Need User Internet Usage monitor for linux

My network has 150+ users on NT/2000.  They all run through a Watchguard firewall.  I need to implement a internet use monitor (on Linux) for port 80 25 110 143 .  I can attach the monitor with a hub to sniff the traffic, but I was wondering if there are any better suggestions?
Thanks
3 Solutions
 
Flash828Commented:
Well, what are you trying to see the usage of?  Successful connections to these ports?  Connection attempts to these ports?  Unauthorized attempts at these ports?

In these cases, if you run IPTABLES, you can create a logging Chain (or table.. never figured out the difference), to log these events.  For instance,

iptables -N LOGGING
iptables -A LOGGING -p tcp --dport 80 -j LOG --log-prefix "Port 80 Access: "

This would show all TCP/UDP connection attempts to port 80 on your machine.

However, I'm not sure that's what you're looking for...  can you be more specific?
0
 
TheAmigoCommented:
As a side note to clarify the difference between a chain and a table:  With 2.4 (iptables), there are only three tables (filter, mangle & nat).  To have more tables, you need to find/write more kernel modules.  Chains can be created at will with the -N option and are placed in one of the existing tables. (e.g. PREROUTING and OUTPUT are the default chains in the mangle table)

To monitor the internet usage for many machines, you could add a couple rules (one for each port) in the style that Flash828 mentioned to the FORWARD chain of the filter table.  However, this will only work if the linux box doing this monitoring is also routing all the packets that you're interested in.

If sniffing the traffic is your only option, then you'll need a different solution.
0
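The LOG rules above only write kernel messages to syslog; turning them into a per-user usage report still takes a second step. The following is an added example (not code from this thread) that parses constructed sample lines in the netfilter LOG-target format and totals connections per client IP and service for ports 80, 25, 110 and 143; the "gw" host name, interface names and addresses are made up:

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (not a real capture) in the format the
# netfilter LOG target emits, e.g. from a FORWARD-chain rule such as
#   iptables -A FORWARD -p tcp --syn --dport 80 -j LOG --log-prefix "Port 80 Access: "
# Matching only --syn keeps one line per connection instead of one per packet.
SAMPLE_LOG = """\
Jan 12 10:02:11 gw kernel: Port 80 Access: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:02:15 gw kernel: Port 25 Access: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:03:01 gw kernel: Port 80 Access: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:03:09 gw kernel: Port 110 Access: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40003 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:03:20 gw kernel: some unrelated kernel message with no netfilter fields
"""

SERVICE_BY_PORT = {80: "http", 25: "smtp", 110: "pop3", 143: "imap"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG-target record, or None when the
    line carries no SRC/DPT fields (i.e. is not a netfilter log line)."""
    fields = dict(KV_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return fields

def usage_by_client(log_text, ports=SERVICE_BY_PORT):
    """Aggregate logged TCP connections per client IP and service.
    Returns {src_ip: {service: count}} for the monitored ports only."""
    usage = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None or fields.get("PROTO") != "TCP":
            continue
        dport = int(fields["DPT"])
        if dport in ports:
            usage[fields["SRC"]][ports[dport]] += 1
    return {src: dict(counts) for src, counts in usage.items()}

if __name__ == "__main__":
    for client, counts in sorted(usage_by_client(SAMPLE_LOG).items()):
        print(client, counts)
```

Feed it the lines syslog writes for the chosen --log-prefix (for example via `grep "Access:" /var/log/messages`); as TheAmigo notes, these lines only exist when the Linux box is routing the traffic.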
 
bkernAuthor Commented:
I need to log all incoming and outgoing email as well as all web surfing.  The Linux box will be off of a hub, so I think that dsniff may be my answer.
0
 
Flash828Commented:
Then you can run the interface in permiscuos (sp?) mode to see all traffic, then log ports 25 (smtp), 80 (http) and 110 (pop3) using iptables.
0
 
TheAmigoCommented:
I don't think that will work.  Which table and chain would you put that in, Flash828?  iptables allows you to log traffic for one of three conditions:
1) your IP is the destination [INPUT]
2) you are sending it [OUTPUT]
3) you are routing the packet [FORWARD]

Even in promiscuous (ok, so I don't know how to spell it either) mode, you'd need software other than iptables to create a log of the traffic as it won't match any of the above conditions.
0
 
TheAmigoCommented:
I don't think that will work.  Which table and chain would you put that in, Flash828?  AFAIK, iptables allows you to log traffic for one of three conditions:
1) your IP is the destination [INPUT]
2) you are sending it [OUTPUT]
3) you are routing the packet [FORWARD]

Even in promiscuous (ok, so I don't know how to spell it either) mode how would you add a rule to match packets that aren't any of the above three conditions?
0
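The point TheAmigo makes is easy to see on a decoded frame: netfilter only evaluates packets addressed to, sent by, or routed through the host, so a frame merely overheard on a hub needs a sniffer-side program. The following is an added illustration (not dsniff and not code from anyone in this thread) that decodes a constructed Ethernet/IPv4/TCP SYN frame, reports which filter-table chain would see it for a given monitor IP, and records the client-to-service pair a sniffing monitor would count; the MAC and IP addresses are made up:

```python
import socket
import struct

MONITORED_PORTS = {80: "http", 25: "smtp", 110: "pop3", 143: "imap"}

def build_tcp_syn_frame(src_ip, dst_ip, sport, dport):
    """Construct a minimal Ethernet II / IPv4 / TCP SYN frame as sample input
    (constructed data; checksums are left at zero, it is not a real capture)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 5840, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp

def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers into (src_ip, dst_ip, sport, dport);
    None for anything that is not IPv4 carrying TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[23] != 6:                    # IP protocol field, 6 = TCP
        return None
    src_ip = socket.inet_ntoa(frame[26:30])
    dst_ip = socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 4:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src_ip, dst_ip, sport, dport

def netfilter_chain_for(frame, monitor_ip, forwarding=False):
    """Filter-table chain on the monitor host that would see this packet: INPUT,
    OUTPUT, FORWARD (only if we route it), or None (sniffer-only traffic)."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    src_ip, dst_ip, _, _ = parsed
    if dst_ip == monitor_ip:
        return "INPUT"
    if src_ip == monitor_ip:
        return "OUTPUT"
    return "FORWARD" if forwarding else None

def classify_usage(frame):
    """Sniffer-side record: (client_ip, service) for a monitored port, else None."""
    parsed = parse_frame(frame)
    if parsed is None or parsed[3] not in MONITORED_PORTS:
        return None
    return parsed[0], MONITORED_PORTS[parsed[3]]
```

A real monitor would read frames from a promiscuous raw socket or a pcap library instead of build_tcp_syn_frame, and should also handle VLAN tags and IP options, which this sketch only covers through the IHL field.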
 
Flash828Commented:
That's an interesting point.  However, since the interface is operating in promiscuous mode, it means the packets are moving into kernel-space then user-space.  If that is the case, then IPTABLES should be able to pick it up with a rule where the source and destination are not equal to the IP of the machine, for an input packet.... I'm going to look into this.  More about this a little later.
0
 
Flash828Commented:
Oh, and I do believe there are more conditions than just input, output and forward.. I think there's pre-routing, post-routing, and a bunch more... Again, I haven't used iptables in these conditions as of yet, so I don't know how these options work.  However, I have been playing with iptables long enough to know that it's an incredibly powerful tool above being just a packet filter.
0
 
TheAmigoCommented:
The PREROUTING and POSTROUTING chains are only in the mangle and nat tables.  While I haven't tried it, I don't think you can write a rule in either of those tables that would match a packet that you're not routing.

I'd always wondered why there are so many dup posts on the boards here.  Today my 'net connection's flaky and I posted a dup... now I know. :)
0
 
bkernAuthor Commented:
I ended up with dsniff and using MailScanner over sendmail.
0
 
CleanupPingCommented:
bkern:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0