Traffic Monitoring

groovin

Senior member
Jul 24, 2001
857
0
0
I have a few servers plugged into a hub in our DMZ. I want to monitor the number of bytes that flow in and out of the DMZ (or the servers plugged into it) at any arbitrary time. I want to use open-source software if possible (can Snort do this?).

Any suggestions?

Thanks
 

Fuzznuts

Senior member
Nov 7, 2002
449
0
0

groovin

Senior member
Jul 24, 2001
857
0
0
Wow, those look pretty nice... so if I have servers 1, 2, and 3, I can have servers 1 and 2 send the SNMP data to server 3, which then creates the graphs?

 

Fuzznuts

Senior member
Nov 7, 2002
449
0
0
Originally posted by: groovin
Wow, those look pretty nice... so if I have servers 1, 2, and 3, I can have servers 1 and 2 send the SNMP data to server 3, which then creates the graphs?

Yep, you certainly can.

It is all done with simple config files for MRTG, and you can poll remote hosts as long as they are SNMP-aware. Will these be Linux or Windows boxes? Either way it is very simple to set up.
 

exx1976

Member
Nov 13, 2003
77
0
0
MRTG is useful for monitoring the AMOUNT of traffic, but if you actually want to look at the traffic, I'd use Ethereal. It's a nice open-source packet analyzer (sniffer).

Yes, it's been ported to Win32 for those of you that are afraid of *nix/X Windows.

 

groovin

Senior member
Jul 24, 2001
857
0
0
Linux and FreeBSD. FreeBSD has an MRTG port, so installation should be a snap. I want the FreeBSD box to make the charts and graphs and have only the Linux boxes send SNMP data - there are already too many web services running on these boxes for me to feel comfortable adding yet another.

How secure is MRTG? The FreeBSD box will just be a monitoring machine, but the Linux boxes are quite critical.

Docs are also scarce, like all OSS. Do you know of any how-tos?

Thanks!
 

Fuzznuts

Senior member
Nov 7, 2002
449
0
0
Originally posted by: groovin
Linux and FreeBSD. FreeBSD has an MRTG port, so installation should be a snap. I want the FreeBSD box to make the charts and graphs and have only the Linux boxes send SNMP data - there are already too many web services running on these boxes for me to feel comfortable adding yet another.

How secure is MRTG? The FreeBSD box will just be a monitoring machine, but the Linux boxes are quite critical.

Docs are also scarce, like all OSS. Do you know of any how-tos?

Thanks!

MRTG is fine security-wise as it's a local app that is away from the web. As long as your SNMP (change the default public community) and HTTP are secure, you'll have no worries at all. As for how-tos, the MRTG site itself has a few. It is available as an RPM; not sure about ports for BSD.

To compile from source is very simple, and there is a great guide on the MRTG site. The lists are also very active and very helpful.



 
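An added example, not code from the thread or from MRTG itself, of what the SNMP polling Fuzznuts describes in the two posts above actually computes: two polls of IF-MIB ifInOctets/ifOutOctets turned into bytes per second, with the Counter32 wrap at 2^32 handled and any interval faster than the link speed (MRTG's MaxBytes) discarded as a counter reset. All poll values are constructed.

```python
# Added example: how an MRTG-style poller turns SNMP interface counters into
# bytes/sec. IF-MIB ifInOctets/ifOutOctets are Counter32 values that wrap at
# 2^32, so a naive difference goes negative after ~4.3 GB on a busy link.
# Poll values below are constructed, not taken from a real host.

COUNTER32_MAX = 2 ** 32

def counter_delta(prev, cur, modulus=COUNTER32_MAX):
    """Bytes counted between two polls of a wrapping SNMP counter."""
    if cur >= prev:
        return cur - prev
    return cur + (modulus - prev)   # counter wrapped once since the last poll

def rate(prev_sample, cur_sample, max_bytes):
    """
    (in_bps, out_bps) for two samples of (unix_time, ifInOctets, ifOutOctets),
    or None when the interval is unusable: no time elapsed, or a rate above
    max_bytes (the link speed), which MRTG treats as a reset or bad reading.
    """
    t0, in0, out0 = prev_sample
    t1, in1, out1 = cur_sample
    elapsed = t1 - t0
    if elapsed <= 0:
        return None
    in_bps = counter_delta(in0, in1) / elapsed
    out_bps = counter_delta(out0, out1) / elapsed
    if in_bps > max_bytes or out_bps > max_bytes:
        return None
    return in_bps, out_bps

FAST_ETHERNET = 12_500_000   # 100 Mbit/s in bytes/sec, i.e. MRTG's MaxBytes

# Constructed 5-minute polls (MRTG's default interval) of one DMZ interface:
# the third shows ifInOctets wrapping past 2^32, the fourth a counter reset
# (host rebooted), which must not be reported as a 14 MB/s burst.
POLLS = [
    (1_000_000_000, 4_294_000_000, 10_000_000),
    (1_000_000_300, 4_294_900_000, 13_000_000),
    (1_000_000_600,       832_704, 16_000_000),
    (1_000_000_900,           500, 19_000_000),
]

def poll_rates(polls, max_bytes=FAST_ETHERNET):
    """Rate for each consecutive pair of polls, in the order polled."""
    return [rate(a, b, max_bytes) for a, b in zip(polls, polls[1:])]

if __name__ == "__main__":
    for r in poll_rates(POLLS):
        print(r)
```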

groovin

Senior member
Jul 24, 2001
857
0
0
Fuzz, it is in the BSD ports collection. Hopefully I'll have some time during the New Year break to start on this.
 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
Funny, I just happen to be implementing something like this myself at this very moment. MRTG can definitely do what you need, but you might also look at tcpstat. It's a simpler tool, but it may be enough for what you need and it doesn't require SNMP. You can either run it directly on an interface, or run it over a raw (-w) tcpdump output. It can output all the usual statistics and can analyze certain types of traffic according to the standard tcpdump filtering rules.

I'm sure that MRTG is better in a strict sense, but I don't understand SNMP and don't want to deal with it right now. Tcpstat is good enough for me.
 

groovin

Senior member
Jul 24, 2001
857
0
0
Clever, thanks for the info...

Regarding tcpstat, what does the interface look like? Text only? Like a cleaned-up tcpdump? Does it give any kind of charts and graphs so I can see how many KB are going in and out of an interface at a given moment?

 

cleverhandle

Diamond Member
Dec 17, 2001
3,566
3
81
It's a typical UNIX command - plain text output that can be munged in all sorts of ways to pipe somewhere else. If you really need up-to-the-moment graphs, MRTG would be better, though you can find a Howto to run tcpstat through gnuplot here.

I just went with the following shell script, run by cron every 10 minutes. I haven't written in any fancy filter rules yet, but they'd go at the bottom. The nice thing about working with a raw dump is that you get minimal overhead on the wire and can do all sorts of fancy processing later. Probably I'll generate stats for http/s, smtp, other, and total and call a perl script in the daily reports to gather up the stats and report them in a pretty form.

#!/bin/sh
#
# trafmon - use tcpdump to create a raw dump of traffic on an interface,
# rotate that dump at each invocation, and analyze it with tcpstat

PATH=/bin:/sbin:/usr/bin:/usr/sbin

INT=tun0
OUTPUT=/var/log/traffic
STATS=/var/log/stats

# Start a fresh capture in the background; the dump is mode 600 because it
# holds raw traffic
start_dump() {
    touch ${OUTPUT}
    chmod 600 ${OUTPUT}
    tcpdump -i ${INT} -w ${OUTPUT} > /dev/null 2>&1 &
}

# For rc.local at boot-time: "trafmon start" just begins the first dump
# (POSIX sh uses "=" for string comparison, and a script exits, not returns)
if [ "$1" = "start" ]; then
    start_dump
    exit 0
fi

# PID of the tcpdump that has the dump open. fstat is the BSD tool; on
# Linux use fuser or lsof on ${OUTPUT} instead
PID=`fstat ${OUTPUT} | grep tcpdump | awk '{print $3}'`
if [ -z "${PID}" ]; then
    echo "trafmon: no tcpdump running on ${OUTPUT}" >&2
    exit 1
fi

# Stop the current dump, rename the file, and restart
kill ${PID}
sleep 1     # let tcpdump flush and close the file before we move it
mv ${OUTPUT} ${OUTPUT}.tmp
start_dump

# Analyze the dump with tcpstat, appending one packets/bytes line per run
/usr/local/bin/tcpstat -r ${OUTPUT}.tmp -o "packets=%n\tbytes=%N\n" -1 >> ${STATS}

# Remove the old dump
rm ${OUTPUT}.tmp
 
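An added example, not cleverhandle's or groovin's code, of the reporting step cleverhandle says will come later: it reads the packets=...bytes=... lines that trafmon appends to its stats file every 10 minutes, converts each interval to KB/s, and flags intervals far above the median, which is the first thing to look at when more traffic than usual is leaving the DMZ. The stats lines are constructed, and the parser accepts any whitespace between the two fields in case tcpstat did not expand the \t in the format string.

```python
# Added example: summarize the stats file that the trafmon script above
# appends to every 10 minutes. Each tcpstat run adds one line of the form
# "packets=<n>\tbytes=<N>" for the whole interval, with no timestamp, so the
# cron period is the only way to turn a byte count into a rate. The lines
# below are constructed sample data, not a real stats file.
import re
from statistics import median

INTERVAL_SECONDS = 600   # trafmon's cron period in the post above
STAT_LINE = re.compile(r"^packets=(\d+)\s+bytes=(\d+)$")

# Constructed: five 10-minute intervals, the fourth an unusual burst.
SAMPLE_STATS = (
    "packets=18230\tbytes=12450312\n"
    "packets=17904\tbytes=11987650\n"
    "packets=19011\tbytes=13102288\n"
    "packets=71320\tbytes=98870144\n"
    "packets=18544\tbytes=12311900\n"
)

def parse_stats(text):
    """Return [(packets, bytes), ...], one per interval; ignore junk lines."""
    rows = []
    for line in text.splitlines():
        m = STAT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), int(m.group(2))))
    return rows

def summarize(rows, interval=INTERVAL_SECONDS, burst_factor=4.0):
    """
    Per-interval throughput in KB/s, the total byte count, and the indexes
    of intervals carrying more than burst_factor times the median volume:
    those are the intervals whose raw dump you would want to have kept.
    """
    if not rows:
        return {"intervals": 0, "kbps": [], "bursts": [], "total_bytes": 0}
    byte_counts = [b for _, b in rows]
    baseline = median(byte_counts)
    return {
        "intervals": len(rows),
        "kbps": [round(b / interval / 1024, 1) for b in byte_counts],
        "bursts": [i for i, b in enumerate(byte_counts)
                   if b > burst_factor * baseline],
        "total_bytes": sum(byte_counts),
    }

if __name__ == "__main__":
    print(summarize(parse_stats(SAMPLE_STATS)))
```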

groovin

Senior member
Jul 24, 2001
857
0
0
Awesome! Thanks, Clever. I'll look into tcpstat and let you know if I use/modify your script.
 