Linux 2.4 firewall, how can I monitor usage?

We have a Linux box (mandrake 8.0 with kernel 2.4) set up as a firewall.

It has 2 NICs, one for our link and one into our switch. I noticed today that the usage looks fishy, i.e.: Received bytes (970MB), Transmitted bytes (2790MB).

As the link is only used for mail and www surfing I suspect either misuse of mail (all those porn videos) or someone running a warez server on our network.

I need a way to monitor traffic by host in our network. Overall usage statistics will also be useful of course.

I had a look on the web but got lost in all the pre-ipchains and other old methods (which I did not bother to even read. I am trying the easy way out here).

Thus what I need is pointers to the best network usage/firewall traffic usage software that will work with our current setup to catch the culprit.

Fire away ...

PS. Please do not tell me to run tcpdump. I am very capable of doing that but doing the math in my head is too much and writing scripts to do it will hog the server too much.
try ntop or snort

Either requires that you monitor what's on the display.

I'm not sure if they are included by default in your install, but they can be obtained from

have you checked your local file integrity on your machine to make sure that you haven't been root-kitted from outside?

If not, most of the rootkits install trojaned versions of ls, ps, top, netstat... I found a rootkit on a machine by doing an updatedb and then locate log...

Are you able to insist that users on the network use proxy software on the firewall box, e.g. squid for web browsing? If you also install a mail server on the box, e.g. sendmail, and insist that all emails sent out from your network have to be relayed by it, you will get immediate logging of all mail and web surfing activity.

Having done that, you could then shut down all ip forwarding and let the proxy software take over the ipchains functions.

What was said earlier about checking for possible compromise of your system is very valid. If you have your original installation cd, reinstall the system utilities from the cd and check that everything is ok.
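The two answers above both say to check the box for a rootkit before trusting anything it reports. On an RPM-based distribution such as Mandrake 8.0 the integrity check is `rpm -Va`, which lists every installed file whose size, mode, MD5 or timestamp differs from what the package database recorded. The script below is an added example, not code from the thread: it parses `rpm -V` output and flags non-config binaries whose MD5 changed, which is exactly what a trojaned ls, ps or netstat looks like. The sample output, paths and flag columns are constructed for illustration. Caveat: if the box is rooted, rpm and its database may be trojaned too, so run the check from the install CD or a rescue boot rather than from the suspect system.

```shell
#!/bin/sh
# Added example: flag binaries whose on-disk MD5 no longer matches the RPM
# database. Real input comes from `rpm -Va` (ideally run from rescue media).
#
# rpm -V prints one line per changed file: an 8-column flag field
# (S size, M mode, 5 MD5, D device, L link, U user, G group, T mtime,
# '.' = unchanged), an optional attribute letter (c = config file) and
# the path. "missing" replaces the flags when the file is gone.

# Constructed sample of rpm -Va output (hypothetical paths and flags).
SAMPLE_RPM_V='S.5....T    /bin/ls
S.5....T    /bin/ps
.......T    /usr/share/doc/README
S.5....T  c /etc/passwd
..5....T    /usr/bin/top
missing     /usr/bin/lsattr'

# Read rpm -V output on stdin; print paths of modified, non-config binaries
# under the usual system binary directories. A changed MD5 there is the
# classic rootkit signature; a changed mtime alone is not.
suspicious_binaries() {
    awk '
        # $1 is the flag field, $2 is "c" for config files, $NF is the path.
        $1 ~ /5/ && $2 != "c" && $NF ~ /^\/(bin|sbin|usr\/bin|usr\/sbin)\// { print $NF }
    '
}

# Number of suspicious binaries, for a quick yes/no answer.
count_suspicious() {
    suspicious_binaries | wc -l | tr -d " "
}

# Usage on the constructed sample; on a real box pipe `rpm -Va` instead.
printf '%s\n' "$SAMPLE_RPM_V" | suspicious_binaries
```

Anything this prints should be compared against the original package: `rpm -Vp <package>.rpm` against the file on the install CD, or just reinstall the package from the CD as suggested above.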

gysbert1Author Commented:
Ok, am looking into the above.

I am running a proxy as well as mailserver on the machine as suggested already. Unfortunately we are a development company, developing some custom tcp/ip communications software amongst other things. I can thus not force all traffic through the proxy.

Am pretty sure the machine is still OK though. I can see that most of my traffic is coming from inside our network. I suspect mail or some gnutella or similar server but I cannot audit every machine on the lan.
If you are using a iptables firewall, you can add logging quite easily. For example,

# Log forwarded TCP traffic to port 21, then accept it; the LOG target does not terminate the chain
/sbin/iptables -A FORWARD -p tcp --dport 21 -j LOG --log-level warning --log-prefix "FTP inbound connex."
/sbin/iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

This should put entries into /var/log/messages.

The above assumes the ftp server is on port 21, which for a warez server might well not be the case. What you could also do is exploit the 'not' option to log everything that was not going to a well-known port, e.g. '! --dport 1:1024'

# Log forwarded TCP traffic whose destination port is outside 1-1024, then accept it
/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j LOG --log-level warning --log-prefix "Unprivileged port."
/sbin/iptables -A FORWARD -p tcp ! --dport 1:1024 -j ACCEPT


Gnutella or something similar is quite possible, and the user may be completely unaware of the load it's putting on the network.

If you suspect that someone within the network is abusing the system, whether intentionally or not, then I would suggest you talk to whoever is in charge of the development team, and tell them that you need to tighten up security on the gateway. Ask them to specify which ports they need left open, and then you can shut everything else down (or you can leave it open, but log it). You will then have a much better chance of finding the PCs within the network that are imposing the load, and then investigating in more detail.
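The answer above gets the traffic into /var/log/messages but leaves the "math in my head" problem from the question unsolved. The script below is an added example, not code from the thread: it reads the kernel LOG lines that those iptables rules produce and sums the IP length (LEN=) per internal source host and destination port, so the top line is the LAN machine and port eating the link. The log lines, addresses and ports are constructed for illustration; the LAN prefix 192.168.1. is an assumption you replace with your own. Two caveats worth knowing: the kernel appends `--log-prefix` directly in front of `IN=` with no separator (hence "Unprivileged port.IN=eth1" below), and LEN counts IP header bytes as well as payload, so the totals are link usage, not application bytes.

```shell
#!/bin/sh
# Added example: tally bytes per LAN host and destination port from iptables
# LOG entries in /var/log/messages. Each kernel LOG line carries
# SRC=, DST=, LEN= (IP total length), PROTO=, SPT= and DPT= fields.

# Constructed sample log lines (hypothetical hosts, ports and byte counts).
SAMPLE_LOG='Jun 12 10:01:02 fw kernel: Unprivileged port.IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=TCP SPT=3456 DPT=6346 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jun 12 10:01:02 fw kernel: Unprivileged port.IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=101 DF PROTO=TCP SPT=3456 DPT=6346 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Jun 12 10:01:03 fw kernel: Unprivileged port.IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=102 DF PROTO=TCP SPT=4021 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 12 10:01:04 fw kernel: FTP inbound connex.IN=eth0 OUT=eth1 SRC=203.0.113.77 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=103 DF PROTO=TCP SPT=51000 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 12 10:01:05 fw sshd[123]: Accepted password for bob from 192.168.1.5'

# Read syslog on stdin; print "bytes src_host dst_port" for every LAN source,
# largest first. $1 is the LAN prefix to count (assumed 192.168.1. here);
# traffic from outside that prefix, and non-kernel lines, are ignored.
bytes_by_lan_host() {
    awk -v lan="${1:-192.168.1.}" '
        /kernel:/ && /SRC=/ {
            src = ""; len = 0; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^LEN=/) len = substr($i, 5) + 0
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (index(src, lan) == 1) bytes[src, dpt] += len
        }
        END {
            for (k in bytes) {
                split(k, p, SUBSEP)
                printf "%d %s %s\n", bytes[k], p[1], p[2]
            }
        }
    ' | sort -rn
}

# The single worst offender: host and port with the most bytes.
top_talker() {
    bytes_by_lan_host "$1" | head -n 1
}

# Usage on the constructed sample; on the firewall run
#   bytes_by_lan_host 192.168.1. < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | bytes_by_lan_host 192.168.1.
```

The LOG target fires on every matching packet, so on a busy link the log grows fast; adding `--syn` to the LOG rule records only connection attempts, which is enough to identify the host and port even though the byte totals then stop being meaningful.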

gysbert1Author Commented:
Had a look at both, NTOP does the trick!

The latest version does not need monitoring of the display. It runs as a daemon and writes data to a GDB database on the server.

I can now monitor usage per src/dest host by protocol and time, and all of this via the web from my browser ...


Question has a verified solution.
