
Re: how can I setup a network monitoring station



Hello,
Just read your message today... First of all I have no idea how to fix your problem, but... the reason you are getting only the traffic between the target box and switch is because the switch is only supposed to forward traffic for that machine. The switch is doing its job, remember it's a switch and not a hub. What you need to do is possibly run a trafshow using a machine on the port coming "out" of the switch or get the switch to give you stats on what it is doing for which machine. If that is possible you alone can determine...
Anyways hope that helps
Bill

Rory Campbell-Lange wrote:

I wish to set up a network monitoring machine to track network traffic
in an office of about 100 users. The main focus of attention is the
traffic passing between our router and the network, as we recently and
inexplicably had most of the bandwidth of our half meg leased line
saturated by network traffic for over a day.

The router is a proprietary network appliance providing NAT/VPN and a
firewall.

I have tested tcpdump at another smaller office where I was able to
trace all the network traffic between the gateway and workstations all
linked on the same small switch. However in the larger office the Bay
450-24T (now Nortel) managed switches we use appear to confound tcpdump
so that only traffic between the localhost and the targeted system
appear, even if I place a mini-hub between the tracing machine and the
switch (which also provides the network connection to the router).
I get a message from tcpdump saying that eth0 has entered promiscuous
mode so I guess that the capabilities of the ethernet card aren't the
problem.

Is the solution to use the Bay switch port mirroring feature? If this is
the thing to do, would I need another ethernet interface to connect to
the network normally? I would like to run arpwatch on the same machine
(so only one machine in the office is in promiscuous mode) - is that
feasible?

I hope to hold 3 days' tcpdump information on disk, and analyse this
with Ethereal or some similar tool if necessary. I'm hoping not to lose
too much of the information, so I wasn't thinking of filtering much. I'd
be grateful for some expert advice on the suitability of this approach.
The disk of the network monitoring machine has about 15G free.

I'm running Debian woody on i386.

[ps I posted this to the tcpdump workers list, but haven't had any
replies, so I thought I'd try here!]

Thanks for any help
Rory

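The setup Rory asks about (a mirror port on the Bay switch, a second interface for normal connectivity, three days of unfiltered capture in 15G of disk, arpwatch on the same box) can be laid out as a small script. This is an added example, not code from either poster; it assumes eth0 is the interface on the mirrored port with no IP address, eth1 is the host's normal interface, and a tcpdump that supports -C (rotate by file size) and -W (bounded ring of files), which an older build may lack.

```shell
#!/bin/sh
# Added example (not from the thread): a capture setup for a dedicated
# monitoring host hanging off a mirrored switch port. Assumptions:
# eth0 is plugged into the mirror port and carries no IP address; eth1
# is the host's normal interface; tcpdump supports -C and -W.
set -e

CAP_IF=eth0          # mirror-port interface, promiscuous, no IP
CAP_DIR=/var/cap     # capture volume
FREE_MB=15000        # free space on that volume (the post: ~15G)
RETAIN_DAYS=3        # how many days of traffic to keep
FILE_MB=500          # size of each ring-buffer file

# Daily budget in MB after keeping 10% of the disk as headroom, so a
# full ring never fills the volume and kills the capture.
budget_mb_per_day() {
    free=$1; days=$2
    echo $(( free * 9 / 10 / days ))
}

# Number of ring files needed to hold RETAIN_DAYS at FILE_MB each.
ring_files() {
    days=$1; per_day=$2; file_mb=$3
    echo $(( days * per_day / file_mb ))
}

# Unfiltered full-packet capture (-s 0) on the mirror interface, no
# name lookups (-n) so the sniffer itself never generates DNS traffic,
# rotating through a bounded ring so the oldest day is overwritten.
tcpdump_cmd() {
    iface=$1; dir=$2; file_mb=$3; files=$4
    echo "tcpdump -i $iface -n -s 0 -w $dir/cap -C $file_mb -W $files"
}

if [ "${1:-}" = "start" ]; then
    per_day=$(budget_mb_per_day "$FREE_MB" "$RETAIN_DAYS")
    files=$(ring_files "$RETAIN_DAYS" "$per_day" "$FILE_MB")
    mkdir -p "$CAP_DIR"
    # Bring the capture interface up with no address so it cannot be
    # reached from the network; management traffic stays on eth1.
    ifconfig "$CAP_IF" 0.0.0.0 promisc up
    # arpwatch can watch the same mirror interface (-i selects it), so
    # only this one host is ever in promiscuous mode.
    arpwatch -i "$CAP_IF"
    exec $(tcpdump_cmd "$CAP_IF" "$CAP_DIR" "$FILE_MB" "$files")
fi
```

Run as `sh capture.sh start` as root; without the argument the script only defines the helpers. A mirror port normally only delivers traffic to the monitoring host, which is why the capture interface needs no IP and why a second interface is the sensible way to reach the box.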