adapted with
little effort. Scripts and some config available on request. There is
currently no documentation as the whole thing was intended as a dirty
hack and not a full blown solution.

> Preferably, I would like to have information like:
> ------------------------------------------------
> Date xx/xx/xx
> Workstation A (xxx.xxx.xxx.xxx) (95 MB)
>    SMB.....35 MB
>    HTTP....40 MB
>    RSYNC...10 MB
>    FTP......5 MB
>    SSH...

Generating such output would be a little more CPU intensive.
Beware the amount of data you will generate. Expect several megabytes
summary(!) per day. net-acct samples are about 30 megabytes a day in my
setup.

> If I also could see what files being sent (names and sizes), it would be
> fantastic. Is it possible with SMB? (What about FTP, HTTP, RSYNC...)

That requires that the accounting tools know about all these protocols.
Some sniffers are able to decode most protocols, but they seldom do
accounting.

> Of course I can't see what files get encapsulated in a SSH tunnel, but, I
> still want to know the volume and origin. Of course they can use different
> ports... This is not a police action I want to conduct, I just want a
> really strong position when complaints come from different directions.
> Those who pay say the cost is too high and those who use it say the
> connection is too slow. What the users don't realize is that if the costs
> aren't manageable, the ISP-connection will be cut off. They just blame each
> other for the volume sent/received. I'm just about fed up with it!!!

Just show them the statistics. Or publish the daily Top 50... Be
careful with the privacy of your users. Do not publish anything other
than bytes per workstation. Perhaps it might be better to keep the
statistics for yourself and talk to the biggest offenders directly.
That depends on your environment.

Regards,
cmt

-- 
Spare Space
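The reduction step cmt describes (accounting records copied off the router, then summed into per-host, per-port tables with incoming and outgoing traffic separated, plus the "bytes per workstation only" view he recommends for publishing) as an added Python example; it is not the perl script from the thread. The record layout, the LAN prefix and the port-to-service map are constructed assumptions for this example and are not net-acct's real output format.

```python
"""Per-host, per-service traffic report from constructed accounting records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.0/24")    # assumption: the workstation LAN
SERVICE_PORTS = {445: "SMB", 139: "SMB", 80: "HTTP", 873: "RSYNC",
                 21: "FTP", 22: "SSH"}       # well-known ports to label

# Constructed records (NOT net-acct's real format): ts proto src sport dst dport bytes
SAMPLE = """\
1018000000 tcp 192.168.1.10 34512 10.0.0.5 80 40000000
1018000010 tcp 10.0.0.5 80 192.168.1.10 34512 2000000
1018000020 tcp 192.168.1.10 34600 10.0.0.7 445 35000000
1018000030 tcp 192.168.1.11 40000 10.0.0.9 873 10000000
1018000040 udp 192.168.1.11 5353 10.0.0.9 9999 4000
1018000050 tcp 10.0.0.5 80 10.0.0.6 5555 99999
"""

def total(d):
    return d["in"] + d["out"]

def aggregate(lines):
    """Return {host: {service: {"in": bytes, "out": bytes}}} for local hosts."""
    stats = defaultdict(lambda: defaultdict(lambda: {"in": 0, "out": 0}))
    for line in lines:
        _ts, _proto, src, sport, dst, dport, nbytes = line.split()
        src, dst = ip_address(src), ip_address(dst)
        if src in LOCAL_NET:        # local host sent the data
            host, direction, remote_port, local_port = src, "out", dport, sport
        elif dst in LOCAL_NET:      # local host received it
            host, direction, remote_port, local_port = dst, "in", sport, dport
        else:
            continue                # transit traffic, not a workstation
        # Service port is usually the remote one (client traffic); local port otherwise.
        service = SERVICE_PORTS.get(int(remote_port),
                                    SERVICE_PORTS.get(int(local_port), "OTHER"))
        stats[str(host)][service][direction] += int(nbytes)
    return stats

def render_report(stats, date):  # detailed layout from the question; keep it private
    out = [f"Date {date}"]
    for host in sorted(stats, key=ip_address):
        svcs = stats[host]
        out.append(f"Workstation {host} ({sum(map(total, svcs.values())) / 1e6:.0f} MB)")
        for svc, d in sorted(svcs.items(), key=lambda kv: -total(kv[1])):
            out.append(f"   {svc:.<8}{total(d) / 1e6:.0f} MB (in {d['in'] / 1e6:.1f} / out {d['out'] / 1e6:.1f})")
    return "\n".join(out)

def public_summary(stats):  # bytes per workstation only: the view safe to publish
    return {h: sum(map(total, s.values())) for h, s in stats.items()}
```

Feeding a day's worth of real records through `aggregate` will produce the multi-megabyte summaries the reply warns about, so the detailed tables belong in the database, not on a web page.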
