
LAN Traffic Monitoring

Strych9

Golden Member
I currently have a home LAN consisting of 6 machines, one of which is a server. They are all networked/sharing cable through a Linksys 4-port router and Linksys switch. I am interested in detailed monitoring of lan/internet traffic. Currently I only have the router log which is not very detailed. What would be the best way for me to do this-hardware configuration and software? I would like to use my server to monitor the traffic.
 
This might be difficult because of the switch. Any kind of analyzer you plug into one port on the switch is only going to see broadcasts and multicasts. Can you maybe explain the layout of your network gear and what you are trying to monitor? Are you only concerned with internet traffic and what applications are being used or do you need detailed information on every machine in terms of bytes, applications and usage?

 
This is similar to my setup except that I have a 5-port switch plugged into the router connecting the remaining machines. All machines are behind the router. All machines running Win98SE except mine and the server which are on Win2K Pro. I have kids and they have their own machines. I basically want to monitor their activity both internet and apps usage. The router logs help out some but I'm looking for more than that. Any help would be appreciated.
 
If you want to monitor every machine, I think you'd need to buy a router/switch with a special "Monitor" port in it, which is designed to receive a copy of ALL traffic for monitoring/logging purposes. I know that Cisco stuff has that.
 
Yup... with a switch, you'll need to use the Monitor port, or SPAN port in Cisco land. Currently, with a switch, you'll only be able to see broadcasts, multicasts, and any unicast flooding (i.e. the switch doesn't have a MAC address entry in its CAM table).

DaveK
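The switch behaviour described in the two posts above, as an added example that is not from this thread: a small Python model of a learning switch (source-MAC learning into a CAM table, flooding for broadcast, multicast and unknown-unicast frames) that reports which frames a sniffer on an ordinary switch port actually receives. All MAC addresses, frames and port numbers are constructed for the demonstration.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def frame_kind(dst):
    """Classify by destination MAC: broadcast, multicast (I/G bit set) or unicast."""
    if dst == BROADCAST:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"

class LearningSwitch:
    """Minimal transparent bridge: learns source MACs per port (its CAM table)
    and floods any frame whose destination MAC it has not learned yet."""
    def __init__(self, ports):
        self.ports = ports
        self.cam = {}  # MAC -> port

    def forward(self, in_port, frame):
        dst, src = struct.unpack("!6s6s", frame[:12])
        self.cam[src] = in_port                    # learn where the sender lives
        kind = frame_kind(dst)
        if kind == "unicast" and dst in self.cam:  # known unicast: one port only
            out = self.cam[dst]
            return "forwarded", ([] if out == in_port else [out])
        others = [p for p in range(1, self.ports + 1) if p != in_port]
        return ("flooded" if kind == "unicast" else kind), others

def seen_by_sniffer(frames, monitor_port, ports=4):
    """Return (frame index, reason) for every frame that reaches the sniffer's port."""
    sw, seen = LearningSwitch(ports), []
    for i, (in_port, frame) in enumerate(frames):
        reason, out_ports = sw.forward(in_port, frame)
        if monitor_port in out_ports:
            seen.append((i, reason))
    return seen

# Constructed sample traffic: PC-A on port 1, PC-B on port 2, sniffer on port 3, PC-C on port 4.
A, B = mac("00:11:22:aa:aa:01"), mac("00:11:22:bb:bb:02")
C, D = mac("00:11:22:cc:cc:04"), mac("00:11:22:dd:dd:05")
ARP, IPV4 = b"\x08\x06", b"\x08\x00"
SAMPLE = [
    (1, BROADCAST + A + ARP + b"who-has B?"),  # ARP request: broadcast, everyone sees it
    (2, A + B + ARP + b"B is-at ..."),         # reply: A already learned on port 1, not flooded
    (1, B + A + IPV4 + b"GET / ..."),          # B learned on port 2 from frame 1, not flooded
    (4, D + C + IPV4 + b"to unknown host"),    # D never seen by the switch: unicast flooding
]

if __name__ == "__main__":
    print(seen_by_sniffer(SAMPLE, monitor_port=3))  # [(0, 'broadcast'), (3, 'flooded')]
```

Only the broadcast and the unknown-unicast frame reach port 3; the A/B conversation never does, which is why a plain switch port is not enough and a hub or a Monitor/SPAN port is needed.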
 
Use Ethereal. It is a nice little packet sniffer that will do everything that you want it to. I am a little leery of the switch though. Switches only unicast traffic to their respective MAC, so I don't know if you would be able to see what the other computers are doing. You would only see general ARP requests and/or NetBIOS announcements. What you could do is get a hub and hook it into the router instead of the switch. The hub will broadcast all activity on all ports, allowing you to sniff what is going on with the other PCs. I would think that is your best bet.
 
I've used a few of the trial versions like "Little Brother" when I was running Hubs. Also worked with my HP Managed Switch as it had the ability to 'monitor' the traffic on a selected port. I had thought about placing a simple hub between my router and the cable modem to provide monitoring capability although I wouldn't be able to tell which PC originated the request. Thanks for the Ethereal link - I'm going to give it a try.
 
The best of the best from my experience is going to be NTOP

I've yet to find anything to compare that is free. It really is a phenomenal piece of software.

Here's a quick description from the site:

What's ntop?

ntop is a Unix tool that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as well. I have developed libpcap for Win32 (port of libpcap to Win32) in order to have a single ntop source tree.

ntop comes with two applications: the 'classical' ntop that sports an embedded web server, and intop (interactive ntop) is basically a network shell based on the ntop engine.

intop provides a powerful and flexible interface to the ntop packet sniffer. Since ntop has grown so much in functionality and it cannot be simply considered a network browser, the problem of capturing and showing network usage has been split. As of version 1.3 the ntop engine captures packets, performs traffic analysis and information storage. intop implements a bare, command line based interface, with an apparently spartan look and feel, but a lot of functionality already implemented, and others planned for future releases.

What can ntop do for me?

Sort network traffic according to many protocols
Show network traffic sorted according to various criteria
Display traffic statistics
Show IP traffic distribution among the various protocols
Analyse IP traffic and sort it according to the source/destination
Display IP Traffic Subnet matrix (who's talking to who?)
Report IP protocol usage sorted by protocol type

Platforms: Unix, Win32

Media: Loopback, Ethernet, Token Ring, PPP, Raw IP, FDDI

Protocols: IP, IPX, DecNet, AppleTalk, Netbios, OSI, DLC

IP Protocols: Fully User Configurable

Additional Features:
Embedded HTTP server
Network Flows
Local Traffic Analysis
Multithread
Lightweight Network IDS (Intrusion Detection System)
C++/Perl lightweight API for accessing ntop from remote
Internet Domain Statistics
CGI support
Advanced 'per user' HTTP password protection with encrypted passwords
Support for SQL database for storing persistent traffic information
Remote hosts OS identification (via nmap)
HTTPS (Secure HTTP via OpenSSL)
libwrap support
Virtual/multiple network interfaces support
Graphical Charts (via gdchart)
Perl Interface
WAP support

 


<< If you want to monitor every machine, I think you'd need to buy a router/switch with a special "Monitor" port in it, which is designed to receive a copy of ALL traffic for monitoring/logging purposes. I know that Cisco stuff has that. >>

Any recommendations on a specific model? Something fairly inexpensive if that's even possible.
 
Strych, if you want to use your server like you said in the initial post, I'd load NTOP on it and put it on a hub or some point of contact where it can see traffic from all of your networked devices.

It will monitor every single machine, label it, down to the protocol, port number, time... whatever... all on a nice web page for point and click results.

Oh, and it is free.
 


<< strych if you want to use your server like you said in the initial post i'd load NTOP on it and put it on a hub or some point of contact where it can see traffic from all of your networked devices >>

Thanks, I'll try it. I am also interested still in the Cisco switch idea. So if anyone could suggest a specific model for me to look at I'd appreciate it. Thanks.
 
One more thought. If I lose the router and do the ICS thing through my server, will that give me the same results? I should be able to monitor all machines that way, right?
 


<< One more thought. If I lose the router and do the ICS thing through my server will that give me the same results. I should be able to monitor all machines that way right? >>



Yes, however, it depends on how your network is set up after the ICS. I have a Linux box that I turned into a router using NAT and I use Network Monitor to graphically display LAN and WAN bandwidth consumption.

If you use your server to perform ICS and therefore route the network, you'll need 1 NIC for every machine on your network in your server. So, if you have 6 PCs, one being the server, you'd need 6 NICs... 5 for the 5 ports for the other 5 machines and 1 for WAN. You may be able to get away with only 2 NICs in the server and on the LAN side use a hub; that'll broadcast data, so in theory the server should be able to see all traffic, I'm not positive on that though. Using a hub will split your bandwidth though, which is why I don't use them. If you buy a 100 Mbps hub and attach 6 PCs to it, at max usage you'll only be able to get 16.6 Mbps... but that's without overhead, so probably just a little over 10 Mbps is what you can expect if all your PCs are actively using their lines.

On a security note, using a server to perform ICS is not a good idea, but I guess that all depends on how sensitive your data is or how much you care.

HTH
 