I've tried IPTraf, but that doesn't show (that I know of) traffic sorted by IP and volume (it does do MAC addresses, but that doesn't help with switches etc. in between). Arpwatch will show fake IP headers; snort does work, but takes a while to set up. In the end, using Ethereal and sorting by source was the answer. That, however, is a fairly manual process, so not the best.
Well, it depends on how long you are planning on doing this for. How much work do you want to put into finding a solution which you run once every (say) two months for the latest worm?
So, what tools do you folks use? Any suggestions as to what to try?
I take it you're looking for some kind of traffic flows, or heavy use hosts. Try ntop http://www.ntop.org/
It was a little tricky to get going, though it's been a while since I've used it, but that only means it should have gotten better. :)
Regards
Daniel
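The sort-by-source step the original poster did by hand in Ethereal, as an added example that is not part of this thread: a small pure-Python reader for classic libpcap files (the format tcpdump -w and Ethereal write, not pcapng) that sums bytes per source IP and also counts distinct destinations per source, because a scanning worm stands out by fan-out even when its byte volume is modest. The capture is constructed inside the script (one busy file server, one host probing 200 addresses, one ARP frame that must be skipped); the hosts, addresses and packet sizes are made up for illustration, and the pcap is built in memory so the example runs offline.

```python
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # same bytes read from a big-endian file
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs as a little-endian libpcap file, LINKTYPE_ETHERNET."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in packets)
    return header + body


def ipv4_frame(src, dst, payload_len, proto=6):
    """Ethernet + IPv4 header + zero payload. Constructed sample, not real capture data."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum (left 0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return eth + ip + b"\x00" * payload_len


def iter_packets(data):
    """Yield (orig_len, frame) for every record in a libpcap file, either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled here)")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield orig_len, data[off:off + incl_len]
        off += incl_len


def traffic_by_source(data):
    """Aggregate IPv4 frames: bytes on the wire, packet count and distinct destinations per source IP."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "dsts": set()})
    for orig_len, frame in iter_packets(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # ARP, IPv6, runts: not what we are sorting by
        ihl = (frame[14] & 0x0F) * 4
        if ihl < 20 or len(frame) < 14 + ihl:
            continue  # malformed IPv4 header
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        s = stats[src]
        s["bytes"] += orig_len   # orig_len, so truncated captures still count full size
        s["packets"] += 1
        s["dsts"].add(dst)
    return stats


def top_talkers(stats, n=5, key="bytes"):
    """Rows (src, bytes, packets, distinct_dsts) sorted by 'bytes', 'packets' or 'dsts' (fan-out)."""
    def score(item):
        s = item[1]
        return len(s["dsts"]) if key == "dsts" else s[key]
    rows = sorted(stats.items(), key=score, reverse=True)
    return [(ip, s["bytes"], s["packets"], len(s["dsts"])) for ip, s in rows[:n]]


def sample_capture():
    """Constructed traffic: a file server moving bulk data and a host sweeping 200 addresses."""
    pkts, t = [], 0
    for _ in range(20):                      # 20 x 1434-byte frames to one peer
        pkts.append((t, ipv4_frame("10.0.0.9", "10.0.0.20", 1400))); t += 1
    for i in range(1, 201):                  # 200 x 74-byte probes, each to a new host
        pkts.append((t, ipv4_frame("10.0.0.5", f"192.168.0.{i}", 40))); t += 1
    arp = b"\xff" * 6 + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28
    pkts.append((t, arp))                    # must be ignored by the aggregator
    return build_pcap(pkts)


if __name__ == "__main__":
    stats = traffic_by_source(sample_capture())
    for label, key in (("by volume", "bytes"), ("by fan-out", "dsts")):
        print(f"-- top sources {label}")
        print(f"{'source':<15} {'bytes':>8} {'pkts':>6} {'dsts':>5}")
        for ip, b, p, d in top_talkers(stats, key=key):
            print(f"{ip:<15} {b:>8} {p:>6} {d:>5}")
```

Sorted by bytes the file server wins; sorted by distinct destinations the scanning host jumps to the top with 200 packets to 200 addresses, which is the column that actually finds a worm. To run it on a real file, replace `sample_capture()` with the bytes of a `tcpdump -w` capture; the reader deliberately rejects pcapng rather than misparse it.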
