On Wed, 2008-01-09 at 12:05 +1100, Tony Sceats wrote:
> firstly you would run any number of the tools already mentioned on the
> bridged machine - ntop, ethereal/wireshark, snmp, iptables, use ip
> accounting etc etc.. hell even tcpdump would be fine, if a little
> ugly.. for a quick & dirty I'd say ntop is your best bet though
>
> but really, whilst these are all valid, you do only have 8 machines
> there, don't you? Depending upon the (political) environment there,
> simply running ntop and/or ethereal/wireshark on each of these
> machines for 5 minutes may be a better solution than re-wiring the
> network, causing an outage, and for a net loss of efficiency (ie, turn
> switches to hubs) or going to all the bother of building a dual-homed
> machine, setting up bridging, then analysing the traffic etc.. 8
> machines isn't all that many after all.. and if it's not a cumulative
> problem - eg, one machine with a virus, then this will identify the
> source of the problem pretty quickly and much much easier than
> anything else mentioned..
>

Actually the politics isn't difficult - it's my network, so they could
either put up with it or get their own ;-)

OTOH, if one of the machines is compromised I'm not sure that running any
software on that machine is necessarily going to help.

I still think that knowing the traffic for the entire network is very
useful, and once it's done the tool is there forever. I can see that
ideally this would be done from a gateway, but that's not an option.

> but as everyone's answers already point to, you're far better off
> trying to get access to the gateway or asking whoever manages it to
> look into the problem than doing anything else
>
>
> On Jan 9, 2008 11:48 AM, david <[EMAIL PROTECTED]> wrote:
> > If I understand all this properly, I have two sane choices:
> >
> > * put a dumb hub between the router and network switch, plug a
> >   promiscuous box into it and run something like ethereal on it
> > * put a linux box instead of the dumb hub, set it up as a bridge and
> >   run (what?) to monitor traffic
> >
> > does that sound right? If so, option one sounds a lot easier.
> >
> > many thanks...
> >
> > David.
> >
> >
> > On Wed, 2008-01-09 at 09:35 +1100, Dean Hamstead wrote:
> > these two links might help
> >
> > http://tldp.org/HOWTO/Bridge+Firewall.html
> >
> > http://www.linux-foundation.org/en/Net:Bridge
> >
> > Dean
> >
> > Alex Samad wrote:
> > > On Tue, Jan 08, 2008 at 06:53:51AM +0000, Visser, Martin wrote:
> > >> This won't work if it is a network with a dumb (cheap/unmanaged)
> > >> switch. (An old dumb hub/repeater would be fine but almost no one
> > >> uses these nowadays).
> > >>
> > >> You really either need to get access to the gateway (and even then
> > >> it may not support any decent stats or raw capture) or have a
> > >> switch that supports port mirroring (where it makes a copy of all
> > >> the traffic on all ports to a particular nominated port).
> > >
> > > or get a linux box with 2 nic and bridge between the switch and
> > > then gateway
> > >
> > >> There is a "bad" (read crackers) tool called ettercap which can
> > >> trick all your hosts to send their traffic to another host by
> > >> spoofing ARP responses, but in my opinion it will generally degrade
> > >> your network and hence interfere in your measurement, so you
> > >> probably should ignore this.
> > >>
> > >>
> > >> Martin Visser
> > >>
> > >> Technology Consultant
> > >> Technology Solutions Group - HP Services
> > >>
> > >> 410 Concord Road
> > >> Rhodes NSW 2138
> > >> Australia
> > >>
> > >> Mobile: +61-411-254-513
> > >> Fax: +61-2-9022-1800
> > >> E-mail: martin.visserAThp.com
> > >>
> > >>
> > >> -----Original Message-----
> > >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > >> Aleksey Tsalolikhin
> > >> Sent: Tuesday, 8 January 2008 4:10 PM
> > >> To: [email protected]
> > >> Subject: Re: [SLUG] measuring traffic
> > >>
> > >> Have you tried ntop? It should show you what the top usage is on
> > >> your network. That might be the answer you are looking for.
> > >>
> > >> Best,
> > >> -at
> > >>
> > >> On Jan 7, 2008 8:49 PM, david <[EMAIL PROTECTED]> wrote:
> > >>> I have a local network for which I do not have access to the
> > >>> gateway host.
> > >>>
> > >>> What tool would folk suggest to determine what and how much
> > >>> traffic is going to what port on which host?
> > >>>
> > >>> I've got 8 hosts on the network which are a mixture of Mac and
> > >>> Linux, mostly on public IP addresses, and the bandwidth is
> > >>> getting chewed up by something but I can't tell what.
> > >>>
> > >>> thanks...
> > >>>
> > >>> David.
> > >>>
> > >>> --
> > >>> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> > >>> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
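The "what and how much traffic is going to what port on which host" accounting David asks for, as an added example that is not part of the thread: a Python script that sums payload bytes from the one-line-per-packet output of `tcpdump -nn -q -l`, run on the bridge or hub-attached sniffing box. The exact tcpdump line layout it parses is an assumption, and the sample capture (TEST-NET addresses) is constructed.

```python
import re
import sys
from collections import defaultdict

# One-line-per-packet form of `tcpdump -nn -q -l` (IPv4 TCP/UDP only); the
# exact field layout is assumed, so check it against your own tcpdump output.
PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:tcp (?P<tcp>\d+)|UDP, length (?P<udp>\d+))"
)

def parse_line(line):
    """Return (src, dst, dport, proto, payload_bytes); None for ARP, IPv6 etc."""
    m = PKT_RE.search(line)
    if not m:
        return None
    proto = "tcp" if m.group("tcp") is not None else "udp"
    nbytes = int(m.group(proto))
    return m.group("src"), m.group("dst"), int(m.group("dport")), proto, nbytes

def account(lines):
    """Sum payload bytes per destination host:port/proto and per source host."""
    by_dst, by_src = defaultdict(int), defaultdict(int)
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, dst, dport, proto, nbytes = pkt
        by_dst[(dst, dport, proto)] += nbytes
        by_src[src] += nbytes
    return dict(by_dst), dict(by_src)

def top(counter, n=5):  # largest n entries of an accounting dict, biggest first
    return sorted(counter.items(), key=lambda kv: kv[1], reverse=True)[:n]

# Constructed sample capture: one host pushing most of the bytes to port 6881.
SAMPLE = """\
12:05:01.000001 IP 203.0.113.10.51234 > 198.51.100.5.80: tcp 1448
12:05:01.000002 IP 198.51.100.5.80 > 203.0.113.10.51234: tcp 0
12:05:01.000003 IP 203.0.113.10.51235 > 198.51.100.7.6881: tcp 1448
12:05:01.000004 IP 203.0.113.10.51235 > 198.51.100.7.6881: tcp 1448
12:05:01.000005 IP 203.0.113.12.40000 > 203.0.113.1.53: UDP, length 40
12:05:01.000006 ARP, Request who-has 203.0.113.1 tell 203.0.113.12, length 28
"""

if __name__ == "__main__":  # pipe a live capture in; otherwise the sample runs
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    by_dst, by_src = account(lines)
    for (dst, port, proto), nbytes in top(by_dst):
        print(f"{nbytes:>8} B -> {dst}:{port}/{proto}")
    print("heaviest sender:", top(by_src, 1))
```

Piped from `tcpdump -nn -q -l -i <bridge or sniffing interface>` it reports the busiest destination host:port and the host sending the most bytes, which is the single-infected-machine case Tony describes; ntop gives the same picture interactively, which is why the thread keeps recommending it.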
